Solved

VoIP traffic

Posted on 2014-03-17
18
Medium Priority
469 Views
Last Modified: 2014-04-07
I have VoIP phones on my network and I have site-to-site VPN connection between my 3 sites. I am using Wireshark to sniff for my voice traffic. I have my Wireshark on the switch behind the firewall. I don't understand why I do not see any VoIP traffic with RTP. Any inputs will be greatly appreciated. Thx
0
Question by:leblanc
18 Comments
 
LVL 20

Accepted Solution

by:
José Méndez earned 2000 total points
ID: 39935914
You are probably seeing it as UDP traffic, but if you right-click on it (after identifying it by source and destination IPs) and click on Decode As => RTP, your Wireshark will dissect the packets the way you expect it to.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39935927
I see. How do I get the call signaling traffic from Wireshark? Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39935948
Assuming it's SIP signaling, you can filter it like this:

sip and (ip.addr eq 1.1.1.1 and ip.addr eq 2.2.2.2)

Replace the IP addresses with the addresses of the devices you are tracing. Also, you could just put sip into the filter field. Then click on the Find icon (the one that looks like a magnifying glass), choose to look up Strings, and search for the called/calling numbers involved in a specific call.
0
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39936185
You didn't mention whether you can see any other traffic!

On the particular switch port connected to the Wireshark machine, did you enable monitor mode on that port (if it's a manageable switch)?

If the switch is not manageable, replace the switch with a hub.
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39936705
Many reasons could affect traffic capturing with Wireshark. It might be that you're running an old WinPcap version on Windows 2012/Windows 8, and if so you need to install the latest version of Wireshark.

You will also need to make sure that you select the right NIC card. And you need to use a hub, not a switch, to be able to get all the traffic, or you can use managed switches which have the monitor capability (port mirroring) on some ports.

Here's a ref.

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch
0
 
LVL 1

Author Comment

by:leblanc
ID: 39937683
I can see all other traffic. I did a capture for 10 minutes.
Also, looking at the conversation stats, it says that I have 89% TCP traffic, but when I expand the tree to see what type of TCP, it does not add up to 89%. I am not sure I understand why. Thx
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39938206
Bobon did you follow my steps to find the UDP traffic?
0
 
LVL 2

Expert Comment

by:IMGIDC
ID: 39938876
Bobon,

1st - Are you running the very latest version of Wireshark? If not, try to use the latest version. (Check whether it's working or not.)

2nd - See if there are any other filters or your own filters in place. Remove all filters and capture for some time without any filters. (Check whether it's working or not.)

3rd - Try to replace the switch with a HUB for some time (15 min.) to capture traffic. (Check whether it's working or not.)

4th - Check whether your phones (and controllers) are running on standard VoIP protocols.
ex: SIP (port 5060) and SIPS (port 5061). (Check whether it's working or not.)

5th - Try to filter traffic based on protocol (ex: sip/sips). (Check whether it's working or not.)
0
 
LVL 1

Author Comment

by:leblanc
ID: 39948881
willlywilburwonka

I tried your recommendation and I see RTP traffic. I filtered on UDP and I decoded the UDP (port 32158 to 19386) traffic as RTP. What does it mean when I decode UDP as RTP?
When I filtered on SIP, I did not see anything. I guess I am not using SIP. Correct?
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 2000 total points
ID: 39949188
When you decode UDP traffic as RTP, it means that Wireshark will dissect that traffic as audio and will give you some other options; for example, you can do stream analysis from WS itself, and even reconstruct the packets to obtain an audio file that you can play on your PC:

https://supportforums.cisco.com/discussion/11517891/how-save-rtp-streams-wireshark-and-play-it-using-application-called-audacity

If nothing shows up when you filter by sip, then yes, there are no SIP messages in the capture. Can you upload a sample sniffer trace? Also, what type of VoIP system are we talking about?
0
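As an added illustration (not code from the thread or from Wireshark), this is roughly what "Decode As RTP" relies on: a UDP payload whose first byte carries RTP version 2 and whose header fields parse cleanly, plus the sequence-gap count that stream analysis reports. The packets and the non-RTP payload are constructed samples; the SSRC and port-free layout are assumptions for the demo.

```python
import struct
from dataclasses import dataclass


@dataclass
class RtpHeader:
    version: int
    padding: bool
    extension: bool
    csrc_count: int
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int


def parse_rtp(payload: bytes):
    """Parse the fixed 12-byte RTP header (RFC 3550); return None if it cannot be RTP."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    version, cc = b0 >> 6, b0 & 0x0F
    if version != 2 or len(payload) < 12 + 4 * cc:  # CSRC list must fit
        return None
    return RtpHeader(version, bool(b0 & 0x20), bool(b0 & 0x10), cc,
                     bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)


def looks_like_rtp(payload: bytes) -> bool:
    """Heuristic used on bare UDP: version 2 and a payload type outside 72-76 (reserved so RTP never collides with RTCP)."""
    hdr = parse_rtp(payload)
    return hdr is not None and not 72 <= hdr.payload_type <= 76


def analyze_stream(payloads):
    """Minimal stream analysis: packets seen, distinct SSRCs, and packets lost according to sequence gaps."""
    seqs, ssrcs = [], set()
    for p in payloads:
        hdr = parse_rtp(p)
        if hdr is not None:
            ssrcs.add(hdr.ssrc)
            seqs.append(hdr.sequence)
    if not seqs:
        return None
    expected = seqs[-1] - seqs[0] + 1  # ignores 16-bit sequence wraparound for brevity
    return {"ssrc_count": len(ssrcs), "packets": len(seqs), "lost": expected - len(seqs)}


def rtp_packet(seq, ts, pt=0, ssrc=0xDEADBEEF):
    """Constructed G.711 PCMU packet (payload type 0) with 160 bytes of dummy audio."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\xff" * 160


SAMPLE_STREAM = [rtp_packet(1234 + i, 1000 + 160 * i) for i in (0, 1, 2, 4)]  # seq 1237 is missing
NOT_RTP = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed DNS-like header: version bits are 0
```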
 
LVL 1

Author Comment

by:leblanc
ID: 39949278
I am fairly new to this VoIP system. But from my understanding, this network has all Cisco gear. The Call Manager is Linux, but it is a Cisco Call Manager. Unfortunately, I cannot share the Wireshark trace. It is a management decision. If it is not SIP, then it should be SCCP. I don't think it is H223. Is there anywhere I can look?
What I want to investigate is how long it takes for the phone to communicate with the call manager before it can make the connection with the other phone. Thanks
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 2000 total points
ID: 39949281
This is what you want in order to sniff call signaling:

https://supportforums.cisco.com/docs/DOC-11599
0
 
LVL 1

Author Comment

by:leblanc
ID: 39949309
How do I find out which VoIP signaling protocol I am using with Wireshark? I know that it is not SIP
0
 
LVL 20

Assisted Solution

by:José Méndez
José Méndez earned 2000 total points
ID: 39949325
If you are using SCCP phones, try typing "skinny"; if you type sccp then Wireshark will understand a different protocol.
0
 
LVL 1

Author Comment

by:leblanc
ID: 39949394
You sure know VoIP.
So if I have a source as cisco-sccp and destination as 52325, then it means that the source is the CM and the port 52325 is the phone. Correct?
Is there a way to see the traffic flow for one conversation from the setup time to the tear down of the call?

Also I was trying to use the Telephony feature in Wireshark 1.8.3. But it does not work. I was trying to look at the VoIP Calls option and I did not get anything.

Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39950249
Could you please let me know where we are at so far? Were you able to find SCCP traffic in that capture? Were you able to run the capture within the Callmanager itself?
0
 
LVL 1

Author Comment

by:leblanc
ID: 39951060
Yes, I see SCCP traffic. No, I was not able to do the capture within the CM as it is managed by a 3rd-party vendor. I have to contact them. Thanks
0
 
LVL 20

Expert Comment

by:José Méndez
ID: 39951090
You are welcome. Was the original question fully answered?
0
