VoIP traffic

I see. How do I get the call signaling traffic from Wireshark? Thx

assuming its SIP signaling, you can filter it like this:

sip and (ip.addr eq 1.1.1.1 and ip.addr eq 2.2.2.2)

replace the IP addresses with the addresses of the devices you are tracing. Also you could just throw sip into the filter search field. Then click on the Find icon similar to a magnifying glass, choose to lookup Strings and search for the called/calling numbers involved in a specific call.

you didn't mentioned either you can see any other traffic!!

the particular port connected to wireshark machine, Did you enable monitor-mode on that port  (if it's manageable switch ) of switch???

if the switch is not manageable, replace switch with hub.

Many reasons could affect traffic capturing with wireshark. it might be that you're running an old wincap version on Windows 2012/windows 8. and if so you need to install the latest version of Wireshark.

You will also need to make sure that you select the right NIC card. and you need to use a hub not Switch to be able to get all the traffic or you can use managed switches which have the monitor capability (Port mapping) on some ports.

here's a ref.

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch

I can see all other traffic. I did a capture for 10 minutes.
Also, Looking at the conversation stats, it says that I have 89% of TCP traffic, but when I expand the tree to see what type of tcp, it did not add up to 89%. I am not sure I understand why. Thx

Bobon did you follow my steps to find the UDP traffic?

Bobon,

1st - are you running very latest version of wireshark ? if not try to use latest version. (check either it's working or not )

2nd - see if there are any other filters or your own filters in place. remove all filters and capture for some time without any filters. (check either it's working or not )

3rd - try to replace switch  with HUB for some time (15 min. ) to capture traffic (check either it's working or not )

4th - check either your phones ( and controllers ) running on standard VoIP protocols.
ex: SIP (port 5060) and SIPS (port 5061) (check either it's working or not )

5th - try to filter traffic based on protocol (ex : sip/sips ) (check either it's working or not )

willlywilburwonka

I tried your recommendation and I see RTP traffic. I filtered on UDP and I decoded UDP (port 32158 to 19386) traffic to RTP. What does it mean when I decode UDP to RTP?
When I filtered SIP, I did not see anything. I guess I am not using SIP. Correct?

I am fairly new to this VoIP system. But from my understanding, this network has all Cisco gears. The Call Manager is Linux but it is a Cisco Call Manager. Unfortunately, I cannot share the Wireshark trace. It is management decision. If it is not SIP, then it should be SCCP. I don't think it is H223. Is there anywhere I can look?
What I want to investigate is how long it takes for the phone to communicate with the call manager before it can make the connection with the other phone. Thanks

How do I find out which VoIP signaling protocol I am using with Wireshark? I know that it is not SIP

You sure know VoIP.
So if I have a source as cisco-sccp and destination as 52325, then it means that the source is the CM and the port 52325 is the phone. Correct?
Is there a way to see the traffic flow for one conversation from the setup time to the tear down of the call?

Also I was trying to use the Telephony feature in Wireshark 1.8.3. But it does not work. I was trying to look at the VoIP Calls option and I did not get anything.

Thanks

Could you please let me know where we are at so far?? Were you able to find SCCP traffic in that capture? Were you able to run the capture within the Callmanager itself?

Yes I see SCCP traffic. No I was not able to do the capture within the CM as it is manged by a 3rd vendor. I have to contact them. Thanks

You are welcome. Was the original question fully answered?