Solved

wireshark network analysis

Posted on 2014-03-09
Last Modified: 2014-03-24
I'd like to capture the latency for VoIP traffic at each device. In other words, if you look at my setup below, I'd like to capture the packet timestamp from the VoIP phone1 to router1, from router1 to router2, and router2 to phone2. How will I do that?

PC1<-->phone1 <-->router1<-->router2<-->phone2<-->PC2

I know that I cannot capture the VoIP traffic with Wireshark on PC1 because PC1 is behind phone1. So I think I have to use port mirroring on router1. In that case, all I can see is the timestamp for the traffic between phone1 and phone2. Any thoughts will be greatly appreciated. Thx
Question by:leblanc
LVL 10

Accepted Solution

by:
Korbus earned 167 total points
ID: 39916066
Do you have the option to NOT connect the computer THROUGH the phone? If you simply connect each device individually to the switch you should be good. You could also use a small HUB or switch at each desk, and connect the computer and phone through that to the main switch.

But even before you do that, it might be worth testing to see if the traffic between PC1 and phone1 actually does NOT go to the switch. It MIGHT be (depends on phone) that the phone acts like a simple switch, and passes traffic from the PC to the main switch, EVEN if the traffic is addressed to the phone. (To test: run wireshark, ping the phone from the PC, stop wireshark, and see if wireshark detected any traffic with that source & destination IP address.)
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 333 total points
ID: 39916262
Why not just ping PC1 from PC2?  The latency will be equal to that or slightly less.

Are router1 and router2 next to each other?

You really need to mirror the ports that the phones connect to on BOTH routers and then either capture the packets with the same PC at the same time, or two different PCs at the same time, but the two PCs have to have the same exact time.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39916297
router1 and router2 are not next to each other. They are running VPN between them.
I cannot add any hardware at the remote site where PC2 is.
The phones are all Cisco phones and yes they act like a switch as the PC1 and PC2 traffic will go through the phones, then to the main switch then to the router to go to the other side.

Sure. I can ping from PC1 to PC2 but I want to capture the VoIP traffic between the two locations. If I run Wireshark on PC1, I will not see any VoIP traffic.

What I'd like to do is  to capture the packets timestamp from phone1 to router1, from router1 to router2, and router2 to phone2.
I think I can capture the traffic from phone1 to phone2 if I know the port where they connect to on the switch and mirror the port. But I do not know how to get the timestamps from the phone1 to router1, router1 to router2, and router2 to phone2.

The problem that I am having is when somebody picks up phone2, it takes 5 seconds before they can hear a dial tone. I want to see with Wireshark where it breaks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39916317
Well, the problem is that you are trying to get something that does not exist.  Neither IP nor TCP has true timestamps in the headers.  RFC 1323 does talk about TCP timestamps, but this "the time"  it is an arbitrary number that is increased by 1 every ms so that one side can measure the RTT.

When you look at a packet capture, the timestamps that show date and time were put there by the utility that captures the packets, tcpdump in the *nix world or winpcap normally in the Windows world.

So in order to see the timestamps you want to see, you have to do multiple captures at the same time and hope each device doing the capture has the same time.

Ping'ing  between PC1 and PC2 will tell you what the latency is between them.

However, based on what you are describing, you need to see what the latency is between phone2 and the VOIP server.  For that you should be able to ping the VOIP server from PC2.
0
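
Added example, not part of the thread or of any participant's post: one way to line up two simultaneous captures of the same RTP stream, as the answer above describes, by matching packets on SSRC and sequence number. It assumes each capture was exported to CSV rows of `frame.time_epoch, rtp.ssrc, rtp.seq` (for instance with `tshark -T fields`); the sample rows, the function names and the 2.5 s clock skew are constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample rows: frame.time_epoch, rtp.ssrc, rtp.seq
SITE1 = """\
1394400000.000000,0x1a2b3c4d,100
1394400000.020000,0x1a2b3c4d,101
1394400000.040000,0x1a2b3c4d,102
1394400000.060000,0x1a2b3c4d,103
1394400000.080000,0x1a2b3c4d,104
"""
# Same stream at the far mirror port; that capture PC's clock runs 2.5 s ahead.
SITE2 = """\
1394400002.530000,0x1a2b3c4d,100
1394400002.550000,0x1a2b3c4d,101
1394400002.615000,0x1a2b3c4d,102
1394400002.620000,0x1a2b3c4d,104
"""

def load(text):
    """Map (ssrc, seq) -> capture timestamp, keeping the first sighting."""
    seen = {}
    for ts, ssrc, seq in csv.reader(io.StringIO(text)):
        seen.setdefault((ssrc, int(seq)), Decimal(ts))
    return seen

def correlate(near_text, far_text):
    """Compare per-packet timestamps from two capture points."""
    near, far = load(near_text), load(far_text)
    deltas = {k: far[k] - near[k] for k in near.keys() & far.keys()}
    if not deltas:
        raise ValueError("no packet appears in both captures")
    # The smallest delta is fixed path delay plus the unknown clock offset;
    # the two cannot be separated unless the capture clocks are synchronised.
    base = min(deltas.values())
    extra_ms = {k[1]: float((d - base) * 1000) for k, d in sorted(deltas.items())}
    lost = sorted(seq for _, seq in near.keys() - far.keys())
    return {"matched": len(deltas), "lost": lost,
            "offset_plus_min_delay_s": float(base), "extra_delay_ms": extra_ms}

if __name__ == "__main__":
    print(correlate(SITE1, SITE2))
```

Even with unsynchronised capture clocks, the loss list and the per-packet extra delay remain meaningful; only the absolute one-way latency is contaminated by the clock offset.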
 
LVL 1

Author Comment

by:leblanc
ID: 39916464
"Ping'ing  between PC1 and PC2 will tell you what the latency is between them." but there are the routers between PC1 and PC2 and I want to see how long it takes for a packet to go from PC1 to router1, then from router1 to router2, and then from router2 to PC2. In my case, it is phone1 and phone2 instead of PC1 and PC2.

I guess by timestamp, I meant the delta time in Wireshark or whatever time that Wireshark sees the packet.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 39916514
Then use traceroute, under Windows it is tracert.

However, if there is a VPN connection between router1 and router2, you will not see any of the routers between router1 and router2.  You will see router1 and then router2 only, along with any other routers between PC/Phone1 and router1 and between PC/Phone2 and router2.

Using the delta between timestamps in Wireshark is no more, nor less, accurate than using traceroute.

However, I'm confused.  If you are worried about the time it takes phone2 to get a dial tone, why do you care about phone1?
0
 
LVL 1

Author Comment

by:leblanc
ID: 39916596
You're right. Phone1 is out of the equation.  
From my understanding, when phone2 gets the dial tone, it means that it gets back its request signal from the Call Manager. So my plan is I want to see how long it takes for the voice signal to go to the CM and back. If it takes 1 sec from phone2 to router2 and e secs from router2 to router1, then I will need to contact the ISP.  
I'd like to use Wireshark because I want to see the VoIP signal packets.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 333 total points
ID: 39916615
Then you need to do a packet capture at site two from router2.  

However, a trace route from PC2 to Call Manager server, or from the Call Manager server to Phone2, will give you what the latency is.  You can do trace routes at different times of day.

Do you have the same ISP for site1 and site2?  If they have different ISPs there is not a whole lot the ISP can do.  In fact even if they are the same ISP unless you are paying for some type of VPN from that ISP and it has some level of guaranteed RTT there is nothing the ISP can do.
0
