WIRESHARK VOIP ANALYSIS PROFILE
Network Analysis for VoIP Engineers — Cheesman Press
=====================================================

WHAT'S INCLUDED
---------------
preferences             - Column layout, timing, and protocol settings
colorfilters            - Color rules for SIP, RTP, errors, and DTMF
dfilters                - 20 pre-loaded filter bookmarks (labeled, in the
                          filter bookmark dropdown next to the filter bar)

INSTALLATION
------------
Wireshark stores profiles in a "profiles" directory. The location depends
on your operating system:

  macOS:    ~/Library/Application Support/Wireshark/profiles/
  Windows:  %APPDATA%\Wireshark\profiles\
  Linux:    ~/.config/wireshark/profiles/

Steps:

  1. Create a new folder named "VoIP Analysis" inside the profiles directory:
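       macOS/Linux:  mkdir -p "$HOME/.config/wireshark/profiles/VoIP Analysis"
                     ($HOME is used because ~ does not expand inside quotes;
                     if your profiles directory differs, substitute the path
                     listed above for your operating system)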
       Windows:      Create folder manually in Explorer

  2. Copy all three files into that folder:
       preferences
       colorfilters
       dfilters

  3. In Wireshark: Edit > Configuration Profiles
     Select "VoIP Analysis" and click OK (or double-click it)

  4. Wireshark restarts with the VoIP Analysis profile active.
     You will see the custom columns and filter shortcuts immediately.

  5. To switch back to your default profile at any time:
       Edit > Configuration Profiles > Default

WHAT EACH SETTING DOES
-----------------------

COLUMNS (left to right):
  No.          Packet number
  Time         Seconds since first packet (set INVITE as time reference for call timing)
  Source       Source IP
  Destination  Destination IP
  Protocol     Protocol name (SIP, RTP, STUN, etc.)
  Length       Packet size in bytes
  Delta        Time since previous displayed packet — key for spotting retransmit intervals
  Info         Wireshark's packet summary line

The Delta column is the addition most useful for VoIP work. It shows the
inter-packet gap for each displayed packet, making retransmit intervals
(0.5s, 1.0s, 2.0s... for Timer T1) immediately visible without manual
timestamp math.
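
The same retransmit pattern can be checked offline from exported packet fields. This is an added example, not part of the profile files: the sample rows, the tolerance, and the function names are constructed for illustration. It goes one step beyond the T1 case above by applying the T2 cap (4 s) that RFC 3261 places on non-INVITE retransmit intervals.

```python
from collections import defaultdict

T1 = 0.5    # RFC 3261 default T1 in seconds
T2 = 4.0    # RFC 3261 default T2: cap on the non-INVITE retransmit interval
TOL = 0.10  # assumed allowance for capture jitter, as a fraction of the expected gap

# Constructed sample: (relative time, Call-ID, CSeq) for SIP requests over UDP,
# in the shape of the exported fields frame.time_relative, sip.Call-ID, sip.CSeq.
SAMPLE = [
    (0.000, "a1@pbx", "1 INVITE"), (0.501, "a1@pbx", "1 INVITE"),
    (1.503, "a1@pbx", "1 INVITE"), (3.502, "a1@pbx", "1 INVITE"),
    (0.200, "b2@pbx", "7 INVITE"), (0.230, "b2@pbx", "7 INVITE"),
    (10.0, "r9@pbx", "3 REGISTER"), (10.5, "r9@pbx", "3 REGISTER"),
    (11.5, "r9@pbx", "3 REGISTER"), (13.5, "r9@pbx", "3 REGISTER"),
    (17.5, "r9@pbx", "3 REGISTER"), (21.5, "r9@pbx", "3 REGISTER"),
    (5.000, "d4@pbx", "2 BYE"),  # sent once, so it has no deltas
]

def retransmit_deltas(rows):
    """Group requests by (Call-ID, CSeq) and return the gaps between copies."""
    seen = defaultdict(list)
    for ts, call_id, cseq in sorted(rows):
        seen[(call_id, cseq)].append(ts)
    return {key: [round(b - a, 3) for a, b in zip(times, times[1:])]
            for key, times in seen.items() if len(times) > 1}

def expected_gap(i, method):
    """Gap before retransmit i: T1 doubling, capped at T2 for non-INVITE."""
    gap = T1 * 2 ** i
    return gap if method == "INVITE" else min(gap, T2)

def follows_backoff(deltas, method):
    """True if every observed gap is within TOL of the timer schedule."""
    return all(abs(d - expected_gap(i, method)) <= TOL * expected_gap(i, method)
               for i, d in enumerate(deltas))

def classify(rows):
    """Label each repeated request as timer-driven or irregular."""
    return {key: "t1-backoff" if follows_backoff(d, key[1].split()[-1])
            else "irregular"
            for key, d in retransmit_deltas(rows).items()}

if __name__ == "__main__":
    deltas = retransmit_deltas(SAMPLE)
    for key, label in classify(SAMPLE).items():
        print(key, deltas[key], label)
```

Gaps labeled "irregular" do not follow the timer schedule and usually point to duplicated capture paths rather than SIP-level retransmission.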

COLOR RULES (highest priority first):
  Dark red background   — SIP 5xx/6xx errors (server/global failures)
  Light red background  — SIP 4xx errors (client failures: 403, 404, 488, etc.)
  Green background      — SIP 200 OK
  Yellow background     — SIP 180 Ringing
  Blue background       — SIP INVITE
  Orange background     — DTMF events (PT=101)
  Pink background       — RTP not marked EF (QoS audit)
  Blue-grey background  — RTP (normal)
  Yellow-green          — STUN/ICE
  Cyan                  — DTLS

TIME REFERENCE TIP
------------------
Right-click any INVITE packet > Set/Unset Time Reference
This resets the Time column to 0:00.000 at that packet.
All subsequent packets show time relative to call start.
Timer B fires at ~32s, session timer at ~1800s — immediately visible
without calculating absolute timestamp differences.

FILTER BOOKMARKS
----------------
Click the bookmark icon at the left end of the display-filter bar to
open the filter bookmark menu. The profile pre-loads 20 labeled
bookmarks (All SIP, INVITE, REGISTER, BYE, Transfer flow, SIP errors,
200 OK, DTMF, G.729, RTP no QoS, Talk-spurt, STUN/DTLS, DNS + SIP,
T.38 fax, TLS errors, Fragments, SIP TCP RST, VLAN discovery, and
two combined views). Click any bookmark to apply that filter
instantly.

To turn any bookmark into a toolbar button that is always visible
above the packet list: Edit > Preferences > Filter Buttons > Add,
then enter the label and filter from the bookmark menu.
