Wireshark network analysis

I'd like to capture the latency for VoIP traffic at each device. In other words, if you look at my setup below, I'd like to capture the packet timestamp from the VoIP phone1 to router1, from router1 to router2, and router2 to phone2. How will I do that?

PC1<-->phone1 <-->router1<-->router2<-->phone2<-->PC2

I know that I cannot capture the VoIP traffic with Wireshark on PC1 because PC1 is behind phone1. So I think I have to use port mirroring on router1. In that case, all I can see is the timestamp for the traffic between phone1 and phone2. Any thoughts will be greatly appreciated. Thx
Korbus Commented:
Do you have the option to NOT connect the computer THROUGH the phone? If you simply connect each device individually to the switch you should be good. You could also use a small HUB or switch at each desk, and connect the computer and phone through that to the main switch.

But even before you do that, it might be worth testing to see if the traffic between PC1 and phone1 actually does NOT go to the switch. It MIGHT be (depends on phone) that the phone acts like a simple switch, and passes traffic from the PC to the main switch, EVEN if the traffic is addressed to the phone. (To test: run Wireshark, ping the phone from the PC, stop Wireshark, and see if Wireshark detected any traffic with that source & destination IP address.)
giltjr Commented:
Why not just ping PC1 from PC2?  The latency will be equal to that or slightly less.

Are router1 and router2 next to each other?

You really need to mirror the ports that the phones connect to on BOTH routers and then either capture the packets with the same PC at the same time, or two different PCs at the same time, but the two PCs have to have the same exact time.
leblancAccounting (Author) Commented:
router1 and router2 are not next to each other. They are running VPN between them.
I cannot add any hardware at the remote site where PC2 is.
The phones are all Cisco phones and yes they act like a switch as the PC1 and PC2 traffic will go through the phones, then to the main switch then to the router to go to the other side.

Sure. I can ping from PC1 to PC2 but I want to capture the VoIP traffic between the two locations. If I run Wireshark on PC1, I will not see any VoIP traffic.

What I'd like to do is to capture the packets timestamp from phone1 to router1, from router1 to router2, and router2 to phone2.
I think I can capture the traffic from phone1 to phone2 if I know the port where they connect to on the switch and mirror the port. But I do not know how to get the timestamps from the phone1 to router1, router1 to router2, and router2 to phone2.

The problem that I am having is when somebody picks up phone2, it takes 5 seconds before they can hear a dial tone. I want to see with Wireshark where it breaks.

Well, the problem is that you are trying to get something that does not exist. Neither IP nor TCP has true timestamps in the headers. RFC 1323 does talk about TCP timestamps, but this "the time"  it is an arbitrary number that is increased by 1 every ms so that one side can measure the RTT.

When you look at a packet capture, the timestamps that show date and time were put there by the utility that captured the packets, tcpdump in the *nix world or winpcap normally in the Windows world.

So in order to see the timestamps you want to see, you have to do multiple captures at the same time and hope each device doing the capture has the same time.

Pinging between PC1 and PC2 will tell you what the latency is between them.

However, based on what you are describing, you need to see what the latency is between phone2 and the VOIP server. For that you should be able to ping the VOIP server from PC2.
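Added example, not part of the thread: the multi-point capture approach described above, worked through in Python. It matches RTP packets seen at two mirror ports by (SSRC, sequence number) and uses one stream in each direction to separate the real one-way delay from the offset between the two capture clocks, assuming a symmetric path. The sample rows are constructed and the function names are hypothetical; real rows could be exported from each capture with the Wireshark fields `frame.time_epoch`, `rtp.ssrc` and `rtp.seq`.

```python
from statistics import median

# Constructed sample rows (capture_time_s, rtp_ssrc, rtp_seq), one list per
# mirror port. Site B's capture clock is 0.250 s ahead; real one-way delay is
# 0.040 s each way. Stream 0x1111 flows A->B, stream 0x2222 flows B->A.
SITE_A = [(100.000, 0x1111, 1), (100.020, 0x1111, 2), (100.040, 0x1111, 3),
          (100.790, 0x2222, 1), (100.810, 0x2222, 2), (100.830, 0x2222, 3)]
SITE_B = [(100.290, 0x1111, 1), (100.330, 0x1111, 3),   # seq 2 lost in transit
          (101.000, 0x2222, 1), (101.020, 0x2222, 2), (101.040, 0x2222, 3)]


def index(capture):
    """Map (ssrc, seq) -> capture timestamp; the first sighting wins."""
    seen = {}
    for ts, ssrc, seq in capture:
        seen.setdefault((ssrc, seq), ts)
    return seen


def apparent_deltas(sender_side, receiver_side, ssrc):
    """Per-packet (receiver_ts - sender_ts) for one stream, plus the loss count."""
    tx, rx = index(sender_side), index(receiver_side)
    keys = [k for k in tx if k[0] == ssrc]
    deltas = [rx[k] - tx[k] for k in keys if k in rx]
    return deltas, len(keys) - len(deltas)


def split_delay_and_offset(fwd, rev):
    """Symmetric path assumed: fwd = delay + offset, rev = delay - offset."""
    if not fwd or not rev:
        raise ValueError("need matched packets in both directions")
    f, r = median(fwd), median(rev)
    return (f + r) / 2, (f - r) / 2   # (one-way delay, clock B minus clock A)


def analyze(site_a=SITE_A, site_b=SITE_B, fwd_ssrc=0x1111, rev_ssrc=0x2222):
    fwd, lost_f = apparent_deltas(site_a, site_b, fwd_ssrc)
    rev, lost_r = apparent_deltas(site_b, site_a, rev_ssrc)
    delay, offset = split_delay_and_offset(fwd, rev)
    return {"raw_forward": median(fwd), "raw_reverse": median(rev),
            "one_way_delay": delay, "clock_offset": offset,
            "lost_forward": lost_f, "lost_reverse": lost_r}


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name:14s} {value}")
```

The raw forward delta (0.290 s) and raw reverse delta (-0.210 s) are both wrong on their own; only their half-sum and half-difference give the delay and the clock skew. Because the routers are joined by a VPN, both captures have to be taken on the LAN side of each router, where the RTP headers are still visible.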
leblancAccounting (Author) Commented:
"Ping'ing  between PC1 and PC2 will tell you what the latency is between them." but there are the routers between PC1 and PC2 and I want to see how long it takes for a packet to go from PC1 to router1, then from router1 to router2, and then from router2 to PC2. In my case, it is phone1 and phone2 instead of PC1 and PC2.

I guess by timestamp, I meant the delta time in Wireshark or whatever time that Wireshark sees the packet.
Then use traceroute, under Windows it is tracert.

However, if there is a VPN connection between router1 and router2, you will not see any of the routers between router1 and router2.  You will see router1 and then router2 only, along with any other routers between PC/Phone1 and router1 and between PC/Phone2 and router2.

Using the delta between timestamps in Wireshark is no more, nor less, accurate than using traceroute.

However, I'm confused. If you are worried about the time it takes phone2 to get a dial tone, why do you care about phone1?
leblancAccounting (Author) Commented:
You're right. Phone1 is out of the equation.  
From my understanding, when phone2 gets the dial tone, it means that it gets back its request signal from the Call Manager. So my plan is I want to see how long it takes for the voice signal to go to the CM and back. If it takes 1 sec from phone2 to router2 and e secs from router2 to router1, then I will need to contact the ISP.  
I'd like to use Wireshark because I want to see the VoIP signal packets.
giltjr Commented:
Then you need to do a packet capture at site two from router2.  

However, a trace route from PC2 to Call Manager server, or from the Call Manager server to Phone2, will give you what the latency is. You can do trace routes at different times of day.

Do you have the same ISP for site1 and site2? If they have different ISPs there is not a whole lot the ISP can do. In fact even if they are the same ISP unless you are paying for some type of VPN from that ISP and it has some level of guaranteed RTT there is nothing the ISP can do.
Question has a verified solution.
