Solved

wireshark network analysis

Posted on 2014-03-09
Last Modified: 2014-03-24
I'd like to capture the latency for VoIP traffic at each device. In other words, if you look at my setup below, I'd like to capture the packet timestamp from the VoIP phone1 to router1, from router1 to router2, and router2 to phone2. How will I do that?

PC1<-->phone1 <-->router1<-->router2<-->phone2<-->PC2

I know that I cannot capture the VoIP traffic with Wireshark on PC1 because PC1 is behind phone1. So I think I have to use port mirroring on router1. In that case, all I can see is the timestamp for the traffic between phone1 and phone2. Any thoughts will be greatly appreciated. Thx
0
Question by:leblanc
8 Comments
 
LVL 10

Accepted Solution

by:
Korbus earned 167 total points
ID: 39916066
Do you have the option to NOT connect the computer THROUGH the phone?  If you simply connect each device individually to the switch you should be good.  You could also use a small HUB or switch at each desk, and connect the computer and phone through that to the main switch.

But even before you do that, it might be worth testing to see if the traffic between PC1 and phone1 actually does NOT go to the switch.  It MIGHT be (depends on phone) that the phone acts like a simple switch, and passes traffic from the PC to the main switch, EVEN if the traffic is addressed to the phone.  (To test: run Wireshark, ping the phone from the PC, stop Wireshark, and see if Wireshark detected any traffic with that source & destination IP address.)
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 333 total points
ID: 39916262
Why not just ping PC1 from PC2?  The latency will be equal to that or slightly less.

Are router1 and router2 next to each other?

You really need to mirror the ports that the phones connect to on BOTH routers and then either capture the packets with the same PC at the same time, or two different PCs at the same time, but the two PCs have to have the same exact time.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39916297
router1 and router2 are not next to each other. They are running VPN between them.
I cannot add any hardware at the remote site where PC2 is.
The phones are all Cisco phones and yes they act like a switch as the PC1 and PC2 traffic will go through the phones, then to the main switch then to the router to go to the other side.

Sure. I can ping from PC1 to PC2 but I want to capture the VoIP traffic between the two locations. If I run Wireshark on PC1, I will not see any VoIP traffic.

What I'd like to do is to capture the packet timestamps from phone1 to router1, from router1 to router2, and router2 to phone2.
I think I can capture the traffic from phone1 to phone2 if I know the port where they connect to on the switch and mirror the port. But I do not know how to get the timestamps from the phone1 to router1, router1 to router2, and router2 to phone2.

The problem that I am having is when somebody picks up phone2, it takes 5 seconds before they can hear a dial tone. I want to see with Wireshark where it breaks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39916317
Well, the problem is that you are trying to get something that does not exist.  Neither IP nor TCP has true timestamps in the headers.  RFC 1323 does talk about TCP timestamps, but this "time" is an arbitrary number that is increased by 1 every ms so that one side can measure the RTT.

When you look at a packet capture, the timestamps that show date and time were put there by the utility that captured the packets, tcpdump in the *nix world or winpcap normally in the Windows world.

So in order to see the timestamps you want to see, you have to do multiple captures at the same time and hope each device doing the capture has the same time.

Pinging between PC1 and PC2 will tell you what the latency is between them.

However, based on what you are describing, you need to see what the latency is between phone2 and the VoIP server.  For that you should be able to ping the VoIP server from PC2.
0
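The approach giltjr describes above (capture at two points at the same time, with both capture hosts on the same clock, and compare the capture-utility timestamps) can be done mechanically once the same packet is identified in both files. The script below is an added example for this thread, not code posted by anyone in it: it matches each RTP/UDP packet seen at capture point A (say, the mirrored phone port) with the same packet at capture point B (the router's LAN port) using the IPv4 identification field and the RTP sequence number, then reports the one-way delay between the points and which packets never reached B. The two captures are constructed in memory as classic pcap files so the script runs offline; the host and Call Manager addresses, the RTP ports and the timings are all made-up sample values.

```python
"""Per-hop one-way delay from two clock-synchronized packet captures.

Added example, not code from this thread.  Pairs the same RTP/UDP packet
seen at capture point A and capture point B by (src, dst, IPv4 id, RTP seq)
and reports how long it took between the two points.  Both capture hosts
must share one clock (NTP); the captures here are constructed pcap bytes.
"""
import struct
from statistics import mean

PCAP_MAGIC_LE = 0xA1B2C3D4


def build_pcap(records):
    """Build a little-endian pcap from constructed (ts, src, dst, ip_id, rtp_seq) tuples."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for ts, src, dst, ip_id, seq in records:
        rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x1234) + b"\x00" * 20
        udp = struct.pack("!HHHH", 16384, 16384, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 20 + len(udp), ip_id, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # Ethernet II, EtherType IPv4
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def parse_pcap(data):
    """Yield (ts, ip_id, src, dst, rtp_seq) for each IPv4/UDP frame in a pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24                                              # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue                                      # not IPv4
        ip = frame[14:]
        if ip[9] != 17:
            continue                                      # not UDP
        ihl = (ip[0] & 0x0F) * 4
        ip_id = struct.unpack_from("!H", ip, 4)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        payload = ip[ihl + 8:]
        # RTP version 2 is signalled by the top two bits; sequence number is bytes 2-3
        seq = (struct.unpack_from("!H", payload, 2)[0]
               if len(payload) >= 12 and payload[0] >> 6 == 2 else None)
        yield sec + usec / 1_000_000, ip_id, src, dst, seq


def one_way_delays(cap_a, cap_b):
    """Return ([(rtp_seq, delay_ms)] for packets seen at A then B, [seqs seen at A only])."""
    def key(r):
        return (r[2], r[3], r[1], r[4])
    at_b = {key(r): r[0] for r in parse_pcap(cap_b)}
    matched, missing = [], []
    for r in parse_pcap(cap_a):
        if key(r) in at_b:
            matched.append((r[4], round((at_b[key(r)] - r[0]) * 1000.0, 3)))
        else:
            missing.append(r[4])
    return matched, missing


def summarize(cap_a, cap_b):
    matched, missing = one_way_delays(cap_a, cap_b)
    delays = [d for _, d in matched]
    return {"matched": len(matched), "lost": len(missing),
            "mean_ms": round(mean(delays), 3) if delays else None,
            "max_ms": max(delays) if delays else None}


# Constructed sample: five RTP packets from phone2 toward the Call Manager, seen
# first on the phone's switch port (A) and then on router2's LAN port (B).
PHONE, CM = "10.2.0.50", "10.1.1.10"                      # made-up addresses
PHONE_SIDE = [(1000.000 + i * 0.020, PHONE, CM, 0x4000 + i, i + 1) for i in range(5)]
ROUTER_SIDE = [(1000.0010, PHONE, CM, 0x4000, 1),
               (1000.0212, PHONE, CM, 0x4001, 2),
               (1000.0430, PHONE, CM, 0x4002, 3),         # one slow packet
               (1000.0811, PHONE, CM, 0x4004, 5)]         # seq 4 never reached B

if __name__ == "__main__":
    print(summarize(build_pcap(PHONE_SIDE), build_pcap(ROUTER_SIDE)))
```

On real captures the two byte strings would be read from the files Wireshark or tcpdump wrote at each site. The match key deliberately includes both the IP identification and the RTP sequence number: the IP id alone wraps every 65536 packets and some stacks leave it at zero for unfragmentable datagrams, while the RTP sequence alone would collide across simultaneous calls. Any clock skew between the two capture hosts shows up directly as a bias in the delays, which is the point giltjr makes about both machines needing the same exact time.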
 
LVL 1

Author Comment

by:leblanc
ID: 39916464
"Pinging between PC1 and PC2 will tell you what the latency is between them." But there are the routers between PC1 and PC2 and I want to see how long it takes for a packet to go from PC1 to router1, then from router1 to router2, and then from router2 to PC2. In my case, it is phone1 and phone2 instead of PC1 and PC2.

I guess by timestamp, I meant the delta time in Wireshark or whatever time that Wireshark see the packet.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39916514
Then use traceroute, under Windows it is tracert.

However, if there is a VPN connection between router1 and router2, you will not see any of the routers between router1 and router2.  You will see router1 and then router2 only, along with any other routers between PC/Phone1 and router1 and between PC/Phone2 and router2.

Using the delta between timestamps in Wireshark is no more, nor less, accurate than using traceroute.

However, I'm confused.  If you are worried about the time it takes phone2 to get a dial tone, why do you care about phone1?
0
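Following up on the traceroute suggestion above, the per-segment figure the asker is after (how much router2 to router1 adds on top of phone2 to router2) is the increment between consecutive hops' round-trip times. The script below is an added example for this thread, not code posted by anyone in it: it parses Windows tracert output, takes the median of the three probes per hop so one slow reply does not dominate, skips hops that only answer with `*`, reads `<1 ms` as 0.0, and reports each hop's increment over the last hop that answered. The tracert output, the hostname and the addresses are constructed sample values.

```python
"""Per-segment latency from Windows tracert output.

Added example, not code from this thread.  Median of the three probes per
hop, then the increment over the previous responding hop; '*' probes are
dropped and '<1 ms' is read as 0.0 (a lower bound).  Sample is constructed.
"""
import re
from statistics import median

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
PROBE = re.compile(r"<?\d+(?:\.\d+)?(?=\s*ms)|\*")
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?$")      # bare IP, or name [IP]


def parse_tracert(text):
    """Return [(hop, addr_or_None, [rtt_ms, ...])] for every hop line in tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                                      # banner / blank / footer lines
        hop, rest = int(m.group(1)), m.group(2)
        rtts = [0.0 if tok.startswith("<") else float(tok)
                for tok in PROBE.findall(rest) if tok != "*"]
        addr = ADDR.search(rest)
        hops.append((hop, addr.group(1) if addr else None, rtts))
    return hops


def per_hop_latency(text):
    """Median RTT per hop plus its increment over the last hop that answered."""
    result, last = [], 0.0
    for hop, addr, rtts in parse_tracert(text):
        if not rtts:
            result.append({"hop": hop, "addr": addr, "rtt_ms": None, "increment_ms": None})
            continue
        rtt = float(median(rtts))
        result.append({"hop": hop, "addr": addr, "rtt_ms": rtt,
                       "increment_ms": round(rtt - last, 1)})
        last = rtt
    return result


def slowest_segment(hops):
    """The responding hop whose increment over its predecessor is largest."""
    answered = [h for h in hops if h["increment_ms"] is not None]
    return max(answered, key=lambda h: h["increment_ms"]) if answered else None


# Constructed sample output from PC2: hop 1 is router2, hop 2 is router1 across the
# VPN (so the ISP's routers in between are invisible, as noted above), hop 4 is
# the Call Manager.  Hop 3 drops TTL-expired probes and never answers.
SAMPLE_TRACERT = """
Tracing route to cm.example.net [10.1.1.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.2.0.1
  2    42 ms    45 ms    41 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    44 ms    43 ms    46 ms  cm.example.net [10.1.1.10]

Trace complete.
"""

if __name__ == "__main__":
    for h in per_hop_latency(SAMPLE_TRACERT):
        print(h)
    print("slowest segment ends at hop", slowest_segment(SAMPLE_TRACERT and per_hop_latency(SAMPLE_TRACERT))["hop"])
```

Two caveats when reading the increments: each hop's RTT includes the return path, and routers often rate-limit or deprioritize the ICMP time-exceeded replies traceroute depends on, so a hop can look slower than the one after it and increments can come out negative or noisy. Running the trace several times across the day, as suggested in the thread, and looking at the medians is the way to tell a real 42 ms WAN segment from a router that is merely slow to answer traceroute.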
 
LVL 1

Author Comment

by:leblanc
ID: 39916596
You're right. Phone1 is out of the equation.
From my understanding, when phone2 gets the dial tone, it means that it gets back its request signal from the Call Manager. So my plan is I want to see how long it takes for the voice signal to go to the CM and back. If it takes 1 sec from phone2 to router2 and e secs from router2 to router1, then I will need to contact the ISP.
I'd like to use Wireshark because I want to see the VoIP signal packets.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 333 total points
ID: 39916615
Then you need to do a packet capture at site two from router2.

However, a traceroute from PC2 to the Call Manager server, or from the Call Manager server to Phone2, will give you what the latency is.  You can do traceroutes at different times of day.

Do you have the same ISP for site1 and site2?  If they have different ISPs there is not a whole lot the ISP can do.  In fact even if they are the same ISP, unless you are paying for some type of VPN from that ISP and it has some level of guaranteed RTT, there is nothing the ISP can do.
0