+1 855 802 6465    +1 888 483 5723

Getting Help From Tshark

ClearlyIP’s Tips and Tricks


The other day we had to assist a customer with some registration issues. A couple of their extensions are using PJSIP technology running on port 5160 and one of them couldn’t register to the PBX.

As you know we wrote an article about SIP debugging with sngrep, but today we will talk about tshark.

According to its manual page [1] “Tshark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. Tshark’s native capture file format is pcapng format, which is also the format used by Wireshark and various other tools.”

In our particular case, sngrep was not installed on their PBX but tshark was and we decided to run the following command to see in real-time if the extension that was having issues registering to the PBX was actually sending the registration on port 5160.

tshark -f “udp port 5160” -i any

Where the option -f is the packet filter, and -i stands for interface, so we are filtering udp packets on port 5160 on any network interface.

Once we ran the command and asked the user to register the extension again, we saw in real-time how the extensions were sending registration attempts to the PBX.


With this, we saw port 5160 was able to catch registrations and, in the end, the issue was caused by a typo error in the extension number