VoIP traffic

I have VoIP phones on my network and I have site-to-site VPN connections between my 3 sites. I am using Wireshark to sniff for my voice traffic. I have my Wireshark on the switch behind the firewall. I don't understand why I do not see any VoIP traffic with RTP. Any input will be greatly appreciated. Thx
Asked:
leblanc
 
José Méndez Commented:
You are probably seeing it as UDP traffic, but if you right click on it (after identifying it by source and destination IPs) and click on Decode as => RTP, your wshark will dissect the packets the way you expect it to.
0
 
leblanc (Accounting, Author) Commented:
I see. How do I get the call signaling traffic from Wireshark? Thx
0
 
José Méndez Commented:
Assuming it's SIP signaling, you can filter it like this:

sip and (ip.addr eq 1.1.1.1 and ip.addr eq 2.2.2.2)

Replace the IP addresses with the addresses of the devices you are tracing. Also, you could just throw sip into the filter search field. Then click on the Find icon similar to a magnifying glass, choose to look up Strings and search for the called/calling numbers involved in a specific call.
0
 
IMGIDC Commented:
You didn't mention whether you can see any other traffic!!

On the particular port connected to the Wireshark machine, did you enable monitor mode on that port of the switch (if it's a manageable switch)???

If the switch is not manageable, replace the switch with a hub.
0
 
Mohammed Hamada (Senior IT Consultant) Commented:
Many reasons could affect traffic capturing with Wireshark. It might be that you're running an old WinPcap version on Windows 2012/Windows 8, and if so you need to install the latest version of Wireshark.

You will also need to make sure that you select the right NIC card, and you need to use a hub, not a switch, to be able to get all the traffic, or you can use managed switches which have the monitor capability (port mapping) on some ports.

Here's a ref.

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch
0
 
leblanc (Accounting, Author) Commented:
I can see all other traffic. I did a capture for 10 minutes.
Also, looking at the conversation stats, it says that I have 89% of TCP traffic, but when I expand the tree to see what type of TCP, it did not add up to 89%. I am not sure I understand why. Thx
0
 
José Méndez Commented:
Bobon, did you follow my steps to find the UDP traffic?
0
 
IMGIDC Commented:
Bobon,

1st - Are you running the very latest version of Wireshark? If not, try to use the latest version. (Check whether it's working or not.)

2nd - See if there are any other filters or your own filters in place. Remove all filters and capture for some time without any filters. (Check whether it's working or not.)

3rd - Try to replace the switch with a hub for some time (15 min.) to capture traffic. (Check whether it's working or not.)

4th - Check whether your phones (and controllers) are running on standard VoIP protocols.
Ex: SIP (port 5060) and SIPS (port 5061). (Check whether it's working or not.)

5th - Try to filter traffic based on protocol (ex: sip/sips). (Check whether it's working or not.)
0
 
leblanc (Accounting, Author) Commented:
willlywilburwonka

I tried your recommendation and I see RTP traffic. I filtered on UDP and I decoded UDP (port 32158 to 19386) traffic to RTP. What does it mean when I decode UDP to RTP?
When I filtered SIP, I did not see anything. I guess I am not using SIP. Correct?
0
 
José Méndez Commented:
When you decode UDP traffic as RTP, it means that Wireshark will dissect that traffic as audio and will give you some other options. For example, you can do stream analysis from WS itself, and even reconstruct the packets to obtain an audio file that you can play on your PC:

https://supportforums.cisco.com/discussion/11517891/how-save-rtp-streams-wireshark-and-play-it-using-application-called-audacity

If nothing shows up when you filter by sip, then yes, there are no SIP messages in the capture. Can you upload a sample sniffer trace? Also, what type of VOIP system are we talking about?
0
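
Added example, not part of the original thread: a Python sketch of what dissecting a UDP payload as RTP involves, reading the 12-byte fixed header and checking that a flow behaves like one RTP stream. The function names, the `max_gap` threshold and the sample packets are assumptions constructed for illustration; this is not Wireshark's own heuristic.

```python
import struct

def parse_rtp_header(payload: bytes):
    """Return the RTP fixed-header fields, or None if this cannot be RTP v2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                      # top two bits carry the RTP version
        return None
    header_len = 12 + 4 * (b0 & 0x0F)     # each CSRC entry adds 4 bytes
    if len(payload) < header_len:
        return None
    return {"payload_type": b1 & 0x7F, "marker": bool(b1 >> 7), "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "header_len": header_len}

def looks_like_rtp(payloads, min_packets=3, max_gap=5):
    """Heuristic over one UDP flow (same address/port pair, capture order).

    Every packet must parse, keep one SSRC and payload type, and advance the
    16-bit sequence number by 1..max_gap (modulo 65536, tolerating small loss).
    """
    headers = [parse_rtp_header(p) for p in payloads]
    if len(headers) < min_packets or any(h is None for h in headers):
        return False
    first = headers[0]
    for prev, cur in zip(headers, headers[1:]):
        if (cur["ssrc"], cur["payload_type"]) != (first["ssrc"], first["payload_type"]):
            return False
        step = (cur["seq"] - prev["seq"]) & 0xFFFF
        if not 1 <= step <= max_gap:
            return False
    return True

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0, audio=b"\xff" * 160):
    """Build a constructed RTP packet: version 2, no padding/extension/CSRC."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + audio

# Constructed sample flow: payload type 0 (G.711 u-law), 160 samples per
# packet, sequence numbers wrapping past 65535.
RTP_FLOW = [make_rtp((65534 + i) & 0xFFFF, 160 * i) for i in range(5)]
# Constructed non-RTP UDP payloads (first byte does not carry version 2).
OTHER_FLOW = [b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www"] * 5

if __name__ == "__main__":
    print("RTP flow:", looks_like_rtp(RTP_FLOW))
    print("other flow:", looks_like_rtp(OTHER_FLOW))
```

RTP has no fixed port, so without the call signaling that negotiated the ports a dissector has only checks like these to go on, which is why the traffic appears as plain UDP until it is decoded as RTP.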
 
leblanc (Accounting, Author) Commented:
I am fairly new to this VoIP system. But from my understanding, this network has all Cisco gear. The Call Manager is Linux but it is a Cisco Call Manager. Unfortunately, I cannot share the Wireshark trace. It is a management decision. If it is not SIP, then it should be SCCP. I don't think it is H223. Is there anywhere I can look?
What I want to investigate is how long it takes for the phone to communicate with the call manager before it can make the connection with the other phone. Thanks
0
 
José Méndez Commented:
This is what you want in order to sniff call signaling:

https://supportforums.cisco.com/docs/DOC-11599
0
 
leblanc (Accounting, Author) Commented:
How do I find out which VoIP signaling protocol I am using with Wireshark? I know that it is not SIP.
0
 
José Méndez Commented:
If you are using SCCP phones, try typing "skinny". If you type sccp, then Wireshark will understand a different protocol.
0
 
leblanc (Accounting, Author) Commented:
You sure know VoIP.
So if I have a source as cisco-sccp and destination as 52325, then it means that the source is the CM and the port 52325 is the phone. Correct?
Is there a way to see the traffic flow for one conversation from the setup time to the tear down of the call?

Also I was trying to use the Telephony feature in Wireshark 1.8.3. But it does not work. I was trying to look at the VoIP Calls option and I did not get anything.

Thanks
0
 
José Méndez Commented:
Could you please let me know where we are at so far?? Were you able to find SCCP traffic in that capture? Were you able to run the capture within the Callmanager itself?
0
 
leblanc (Accounting, Author) Commented:
Yes, I see SCCP traffic. No, I was not able to do the capture within the CM as it is managed by a 3rd vendor. I have to contact them. Thanks
0
 
José Méndez Commented:
You are welcome. Was the original question fully answered?
0