SHARKFEST '08 | Foothill College | March 31 - April 2, 2008

Exposing VoIP problems with WiresharkApril 2, 2008

Sean WalbergNetwork Guy | Canwest

SHARKFEST '08Foothill CollegeMarch 31 - April 2, 2008

Voice is just another application

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008

Without tools, VoIP is a black box

Wireshark has tools to analyze VoIP

The Agenda

1. Capturing VoIP traffic

2. Using the basic Wireshark tools

3. Digging into the signaling traffic

4. Analyzing the RTP traffic

About you

About me

1. Capture the VoIP

traffic

Location, Location, Location

Just a simple network

The signaling traffic takes a different path from the RTP traffic

Voice

Signaling

Or, it might do this

Voice

Signaling

Same conversation, different perspectives

Here you see B – A jitter, but not A - B

Here you see A – B jitter, but not B - A

NAT changes the address

Src=ADst=B

Src=CDst=D

The address changeswithin the cloud!

Set your capture filters

By the way…

If the signaling or the voice is encrypted, you won’t be able to decode it.

Sorry.

2. Use the basic tools

The Packet List window

Summaries are displayed here

Quality of Service for VoIP networks

Add a column for DSCP

Insert -> Preferences User Interface->Columns

Signaling

Tagged RTP

UntaggedRTP

Use color to show QoS problems

View -> Coloring Rules

Are you running a proprietary PBX?

Edit -> Properties, Protocols -> RTP

Use the Packet Details pane to see what’s inside the packet

3. Dig into the

signaling traffic

Signaling protocols

SIP (from the IETF) H.323 (from the ITU) MGCP IAX SS7 (Telco) GSM (Telco/Cell) SCCP (Cisco Skinny) Vendor specific

The role of signaling

Indicate to the remote end that a call is coming Establish the codec to be used for voice Establish the addresses of the endpoints Get out of the way Tear down the connection once it’s done

The 10,000 foot view of SIP

Statistics -> SIP

Demo – VoIP Call Statistics

4. Analyze the RTP

traffic

The properties of RTP

RTP simulates the real time voice normally carried over a wire

4KHz voice bandwidth = 8KHz sampling rate (Nyquist) 8 bits/sample * 8KHz = 64,000bps (DS0)

A Codec (G.711u/A law, G.729, G.726, etc) Most codecs use 20ms voice samples = 50pps Even with compression, you have a fairly consistent

packet rate, only the size changes

Three factors that affect voice quality

Latency <= 150ms (one way)

Jitter <= 20ms

Packet loss <= 0.1%

Latency <= 150ms (one way)

Hi, how are you? Hello? Oops, sorry, go ahead Fine, I oh hello, go ahead

Path delay

Serializationdelay

Jitter buffer,Transcodingdelay

Packet Loss <= 0.1%

Hi Bo *POP* How *POP*e you?Hi Bo How you?

Jitter <= 20ms

Better late than never? No.

Demo – RTP Statistics

Optional – IO Statistics

Optional – Other things you can do to monitor VoIP

That’s it!

I’m sean@ertw.com

Links related to this talk:

http://del.icio.us/seanw/sharkfest08

I’m sean@ertw.com

Links related to this talk:

http://del.icio.us/seanw/sharkfest08