Solved

VoIP traffic

Posted on 2014-03-17
18
454 Views
Last Modified: 2014-04-07
I have VoIP phones on my network and I have site-to-site VPN connection between my 3 sites. I am using Wireshark to sniff for my voice traffic. I have my Wireshark on the switch behind the firewall. I don't understand why I do not see any VoIP traffic with RTP. Any inputs will be greatly appreciated. Thx
0
Question by:leblanc
18 Comments
 
LVL 20

Accepted Solution

by:
José Méndez earned 500 total points
ID: 39935914
You are probably seeing it as UDP traffic, but if you right-click on it (after identifying it by source and destination IPs) and click Decode As => RTP, your Wireshark will dissect the packets the way you expect it to.
0
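What "Decode As" actually changes, as an added example for this page (not code from the thread, from Cisco or from Wireshark): RTP has no well-known port and nothing in the UDP header says "this is audio", so Wireshark only dissects a flow as RTP once it is told the port, or when its disabled-by-default rtp_udp heuristic is switched on. The Python below applies a comparable heuristic to constructed UDP payloads: parse the 12-byte RTP fixed header, reject anything that is not version 2 or that looks like RTCP, and group the rest by 5-tuple, SSRC and sequence number. The IPs, SSRCs and the 32158/19386 port pair are assumed values for the sample only.

```python
import struct
from collections import defaultdict

RTP_FIXED_HDR = 12                 # RFC 3550 fixed header: V/P/X/CC, M/PT, seq, timestamp, SSRC
RTCP_CONFLICT_PTS = range(72, 77)  # PT 72-76 would collide with RTCP packet types 200-204

def parse_rtp_header(payload):
    """Parse the RTP fixed header (plus CSRC list / extension) from a UDP payload.
    Returns a dict, or None if the bytes cannot be RTP (wrong version or too short)."""
    if len(payload) < RTP_FIXED_HDR:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", payload)
    if b0 >> 6 != 2:                       # RTP version must be 2
        return None
    cc, has_ext = b0 & 0x0F, (b0 >> 4) & 1
    hdr_len = RTP_FIXED_HDR + 4 * cc       # one 32-bit CSRC per contributing source
    if has_ext:
        if len(payload) < hdr_len + 4:
            return None
        ext_words = struct.unpack_from("!H", payload, hdr_len + 2)[0]
        hdr_len += 4 + 4 * ext_words       # extension header + its 32-bit words
    if len(payload) < hdr_len:
        return None
    return {"payload_type": b1 & 0x7F, "marker": b1 >> 7, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload_len": len(payload) - hdr_len}

def classify_flows(packets):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Groups by UDP 5-tuple and applies a heuristic similar to Wireshark's rtp_udp
    heuristic: every packet must be version 2, not an RTCP look-alike, all must
    share one SSRC, and sequence numbers should run consecutively."""
    flows = defaultdict(lambda: {"packets": 0, "rtp_like": 0, "ssrcs": set(),
                                 "payload_types": set(), "seq_gaps": 0, "_last_seq": None})
    for src, sport, dst, dport, payload in packets:
        f = flows[(src, sport, dst, dport)]
        f["packets"] += 1
        h = parse_rtp_header(payload)
        if h is None or h["payload_type"] in RTCP_CONFLICT_PTS:
            continue
        f["rtp_like"] += 1
        f["ssrcs"].add(h["ssrc"])
        f["payload_types"].add(h["payload_type"])
        if f["_last_seq"] is not None and h["seq"] != (f["_last_seq"] + 1) & 0xFFFF:
            f["seq_gaps"] += 1             # lost or reordered packets show up here
        f["_last_seq"] = h["seq"]
    result = {}
    for flow, f in flows.items():
        if f["rtp_like"] == 0:
            verdict = "not RTP"
        elif f["rtp_like"] == f["packets"] and len(f["ssrcs"]) == 1 and f["packets"] >= 3:
            verdict = "likely RTP"
        else:
            verdict = "inconclusive"
        result[flow] = {k: v for k, v in f.items() if not k.startswith("_")}
        result[flow]["verdict"] = verdict
    return result

def make_rtp(seq, ts, ssrc, pt=0, marker=0, samples=160):
    """Constructed G.711 PCMU-style packet: PT 0, 160 samples per 20 ms frame."""
    b1 = (marker << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xff" * samples

# Constructed sample (assumed addresses): the port pair from the thread (32158 -> 19386)
# carrying five G.711 frames, a DNS-looking datagram, and a return stream missing one packet.
SAMPLE_PACKETS = (
    [("10.1.1.10", 32158, "10.2.2.20", 19386,
      make_rtp(1000 + i, 160 * i, 0xDEADBEEF, marker=int(i == 0))) for i in range(5)]
    + [("10.1.1.10", 54001, "10.0.0.53", 53,
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03www")]
    + [("10.2.2.20", 19386, "10.1.1.10", 32158, make_rtp(s, 160 * s, 0x0BADCAFE)) for s in (10, 11, 13)]
)

if __name__ == "__main__":
    for flow, info in classify_flows(SAMPLE_PACKETS).items():
        print("%s:%d -> %s:%d  %s  packets=%d gaps=%d pt=%s" % (
            flow[0], flow[1], flow[2], flow[3], info["verdict"],
            info["packets"], info["seq_gaps"], sorted(info["payload_types"])))
```

Running it prints one line per flow. Two things to take from it: the phone-to-phone flow is accepted purely on header consistency, which is exactly the assumption you make when you click Decode As, so check the SSRC and payload type look sane before trusting the dissection; and the sequence-number gap in the return stream is the same signal Telephony -> RTP -> Stream Analysis uses to report loss.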
 
LVL 1

Author Comment

by:leblanc
ID: 39935927
I see. How do I get the call signaling traffic from Wireshark? Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39935948
Assuming it's SIP signaling, you can filter it like this:

sip and (ip.addr eq 1.1.1.1 and ip.addr eq 2.2.2.2)

Replace the IP addresses with the addresses of the devices you are tracing. Also, you could just throw sip into the filter field. Then click on the Find icon (the magnifying glass), choose to look up Strings, and search for the called/calling numbers involved in a specific call.
0
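The filter and the string search above, as an added example in Python rather than as Wireshark filters (not code from the thread): it parses a handful of constructed SIP messages with their source and destination addresses, applies the same two-address condition as `sip and (ip.addr eq A and ip.addr eq B)`, finds the Call-ID of every dialog whose From/To mention a number, and then lists that one dialog from INVITE to BYE. The addresses, extensions 1001/2001/3003 and Call-ID values are constructed sample data.

```python
import re

# Request line: "INVITE sip:2001@10.0.0.5 SIP/2.0"   Status line: "SIP/2.0 200 OK"
SIP_REQUEST = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
SIP_STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact",
           "c": "content-type", "l": "content-length"}  # RFC 3261 compact header names

def parse_sip(payload):
    """Return {"kind", "label" (method or status code), "headers"} or None if not SIP."""
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else payload
    lines = [l.rstrip("\r") for l in text.split("\n")]
    m = SIP_REQUEST.match(lines[0])
    if m:
        msg = {"kind": "request", "label": m.group(1), "uri": m.group(2)}
    else:
        m = SIP_STATUS.match(lines[0])
        if not m:
            return None
        msg = {"kind": "response", "label": m.group(1), "reason": m.group(2)}
    headers = {}
    for line in lines[1:]:
        if not line:                       # blank line ends the header section
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    msg["headers"] = headers
    return msg

def filter_sip(packets, ip_a, ip_b):
    """Equivalent of the display filter: sip and (ip.addr eq ip_a and ip.addr eq ip_b)."""
    out = []
    for ts, src, dst, payload in packets:
        msg = parse_sip(payload)
        if msg and {ip_a, ip_b} <= {src, dst}:
            out.append((ts, src, dst, msg))
    return out

def find_calls_by_number(packets, number):
    """Find -> String over From/To: the Call-ID of every dialog involving `number`."""
    ids = set()
    for ts, src, dst, payload in packets:
        msg = parse_sip(payload)
        if msg is None:
            continue
        h = msg["headers"]
        if number in h.get("from", "") or number in h.get("to", ""):
            ids.add(h.get("call-id"))
    return ids

def call_timeline(packets, call_id):
    """Every message of one dialog in time order: setup (INVITE..ACK) to teardown (BYE/200)."""
    rows = []
    for ts, src, dst, payload in sorted(packets, key=lambda p: p[0]):
        msg = parse_sip(payload)
        if msg and msg["headers"].get("call-id") == call_id:
            rows.append((ts, "%s -> %s" % (src, dst), msg["label"]))
    return rows

def make_sip(first_line, frm, to, call_id, cseq, via="SIP/2.0/UDP 10.1.1.10:5060"):
    """Build a constructed SIP message with the headers the functions above look at."""
    return (first_line + "\r\n" + "Via: %s\r\nFrom: %s\r\nTo: %s\r\nCall-ID: %s\r\nCSeq: %s\r\n"
            % (via, frm, to, call_id, cseq) + "Content-Length: 0\r\n\r\n").encode()

# Constructed sample: (timestamp, src_ip, dst_ip, udp_payload). Assumed addresses.
PHONE, CM = "10.1.1.10", "10.0.0.5"
CALL = "a84b4c76e66710@10.1.1.10"
FROM, TO = "<sip:1001@10.0.0.5>;tag=1928301774", "<sip:2001@10.0.0.5>"
TO_TAGGED = TO + ";tag=8321234356"
SAMPLE_PACKETS = [
    (0.000, PHONE, CM, make_sip("INVITE sip:2001@10.0.0.5 SIP/2.0", FROM, TO, CALL, "1 INVITE")),
    (0.012, CM, PHONE, make_sip("SIP/2.0 100 Trying", FROM, TO, CALL, "1 INVITE")),
    (0.020, PHONE, "10.1.1.99", b"GET / HTTP/1.1\r\nHost: 10.1.1.99\r\n\r\n"),      # not SIP
    (1.000, "10.3.3.30", CM, make_sip("REGISTER sip:10.0.0.5 SIP/2.0", "<sip:3003@10.0.0.5>;tag=7",
                                      "<sip:3003@10.0.0.5>", "reg-77@10.3.3.30", "1 REGISTER")),
    (2.310, CM, PHONE, make_sip("SIP/2.0 200 OK", FROM, TO_TAGGED, CALL, "1 INVITE")),
    (2.315, PHONE, CM, make_sip("ACK sip:2001@10.0.0.5 SIP/2.0", FROM, TO_TAGGED, CALL, "1 ACK")),
    (14.250, PHONE, CM, make_sip("BYE sip:2001@10.0.0.5 SIP/2.0", FROM, TO_TAGGED, CALL, "2 BYE")),
    (14.262, CM, PHONE, make_sip("SIP/2.0 200 OK", FROM, TO_TAGGED, CALL, "2 BYE")),
]

if __name__ == "__main__":
    for cid in find_calls_by_number(SAMPLE_PACKETS, "2001"):
        for ts, path, label in call_timeline(SAMPLE_PACKETS, cid):
            print("%8.3f  %-24s %s" % (ts, path, label))
```

The ip.addr condition is "both addresses appear somewhere in the packet", not "A is the source and B the destination", so it catches both directions of the dialog; the Call-ID, not the IP pair, is what ties one call together, which is why the timeline is keyed on it.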
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39936185
You didn't mention whether you can see any other traffic.

On the particular switch port connected to the Wireshark machine, did you enable monitor mode on that port (if it's a manageable switch)?

If the switch is not manageable, replace the switch with a hub.
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39936705
Many reasons could affect traffic capturing with Wireshark. It might be that you're running an old WinPcap version on Windows 2012/Windows 8, and if so you need to install the latest version of Wireshark.

You will also need to make sure that you select the right NIC. And you need to use a hub, not a switch, to be able to get all the traffic, or you can use managed switches which have the monitor capability (port mapping) on some ports.

Here's a reference:

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch
0
 
LVL 1

Author Comment

by:leblanc
ID: 39937683
I can see all other traffic. I did a capture for 10 minutes.
Also, looking at the conversation stats, it says that I have 89% TCP traffic, but when I expand the tree to see what type of TCP, it does not add up to 89%. I am not sure I understand why. Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39938206
Bobon, did you follow my steps to find the UDP traffic?
0
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39938876
Bobon,

1st - Are you running the very latest version of Wireshark? If not, try the latest version. (Check whether it's working or not.)

2nd - See if there are any other filters, or your own filters, in place. Remove all filters and capture for some time without any filters. (Check whether it's working or not.)

3rd - Try replacing the switch with a HUB for some time (15 min.) to capture traffic. (Check whether it's working or not.)

4th - Check whether your phones (and controllers) are running on standard VoIP protocols,
e.g. SIP (port 5060) and SIPS (port 5061). (Check whether it's working or not.)

5th - Try to filter traffic based on protocol (e.g. sip/sips). (Check whether it's working or not.)
0
 
LVL 1

Author Comment

by:leblanc
ID: 39948881
willlywilburwonka

I tried your recommendation and I see RTP traffic. I filtered on UDP and I decoded UDP (port 32158 to 19386) traffic to RTP. What does it mean when I decode UDP to RTP?
When I filtered SIP, I did not see anything. I guess I am not using SIP. Correct?
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949188
When you decode UDP traffic as RTP, it means that Wireshark will dissect that traffic as audio and will give you some other options; for example, you can do stream analysis from WS itself, and even reconstruct the packets to obtain an audio file that you can play on your PC:

https://supportforums.cisco.com/discussion/11517891/how-save-rtp-streams-wireshark-and-play-it-using-application-called-audacity

If nothing shows up when you filter by sip, then yes, there are no SIP messages in the capture. Can you upload a sample sniffer trace? Also, what type of VoIP system are we talking about?
0
 
LVL 1

Author Comment

by:leblanc
ID: 39949278
I am fairly new to this VoIP system. But from my understanding, this network has all Cisco gear. The Call Manager is Linux, but it is a Cisco Call Manager. Unfortunately, I cannot share the Wireshark trace. It is a management decision. If it is not SIP, then it should be SCCP. I don't think it is H223. Is there anywhere I can look?
What I want to investigate is how long it takes for the phone to communicate with the call manager before it can make the connection with the other phone. Thanks
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949281
This is what you want in order to sniff call signaling:

https://supportforums.cisco.com/docs/DOC-11599
0
 
LVL 1

Author Comment

by:leblanc
ID: 39949309
How do I find out which VoIP signaling protocol I am using with Wireshark? I know that it is not SIP
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 500 total points
ID: 39949325
If you are using SCCP phones, try typing "skinny"; if you type sccp, then Wireshark will understand a different protocol.
0
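For Skinny, an added example (not from the thread, and not Cisco's or Wireshark's code) that shows what the skinny dissector does with each TCP/2000 segment and bears on the other questions in this thread: which side is the Call Manager, and how long a phone talks to it before the media starts. Skinny messages start with a 12-byte little-endian header (data length, header version, message ID), and several messages are often coalesced in one TCP segment, so the parser walks the segment until it runs out. The side on TCP port 2000 (which Wireshark labels cisco-sccp) is the Call Manager; the other side is the phone. The message-ID names are the ones Wireshark's skinny dissector uses for a small subset; the StartMediaTransmission field layout (conference ID, pass-through party ID, remote IP, remote port) is the header-version-0 layout, and the other message bodies in the sample are simplified placeholders, not real phone output. Addresses, ports, digits and timings are constructed.

```python
import socket
import struct
from collections import defaultdict

SCCP_PORT = 2000                  # Call Manager side; Wireshark shows it as "cisco-sccp"
SCCP_HDR = struct.Struct("<III")  # data length, header version, message ID (little-endian)

# Small subset of message IDs, named as in Wireshark's skinny dissector.
SCCP_NAMES = {
    0x0000: "KeepAlive", 0x0001: "Register", 0x0003: "KeypadButton",
    0x0006: "OffHook", 0x0007: "OnHook", 0x0081: "RegisterAck",
    0x0082: "StartTone", 0x0083: "StopTone",
    0x008A: "StartMediaTransmission", 0x008B: "StopMediaTransmission",
    0x0100: "KeepAliveAck", 0x0105: "OpenReceiveChannel", 0x0106: "CloseReceiveChannel",
}
KEYPAD = {**{i: str(i) for i in range(10)}, 14: "*", 15: "#"}   # KeypadButton codes

def parse_sccp(segment):
    """Split one TCP payload into the Skinny messages it carries. Several are often
    coalesced in one segment; parsing stops at a truncated message."""
    msgs, off = [], 0
    while off + SCCP_HDR.size <= len(segment):
        length, version, msg_id = SCCP_HDR.unpack_from(segment, off)
        end = off + 8 + length                 # length counts message ID + body
        if length < 4 or end > len(segment):   # malformed or cut off by segmentation
            break
        body = segment[off + 12:end]
        msg = {"id": msg_id, "name": SCCP_NAMES.get(msg_id, "0x%04x" % msg_id),
               "version": version, "body": body}
        if msg_id == 0x0003 and len(body) >= 4:
            msg["digit"] = KEYPAD.get(struct.unpack_from("<I", body)[0], "?")
        if msg_id == 0x008A and len(body) >= 16:
            conf, party, ip, port = struct.unpack_from("<II4sI", body)
            msg["remote_rtp"] = (socket.inet_ntoa(ip), port)   # where the phone must send RTP
        msgs.append(msg)
        off = end
    return msgs

def call_setup_timing(packets):
    """packets: (ts, src_ip, src_port, dst_ip, dst_port, tcp_payload) in capture order.
    Per phone: time from OffHook to StartMediaTransmission, the digits dialed and the
    far-end RTP address the Call Manager announced."""
    calls = defaultdict(lambda: {"offhook": None, "digits": "", "media_start": None,
                                 "media_stop": None, "remote_rtp": None})
    for ts, src, sport, dst, dport, payload in packets:
        if SCCP_PORT not in (sport, dport):
            continue
        phone = src if dport == SCCP_PORT else dst     # the non-2000 side is the phone
        c = calls[phone]
        for m in parse_sccp(payload):
            if m["name"] == "OffHook":
                c["offhook"] = ts
            elif m["name"] == "KeypadButton":
                c["digits"] += m.get("digit", "?")
            elif m["name"] == "StartMediaTransmission":
                c["media_start"], c["remote_rtp"] = ts, m.get("remote_rtp")
            elif m["name"] == "StopMediaTransmission":
                c["media_stop"] = ts
    for c in calls.values():
        if c["offhook"] is not None and c["media_start"] is not None:
            c["setup_seconds"] = round(c["media_start"] - c["offhook"], 3)
    return dict(calls)

def make_sccp(msg_id, body=b""):
    """Build a constructed Skinny message: header + body, length = 4 (msg ID) + body."""
    return SCCP_HDR.pack(4 + len(body), 0, msg_id) + body

# Constructed sample (assumed addresses): phone 10.1.1.10:52325 <-> Call Manager 10.0.0.5:2000.
PHONE, CM = "10.1.1.10", "10.0.0.5"
def p2cm(ts, payload): return (ts, PHONE, 52325, CM, SCCP_PORT, payload)
def cm2p(ts, payload): return (ts, CM, SCCP_PORT, PHONE, 52325, payload)
RTP_TARGET = struct.pack("<II4sI", 1, 16777217, socket.inet_aton("10.2.2.20"), 19386)
SAMPLE_PACKETS = [
    p2cm(0.000, make_sccp(0x0000)),                                   # KeepAlive
    cm2p(0.004, make_sccp(0x0100)),                                   # KeepAliveAck
    p2cm(1.000, make_sccp(0x0006)),                                   # OffHook
    cm2p(1.020, make_sccp(0x0082, struct.pack("<I", 33))),            # StartTone (placeholder body)
    p2cm(1.800, make_sccp(0x0003, struct.pack("<I", 2))
                + make_sccp(0x0003, struct.pack("<I", 0))),           # two digits in one segment
    p2cm(2.400, make_sccp(0x0003, struct.pack("<I", 0))),
    p2cm(2.900, make_sccp(0x0003, struct.pack("<I", 1))),
    cm2p(4.210, make_sccp(0x008A, RTP_TARGET)),                       # media to 10.2.2.20:19386
    p2cm(15.000, make_sccp(0x0007)),                                  # OnHook
    cm2p(15.010, make_sccp(0x008B, struct.pack("<II", 1, 16777217))), # StopMediaTransmission
]

if __name__ == "__main__":
    for phone, c in call_setup_timing(SAMPLE_PACKETS).items():
        print("%s dialed %s, media after %.3f s to %s, stopped at %.3f"
              % (phone, c["digits"], c["setup_seconds"], c["remote_rtp"], c["media_stop"]))
```

The StartMediaTransmission message is also the answer to the original question in a capture that contains the signaling: it carries the UDP address and port the phone will send RTP to, which is how a dissector can learn the RTP ports from Skinny instead of being told them with Decode As. The caveat is the TCP side: if the capture starts mid-stream or a segment is missing, the parser above stops at the truncated message rather than guessing, and Wireshark needs TCP reassembly enabled for the same reason.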
 
LVL 1

Author Comment

by:leblanc
ID: 39949394
You sure know VoIP.
So if I have a source as cisco-sccp and a destination as 52325, then it means that the source is the CM and port 52325 is the phone. Correct?
Is there a way to see the traffic flow for one conversation from the setup time to the tear down of the call?

Also I was trying to use the Telephony feature in Wireshark 1.8.3. But it does not work. I was trying to look at the VoIP Calls option and I did not get anything.

Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39950249
Could you please let me know where we are at so far? Were you able to find SCCP traffic in that capture? Were you able to run the capture within the Call Manager itself?
0
 
LVL 1

Author Comment

by:leblanc
ID: 39951060
Yes, I see SCCP traffic. No, I was not able to do the capture within the CM as it is managed by a 3rd-party vendor. I have to contact them. Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39951090
You are welcome. Was the original question fully answered?
0
