VoIP, SIP, RTP: Voice over IP, Session Initiation Protocol, Real-time Transport Protocol

data carving layer 7 RTP RTCP SIP VoIP

VoIP SIP RTP
Preparation
voipDetector
Data carving with voipDetector
Conclusion

VoIP SIP RTP

This tutorial shows the capabilities of the plugin voipDetector. It displays troubleshooting information of SIP/RTP/RTCP and is able to carve RTP content.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y


Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow voipDetector txtSink


...
BUILD SUCCESSFUL

If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set for analyzing VoIP traffic!

voipDetector

This plugin was originally designed for troubleshooting of telco VoIP communication, therefore RTCP is also decoded which provides additional statistics to the basicStats plugin, such as packets lost and maximal jitter reporting.

Data carving with voipDetector

The configuration listed below, allows the user to enable the RTP content save mode, the length of SIP names in the flow structure, the path where RTP content is saved and the default name as a prefix if no file name can be found.

We also added an configurable offset in the payload of RTP, for special purpose applications.

voipDetector

vi src/voipDetector.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define VOIP_SIP     1 // > 0 Enable SIP decoder, 2: add RTP / SIP findex/ssrc flow correlation
#define VOIP_RTP     1 // Enable RTP/RTCP decoder
#define VOIP_SIP_PRV 1 // 1: try also srcIP for flow correlation (VOIP_SIP=2)
#define VOIP_RTCP    0 // Enable RTCP decoder
#define VOIP_ANALEN  0 // Check reported len against snap payload len

#define VOIP_SAVE    0 // Save RTP content
#define VOIP_BUFMODE 1 // Enable buffering of saved RTP content
#define VOIP_PLDOFF  0 // Offset for payload to save (require VOIP_SAVE=1)
#define VOIP_SVFDX   1 // Merge ops: 0: SSRC, 1: findex

#define VOIP_MINPKT  1 // Minimum packet length of a flow (require VOIP_SAVE=1)

#define SIPNMMAX    35 // Maximal SIP caller name length
#define SIPSTATMAX   8 // Maximal SIP state requests
#define SIPCLMAX     3 // Maximal SIP state requests name length
#define SIPRFXMAX  100 // Maximal SIP IP addr, m=audio / video ports
#define SIPADDMAX  100 // Maximal SIP addr

#define RTPBUFSIZE 4096 // Size of buffer for RTP content

#define VOIP_PERM S_IRWXU // File permissions

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define VOIP_RMDIR   1                // Empty VOIP_V_PATH before starting (require VOIP_SAVE=1)
#define VOIP_V_PATH  "/tmp/TranVoIP"  // Path for raw VoIP
#define VOIP_FNAME   "nudel"          // Default content file name prefix

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

For now we switch on VOIP_SAVE=1 and keep VOIP_RMDIR=1 as we like t2 to delete the files between experiments to remove clutter. RTCP decoding stays off as there is not much to troubleshoot in our pcaps and we like to put an emphasis to the data carving capabilities of t2.

Use t2conf, recompile and engage t2 on the MagicJack pcap with the packet mode.

t2conf voipDetector -D VOIP_SAVE=1 && t2build voipDetector

t2 -s -r ~/data/MagicJack_short_call.pcap -w ~/results


================================================================================
Tranalyzer 0.9.1 (Anteater), Cobra. PID: 10181, SID: 666
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.1
    02: voipDetector, 0.9.1
    03: txtSink, 0.9.1
[INF] IPv4 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 481438 (481.44 K)
[INF] IPv6 Ver: 5, Rev: 09082023, Range Mode: 0, subnet ranges loaded: 41486 (41.49 K)
Processing file: /home/user/test_data/data/rtp/MagicJack_short_call.pcap
Link layer type: Ethernet [EN10MB/1]
Snapshot length: 65535 (65.53 K)
Dump start: 1334245056.670292000 sec (Thu 12 Apr 2012 15:37:36 GMT)
Dump stop : 1334245246.895631000 sec (Thu 12 Apr 2012 15:40:46 GMT)
Total dump duration: 190.225339000 sec (3m 10s)
Finished processing. Elapsed time: 0.011634019 sec
Finished unloading flow memory. Time: 0.011839879 sec
Percentage completed: 100.00%
Number of processed packets: 1381 (1.38 K)
Number of processed bytes: 293315 (293.31 K)
Number of raw bytes: 293315 (293.31 K)
Number of pad bytes: 130
Number of pcap bytes: 315435 (315.44 K)
Number of IPv4 packets: 1360 (1.36 K) [98.48%]
Number of A packets: 720 [52.14%]
Number of B packets: 661 [47.86%]
Number of A bytes: 152644 (152.64 K) [52.04%]
Number of B bytes: 140671 (140.67 K) [47.96%]
<A packet load>: 212.01
<B packet load>: 212.82
--------------------------------------------------------------------------------
voipDetector: Aggregated voipStat=0x0385
voipDetector: Max number of file handles: 2
voipDetector: Number of SIP packets: 6 [0.43%]
voipDetector: Number of SDP packets: 2 [0.14%]
voipDetector: Number of INV packets: 1 [0.07%]
voipDetector: Number of BYE packets: 1 [0.07%]
voipDetector: Number of unique SDP audio address, port: 1 [0.07%]
voipDetector: Number of RTP packets: 1268 (1.27 K) [91.82%]
--------------------------------------------------------------------------------
Headers count: min: 2, max: 3, avg: 2.98
Number of ARP packets: 21 [1.52%]
Number of ICMP packets: 10 [0.72%]
Number of TCP packets: 31 [2.24%]
Number of TCP bytes: 4774 (4.77 K) [1.63%]
Number of UDP packets: 1319 (1.32 K) [95.51%]
Number of UDP bytes: 286559 (286.56 K) [97.70%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed      flows: 22
Number of processed L2   flows: 7 [31.82%]
Number of processed IPv4 flows: 15 [68.18%]
Number of processed A    flows: 15 [68.18%]
Number of processed B    flows: 7 [31.82%]
Number of request        flows: 15 [68.18%]
Number of reply          flows: 7 [31.82%]
Total   A/B    flow asymmetry: 0.36
Total req/rply flow asymmetry: 0.36
Number of processed A+B packets/A+B flows: 62.77
Number of processed A   packets/A   flows: 48.00
Number of processed   B packets/  B flows: 94.43
Number of processed total packets/s: 7.26
Number of processed A+B   packets/s: 7.26
Number of processed A     packets/s: 3.78
Number of processed   B   packets/s: 3.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<Number of processed flows/s>: 0.12
<Bandwidth>: 12278 b/s (12.28 Kb/s)
<Raw bandwidth>: 12335 b/s (12.34 Kb/s)
Max number of flows in memory: 22 [0.01%]
Memory usage: 0.03 GB [0.05%]
Aggregated flowStat=0x0400000010004044
[INF] Layer 2 flows
[INF] IPv4 flows
[INF] ARP
[INF] SIP/RTP

The end report tells you that RTP, SIP are detected and he found 2 voice comms being written to your /tmp/TranVoIP/ directory.

tawk -V voipStat=0x0385


The voipStat column with value 0x0385 is to be interpreted as follows:

   bit | voipStat   | Description
   =============================================================================
     0 | 0x0001     | RTP detected
     2 | 0x0004     | SIP detected
     7 | 0x0080     | RTP marker
     8 | 0x0100     | RTP content write operation
     9 | 0x0200     | SIP audio RTP flow announced

Note that there is no RTCP detected, as it is switched off. First look at the flow file, you see the flows labelled as SIP, or RTP, certain SIP, RTP parameters and the names of extracted content.

tcol ~/results/MagicJack_short_call_flows.txt

%dir	flowInd	flowStat	timeFirst	timeLast	duration	numHdrDesc	numHdrs	hdrDesc	srcMac	dstMac	ethType	vlanID	srcIP	srcIPCC	srcIPOrg	srcPort	dstIP	dstIPCC	dstIPOrg	dstPort	l4Proto	voipStat	voipType	voipID	voipSRCnt	voipPMCnt	voipPMr	voipSIPStatCnt	voipSIPReqCnt	voipSIPUsrAgnt	voipSIPRealIP	voipSIPFrm	voipSIPTo	voipSIPCallID	voipSIPContact	voipSIPStat	voipSIPReq	voipSDPSessID	voipSIPRFAdd	voipSIPRAFPrt	voipSIPRVFPrt	voipFname
A	7	0x0000000000000044	1334245104.331341000	1334245104.331341000	0.000000000	1	2	eth:arp	00:0e:53:1c:7e:b2	ff:ff:ff:ff:ff:ff	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
A	3	0x0000000000000044	1334245061.682774000	1334245220.746608000	159.063834000	1	2	eth:arp	68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
B	3	0x0000000000000045	1334245061.683269000	1334245220.747090000	159.063821000	1	2	eth:arp	6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
A	8	0x0400000000004000	1334245222.765593000	1334245235.575661000	12.810068000	1	3	eth:ipv4:udp	6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800		192.168.0.10	07	"Private network"	49154	216.234.64.16	us	"Ymax Communications / Magicjac"	54550	17	0x0181	0	0x2a173650	0	0	0	0	0	""	""											"/tmp/TranVoIP/nudel_666_8_G711u_0_A.raw"
B	8	0x0400000000004001	1334245222.821580000	1334245235.307648000	12.486068000	1	3	eth:ipv4:udp	68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800		216.234.64.16	us	"Ymax Communications / Magicjac"	54550	192.168.0.10	07	"Private network"	49154	17	0x0101	0	0x31be1e0e	0	0	0	0	0	""	""											"/tmp/TranVoIP/nudel_666_8_G711u_0_B.raw"
A	4	0x0400000000004000	1334245062.390891000	1334245235.625275000	173.234384000	1	3	eth:ipv4:udp	6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800		192.168.0.10	07	"Private network"	59205	216.234.64.8	us	"Ymax Communications / Magicjac"	5070	17	0x0000			0	0	0	0	0	""	""											""
B	4	0x0400000000004001	1334245215.755652000	1334245235.514488000	19.758836000	1	3	eth:ipv4:udp	68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800		216.234.64.8	us	"Ymax Communications / Magicjac"	5070	192.168.0.10	07	"Private network"	59205	17	0x0204			0	0	0	4	1	""	""	"sip:E646657195201@talk4free.com";"sip:9055551212@talk4free.com"	"sip:9055551212@talk4free.com";"sip:E646657195201@talk4free.com"	"C5570127C1A6A1ABF7ED9DB9AD608CE00xc"	"sip:9055551212@216.234.64.8:5070"	100;401;183;200	BYE	"819596013"	216.234.64.16	54550	0	""
A	1	0x0400000000004000	1334245056.670292000	1334245236.655187000	179.984895000	1	3	eth:ipv4:icmp	6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800		192.168.0.10	07	"Private network"	0	192.168.0.1	07	"Private network"	0	1	0x0000			0	0	0	0	0	""	""											""
B	1	0x0400000000004001	1334245056.686806000	1334245236.671664000	179.984858000	1	3	eth:ipv4:icmp	68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800		192.168.0.1	07	"Private network"	0	192.168.0.10	07	"Private network"	0	1	0x0000			0	0	0	0	0	""	""											""
A	6	0x0000000000000044	1334245068.782499000	1334245241.665789000	172.883290000	1	2	eth:arp	68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
B	6	0x0000000000000045	1334245068.782544000	1334245241.665836000	172.883292000	1	2	eth:arp	00:16:ec:e2:0d:f8	68:7f:74:1d:5f:eb	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
A	5	0x0400000000004000	1334245067.177032000	1334245246.583157000	179.406125000	1	3	eth:ipv4:udp	00:09:6b:bf:ae:7d	ff:ff:ff:ff:ff:ff	0x0800		192.168.0.4	07	"Private network"	138	192.168.0.15	07	"Private network"	138	17	0x0000			0	0	0	0	0	""	""											""
A	9	0x0400000000004000	1334245246.582974000	1334245246.583443000	0.000469000	1	3	eth:ipv4:udp	00:16:ec:e2:0d:f8	ff:ff:ff:ff:ff:ff	0x0800		192.168.0.2	07	"Private network"	138	192.168.0.15	07	"Private network"	138	17	0x0000			0	0	0	0	0	""	""											""
A	11	0x0000000000000044	1334245246.604931000	1334245246.604931000	0.000000000	1	2	eth:arp	00:16:ec:e2:0d:f8	ff:ff:ff:ff:ff:ff	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
A	12	0x0000000000000044	1334245246.604940000	1334245246.604940000	0.000000000	1	2	eth:arp	00:09:6b:bf:ae:7d	00:16:ec:e2:0d:f8	0x0806		-	-	"-"	0	-	-	"-"	0	0	0x0000		00	0	0	0	""	""											""
A	10	0x0400000000004000	1334245246.604739000	1334245246.608019000	0.003280000	1	3	eth:ipv4:udp	00:09:6b:bf:ae:7d	ff:ff:ff:ff:ff:ff	0x0800		192.168.0.4	07	"Private network"	137	192.168.0.15	07	"Private network"	137	17	0x0000			0	0	0	0	0	""	""											""
A	13	0x0400000000004000	1334245246.605043000	1334245246.608186000	0.003143000	1	3	eth:ipv4:udp	00:16:ec:e2:0d:f8	00:09:6b:bf:ae:7d	0x0800		192.168.0.2	07	"Private network"	137	192.168.0.4	07	"Private network"	137	17	0x0000			0	0	0	0	0	""	""											""
A	15	0x0400000000004000	1334245246.608310000	1334245246.608310000	0.000000000	1	3	eth:ipv4:icmp	00:09:6b:bf:ae:7d	00:16:ec:e2:0d:f8	0x0800		192.168.0.4	07	"Private network"	0	192.168.0.2	07	"Private network"	0	1	0x0000			0	0	0	0	0	""	""											""
B	15	0x0400000000004001	1334245246.608429000	1334245246.608429000	0.000000000	1	3	eth:ipv4:icmp	00:16:ec:e2:0d:f8	00:09:6b:bf:ae:7d	0x0800		192.168.0.2	07	"Private network"	0	192.168.0.4	07	"Private network"	0	1	0x0000			0	0	0	0	0	""	""											""
A	2	0x0400000000004000	1334245056.687467000	1334245246.665263000	189.977796000	1	3	eth:ipv4:udp	68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0800		192.168.0.1	07	"Private network"	32772	192.168.0.2	07	"Private network"	2972	17	0x0000			0	0	0	0	0	""	""											""
A	14	0x0400000000004000	1334245246.605115000	1334245246.895631000	0.290516000	1	3	eth:ipv4:tcp	00:09:6b:bf:ae:7d	00:16:ec:e2:0d:f8	0x0800		192.168.0.4	07	"Private network"	2139	192.168.0.2	07	"Private network"	139	6	0x0000			0	0	0	0	0	""	""											""
B	14	0x0400000000004001	1334245246.605293000	1334245246.745603000	0.140310000	1	3	eth:ipv4:tcp	00:16:ec:e2:0d:f8	00:09:6b:bf:ae:7d	0x0800		192.168.0.2	07	"Private network"	139	192.168.0.4	07	"Private network"	2139	6	0x0000			0	0	0	0	0	""	""

The file name coding denotes the VoIP ID, type of codec, compression type and which flow, so that each file can be linked back to the originating flow and vice versa.

/directory/default name_voipID_flowIndex_A|B_CodecCoding.raw

Similar info is available in the packet file, were you can also track sequence numbers and IDs.

tcol ~/results/MagicJack_short_call_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT    flowDuration  numHdrs  hdrDesc        ethVlanID  srcMac             dstMac             ethType  srcIP         srcIPCC  srcIPOrg         srcPort  dstIP         dstIPCC  dstIPOrg         dstPort  l4Proto  voipStat  voipType  voipSeqN  voipID  l7Content
...
44	6	0x0000000000000045	1334245210.507043000	28.838830000	0.000044992	141.724499000	2	eth:arp		00:16:ec:e2:0d:f8	68:7f:74:1d:5f:eb	0x0806										0x0000		..\b.........\r.....h.t._.......................
45	2	0x0400000000004000	1334245211.522083000	5.763982000	0.000000000	154.834616000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0800	192.168.0.1	07	Private network	32772	192.168.0.2	07	Private network	2972	17	0x0000				<12>Apr 12 11:40:10 kernel: DROP IN=ppp0 OUT= MAC= SRC=108.173.102.108 DST=206.248.161.77 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=419 DF PROTO=TCP SPT=64590 DPT=27488 SEQ=3689285428 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405AC01010402) \n
46	4	0x0400000000004000	1334245215.711324000	13.332198000	0.000000000	153.320433000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	59205	216.234.64.8	us	Ymax Communications / Magicjac	5070	17	0x0000				INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
47	4	0x0400000000004001	1334245215.755652000	0.000000000	0.044327936	0.000000000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.8	us	Ymax Communications / Magicjac	5070	192.168.0.10	07	Private network	59205	17	0x0004				SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n
48	4	0x0400000000004001	1334245215.769396000	0.013744000	0.058071936	0.013744000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.8	us	Ymax Communications / Magicjac	5070	192.168.0.10	07	Private network	59205	17	0x0004				SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nDate: Thu, 12 Apr 2012 15:40:15 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG0-RG900-EP\r\nWWW-Authenticate: Digest nonce="30da0aed2_12170",realm="stratus.com",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
49	4	0x0400000000004000	1334245215.882668000	0.171344000	0.113272064	153.491777000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	59205	216.234.64.8	us	Ymax Communications / Magicjac	5070	17	0x0000				ACK sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 0\r\n\r\n
50	4	0x0400000000004000	1334245215.884964000	0.002296000	0.115568000	153.494073000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	59205	216.234.64.8	us	Ymax Communications / Magicjac	5070	17	0x0000				INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
51	4	0x0400000000004001	1334245215.931983000	0.162587000	0.047019008	0.176331000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.8	us	Ymax Communications / Magicjac	5070	192.168.0.10	07	Private network	59205	17	0x0004				SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Length: 0\r\n\r\n
52	3	0x0000000000000044	1334245220.746608000	39.078481000	39.077982016	159.063834000	2	eth:arp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0806										0x0000		..\b.....h.t._..............\n...............m..
53	3	0x0000000000000045	1334245220.747090000	39.078464000	0.000481984	159.063821000	2	eth:arp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0806										0x0000		..\b.....l3.aM....\nh.t._....................m..
54	4	0x0400000000004001	1334245222.700515000	6.768532000	6.815551040	6.944863000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.8	us	Ymax Communications / Magicjac	5070	192.168.0.10	07	Private network	59205	17	0x0004				SIP/2.0 183 Session Progress\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:4165551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:21 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
55	8	0x0400000000004000	1334245222.765593000	0.000000000	0.000000000	0.000000000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0081	0	26528	0x2a173650	..g.....*.6P.~.~~~~.....~~~~~...~...~}}~.....~~.~}~.....~~}~...~.....~~.~...~}~..~......~}}~.~..~...~~~~....~.~~~~...~..~}}...~....~~~~~..~~....~.~.....~~~~~~.....~~}.~....
56	2	0x0400000000004000	1334245222.779378000	11.257295000	0.000000000	166.091911000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0800	192.168.0.1	07	Private network	32772	192.168.0.2	07	Private network	2972	17	0x0000				<12>Apr 12 11:40:21 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11188 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
57	8	0x0400000000004000	1334245222.795663000	0.030070000	0.000000000	0.030070000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26529	0x2a173650	..g.....*.6P.~~..~.~~.....~.~......~~~~~.~~.....~~.~....~~~~~.~...~.~~~~....~..~.}~.~...~~~~~~.~...~~~}~..~..~.~~~~....~....~.....~~~~~~}~.....~.~~~......~~..~~....~.~~~.~.
58	8	0x0400000000004000	1334245222.796902000	0.001239000	0.000000000	0.031309000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26530	0x2a173650	..g....@*.6P..~~~~.~~~...~}~.~......~}}~......~~~~~~~~..~~~.~...~~.~~~.~}~~~~..~.~~.......~~~.~....~.~~~...~..~.~~....~....~~...~.....~~~.~~...~~~~.~~...~~~}.~......~.~~~~.
59	8	0x0400000000004001	1334245222.821580000	0.000000000	0.024678016	0.000000000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0001	0	18437	0x31be1e0e	..H.iuv.1..........J8/,,.5B.........Y<1,+,0;V.........D6.,,/8I.........P<3/.07Ci........lG;535:BX.........VF?<=?HV.........mYPNNPXau.................waWOMMOWj.........WH?<<
60	2	0x0400000000004000	1334245222.822292000	0.042914000	0.000000000	166.134825000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0800	192.168.0.1	07	Private network	32772	192.168.0.2	07	Private network	2972	17	0x0000				<12>Apr 12 11:40:22 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11189 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
61	2	0x0400000000004000	1334245222.822473000	0.000181000	0.000000000	166.135006000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	00:16:ec:e2:0d:f8	0x0800	192.168.0.1	07	Private network	32772	192.168.0.2	07	Private network	2972	17	0x0000				<12>Apr 12 11:40:22 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11190 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
62	8	0x0400000000004000	1334245222.825426000	0.028524000	0.003845952	0.059833000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26531	0x2a173650	..g.....*.6P..~~~~~~......~~~~....~}~~~~~....~..}~~~~...~..~...~....~~.~.~~~~..~~}~~~~..~.}~..~.....~~~~......~~.~...~.....~~..~~....~~~....~..~~~}~...~..~.}.........~~.~..
63	8	0x0400000000004001	1334245222.828270000	0.006690000	0.002844032	0.006690000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18438	0x31be1e0e	..H.iuwk1...>ET.........ZC:535:Ef........oD70..2;N.........K9/,,.5B.........Z<1,+,0;U.........D6.,,/8H.........Q<3/.07Bg........mG;635:BW.........WG?==?HV.........nZQNNQXau
64	8	0x0400000000004001	1334245222.848215000	0.019945000	0.022788992	0.026635000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18439	0x31be1e0e	..H.iux.1....................waVOMLOWj.........WH?<<>ES.........ZC:535:Ed........rD80..2;N.........K9/,,.5A|........[=1,+,0;T.........E6.,,/8H.........R=3/.07Bf........oG;6
65	8	0x0400000000004000	1334245222.855383000	0.029957000	0.007168000	0.089790000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26532	0x2a173650	..g.....*.6P.~~.~.~~~..~~|..}~.......~}~.......~~~~~~..~.~~}~~......~~~~.~}~....~....~...~~~~~.~...~}}~~}~~~.........~~~}~..~.....~...}~}~.....~~.~}}....~.~~~~~......~~~...
66	8	0x0400000000004000	1334245222.856587000	0.001204000	0.008372032	0.090994000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26533	0x2a173650	..g.... *.6P.}.~~.~.}.~~...~~}~.....}}........~~}~~.~~..~..~........~~}~.....~~~~~.....~~~~~~~...}..~}~.....~.}~.~...~~~..~~......~~~~~.~....~~~~..~....~~~.}}~~...~.~......
67	8	0x0400000000004001	1334245222.868178000	0.019963000	0.011590976	0.046598000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18440	0x31be1e0e	..H\biux.1...45:BV.........WG?==?HU.........nZQNNQXbu.................x`VOLLNWi.........WH?<<>DR.........[C:535:Dc........uE80..2;M.........K9/,,.4Ay........\=1,+,0;S.......
68	8	0x0400000000004000	1334245222.885435000	0.028848000	0.017257024	0.119842000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26534	0x2a173650	..g.....*.6P~~~~~.~..}~...~~~.......~}~~.....~~~~~~....~}~...~~...~~}....~~..~~~~~~..~~.~.~~...~..~~}}~~....~~~~....~}....~...~..~~~~}~....}.~..~.~....~.}.~~~~~....~.....~.
69	8	0x0400000000004001	1334245222.887884000	0.019706000	0.002449024	0.066304000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18441	0x31be1e0e	..H\tiuyK1.....E6.,,/7H.........S=4/.07Bd........pH;645:BV.........XG?==?HU.........o[RNORYbu.................x`VOLLNVh.........XH?<<=DR.........[C:534:Da........xE80..2;M..
70	8	0x0400000000004001	1334245222.908335000	0.020451000	0.022899968	0.086755000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18442	0x31be1e0e	..H\niuy.1..........L9/,,.4Au........]=1-+,0;R.........F6.,,/7G.........T=4/.07Ac........sH<6459AU.........XH?==@HU.........o[ROORYbt.................y`VNLLNVh.........XH?<;
71	8	0x0400000000004000	1334245222.915332000	0.029897000	0.006996992	0.149739000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26535	0x2a173650	..g....`*.6P.~.~.~..~~}~....~~~....~~}~......~~~.~~...~~~~.~....~~~~~~~...~~}~~......~~~~~~......~~~~}....~}~~~......~}~~........}~~~~.~~.~..~.........~~~.......~........~.
72	8	0x0400000000004000	1334245222.916573000	0.001241000	0.008238016	0.150980000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26536	0x2a173650	..g.....*.6P~~~}.~..~~~~~...~.....~~~}~....~~~~~}~....~}..~~....~~..~~}....~.~~.~~....}~~|......~~.~~}.....~}}~......}~~...~....~~~~.....~~~.~~....~..~~~....~~~~~........~~
73	8	0x0400000000004001	1334245222.927796000	0.019461000	0.011222976	0.106216000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18443	0x31be1e0e	..H.iuz.1...=DQ.........\D:5349C`........{E80..2:L.........L9/,,.4@q........^=2-+,0:Q.........F7/,,/7G.........U=4/.07Aa........vI<6459AU.........YH?==@HU}........p[SOORYbt
74	8	0x0400000000004000	1334245222.945426000	0.028853000	0.017630016	0.179833000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26537	0x2a173650	..g.....*.6P~~~.....}}}~....~.~..~}.~~.~...~..~......~~~~~.~~..~.~~~......~.~..~.....~~~~....~~..~~.~~.....~~~~......~~}.~......~~~~~~....~~.~.~~...~~~~~~.~~}~...~~....~..~
75	8	0x0400000000004001	1334245222.947757000	0.019961000	0.002331008	0.126177000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18444	0x31be1e0e	..H\fiu{+1..........~.........y`VNLKNUg.........XH?<;=CP.........]D:5249C_.........F80..1:L.........M9/,,.4@n........_=2-+,/:P.........G7/,,/7F.........V=4/.07A_........yI<6
76	8	0x0400000000004001	1334245222.967973000	0.020216000	0.022547008	0.146393000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18445	0x31be1e0e	..H\riu{.1...459AT.........YH?==@HU|........r\SOOSYct.......~.........y`UNKKMUf.........XH?<;=CP.........]D:5249C^.........F80..1:K.........M:/,,-4?l........`>2-+,/:O.......
77	8	0x0400000000004000	1334245222.975446000	0.030020000	0.007473024	0.209853000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26538	0x2a173650	..g....@*.6P.~.~....~~~~~~~~.....~~~~}.....~..~~.~..~..~~~}....~~}..~.......~~.~......~~~~.~~..~~~.~~~~~....~.~~.~...~}}}..~~....~~~~.~...|..~........~~~~~~~...}}~..~~.....
78	8	0x0400000000004000	1334245222.976670000	0.001224000	0.008697024	0.211077000	3	eth:ipv4:udp		6c:33:a9:61:4d:17	68:7f:74:1d:5f:eb	0x0800	192.168.0.10	07	Private network	49154	216.234.64.16	us	Ymax Communications / Magicjac	54550	17	0x0101	0	26539	0x2a173650	..g.....*.6P~~~~....~~.~~...~..~...~}.......~~.~.~.....~}~~.~...~}~}........~..~....~.~.}~~~~..~~}~~}}~....~~}~~...~~~~.~.......~~~}~}..~~..~.~~...~..~~~.}}~~.....~......~~
79	8	0x0400000000004001	1334245222.988158000	0.020185000	0.011488000	0.166578000	3	eth:ipv4:udp		68:7f:74:1d:5f:eb	6c:33:a9:61:4d:17	0x0800	216.234.64.16	us	Ymax Communications / Magicjac	54550	192.168.0.10	07	Private network	49154	17	0x0101	0	18446	0x31be1e0e	..H.iu|k1.....G7/,,/7F.........W>4/.06A_........|I<6459AT.........ZI@==@HTz........s\TOOSZct.......}.........z`UNKKMTe.........YH?<;=CO.........^D:4249B].........F80..1:K..
...

In order to listen to the content you need to convert to e.g. .wav format. Note that the encoding format G711. indicates that the raw stream is mu-law compressed. Just use ffmpeg which does a fine job.

cd /tmp/TranVoIP

ls


nudel_2a173650_8_A_G711u.raw  nudel_31be1e0e_8_B_G711u.raw

ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_2a173650_8_A_G711u.raw nudelA.wav

ffmpeg version n4.3.2 Copyright (c) 2000-2021 the FFmpeg developers
...

$ ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_666_8_G711u_0_A.raw nudelA.wav … $ ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_31be1e0e_8_B_G711u.raw nudelB.wav … $

ls


nudel_666_8_G711u_0_A.raw  nudel_666_8_G711u_0_B.raw  nudelA.wav  nudelB.wav

If you use a player such as vlc, then in nudelA.wav you hear the caller and in nudelB.wav the callee.

In order to see some RTCP output, switch switch it on and recompile

t2conf voipDetector -D VOIP_RTCP=1 && t2build voipDetector

Now try this pcap sip_sjphone_conf.pcap and execute t2 on it including packet mode.

t2 -r ~/data/sip_sjphone_conf.pcap -w ~/results/ -s


...
--------------------------------------------------------------------------------
voipDetector: Aggregated voipStat=0x0387
voipDetector: Max number of file handles: 1
voipDetector: Number of SIP packets: 60 [66.67%]
voipDetector: Number of SDP packets: 21 [23.33%]
voipDetector: Number of INV packets: 20 [22.22%]
voipDetector: Number of BYE packets: 8 [8.89%]
voipDetector: Number of unique SDP audio address, port: 12 [13.33%]
voipDetector: Number of RTP packets: 16 [17.78%]
voipDetector: Number of RTCP packets: 14 [15.56%]
--------------------------------------------------------------------------------
...

And the end report tells us, there is indeed RTCP and 4 voice comms with some packet loss. The extracted content is written to the /tmp/TranVoip directory, but as configured the directory is erased before writing.

tawk -V voipStat=0x0387


The voipStat column with value 0x0387 is to be interpreted as follows:

   bit | voipStat   | Description
   =============================================================================
     0 | 0x0001     | RTP detected
     1 | 0x0002     | RTCP detected
     2 | 0x0004     | SIP detected
     7 | 0x0080     | RTP marker
     8 | 0x0100     | RTP content write operation
     9 | 0x0200     | SIP audio RTP flow announced

In the flow file you will see that there are many RTCP types being detected, and jitter info was conveyed.

tawk ‘bitsanyset($voipStat,0x0002)’ ~/results/sip_sjphone_conf_flows.txt

%dir	flowInd	flowStat	timeFirst	timeLast	duration	numHdrDesc	numHdrs	hdrDesc	srcMac	dstMac	ethType	vlanID	srcIP	srcIPCC	srcIPOrg	srcPort	dstIP	dstIPCC	dstIPOrg	dstPort	l4Proto	voipStat	voipType	voipID	voipSRCnt	voipPMCnt	voipPMr	voipSIPStatCnt	voipSIPReqCnt	voipSIPUsrAgnt	voipSIPRealIP	voipSIPFrm	voipSIPTo	voipSIPCallID	voipSIPContact	voipSIPStat	voipSIPReq	voipSDPSessID	voipSIPRFAdd	voipSIPRAFPrt	voipSIPRVFPrt	voipTPCnt	voipTBCnt	voipFracLst	voipCPMCnt	voipMaxIAT
A	5	0x0400000000004000	1272330645.436875000	1272330665.436731000	19.999856000	1	3	eth:ipv4:udp	00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800		10.10.3.109	04	"Private network"	13301	10.10.1.159	04	"Private network"	49153	17	0x0002	200;201	0x3efeb4de	1	0	0	0	0	""	""											3	480	0	0	37
A	6	0x0400000000004000	1272330645.455867000	1272330665.455723000	19.999856000	1	3	eth:ipv4:udp	00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800		10.10.3.109	04	"Private network"	18933	10.10.1.203	04	"Private network"	49153	17	0x0002	201	0x41f3bca2	1	0	0	0	0	""	""											0	0	0	0	16
A	8	0x0400000000004000	1272330666.144994000	1272330669.382632000	3.237638000	1	3	eth:ipv4:udp	00:16:cb:ab:a2:2b	00:19:b9:f7:4b:02	0x0800		10.10.1.203	04	"Private network"	4001	10.10.3.109	04	"Private network"	30553	17	0x0002	202;0	0x33425619	1	0	0	0	0	""	""

Similar info is available on a packet basis.

tawk ‘bitsanyset($voipStat,0x0002)’ ~/results/sip_sjphone_conf_packets.txt

%pktNo	flowInd	flowStat	time	pktIAT	pktTrip	flowDuration	numHdrs	hdrDesc	vlanID	srcMac	dstMac	ethType	srcIP	srcIPCC	srcIPOrg	srcPort	dstIP	dstIPCC	dstIPOrg	dstPort	l4Proto	voipStat	voipType	voipSeqN	voipID	l7Content
35	5	0x0400000000004000	1272330645.436875000	0.000000000	0.000000000	0.000000000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800	10.10.3.109	04	Private network	13301	10.10.1.159	04	Private network	49153	17	0x0002	200;202		0x3efeb4de	...\f>.......o.T,...@.........."R......}....%............>.......
36	6	0x0400000000004000	1272330645.455867000	0.000000000	0.000000000	0.000000000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800	10.10.3.109	04	Private network	18933	10.10.1.203	04	Private network	49153	17	0x0002	201;202		0x41f3bca2	....A...(.........^.................A.......
37	5	0x0400000000004000	1272330650.436866000	4.999991000	0.000000000	4.999991000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800	10.10.3.109	04	Private network	13301	10.10.1.159	04	Private network	49153	17	0x0002	201;202		0x3efeb4de	....>....."R......}....%............>.......
38	6	0x0400000000004000	1272330650.455831000	4.999964000	0.000000000	4.999964000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800	10.10.3.109	04	Private network	18933	10.10.1.203	04	Private network	49153	17	0x0002	201;202		0x41f3bca2	....A...(.........^.................A.......
39	5	0x0400000000004000	1272330655.436803000	4.999937000	0.000000000	9.999928000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800	10.10.3.109	04	Private network	13301	10.10.1.159	04	Private network	49153	17	0x0002	201;202		0x3efeb4de	....>....."R......}....%............>.......
40	6	0x0400000000004000	1272330655.455793000	4.999962000	0.000000000	9.999926000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800	10.10.3.109	04	Private network	18933	10.10.1.203	04	Private network	49153	17	0x0002	201;202		0x41f3bca2	....A...(.........^.................A.......
46	5	0x0400000000004000	1272330660.436770000	4.999967000	0.000000000	14.999895000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800	10.10.3.109	04	Private network	13301	10.10.1.159	04	Private network	49153	17	0x0002	201;202		0x3efeb4de	....>....."R......}....%.....\n......>.......
47	6	0x0400000000004000	1272330660.455760000	4.999967000	0.000000000	14.999893000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800	10.10.3.109	04	Private network	18933	10.10.1.203	04	Private network	49153	17	0x0002	201;202		0x41f3bca2	....A...(.........^..........\n......A.......
56	5	0x0400000000004000	1272330665.436731000	4.999961000	0.000000000	19.999856000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:8c:ea:27	0x0800	10.10.3.109	04	Private network	13301	10.10.1.159	04	Private network	49153	17	0x0002	201;202		0x3efeb4de	....>....."R......}....%............>.......
57	6	0x0400000000004000	1272330665.455723000	4.999963000	0.000000000	19.999856000	3	eth:ipv4:udp		00:19:b9:f7:4b:02	00:16:cb:ab:a2:2b	0x0800	10.10.3.109	04	Private network	18933	10.10.1.203	04	Private network	49153	17	0x0002	201;202		0x41f3bca2	....A...(.........^.................A.......
58	8	0x0400000000004000	1272330666.144994000	0.000000000	0.000000000	0.000000000	3	eth:ipv4:udp		00:16:cb:ab:a2:2b	00:19:b9:f7:4b:02	0x0800	10.10.1.203	04	Private network	4001	10.10.3.109	04	Private network	30553	17	0x0002	202		0x33425619	....3BV...a45f2@pjbbebb2.org....
63	8	0x0400000000004000	1272330666.155469000	0.010475000	0.000000000	0.010475000	3	eth:ipv4:udp		00:16:cb:ab:a2:2b	00:19:b9:f7:4b:02	0x0800	10.10.1.203	04	Private network	4001	10.10.3.109	04	Private network	30553	17	0x0002			0x33425619	....3BV.
75	8	0x0400000000004000	1272330669.372273000	3.216804000	0.000000000	3.227279000	3	eth:ipv4:udp		00:16:cb:ab:a2:2b	00:19:b9:f7:4b:02	0x0800	10.10.1.203	04	Private network	4001	10.10.3.109	04	Private network	30553	17	0x0002	202		0x33425619	....3BV...a135a@pj0cdc76.org....
80	8	0x0400000000004000	1272330669.382632000	0.010359000	0.000000000	3.237638000	3	eth:ipv4:udp		00:16:cb:ab:a2:2b	00:19:b9:f7:4b:02	0x0800	10.10.1.203	04	Private network	4001	10.10.3.109	04	Private network	30553	17	0x0002			0x33425619	....3BV.

Conclusion

Try also your own traffic.

Don’t forget to reset the voipDetector plugin configuration:

t2conf --reset voipDetector && t2build voipDetector

Have fun!