When a business VoIP network starts misbehaving, the root cause can be very hard to trace. Voice quality problems in particular are among the most important VoIP issues and also among the hardest to locate. Packet analysis tools are a great help here: going down to the packet level of the network communication reveals the cause of many problems, and Network and VoIP Engineers rely on a number of such tools to rectify VoIP QoS issues. Some of the most common problems that can be resolved with a packet sniffer or packet analysis tool are:
- Voice quality issues
- False Answer Supervision (FAS) and early media related issues
- Intermittent call failures
- VoIP interconnection issues
- Protocol and codec mismatch issues
- Identification of malicious network activity
- Identification of bandwidth utilization
Some of the most widely used packet sniffing and analysis tools are Wireshark, OmniPeek, Snort, tcpdump, and snoop. tcpdump and snoop (the latter on Solaris) are command-line packet sniffers for Unix/Linux machines; they date from before GUI analyzers existed and are still the usual way to capture on a headless server. tshark (formerly called tethereal) is the command-line version of Wireshark and is available on most Unix/Linux machines. In this series we will use Wireshark and show how it can be used to identify and resolve issues occurring on a PBX or VoIP Softswitch platform.
Wireshark is an open source network analysis and packet sniffing tool, developed by a very large community of contributors. By some estimates it contains 2.4 million lines of code, which would put its development cost at around $94 million. Wireshark can be used for a variety of purposes: capturing packets on all physical and virtual interfaces of a system, following UDP, TCP and SSL/TLS streams, and capturing and analysing FTP, HTTP and HTTPS traffic, among others. One caveat: HTTPS and any other TLS-protected traffic can only be decoded if the session keys or the server's private key are supplied to Wireshark; otherwise only the TLS handshake and record sizes are visible.
From an OSI-layer perspective, Wireshark gives us packet-level details at, among others, the following layers:
- Application: HTTP, SMTP, FTP, Telnet
- Presentation: ASCII, MPEG, JPEG, MIDI
- Session: NetBIOS, SAP, SDP, NWLink
- Transport: TCP, UDP, SPX
All of the widely used protocols in VoIP telephony can be analysed with the help of Wireshark, including:
- GSM, H.225, IAX2, SIP, LTE, RTP, SRTP, SCTP, H.323
Note that for SRTP Wireshark can identify and count the stream, but the payload is encrypted, so the audio cannot be decoded or played back without the SRTP keys.
We can also use Wireshark to draw VoIP call flows and I/O graphs for a better representation and visualisation of the communication between different nodes (Telephony > VoIP Calls > Flow Sequence for the call ladder, and Telephony > RTP > RTP Streams for per-stream packet loss and jitter). These call flows are helpful for finding the problematic network nodes, IP subnets and codecs. A sample VoIP call flow looks like this:
Most VoIP companies have direct access to their core servers and can take packet traces there, usually called SIP traces, whenever an issue cannot be resolved simply by tweaking the configuration in the PBX/Softswitch GUI. Companies that use a hosted PBX solution can instead ask their service provider for the SIP traces, which their Engineering staff can then analyse to trace the problem. Many companies also install dedicated servers during their VoIP network deployment to capture signalling logs. These records are very helpful for network audits, security and the identification of QoS problems.
I will end part one of this series with some great words from Chris Sanders, one of the leading information security experts from Mandiant:
All network problems stem from the packet level, where even the prettiest looking applications can reveal their horrible implementations, and seemingly trustworthy protocols can prove malicious. To better understand network problems, we go to the packet level. Here, nothing is hidden from us—nothing is obscured by misleading menu structures, eye-catching graphics, or untrustworthy employees. At this level, there are no true secrets (only encrypted ones). The more we can do at the packet level, the more we can control our network and solve problems. This is the world of packet analysis.
Since we are working in the world of VoIP, we need to know about the protocols that make this communication possible.
SIP is one of the fundamental building blocks of modern VoIP communication; it is used not only for voice calls but also to establish multimedia sessions, instant messaging and some gaming sessions. Suppose we have two SIP devices, Alice and Bob. When Alice initiates a SIP call, an INVITE request is sent to Bob; in return Bob replies with 100 Trying and/or 180 Ringing. The numbers (100, 180, etc.) are SIP response codes, also called status codes, not SIP methods: the methods are the request types such as INVITE, ACK and BYE, while 1xx responses are provisional and convey informational messages about the status of a particular call. Be aware that the 100 Trying is frequently generated by an intermediate proxy rather than by Bob's phone, so seeing it in a trace does not prove that the far end received the INVITE. After the 1xx provisional responses, Bob sends a 200 OK, which Alice confirms with an ACK; this completes the three-way handshake, and the RTP stream flows from that instant using the IP addresses, ports and codecs negotiated in the SDP bodies of the INVITE and the 200 OK. A particular SIP call is ended when either party sends a BYE request; the other side answers it with a 200 OK, the dialog is finished and the RTP session is dropped.
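The ladder diagram Wireshark draws for a call, and the INVITE/1xx/200/ACK/BYE exchange just described, can be reproduced from the SIP messages alone. The following is an added example written for this article, not code from the original page or from Wireshark: it takes a constructed SIP trace between Alice and Bob (the Call-ID, ports and codec lists are made up), classifies each start line as a request (method) or a response (status code), follows the dialog through its states, and pulls the offered and answered codecs out of the SDP bodies so that a codec mismatch can be flagged.

```python
"""Minimal SIP dialog tracker: tells SIP methods apart from response codes,
follows one INVITE dialog to its BYE, and extracts the negotiated codecs."""
import re

# Constructed sample trace (not captured from a real system): Alice calls Bob,
# Bob rings, answers with PCMU only, and Alice later hangs up.
SAMPLE_TRACE = [
    ("alice->bob", "INVITE sip:bob@example.com SIP/2.0\r\n"
     "Call-ID: abc123@alice\r\nCSeq: 1 INVITE\r\n"
     "Content-Type: application/sdp\r\n\r\n"
     "v=0\r\nm=audio 49170 RTP/AVP 0 8 18\r\n"
     "a=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:18 G729/8000\r\n"),
    ("bob->alice", "SIP/2.0 100 Trying\r\nCall-ID: abc123@alice\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("bob->alice", "SIP/2.0 180 Ringing\r\nCall-ID: abc123@alice\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("bob->alice", "SIP/2.0 200 OK\r\nCall-ID: abc123@alice\r\nCSeq: 1 INVITE\r\n"
     "Content-Type: application/sdp\r\n\r\n"
     "v=0\r\nm=audio 3456 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"),
    ("alice->bob", "ACK sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@alice\r\nCSeq: 1 ACK\r\n\r\n"),
    ("alice->bob", "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@alice\r\nCSeq: 2 BYE\r\n\r\n"),
    ("bob->alice", "SIP/2.0 200 OK\r\nCall-ID: abc123@alice\r\nCSeq: 2 BYE\r\n\r\n"),
]


def parse_message(raw):
    """Split a SIP message into start line, headers and body.
    A start line beginning with 'SIP/2.0' is a response carrying a status
    code; anything else is a request whose first token is the method."""
    raw = raw.replace("\r\n", "\n")          # tolerate bare LF as well as CRLF
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason)
    else:
        method, uri, _ = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    # CSeq ties a response back to the request it answers (INVITE vs BYE)
    _, _, msg["cseq_method"] = headers.get("cseq", "").partition(" ")
    return msg


def sdp_codecs(body):
    """Return the codec names listed on the first audio m= line of an SDP body."""
    body = body.replace("\r\n", "\n")
    m = re.search(r"^m=audio \d+ RTP/AVP ([\d ]+)$", body, re.M)
    if not m:
        return []
    names = dict(re.findall(r"^a=rtpmap:(\d+) ([^/\n]+)", body, re.M))
    return [names.get(pt, f"PT{pt}") for pt in m.group(1).split()]


def track_dialog(trace):
    """Walk a trace of (direction, raw_message) pairs, producing a text ladder
    of events and the final state of the single dialog they belong to."""
    state, offer, answer, events = "idle", None, None, []
    for direction, raw in trace:
        msg = parse_message(raw)
        if msg["kind"] == "request":
            label = msg["method"]
            if msg["method"] == "INVITE":
                state, offer = "inviting", sdp_codecs(msg["body"])
            elif msg["method"] == "ACK" and state == "answered":
                state = "established"      # handshake complete, RTP may flow
            elif msg["method"] == "BYE":
                state = "terminating"
        else:
            label = f"{msg['status']} {msg['reason']}"
            if msg["cseq_method"] == "INVITE":
                if 100 <= msg["status"] < 200:
                    state = "early"        # provisional: trying / ringing / early media
                elif 200 <= msg["status"] < 300:
                    state, answer = "answered", sdp_codecs(msg["body"])
                else:
                    state = "failed"       # 3xx-6xx: call was not set up
            elif msg["cseq_method"] == "BYE" and 200 <= msg["status"] < 300:
                state = "terminated"       # RTP session is dropped here
        events.append(f"{direction:12} {label:14} -> {state}")
    return {"state": state, "offer": offer, "answer": answer, "events": events}


def codec_mismatch(offer, answer):
    """True if the answer selects a codec the offer never proposed."""
    return any(c not in offer for c in answer)


if __name__ == "__main__":
    result = track_dialog(SAMPLE_TRACE)
    print("\n".join(result["events"]))
    print("final state:", result["state"], "| negotiated:", result["answer"])
```

The same classification is what Wireshark's VoIP Calls window performs for you: requests are grouped by Call-ID, responses are matched to their request through CSeq, and the SDP of the INVITE and its 200 OK determines which RTP streams belong to the call. Running the tracker over a trace that ends in a 4xx/5xx to the INVITE, or whose answer names a codec absent from the offer, pinpoints the intermittent failures and codec mismatches listed at the top of the article.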
We have put together an easy-to-follow 4-page step-by-step PDF on Exploring the SIP building blocks.