Solved

VoIP traffic

Posted on 2014-03-17
18
459 Views
Last Modified: 2014-04-07
I have VoIP phones on my network and I have site-to-site VPN connection between my 3 sites. I am using Wireshark to sniff for my voice traffic. I have my Wireshark on the switch behind the firewall. I don't understand why I do not see any VoIP traffic with RTP. Any inputs will be greatly appreciated. Thx
0
Comment
Question by:leblanc
18 Comments
 
LVL 20

Accepted Solution

by:
José Méndez earned 500 total points
ID: 39935914
You are probably seeing it as UDP traffic, but if you right click on it (after identifying it by source and destination IPs) and click on Decode as => RTP, your wshark will dissect the packets the way you expect it to.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39935927
I see. How do I get the call signaling traffic from Wireshark? Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39935948
assuming it's SIP signaling, you can filter it like this:

sip and (ip.addr eq 1.1.1.1 and ip.addr eq 2.2.2.2)

replace the IP addresses with the addresses of the devices you are tracing. Also you could just throw sip into the filter search field. Then click on the Find icon similar to a magnifying glass, choose to lookup Strings and search for the called/calling numbers involved in a specific call.
0
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39936185
you didn't mention whether you can see any other traffic!!

On the particular switch port connected to the Wireshark machine, did you enable monitor mode on that port (if it's a manageable switch)???

if the switch is not manageable, replace the switch with a hub.
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39936705
Many reasons could affect traffic capturing with Wireshark. It might be that you're running an old WinPcap version on Windows 2012/Windows 8, and if so you need to install the latest version of Wireshark.

You will also need to make sure that you select the right NIC card, and you need to use a hub, not a switch, to be able to get all the traffic, or you can use managed switches which have the monitor capability (port mirroring) on some ports.

here's a ref.

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch
0
 
LVL 1

Author Comment

by:leblanc
ID: 39937683
I can see all other traffic. I did a capture for 10 minutes.
Also, looking at the conversation stats, it says that I have 89% TCP traffic, but when I expand the tree to see what type of TCP, it did not add up to 89%. I am not sure I understand why. Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39938206
Bobon did you follow my steps to find the UDP traffic?
0
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39938876
Bobon,

1st - are you running the very latest version of Wireshark? If not, try to use the latest version. (check whether it's working or not)

2nd - see if there are any other filters or your own filters in place. Remove all filters and capture for some time without any filters. (check whether it's working or not)

3rd - try to replace the switch with a HUB for some time (15 min.) to capture traffic. (check whether it's working or not)

4th - check whether your phones (and controllers) are running on standard VoIP protocols.
ex: SIP (port 5060) and SIPS (port 5061) (check whether it's working or not)

5th - try to filter traffic based on protocol (ex: sip/sips). (check whether it's working or not)
0
 
LVL 1

Author Comment

by:leblanc
ID: 39948881
willlywilburwonka

I tried your recommendation and I see RTP traffic. I filtered on UDP and I decoded UDP (port 32158 to 19386) traffic to RTP. What does it mean when I decode UDP to RTP?
When I filtered SIP, I did not see anything. I guess I am not using SIP. Correct?
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949188
When you decode UDP traffic as RTP, it means that Wireshark will dissect that traffic as audio and will give you some other options, like for example, you can do stream analysis from WS itself, and even reconstruct the packets to obtain an audio file that you can play in your PC:

https://supportforums.cisco.com/discussion/11517891/how-save-rtp-streams-wireshark-and-play-it-using-application-called-audacity

if nothing shows up when you filter by sip, then yes, there are no SIP messages in the capture. Can you upload a sample sniffer trace? Also, what type of VOIP system are we talking about?
0
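To make concrete what "Decode As... RTP" does, here is an added example (not code from this thread or from Wireshark) that dissects the fixed RTP header that a plain UDP view hides, applies the same kind of version/payload-type heuristic a dissector uses, and performs a first piece of stream analysis (sequence gaps) over a constructed G.711 stream. All packet bytes are constructed; nothing is read from a real capture.

```python
"""What "Decode As... RTP" does: dissect the fixed RTP header (RFC 3550) that
Wireshark otherwise shows only as a UDP payload, plus a first stream check.

Added example; not code from the thread. All packet bytes below are constructed.
"""
import struct

# Static audio payload types from RFC 3551; 96-127 are dynamic (negotiated in signaling).
STATIC_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_rtp_header(payload: bytes) -> dict:
    """Return the RTP header fields of a UDP payload, or raise ValueError."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"version field is {version}, RTP requires 2")
    cc = b0 & 0x0F                      # number of 32-bit CSRC identifiers
    header_len = 12 + 4 * cc
    if len(payload) < header_len:
        raise ValueError("CSRC list truncated")
    pt = b1 & 0x7F
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc": list(struct.unpack(f"!{cc}I", payload[12:header_len])),
        "marker": bool(b1 & 0x80),
        "payload_type": pt,
        "codec": STATIC_PAYLOAD_TYPES.get(pt, "dynamic" if pt >= 96 else "other"),
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "media_len": len(payload) - header_len,
    }


def looks_like_rtp(payload: bytes) -> bool:
    """Heuristic check: version 2 and a payload type outside the RTCP
    packet-type range (72-76), which shares the same first-byte layout."""
    try:
        h = parse_rtp_header(payload)
    except ValueError:
        return False
    return not (72 <= h["payload_type"] <= 76)


def stream_loss(packets: list) -> dict:
    """Count missing sequence numbers for one SSRC, handling 16-bit wrap-around."""
    headers = [parse_rtp_header(p) for p in packets]
    ssrcs = {h["ssrc"] for h in headers}
    if len(ssrcs) != 1:
        raise ValueError(f"expected one stream, got SSRCs {sorted(ssrcs)}")
    seqs = [h["sequence"] for h in headers]
    expected = 1
    for prev, cur in zip(seqs, seqs[1:]):
        expected += (cur - prev) % 65536   # wrap from 65535 to 0 counts as +1
    return {"ssrc": ssrcs.pop(), "received": len(seqs),
            "expected": expected, "lost": expected - len(seqs)}


def make_rtp_packet(seq: int, ts: int, ssrc: int, pt: int = 0, marker: bool = False,
                    media: bytes = b"\xff" * 160) -> bytes:
    """Build a constructed RTP packet (version 2, no padding/extension/CSRC)."""
    b0 = 0x80
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + media


if __name__ == "__main__":
    # Constructed 20 ms G.711 u-law stream with one packet (seq 1002) missing.
    pkts = [make_rtp_packet(1000 + i, 160 * i, 0x1234ABCD, marker=(i == 0))
            for i in range(5) if i != 2]
    print(parse_rtp_header(pkts[0]))
    print(stream_loss(pkts))
    print(looks_like_rtp(b"INVITE sip:1001@10.0.0.5 SIP/2.0\r\n"))
```

The version check is why a SIP packet never decodes as RTP (its first byte is ASCII text, so the two-bit version field is not 2), and the sequence-gap count is the same figure Wireshark's RTP stream analysis reports as lost packets.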
 
LVL 1

Author Comment

by:leblanc
ID: 39949278
I am fairly new to this VoIP system. But from my understanding, this network has all Cisco gear. The Call Manager is Linux but it is a Cisco Call Manager. Unfortunately, I cannot share the Wireshark trace. It is a management decision. If it is not SIP, then it should be SCCP. I don't think it is H223. Is there anywhere I can look?
What I want to investigate is how long it takes for the phone to communicate with the call manager before it can make the connection with the other phone. Thanks
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949281
This is what you want in order to sniff call signaling:

https://supportforums.cisco.com/docs/DOC-11599
0
 
LVL 1

Author Comment

by:leblanc
ID: 39949309
How do I find out which VoIP signaling protocol I am using with Wireshark? I know that it is not SIP
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949325
if you are using SCCP phones, try typing "skinny"; if you type "sccp" then Wireshark will understand a different protocol.
0
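As an added example (not code from this thread or from Wireshark) of how to tell which signaling protocol a capture carries, the function below checks each segment the way the dissectors key on it: SIP by its text request/status line, Skinny by the TCP 2000 port pair plus its 12-byte little-endian header, and H.323 by the TPKT framing on TCP 1720. The display-filter names it returns are Wireshark's real ones ("skinny" for Cisco SCCP; "sccp" is the SS7 protocol, as the answer above notes). All segments are constructed, and the minimal Skinny bodies are shorter than real ones.

```python
"""Which call-signaling protocol is in the capture? Check port pairs and the
first bytes of each segment the way Wireshark's dissectors key on them.

Added example; not code from the thread. All segments below are constructed.
Port conventions: SIP 5060 (UDP/TCP) and 5061 (TLS), Skinny 2000/TCP,
H.225 call signaling 1720/TCP.
"""
import struct
from collections import Counter

SIP_METHODS = (b"INVITE", b"REGISTER", b"ACK", b"BYE", b"CANCEL", b"OPTIONS",
               b"NOTIFY", b"SUBSCRIBE", b"INFO", b"REFER", b"UPDATE", b"PRACK",
               b"MESSAGE", b"PUBLISH")

# A few Skinny message IDs (names as Wireshark's skinny dissector shows them).
SKINNY_MESSAGES = {0x0000: "KeepAliveMessage", 0x0001: "RegisterMessage",
                   0x0006: "OffHookMessage", 0x0007: "OnHookMessage",
                   0x0100: "KeepAliveAckMessage"}


def classify_signaling(transport: str, src_port: int, dst_port: int,
                       payload: bytes) -> dict:
    """Return the likely protocol, the Wireshark display filter to use, and a detail."""
    ports = {src_port, dst_port}
    first_line = payload.split(b"\r\n", 1)[0]

    # SIP is text: a request line "<METHOD> sip:... SIP/2.0" or a status line "SIP/2.0 ...".
    if first_line.startswith(b"SIP/2.0 ") or any(
            first_line.startswith(m + b" sip") for m in SIP_METHODS):
        return {"protocol": "SIP", "filter": "sip",
                "detail": first_line.decode(errors="replace")}

    # Skinny (SCCP): 12-byte header, all little-endian:
    #   data length (counts message ID + body), header version, message ID.
    if transport == "tcp" and 2000 in ports and len(payload) >= 12:
        length, _version, msg_id = struct.unpack("<III", payload[:12])
        if length + 8 == len(payload):
            return {"protocol": "SCCP (Skinny)", "filter": "skinny",
                    "detail": SKINNY_MESSAGES.get(msg_id, f"message 0x{msg_id:04x}")}

    # H.323 call signaling: H.225 over TPKT (version 3, reserved 0, 16-bit length).
    if (transport == "tcp" and 1720 in ports and len(payload) >= 4
            and payload[:2] == b"\x03\x00"):
        tpkt_len = struct.unpack("!H", payload[2:4])[0]
        if tpkt_len == len(payload):
            return {"protocol": "H.323", "filter": "h225",
                    "detail": f"TPKT length {tpkt_len}"}

    # SIP over TLS: the port is a hint, but the payload is unreadable without keys.
    if transport == "tcp" and 5061 in ports:
        return {"protocol": "SIP over TLS", "filter": "tls",
                "detail": "encrypted; no SIP lines visible without the TLS keys"}

    return {"protocol": "unknown", "filter": None, "detail": None}


def summarize(segments: list) -> dict:
    """Count how many segments each protocol accounts for (transport, sport, dport, payload)."""
    return dict(Counter(classify_signaling(*seg)["protocol"] for seg in segments))


# Constructed sample segments: one of each kind plus an unrelated HTTP request.
SAMPLE_SEGMENTS = [
    ("udp", 5060, 5060,
     b"INVITE sip:1001@10.0.0.5 SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.9:5060\r\n\r\n"),
    # Skinny KeepAlive: length 4, header version 0, message ID 0x0000.
    ("tcp", 52325, 2000, b"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
    # TPKT header declaring 8 bytes, followed by 4 arbitrary constructed body bytes.
    ("tcp", 40000, 1720, b"\x03\x00\x00\x08\x08\x02\x00\x01"),
    ("tcp", 40001, 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        print(classify_signaling(*seg))
    print(summarize(SAMPLE_SEGMENTS))
```

Running this over the TCP/UDP payloads of a capture gives the protocol mix; the "filter" value is then what you type into the display filter bar to see only that signaling. In the Skinny check, the port pair alone is not trusted: the declared length must match the segment, which is the same consistency a dissector relies on before it labels a conversation.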
 
LVL 1

Author Comment

by:leblanc
ID: 39949394
You sure know VoIP.
So if I have a source as cisco-sccp and destination as 52325, then it means that the source is the CM and the port 52325 is the phone. Correct?
Is there a way to see the traffic flow for one conversation from the setup time to the tear down of the call?

Also I was trying to use the Telephony feature in Wireshark 1.8.3. But it does not work. I was trying to look at the VoIP Calls option and I did not get anything.

Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39950249
Could you please let me know where we are at so far?? Were you able to find SCCP traffic in that capture? Were you able to run the capture within the Callmanager itself?
0
 
LVL 1

Author Comment

by:leblanc
ID: 39951060
Yes I see SCCP traffic. No I was not able to do the capture within the CM as it is managed by a 3rd vendor. I have to contact them. Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39951090
You are welcome. Was the original question fully answered?
0
