SHARKFEST '08 | Foothill College | March 31 - April 2, 2008
Exposing VoIP problems with Wireshark
April 2, 2008
Sean Walberg
Network Guy | Canwest
Voice is just another application
Without tools, VoIP is a black box
Wireshark has tools to analyze VoIP
The Agenda
1. Capturing VoIP traffic
2. Using the basic Wireshark tools
3. Digging into the signaling traffic
4. Analyzing the RTP traffic
About you
About me
1. Capture the VoIP traffic
Location, Location, Location
Just a simple network
The signaling traffic takes a different path from the RTP traffic
Voice
Signaling
Or, it might do this
Voice
Signaling
Same conversation, different perspectives
Here you see B – A jitter, but not A - B
Here you see A – B jitter, but not B - A
NAT changes the address
Src=A Dst=B
Src=C Dst=D
The address changes within the cloud!
Set your capture filters
By the way…
If the signaling or the voice is encrypted, you won’t be able to decode it.
Sorry.
2. Use the basic tools
The Packet List window
Summaries are displayed here
Quality of Service for VoIP networks
Add a column for DSCP
Insert -> Preferences -> User Interface -> Columns
Signaling
Tagged RTP
Untagged RTP
Use color to show QoS problems
View -> Coloring Rules
Are you running a proprietary PBX?
Edit -> Properties, Protocols -> RTP
Use the Packet Details pane to see what’s inside the packet
3. Dig into the signaling traffic
Signaling protocols
SIP (from the IETF)
H.323 (from the ITU)
MGCP
IAX
SS7 (Telco)
GSM (Telco/Cell)
SCCP (Cisco Skinny)
Vendor specific
The role of signaling
Indicate to the remote end that a call is coming
Establish the codec to be used for voice
Establish the addresses of the endpoints
Get out of the way
Tear down the connection once it’s done
The 10,000 foot view of SIP
Statistics -> SIP
Demo – VoIP Call Statistics
4. Analyze the RTP traffic
The properties of RTP
RTP simulates the real time voice normally carried over a wire
4KHz voice bandwidth = 8KHz sampling rate (Nyquist)
8 bits/sample * 8KHz = 64,000bps (DS0)
A Codec (G.711u/A law, G.729, G.726, etc)
Most codecs use 20ms voice samples = 50pps
Even with compression, you have a fairly consistent packet rate, only the size changes
Three factors that affect voice quality
Latency <= 150ms (one way)
Jitter <= 20ms
Packet loss <= 0.1%
Latency <= 150ms (one way)
Hi, how are you? Hello? Oops, sorry, go ahead Fine, I oh hello, go ahead
Path delay
Serialization delay
Jitter buffer, Transcoding delay
Packet Loss <= 0.1%
Hi Bo *POP* How *POP*e you?
Hi Bo How you?
Jitter <= 20ms
Better late than never? No.
Demo – RTP Statistics
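The jitter and loss targets above can be checked by hand from the RTP sequence numbers, RTP timestamps and arrival times of one direction of a call. The following is an added example, not code from the talk: it uses the interarrival jitter estimator from RFC 3550 section 6.4.1, and the function names and sample streams are constructed for illustration.

```python
# Added example (not from the talk): jitter and loss for one direction of an
# RTP stream, judged against the slide targets (jitter <= 20 ms, loss <= 0.1%).
CLOCK_HZ = 8000        # 8 kHz sampling clock, as on the slides
PTIME_S = 0.020        # 20 ms of voice per packet = 50 pps

def analyze(packets, clock_hz=CLOCK_HZ):
    """packets: non-empty list of (arrival_seconds, rtp_seq, rtp_timestamp), in arrival order."""
    jitter = peak = 0.0
    prev = highest = None
    seen = set()                          # extended sequence numbers received
    for arrival, seq, ts in packets:
        if highest is None:
            ext = highest = seq
        else:
            # Extend the 16-bit sequence number across wraparound and reordering.
            step = (seq - highest) & 0xFFFF
            ext = highest + step if step < 0x8000 else highest + step - 0x10000
            highest = max(highest, ext)
        seen.add(ext)                     # a set ignores duplicated packets
        if prev is not None:
            # RFC 3550 6.4.1: D = arrival spacing minus RTP timestamp spacing.
            ts_step = ((ts - prev[1] + 2**31) % 2**32) - 2**31   # signed, wrap-safe
            d = abs((arrival - prev[0]) - ts_step / clock_hz)
            jitter += (d - jitter) / 16.0                        # smoothed estimate
            peak = max(peak, jitter)
        prev = (arrival, ts)
    expected = highest - min(seen) + 1
    lost = expected - len(seen)
    loss_pct = 100.0 * lost / expected
    return {"jitter_ms": jitter * 1000, "peak_jitter_ms": peak * 1000,
            "expected": expected, "lost": lost, "loss_pct": loss_pct,
            "jitter_ok": peak * 1000 <= 20.0, "loss_ok": loss_pct <= 0.1}

def constructed_stream(n=200, first_seq=65500, drop=(), burst=1):
    """Constructed sample: n packets sent 20 ms apart; `drop` lists lost indexes;
    burst > 1 queues packets and releases them `burst` at a time."""
    out = []
    for i in range(n):
        if i in drop:
            continue
        release = (i // burst) * burst + burst - 1   # send slot that frees the queue
        out.append((release * PTIME_S, (first_seq + i) & 0xFFFF, i * 160))
    return out

if __name__ == "__main__":
    for name, pkts in [("clean", constructed_stream()),
                       ("one lost", constructed_stream(drop={100})),
                       ("bursty", constructed_stream(burst=4))]:
        print(name, analyze(pkts))
```

In the constructed streams, a single lost packet out of 200 already gives 0.5% loss with no jitter at all, while queueing packets four at a time loses nothing but pushes jitter to roughly 30 ms.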
Optional – IO Statistics
Optional – Other things you can do to monitor VoIP
That’s it!
Links related to this talk:
http://del.icio.us/seanw/sharkfest08