VoIP, SIP, RTP: Voice over IP, Session Initiation Protocol, Real-time Transport Protocol
This tutorial shows the capabilities of the voipDetector plugin. It displays troubleshooting information for SIP/RTP/RTCP and is able to carve RTP content.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow voipDetector txtSink
...
BUILD SUCCESSFUL
If you have not created separate data and results directories yet, please do so now in another bash window; this facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for analyzing VoIP traffic!
voipDetector
This plugin was originally designed for troubleshooting telco VoIP communication. RTCP is therefore also decoded, which provides statistics in addition to those of the basicStats plugin, such as packets lost and maximal jitter reporting.
Data carving with voipDetector
The configuration listed below allows the user to enable the RTP content save mode and to set the length of SIP names in the flow structure, the path where RTP content is saved and the default name used as a prefix if no file name can be found.
We also added a configurable offset into the RTP payload, for special-purpose applications.
voipDetector
vi src/voipDetector.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VOIP_SIP 2 // > 0 Enable SIP decoder, 2: add RTP / SIP findex/ssrc flow correlation
#define VOIP_SIP_PRV 0 // 1: add srcIP for flow correlation, 2: add srcIP of SIP flow (VOIP_SIP=2)
#define VOIP_RTP 1 // Enable RTP/RTCP decoder
#define VOIP_RTCP 1 // Enable RTCP decoder
#define VOIP_ANALEN 0 // Check reported len against snap payload len
#define VOIP_SAVE 0 // Save RTP content
#define VOIP_BUFMODE 1 // Enable buffering of saved RTP content
#define VOIP_SILREST 1 // Restore back G.711 suppressed silences (require VOIP_SAVE=1)
#define VOIP_PLDOFF 0 // Offset for payload to save (require VOIP_SAVE=1)
#define VOIP_SVFDX 1 // Merge ops: 0: SSRC, 1: findex
#define VOIP_MINPKT 1 // Minimum packet length of a flow (require VOIP_SAVE=1)
#define RTPFMAX 20 // Maximal SSRC files (VOIP_SVFDX == 0)
#define SIPNMMAX 35 // Maximal SIP caller name length
#define SIPSTATMAX 8 // Maximal SIP state requests
#define SIPCLMAX 3 // Maximal SIP state requests name length
#define SIPRFXMAX 100 // Maximal SIP IP addr, m=audio / video ports
//#define SIPADDMAX 100 // Maximal SIP addr
#define NUMCSRCMAX 30 // Max number of CSRC to store
#define RTPBUFSIZE 4096 // Size of buffer for RTP content
#define VOIP_PERM S_IRWXU // File permissions
#define RTPMAXVERS 1 // Maximal # version violations
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define VOIP_RMDIR 1 // Empty VOIP_V_PATH before starting (require VOIP_SAVE=1)
#define VOIP_V_PATH "/tmp/TranVoIP" // Path for raw VoIP
#define VOIP_FNAME "nudel" // Default content file name prefix
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
We leave VOIP_SIP=2 in order to demonstrate the SIP/RTP flow correlation, and VOIP_RMDIR=1 because we want t2 to delete the files between experiments to remove clutter. RTCP decoding stays off, as there is not much to troubleshoot in our pcaps and we want to put the emphasis on the data carving capabilities of t2.
Use t2conf, recompile and run t2 on the MagicJack pcap in packet mode.
t2conf voipDetector -D VOIP_SAVE=1 && t2build voipDetector
t2 -s -r ~/data/MagicJack_short_call.pcap -w ~/results
================================================================================
Tranalyzer 0.9.4 (Anteater), Cobra. PID: 78369, Prio: 0, SID: 666
================================================================================
Date: 1751738570.000284997 sec (Sat 05 Jul 2025 20:02:50 CEST)
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.4
    02: voipDetector, 0.9.4
    03: txtSink, 0.9.4
[INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M)
[INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M)
Processing file: /home/user/data/MagicJack_short_call.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1334245056.670292000 sec (Thu 12 Apr 2012 15:37:36 GMT)
Dump stop : 1334245246.895631000 sec (Thu 12 Apr 2012 15:40:46 GMT)
Total dump duration: 190.225339000 sec (3m 10s)
Finished processing. Elapsed time: 0.001512618 sec
Finished unloading flow memory. Time: 0.001643613 sec
Percentage completed: 100.00%
Number of processed packets: 1381 (1.38 K)
Number of processed bytes: 293315 (293.31 K)
Number of raw bytes: 293315 (293.31 K)
Number of pad bytes: 490
Number of pcap bytes: 315435 (315.44 K)
Number of L2 packets: 21 [1.52%]
Number of IPv4 packets: 1360 (1.36 K) [98.48%]
Number of A packets: 720 [52.14%]
Number of B packets: 661 [47.86%]
Number of A bytes: 152644 (152.64 K) [52.04%]
Number of B bytes: 140671 (140.67 K) [47.96%]
<A packet load>: 212.01
<B packet load>: 212.82
--------------------------------------------------------------------------------
voipDetector: Aggregated voipStat=0x03c5
voipDetector: Aggregated sipMethods=0x000e
voipDetector: Number of SIP packets: 11 [0.80%]
voipDetector: Number of SIP INVITE packets: 2 [18.18%]
voipDetector: Number of SIP ACK packets: 2 [18.18%]
voipDetector: Number of SIP BYE packets: 1 [9.09%]
voipDetector: Number of SDP packets: 4 [0.29%]
voipDetector: Number of unique SDP audio address, port: 2 [50.00%]
voipDetector: Number of unique SIP/RTP flow matches: 2
voipDetector: Number of RTP packets: 1268 (1.27 K) [91.82%]
voipDetector: Max number of file handles: 2
--------------------------------------------------------------------------------
Headers count: min: 2, max: 3, avg: 2.98
Number of ARP packets: 21 [1.52%]
Number of ICMP packets: 10 [0.72%]
Number of TCP packets: 31 [2.24%]
Number of TCP bytes: 4774 (4.77 K) [1.63%]
Number of UDP packets: 1319 (1.32 K) [95.51%]
Number of UDP bytes: 286559 (286.56 K) [97.70%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 22
Number of processed L2 flows: 7 [31.82%]
Number of processed IPv4 flows: 15 [68.18%]
Number of processed A flows: 15 [68.18%]
Number of processed B flows: 7 [31.82%]
Number of request flows: 15 [68.18%]
Number of reply flows: 7 [31.82%]
Total A/B flow asymmetry: 0.36
Total req/rply flow asymmetry: 0.36
Number of processed A+B packets/A+B flows: 62.77
Number of processed A packets/A flows: 48.00
Number of processed B packets/ B flows: 94.43
Number of processed total packets/s: 7.26
Number of processed A+B packets/s: 7.26
Number of processed A packets/s: 3.78
Number of processed B packets/s: 3.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.12
<Bandwidth>: 12278 b/s (12.28 Kb/s)
<Raw bandwidth>: 12335 b/s (12.34 Kb/s)
Max number of flows in memory: 22 [0.01%]
Memory usage: 0.03 GB [0.04%]
Aggregated flowStat=0x0400000010004044
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] SIP/RTP
The end report tells you that RTP and SIP were detected and that it found 2 voice comms, which are written to your /tmp/TranVoIP/ directory.
tawk -V voipStat=0x03c5
The voipStat column with value 0x0385 is to be interpreted as follows:

   bit | voipStat | Description
   =============================================================================
     0 | 0x0001   | RTP detected
     2 | 0x0004   | SIP detected
     6 | 0x0040   | SDP detected
     7 | 0x0080   | RTP marker
     8 | 0x0100   | RTP content write operation
     9 | 0x0200   | SIP audio RTP flow announced
Note that no RTCP is detected, as it is switched off. First look at the flow file: you see the flows labelled as SIP or RTP, certain SIP and RTP parameters and the names of the extracted content.
tawk 'bitsanyset($voipStat,0x0005)' MagicJack_short_call_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 8 0x0400000000004000 1334245222.765593000 1334245235.575661000 12.810068000 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "!Private network" 49154 216.234.64.16 us "AS-NETZERO" 54550 17 0x0181 0 0x2a173650 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_8_G711u_0_A.raw"
B 8 0x0400000000004001 1334245222.821580000 1334245235.307648000 12.486068000 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us "AS-NETZERO" 54550 192.168.0.10 07 "!Private network" 49154 17 0x0101 0 0x31be1e0e 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_8_G711u_0_B.raw"
A 4 0x0400000000004000 1334245062.390891000 1334245235.625275000 173.234384000 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "!Private network" 59205 216.234.64.8 us "AS-NETZERO" 5070 17 0x0244 0x31be1e0e 0 0 0 0x0006 1 2 "" "" "E646657195201@talk4free.com";"9055551212@talk4free.com" "9055551212@talk4free.com";"E646657195201@talk4free.com" "C5570127C1A6A1ABF7ED9DB9AD608CE00xc" "E646657195201@192.168.0.10:59205" 200 INV;ACK "2209074887" 192.168.0.10 49154 0 0 PCMU/8000;8 PCMA/8000;101 telephone-event/8000;13 CN/8000 8 0 0 0 0 0 ""
B 4 0x0400000000004001 1334245215.755652000 1334245235.514488000 19.758836000 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us "AS-NETZERO" 5070 192.168.0.10 07 "!Private network" 59205 17 0x0244 0x2a173650 0 0 0 0x0008 4 1 "" "" "E646657195201@talk4free.com";"9055551212@talk4free.com" "9055551212@talk4free.com";"E646657195201@talk4free.com" "C5570127C1A6A1ABF7ED9DB9AD608CE00xc" "4165551212@216.234.64.8:5070";"9055551212@216.234.64.8:5070" 100;401;183;200 BYE "819596013" 216.234.64.16 54550 0 0 PCMU/8000;101 telephone-event/8000 8 0 0 0 0 0 ""
Flow 4 is SIP and the corresponding RTP flow is 8, as you can see in the voipFindex column of the SIP flow.
The file name denotes the VoIP ID, type of codec, compression type and the flow number, so that each file can be linked back to the originating flow and vice versa.
/directory/default name_voipID_flowIndex_A|B_CodecCoding.raw
tawk 'flow(4)' ~/results/MagicJack_short_call_packets.txt| tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
6 4 0x0400000000004000 1334245062.390891000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
15 4 0x0400000000004000 1334245082.389245000 19.998354000 0.000000000 19.998354000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
17 4 0x0400000000004000 1334245102.387733000 19.998488000 0.000000000 39.996842000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
27 4 0x0400000000004000 1334245122.385808000 19.998075000 0.000000000 59.994917000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
28 4 0x0400000000004000 1334245142.384185000 19.998377000 0.000000000 79.993294000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
29 4 0x0400000000004000 1334245162.382649000 19.998464000 0.000000000 99.991758000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
37 4 0x0400000000004000 1334245182.380802000 19.998153000 0.000000000 119.989911000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
38 4 0x0400000000004000 1334245202.379126000 19.998324000 0.000000000 139.988235000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
46 4 0x0400000000004000 1334245215.711324000 13.332198000 0.000000000 153.320433000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0044 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
47 4 0x0400000000004001 1334245215.755652000 0.000000000 0.044327936 0.000000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n
48 4 0x0400000000004001 1334245215.769396000 0.013744000 0.058071936 0.013744000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nDate: Thu, 12 Apr 2012 15:40:15 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG0-RG900-EP\r\nWWW-Authenticate: Digest nonce="30da0aed2_12170",realm="stratus.com",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
49 4 0x0400000000004000 1334245215.882668000 0.171344000 0.113272064 153.491777000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 ACK sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 0\r\n\r\n
50 4 0x0400000000004000 1334245215.884964000 0.002296000 0.115568000 153.494073000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0044 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
51 4 0x0400000000004001 1334245215.931983000 0.162587000 0.047019008 0.176331000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Length: 0\r\n\r\n
54 4 0x0400000000004001 1334245222.700515000 6.768532000 6.815551040 6.944863000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0044 SIP/2.0 183 Session Progress\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:4165551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:21 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
925 4 0x0400000000004001 1334245231.438652000 8.738137000 15.553688032 15.683000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0044 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:9055551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nSession-Expires: 600;refresher=uac\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:30 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
953 4 0x0400000000004000 1334245231.720574000 15.835610000 0.281922016 169.329683000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 ACK sip:9055551212@216.234.64.8:5070 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a0521bfbabb4b83043f;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
1324 4 0x0400000000004001 1334245235.514488000 4.075836000 3.793913984 19.758836000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 BYE sip:E646657195201@206.248.161.77:59205 SIP/2.0\r\nVia: SIP/2.0/UDP 216.234.64.8:5070;branch=z9hG4bK15d8ea400811cc4503BYE30da0aed4f86f75f\r\nMax-Forwards: 35\r\nTo: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nFrom: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1217001 BYE\r\nDate: Thu, 12 Apr 2012 15:40:34 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG900-RG900-EP-CPI15-CPO25791\r\nContent-Length: 0\r\n\r\n
1329 4 0x0400000000004000 1334245235.625275000 3.904701000 0.110787008 173.234384000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 216.234.64.8:5070;branch=z9hG4bK15d8ea400811cc4503BYE30da0aed4f86f75f;received=216.234.64.8\r\nFrom: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nTo: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1217001 BYE\r\nContent-Length: 0\r\nServer: mJ/2.00.632b.11054E4\r\nSupported: replaces,norefersub,timer\r\nX-RTPStat: RX=626;TX=640;ORD=0;DROP=0;MISS=0;INVPT=0;LOST=0;DUP=0;LATE=0;STOP=0;SR=1;LAST=220\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\n
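The voipFindex link between SIP flow 4 and RTP flow 8 can be reproduced by hand from the SDP bodies in the packets above. The following Python sketch is an added example, not voipDetector's own code: it parses the c= and m=audio lines of messages trimmed from packets 50 and 54 and reports the UDP flows whose two endpoints were both announced under the same Call-ID. The function names and the decoy flow 99 are constructed for illustration.

```python
"""Added illustration: match SDP-announced audio endpoints to UDP flows."""
from collections import defaultdict

COMPACT = {"i": "call-id", "c": "content-type"}   # RFC 3261 compact header names


def split_sip(message):
    """Return (headers, body); header names are lower-cased and expanded."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:           # [0] is the request/status line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers[COMPACT.get(name, name)] = value.strip()
    return headers, body


def sdp_audio_endpoints(body):
    """Return [(addr, port)] for each active m=audio line of an SDP body."""
    session_addr, media = None, []                # media entries: [addr, port, kind]
    for line in body.splitlines():
        line = line.strip()
        fields = line[2:].split()
        if line.startswith("c=") and len(fields) == 3:
            addr = fields[2].split("/")[0]        # strip multicast TTL suffix
            if media:
                media[-1][0] = addr               # media-level c= overrides
            else:
                session_addr = addr               # session-level default
        elif line.startswith("m=") and len(fields) >= 3:
            port = fields[1].split("/")[0]        # "port/count" form allowed
            if port.isdigit():
                media.append([None, int(port), fields[0]])
    # Port 0 means the stream was declined, so it can never carry RTP.
    return [(addr or session_addr, port) for addr, port, kind in media
            if kind == "audio" and port != 0 and (addr or session_addr)]


def correlate(sip_messages, flows):
    """Map Call-ID -> sorted flowInd of UDP flows between announced endpoints."""
    announced = defaultdict(set)
    for message in sip_messages:
        headers, body = split_sip(message)
        if headers.get("content-type", "").lower().startswith("application/sdp"):
            announced[headers.get("call-id", "?")].update(sdp_audio_endpoints(body))
    return {
        call_id: sorted({f["flowInd"] for f in flows
                         if f["l4Proto"] == 17
                         and (f["srcIP"], f["srcPort"]) in endpoints
                         and (f["dstIP"], f["dstPort"]) in endpoints})
        for call_id, endpoints in announced.items()
    }


# Trimmed from packets 50 (INVITE) and 54 (183 Session Progress) shown above.
INVITE = "\r\n".join([
    "INVITE sip:9055551212@talk4free.com SIP/2.0",
    "Call-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a",
    "CSeq: 2 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2209074887 2209074887 IN IP4 192.168.0.10",
    "c=IN IP4 192.168.0.10",
    "m=audio 49154 RTP/AVP 0 8 101 13",
    "c=IN IP4 192.168.0.10",
    ""])
PROGRESS = "\r\n".join([
    "SIP/2.0 183 Session Progress",
    "Call-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a",
    "CSeq: 2 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 819596013 819596013 IN IP4 216.234.64.8",
    "c=IN IP4 216.234.64.16",
    "m=audio 54550 RTP/AVP 0 101",
    ""])
SIP_MESSAGES = [INVITE, PROGRESS]


def _flow(ind, src, sport, dst, dport):
    return {"flowInd": ind, "l4Proto": 17, "srcIP": src, "srcPort": sport,
            "dstIP": dst, "dstPort": dport}


FLOWS = [
    _flow(4, "192.168.0.10", 59205, "216.234.64.8", 5070),    # SIP signalling
    _flow(8, "192.168.0.10", 49154, "216.234.64.16", 54550),  # RTP, A direction
    _flow(8, "216.234.64.16", 54550, "192.168.0.10", 49154),  # RTP, B direction
    _flow(99, "192.168.0.10", 49154, "203.0.113.7", 40000),   # constructed decoy
]

if __name__ == "__main__":
    print(correlate(SIP_MESSAGES, FLOWS))
```

The answer's media address 216.234.64.16 differs from the signalling peer 216.234.64.8, so matching on the SIP peer's IP alone would miss the RTP flow.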
Similar info is available in the packet file, where you can also track sequence numbers and IDs. If you look at the SIP flow in the packet file you can follow sequence numbers, SSRC, etc. This is really useful when analyzing complicated call schemes.
tawk 'flow(8)' ~/results/MagicJack_short_call_packets.txt| tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
55 8 0x0400000000004000 1334245222.765593000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0081 0 26528 0 0 0x2a173650 ..g.....*.6P.~.~~~~.....~~~~~...~...~}}~.....~~.~}~.....~~}~...~.....~~.~...~}~..~......~}}~.~..~...~~~~....~.~~~~...~..~}}...~....~~~~~..~~....~.~.....~~~~~~.....~~}.~....
57 8 0x0400000000004000 1334245222.795663000 0.030070000 0.000000000 0.030070000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26529 160 160 0x2a173650 ..g.....*.6P.~~..~.~~.....~.~......~~~~~.~~.....~~.~....~~~~~.~...~.~~~~....~..~.}~.~...~~~~~~.~...~~~}~..~..~.~~~~....~....~.....~~~~~~}~.....~.~~~......~~..~~....~.~~~.~.
58 8 0x0400000000004000 1334245222.796902000 0.001239000 0.000000000 0.031309000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26530 320 160 0x2a173650 ..g....@*.6P..~~~~.~~~...~}~.~......~}}~......~~~~~~~~..~~~.~...~~.~~~.~}~~~~..~.~~.......~~~.~....~.~~~...~..~.~~....~....~~...~.....~~~.~~...~~~~.~~...~~~}.~......~.~~~~.
59 8 0x0400000000004001 1334245222.821580000 0.000000000 0.024678016 0.000000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0001 0 18437 1769305803 0 0x31be1e0e ..H.iuv.1..........J8/,,.5B.........Y<1,+,0;V.........D6.,,/8I.........P<3/.07Ci........lG;535:BX.........VF?<=?HV.........mYPNNPXau.................waWOMMOWj.........WH?<<
62 8 0x0400000000004000 1334245222.825426000 0.028524000 0.003845952 0.059833000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26531 480 160 0x2a173650 ..g.....*.6P..~~~~~~......~~~~....~}~~~~~....~..}~~~~...~..~...~....~~.~.~~~~..~~}~~~~..~.}~..~.....~~~~......~~.~...~.....~~..~~....~~~....~..~~~}~...~..~.}.........~~.~..
63 8 0x0400000000004001 1334245222.828270000 0.006690000 0.002844032 0.006690000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18438 1769305963 160 0x31be1e0e ..H.iuwk1...>ET.........ZC:535:Ef........oD70..2;N.........K9/,,.5B.........Z<1,+,0;U.........D6.,,/8H.........Q<3/.07Bg........mG;635:BW.........WG?==?HV.........nZQNNQXau
64 8 0x0400000000004001 1334245222.848215000 0.019945000 0.022788992 0.026635000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18439 1769306123 160 0x31be1e0e ..H.iux\v1....................waVOMLOWj.........WH?<<>ES.........ZC:535:Ed........rD80..2;N.........K9/,,.5A|........[=1,+,0;T.........E6.,,/8H.........R=3/.07Bf........oG;6
65 8 0x0400000000004000 1334245222.855383000 0.029957000 0.007168000 0.089790000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26532 640 160 0x2a173650 ..g.....*.6P.~~.~.~~~..~~|..}~.......~}~.......~~~~~~..~.~~}~~......~~~~.~}~....~....~...~~~~~.~...~}}~~}~~~.........~~~}~..~.....~...}~}~.....~~.~}}....~.~~~~~......~~~...
66 8 0x0400000000004000 1334245222.856587000 0.001204000 0.008372032 0.090994000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26533 800 160 0x2a173650 ..g.... *.6P.}.~~.~.}.~~...~~}~.....}}........~~}~~.~~..~..~........~~}~.....~~~~~.....~~~~~~~...}..~}~.....~.}~.~...~~~..~~......~~~~~.~....~~~~..~....~~~.}}~~...~.~......
67 8 0x0400000000004001 1334245222.868178000 0.019963000 0.011590976 0.046598000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18440 1769306283 160 0x31be1e0e ..H\biux.1...45:BV.........WG?==?HU.........nZQNNQXbu.................x`VOLLNWi.........WH?<<>DR.........[C:535:Dc........uE80..2;M.........K9/,,.4Ay........\\=1,+,0;S.......
68 8 0x0400000000004000 1334245222.885435000 0.028848000 0.017257024 0.119842000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26534 960 160 0x2a173650 ..g.....*.6P~~~~~.~..}~...~~~.......~}~~.....~~~~~~....~}~...~~...~~}....~~..~~~~~~..~~.~.~~...~..~~}}~~....~~~~....~}....~...~..~~~~}~....}.~..~.~....~.}.~~~~~....~.....~.
69 8 0x0400000000004001 1334245222.887884000 0.019706000 0.002449024 0.066304000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18441 1769306443 160 0x31be1e0e ..H\tiuyK1.....E6.,,/7H.........S=4/.07Bd........pH;645:BV.........XG?==?HU.........o[RNORYbu.................x`VOLLNVh.........XH?<<=DR.........[C:534:Da........xE80..2;M..
70 8 0x0400000000004001 1334245222.908335000 0.020451000 0.022899968 0.086755000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18442 1769306603 160 0x31be1e0e ..H\niuy.1..........L9/,,.4Au........]=1-+,0;R.........F6.,,/7G.........T=4/.07Ac........sH<6459AU.........XH?==@HU.........o[ROORYbt.................y`VNLLNVh.........XH?<;
71 8 0x0400000000004000 1334245222.915332000 0.029897000 0.006996992 0.149739000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26535 1120 160 0x2a173650 ..g....`*.6P.~.~.~..~~}~....~~~....~~}~......~~~.~~...~~~~.~....~~~~~~~...~~}~~......~~~~~~......~~~~}....~}~~~......~}~~........}~~~~.~~.~..~.........~~~.......~........~.
...
In order to listen to the content you need to convert it to, e.g., .wav format.
Note that the encoding format G711u indicates that the raw stream is mu-law compressed.
Just use ffmpeg, which does a fine job.
cd /tmp/TranVoIP
ls
nudel_2a173650_8_A_G711u.raw nudel_31be1e0e_8_B_G711u.raw
ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_2a173650_8_A_G711u.raw nudelA.wav
ffmpeg version n4.3.2 Copyright (c) 2000-2021 the FFmpeg developers
...
ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_666_8_G711u_0_A.raw nudelA.wav
…
ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_31be1e0e_8_B_G711u.raw nudelB.wav
…
ls
nudel_666_8_G711u_0_A.raw nudel_666_8_G711u_0_B.raw nudelA.wav nudelB.wav
If you use a player such as vlc, then in nudelA.wav you hear the caller and in nudelB.wav the callee.
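For analysis hosts without ffmpeg, the same conversion can be done with the Python standard library. This is an added example, not part of the tutorial or of Tranalyzer: it expands the carved G.711 mu-law bytes to 16-bit PCM and can place caller and callee in one stereo file. It assumes both carved streams start at roughly the same time; the function names are chosen here for illustration.

```python
"""Added illustration: convert carved G.711 mu-law payload to a WAV file."""
import io
import struct
import sys
import wave

SAMPLE_RATE = 8000   # G.711 audio is sampled at 8 kHz (ffmpeg's -ar 8k)
BIAS = 0x84          # bias added by the mu-law encoder


def ulaw_to_linear(byte):
    """Expand one mu-law byte to a signed 16-bit linear PCM sample."""
    byte = ~byte & 0xFF                      # mu-law bytes are stored inverted
    magnitude = (((byte & 0x0F) << 3) + BIAS) << ((byte >> 4) & 0x07)
    return BIAS - magnitude if byte & 0x80 else magnitude - BIAS


# 256-entry lookup table: decoding a stream is then one index per byte.
ULAW_TABLE = [ulaw_to_linear(b) for b in range(256)]


def write_wav(dst, caller, callee=b""):
    """Write raw mu-law bytes to dst (path or file object) as 16-bit PCM.

    With a callee stream the result is stereo (caller left, callee right);
    the shorter side is padded with silence. Returns the frame count.
    """
    channels = [[ULAW_TABLE[b] for b in caller]]
    if callee:
        channels.append([ULAW_TABLE[b] for b in callee])
    frames = max(len(ch) for ch in channels)
    for ch in channels:
        ch.extend([0] * (frames - len(ch)))  # linear 0 is silence
    interleaved = [sample for frame in zip(*channels) for sample in frame]
    with wave.open(dst, "wb") as wav:
        wav.setnchannels(len(channels))
        wav.setsampwidth(2)                  # 16-bit samples
        wav.setframerate(SAMPLE_RATE)
        wav.writeframes(struct.pack("<%dh" % len(interleaved), *interleaved))
    return frames


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # usage: script.py OUT.wav CALLER.raw [CALLEE.raw]
        streams = []
        for path in sys.argv[2:4]:
            with open(path, "rb") as fh:
                streams.append(fh.read())
        print(write_wav(sys.argv[1], *streams), "frames written")
    else:
        # Constructed sample: 20 ms of mu-law silence (0xFF) per direction.
        demo = io.BytesIO()
        print(write_wav(demo, b"\xff" * 160, b"\xff" * 160), "frames written")
```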
In order to see some RTCP output, switch it on and recompile:
t2conf voipDetector -D VOIP_RTCP=1 && t2build voipDetector
Now try this pcap, sip_sjphone_conf.pcap, and execute t2 on it, including packet mode.
...
--------------------------------------------------------------------------------
voipDetector: Aggregated voipStat=0x03c7
voipDetector: Aggregated sipMethods=0x006e
voipDetector: Number of SIP packets: 60 [66.67%]
voipDetector: Number of SIP INVITE packets: 10 [16.67%]
voipDetector: Number of SIP ACK packets: 10 [16.67%]
voipDetector: Number of SIP BYE packets: 4 [6.67%]
voipDetector: Number of SIP REGISTER packets: 3 [5.00%]
voipDetector: Number of SIP OPTIONS packets: 2 [3.33%]
voipDetector: Number of SDP packets: 21 [23.33%]
voipDetector: Number of unique SDP audio address, port: 12 [57.14%]
voipDetector: Number of unique SIP/RTP flow matches: 4
voipDetector: Number of RTP packets: 16 [17.78%]
voipDetector: Number of RTCP packets: 14 [15.56%]
voipDetector: Max number of file handles: 1
--------------------------------------------------------------------------------
...
The end report tells us that there is indeed RTCP and that there are 4 SIP/RTP voice comms with some packet loss. The extracted content is written to the /tmp/TranVoIP directory, but, as configured, the directory is erased before writing.
tawk -V voipStat=0x03c7
The voipStat column with value 0x0387 is to be interpreted as follows:

   bit | voipStat | Description
   =============================================================================
     0 | 0x0001   | RTP detected
     1 | 0x0002   | RTCP detected
     2 | 0x0004   | SIP detected
     6 | 0x0040   | SDP detected
     7 | 0x0080   | RTP marker
     8 | 0x0100   | RTP content write operation
     9 | 0x0200   | SIP audio RTP flow announced
In the flow file you can spot the SIP/RTP pairs, the extracted sound files and the RTCP flows:
tcol sip_sjphone_conf_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 4 0x0400000000004000 1272330640.436538000 1272330640.472347000 0.035809000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13300 10.10.1.159 04 "!Private network" 49152 17 0x0101 0 0x3efeb4de 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_4_G711u_0_A.raw"
B 4 0x0400000000004001 1272330640.468537000 1272330640.547489000 0.078952000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 49152 10.10.3.109 04 "!Private network" 13300 17 0x0181 3 0x81bc2252 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_4_GSM_3_B.raw"
A 5 0x0400000000004000 1272330645.436875000 1272330665.436731000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13301 10.10.1.159 04 "!Private network" 49153 17 0x0002 200;201 0x3efeb4de 1 0 0 0x0000 0 0 "" "" 3 480 0 0 37 ""
A 6 0x0400000000004000 1272330645.455867000 1272330665.455723000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 18933 10.10.1.203 04 "!Private network" 49153 17 0x0002 201 0x41f3bca2 1 0 0 0x0000 0 0 "" "" 0 0 0 0 16 ""
A 9 0x0400000000004000 1272330666.186196000 1272330666.207883000 0.021687000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 49154 10.10.3.109 04 "!Private network" 11128 17 0x8000 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 ""
A 7 0x0400000000004000 1272330659.729745000 1272330669.382626000 9.652881000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 50030 10.10.3.109 04 "!Private network" 5060 17 0x0244 0 0 0 0x0020 3 1 "Telephone 0.14.3" "" "alice@10.10.3.109";"Aaron@10.10.3.109" "alice@10.10.3.109";"alice@10.10.1.203" "7UsL.UI5KOo0OTW6kIAIgjgiMMSOr9Hk";"0f0789f74e063ed55238d1bc1af6fc59@10" "alice@10.10.1.203:50030" 100;180;200 REG "3481319463" 10.10.1.203 4000 0 0 PCMU/8000;101 telephone-event/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000 0 0 0 0 0 ""
B 7 0x0400000000004001 1272330659.729874000 1272330669.373073000 9.643199000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.203 04 "!Private network" 50030 17 0x0244 0 0 0 0x000e 2 3 "Asterisk PBX" "" "alice@10.10.3.109";"Aaron@10.10.3.109" "alice@10.10.3.109";"alice@10.10.1.203:50030" "7UsL.UI5KOo0OTW6kIAIgjgiMMSOr9Hk";"0f0789f74e063ed55238d1bc1af6fc59@10" "alice@10.10.3.109";"alice@10.10.1.203:50030";"Aaron@10.10.3.109" 100;200 INV;ACK;BYE "8369" 10.10.3.109;10.10.1.159 30552;49154 0;0 0 PCMU/8000;3 GSM/8000;8 PCMA/8000;112 AAL2-G726-32/8000;5 DVI4/8000;10 L16/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000;101 telephone-event/8000 0 0 0 0 0 ""
A 8 0x0400000000004000 1272330666.144994000 1272330669.382632000 3.237638000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 4001 10.10.3.109 04 "!Private network" 30553 17 0x0002 202;0 0x33425619 1 0 0 0x0000 0 0 "" "" 0 0 0 0 0 ""
A 1 0x0400000000004000 1272330627.070062000 1272330670.178186000 43.108124000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 5060 10.10.3.109 04 "!Private network" 5060 17 0x0244 0x3efeb4de 0 0 0 0x006e 1 5 "" "" "Aaron@10.10.3.109";"aptos@10.10.3.109";"alice@10.10.3.109" "Aaron@10.10.3.109";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" "AA20AC76-1DD1-11B2-8F35-E1DE365F50B";"B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B";"BBE0D896-1DD1-11B2-8F35-E1DE365F50B";"BFDE35BA-1DD1-11B2-8F35-E1DE365F50B" "Aaron@10.10.1.159:5060" 200 REG;INV;ACK;OPT;BYE "3481319437";"3481319463" 10.10.1.159;10.10.1.159 49152;49154 0;0 3 GSM/8000;97 iLBC/8000;98 iLBC/8000;110 speex/8000;8 PCMA/8000;0 PCMU/8000;101 telephone-event/8000 4 0 0 0 0 0 ""
B 1 0x0400000000004001 1272330627.070257000 1272330670.178331000 43.108074000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.159 04 "!Private network" 5060 17 0x0244 0x81bc2252;0x7ddbd928 0 0 0 0x0006 4 2 "Asterisk PBX" "" "Aaron@10.10.3.109";"aptos@10.10.3.109";"alice@10.10.3.109" "Aaron@10.10.3.109";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" "AA20AC76-1DD1-11B2-8F35-E1DE365F50B";"B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B";"BBE0D896-1DD1-11B2-8F35-E1DE365F50B";"BFDE35BA-1DD1-11B2-8F35-E1DE365F50B" "Aaron@10.10.3.109";"Aaron@10.10.1.159:5060";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" 100;200;180;183 INV;ACK "8369" 10.10.3.109;10.10.1.203;10.10.3.109;10.10.1.203 13300;49152;11128;4000 0;0;0;0 3 GSM/8000;0 PCMU/8000;8 PCMA/8000;110 speex/8000;97 iLBC/8000;101 telephone-event/8000 4;9 0 0 0 0 0 ""
A 2 0x0400000000004000 1272330633.955796000 1272330670.254882000 36.299086000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 5060 10.10.3.109 04 "!Private network" 5060 17 0x0244 0 0 0 0x0060 3 2 "" "" "aptos@10.10.3.109";"Aaron@10.10.3.109" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"10.10.3.109" "AE3A28FA-1DD1-11B2-A21B-EB0302FB93D";"4da654ff563e88e64845418c304a5a5b@10";"C007E0FE-1DD1-11B2-A21B-EB0302FB93D" "aptos@10.10.1.203:5060" 100;180;200 REG;OPT "3481319438" 10.10.1.203 49152 0 0 PCMU/8000;101 telephone-event/8000;3 GSM/8000 0 0 0 0 0 ""
B 2 0x0400000000004001 1272330633.964017000 1272330670.221160000 36.257143000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.203 04 "!Private network" 5060 17 0x0244 0x2886dfa0 0 0 0 0x000e 2 3 "Asterisk PBX" "" "aptos@10.10.3.109";"Aaron@10.10.3.109" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"10.10.3.109" "AE3A28FA-1DD1-11B2-A21B-EB0302FB93D";"4da654ff563e88e64845418c304a5a5b@10";"C007E0FE-1DD1-11B2-A21B-EB0302FB93D" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"Aaron@10.10.3.109";"10.10.3.109" 100;200 INV;ACK;BYE "8369" 10.10.3.109;10.10.1.159 18932;49152 0;0 0 PCMU/8000;3 GSM/8000;8 PCMA/8000;112 AAL2-G726-32/8000;5 DVI4/8000;10 L16/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000;101 telephone-event/8000 3 0 0 0 0 0 ""
A 3 0x0400000000004000 1272330640.436361000 1272330670.251905000 29.815544000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 49152 10.10.3.109 04 "!Private network" 18932 17 0x1181 0 0x2886dfa0 0 1 0.1666667 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_3_G711u_0_A.raw"
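The SIP/RTP pairing visible in the flow output above can also be resolved by a script. The following is an added example, not part of the original tutorial or of Tranalyzer: it links each SIP flow to its RTP flow through voipFindex and voipSSRC, then lists RTCP flows carrying the same SSRC and the carved file. The sample is constructed (six columns only, values read from the output above) and the function names are hypothetical.

```python
# voipStat bits from the `tawk -V voipStat=...` table in this tutorial
RTP, RTCP, SIP = 0x0001, 0x0002, 0x0004

# Constructed sample: a flow file reduced to six columns, values read from the
# sip_sjphone_conf flow output above (real flow files are tab-separated).
COLS = ("%dir", "flowInd", "voipStat", "voipSSRC", "voipFindex", "voipFname")
ROWS = [
    ("A", "4", "0x0101", "0x3efeb4de", "", '"/tmp/TranVoIP/nudel_666_4_G711u_0_A.raw"'),
    ("B", "4", "0x0181", "0x81bc2252", "", '"/tmp/TranVoIP/nudel_666_4_GSM_3_B.raw"'),
    ("A", "5", "0x0002", "0x3efeb4de", "", '""'),
    ("A", "1", "0x0244", "0x3efeb4de", "4", '""'),
    ("B", "1", "0x0244", "0x81bc2252;0x7ddbd928", "4;9", '""'),
    ("B", "2", "0x0244", "0x2886dfa0", "3", '""'),
    ("A", "3", "0x1181", "0x2886dfa0", "", '"/tmp/TranVoIP/nudel_666_3_G711u_0_A.raw"'),
]
SAMPLE = "\n".join("\t".join(r) for r in (COLS, *ROWS)) + "\n"

def parse_flows(text):
    """Parse a flow file: '%'-prefixed header line, tab-separated columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def multi(value):
    """Split a repetitive column (';'-joined); drop quotes and empty items."""
    return [v.strip('"') for v in value.split(";") if v.strip('"')]

def has(flow, bit):
    return bool(int(flow["voipStat"], 16) & bit)

def correlate(text):
    """Return (SIP flow, RTP flow, SSRC, RTCP flowInds, carved file) per leg."""
    flows = parse_flows(text)
    rtcp = {}  # SSRC -> indices of RTCP flows carrying that SSRC
    for f in (f for f in flows if has(f, RTCP)):
        for s in multi(f["voipSSRC"]):
            rtcp.setdefault(s, []).append(f["flowInd"])
    legs = []
    for sip in (f for f in flows if has(f, SIP)):
        for rtp in (f for f in flows if has(f, RTP)):
            ssrc = rtp["voipSSRC"]
            # Link on both keys: the flow index and the SSRC noted in the SIP flow
            if rtp["flowInd"] in multi(sip["voipFindex"]) and ssrc in multi(sip["voipSSRC"]):
                legs.append((sip["dir"] + sip["flowInd"], rtp["dir"] + rtp["flowInd"],
                             ssrc, rtcp.get(ssrc, []), rtp["voipFname"].strip('"')))
    return legs

if __name__ == "__main__":
    for leg in correlate(SAMPLE):
        print(*leg)
```

On a real flow file, pass its contents to correlate(); the voipFindex column is only filled when VOIP_SIP=2, as in the configuration shown earlier.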
In the flow file you will see that there are many RTCP types being detected, and jitter info was conveyed.
tawk 'bitsanyset($voipStat,0x0002)' ~/results/sip_sjphone_conf_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 5 0x0400000000004000 1272330645.436875000 1272330665.436731000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13301 10.10.1.159 04 "!Private network" 49153 17 0x0002 200;201 0x3efeb4de 1 0 0 0x0000 0 0 "" "" 3 480 0 0 37 ""
A 6 0x0400000000004000 1272330645.455867000 1272330665.455723000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 18933 10.10.1.203 04 "!Private network" 49153 17 0x0002 201 0x41f3bca2 1 0 0 0x0000 0 0 "" "" 0 0 0 0 16 ""
A 8 0x0400000000004000 1272330666.144994000 1272330669.382632000 3.237638000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 4001 10.10.3.109 04 "!Private network" 30553 17 0x0002 202;0 0x33425619 1 0 0 0x0000 0 0 "" ""
Similar info is available on a packet basis.
tawk 'bitsanyset($voipStat,0x0002)' ~/results/sip_sjphone_conf_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
35 5 0x0400000000004000 1272330645.436875000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 200;202 0x3efeb4de ...\f>.......o.T,...@.........."R......}....%............>.......
36 6 0x0400000000004000 1272330645.455867000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
37 5 0x0400000000004000 1272330650.436866000 4.999991000 0.000000000 4.999991000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
38 6 0x0400000000004000 1272330650.455831000 4.999964000 0.000000000 4.999964000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
39 5 0x0400000000004000 1272330655.436803000 4.999937000 0.000000000 9.999928000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
40 6 0x0400000000004000 1272330655.455793000 4.999962000 0.000000000 9.999926000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
46 5 0x0400000000004000 1272330660.436770000 4.999967000 0.000000000 14.999895000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%.....\n......>.......
47 6 0x0400000000004000 1272330660.455760000 4.999967000 0.000000000 14.999893000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^..........\n......A.......
56 5 0x0400000000004000 1272330665.436731000 4.999961000 0.000000000 19.999856000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
57 6 0x0400000000004000 1272330665.455723000 4.999963000 0.000000000 19.999856000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
58 8 0x0400000000004000 1272330666.144994000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 202 0x33425619 ....3BV...a45f2@pjbbebb2.org....
63 8 0x0400000000004000 1272330666.155469000 0.010475000 0.000000000 0.010475000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 0x33425619 ....3BV.
75 8 0x0400000000004000 1272330669.372273000 3.216804000 0.000000000 3.227279000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 202 0x33425619 ....3BV...a135a@pj0cdc76.org....
80 8 0x0400000000004000 1272330669.382632000 0.010359000 0.000000000 3.237638000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 0x33425619 ....3BV.
Conclusion
Try also your own traffic.
Don’t forget to reset the voipDetector plugin configuration:
t2conf --reset voipDetector && t2build voipDetector
Have fun!