Voice over IP voice messages can be seen and overheard by wireshark

Unanswered Question
May 28th, 2008
User Badges:

a user put wireshark onto a voice port and was able to record other users voice mails. We are thinking about using port security to stop this but I think that spoofing the mac address of the phone would be to easy. I am not sure where a broadcast or multicast would take place for a user leaving a message. Is Call Manager involved, Unity or Exchange. Is there a way to make sure that all of the voice transmissions are unicast packets. Any help would be greatly appreciated because we would like to take the necessary precautions to avoid this at all cost.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Farrukh Haroon Thu, 05/29/2008 - 02:09
User Badges:
  • Red, 2250 points or more

There is an option to disable the PC's access to the voice VLAN, have you disabled that?

I think it is under CM >> Device >> Phone (At the end of the page)



Alex Pfeil Thu, 05/29/2008 - 03:51
User Badges:

this was not the issue. The user actually unplugged the phone all together.

Farrukh Haroon Thu, 05/29/2008 - 08:43
User Badges:
  • Red, 2250 points or more

Ahh sorry for not reading your initial post clearly.

The user most probably used some manipulation of his NIC card to get into the Voice Vlan in the first place, a penetration testing tool commonly used for this is Voip Hopper:


Detailed description of the attacks can be found on:


And on this presentation, that I would highly recommend you should have a look at:


The Cisco Solution (should be combined with other security best practices like port-security, etc.)


The specific command is:

switchport voice detect cisco-phone

I hope this helps you to take a step in the right direction to secure your VOIP network.

If you enforce this, the user cannot access the voice vlan in the first place, left alone listen to multicast/broadcast voice mails (which I doubt happened in the first place anyway). He most probably used one of the above techniques to capture the 'unicast' VOIP traffic.




This Discussion