 |  |  |  |  |  |  |  |  |
Chappell Seminars
TM
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
| Recent Blog Entries (RSS Feed) |
| [R] Recorded course available - included in All-Access Pass (additional recordings in production) |
| COURSE LIST (View Schedule) |
I always get that tingly excited feeling when I open up new trace files. It's not unlike
Last week I began my slide preparation for an upcoming set of projects related to
VoIP analysis. I find VoIP traffic fascinating - its duality - signaling separate from
voice - its trusting nature - using UDP - its frailty.
This VoIP project came up first in preparation for the VoIP labs for the Summit 09
training event. I wanted to include a lecture portion dealing with SIP and RTP
behavior and point out the cool new organization of telephony-related options in
Wireshark. I wanted to build some hands-on labs to allow students to identify the
likely points on a network that they'd look to isolate problems with the calls. I'm
energized with the process of preparing new lectures, new trace files and new
hands-on exercises for Summit 09.
But Summit 09 had to go on the back burner for a bit... another hand had been
dealt - by Microsoft.
The Microsoft Webinars (Oct 6th and Oct 28th)
I have presented two webinars for Microsoft to date - one wildly popular (where we
pulled in Microsoft's largest registration and attendance counts) and the other
nearly empty (seems the old Microsoft marketing engine had stalled on that one
and we didn't push it because it was open to partners only). If you want to catch
the upcoming Microsoft Partner Training events, check out Session 1 -
Introduction to Response Point/VoIP Troubleshooting with Wireshark which runs
on October 6th and Session 2 - Response Point/VoIP Troubleshooting with
Wireshark which runs on October 28th.
If you want to join me at the Summit 09 event on December 7-9th, check out the
Summit 09 Information Document.
No RTP? A Lousy Deal?!
When I began systematically opening the VoIP files in my folder, I hit the first
stumbling block of VoIP analysis. One of the first trace files I opened up did not
contain the SIP packets for a call setup so Wireshark didn't apply an RTP
dissector to the voice traffic - it just dumped me off at UDP. Hmmm... seems I
have a hand with no runs or matches.
I've talked about the process of "Decode As" in the past for interpreting traffic
traveling over non-standard ports. The same steps are quite common to use with
VoIP traffic. I right clicked on a packet in the trace file and selected Decode As. On
the right side, I chose one of the transport port numbers and selected RTP in the
protocol list. Voila! It's decoded as RTP!
The image below shows the traffic of an RTP stream that Wireshark decodes as
just UDP.
Wireshark didn't see the SIP call setup process and it decodes the voice traffic as
just UDP.
Viewing the RTP Streams
When Wireshark reached version 1.2, the menu bar was revised to include a
Telephony item. Once you force the RTP decode (if required), you can select
Telephony > RTP > Show All Streams.
Wireshark detected two RTP streams in my trace file once I forced the RTP
decode on the traffic.
As you can see from the figure above, Wireshark can now show me the RTP
streams in the trace file - one stream going in each direction. We can also see
that one of the streams has a 2.1% packet loss. Packet loss is ugly in VoIP
communications - when a call experiences serious packet loss, the conversation
quality suffers.
There's an example of a G.711 audio file with 10% packet loss at
VoIPTroubleshooter.com.
Playing the Hand That Was Dealt
Unlike gin or poker, we have to play the hand we were dealt in network analysis.
We can only make the hand stronger by filtering out traffic that is not relevant and
interpreting the possible causes for the packets that remain.
In the area of VoIP analysis, my favorite filter is sip || rtp and my favorite
feature is the RTP playback feature. I like to set the time column to Seconds Since
Previous Displayed Packet and export the trace file to csv format. In Excel I sort on
the source column first, the number column second and then graph out the time
column to show me the variance between packets (the jitter value). I could use
Wireshark's graphing capabilities to give me some of this information, but this is
one of the areas where a formal spreadsheet program really shines.
I exported the trace file to a csv format to graph out a portion of the jitter values.
VoIP at Summit 09
I'm anxious to get back to the Summit 09 preparations - to document all the tips
and tricks of VoIP analysis. I've put together a few lab exercises already, but I'm
keeping my eyes open for new hands to play - if you have any VoIP traces that I
could use in Summit 09, please send them to me (laura@chappellU.com).
Download the Summit Information Guide. All Access Pass members receive a
50% discount to Chappell Summit 09.
Last week I began my slide preparation for an upcoming set of projects related to
VoIP analysis. I find VoIP traffic fascinating - its duality - signaling separate from
voice - its trusting nature - using UDP - its frailty.
This VoIP project came up first in preparation for the VoIP labs for the Summit 09
training event. I wanted to include a lecture portion dealing with SIP and RTP
behavior and point out the cool new organization of telephony-related options in
Wireshark. I wanted to build some hands-on labs to allow students to identify the
likely points on a network that they'd look to isolate problems with the calls. I'm
energized with the process of preparing new lectures, new trace files and new
hands-on exercises for Summit 09.
But Summit 09 had to go on the back burner for a bit... another hand had been
dealt - by Microsoft.
The Microsoft Webinars (Oct 6th and Oct 28th)
I have presented two webinars for Microsoft to date - one wildly popular (where we
pulled in Microsoft's largest registration and attendance counts) and the other
nearly empty (seems the old Microsoft marketing engine had stalled on that one
and we didn't push it because it was open to partners only). If you want to catch
the upcoming Microsoft Partner Training events, check out Session 1 -
Introduction to Response Point/VoIP Troubleshooting with Wireshark which runs
on October 6th and Session 2 - Response Point/VoIP Troubleshooting with
Wireshark which runs on October 28th.
If you want to join me at the Summit 09 event on December 7-9th, check out the
Summit 09 Information Document.
No RTP? A Lousy Deal?!
When I began systematically opening the VoIP files in my folder, I hit the first
stumbling block of VoIP analysis. One of the first trace files I opened up did not
contain the SIP packets for a call setup so Wireshark didn't apply an RTP
dissector to the voice traffic - it just dumped me off at UDP. Hmmm... seems I
have a hand with no runs or matches.
I've talked about the process of "Decode As" in the past for interpreting traffic
traveling over non-standard ports. The same steps are quite common to use with
VoIP traffic. I right clicked on a packet in the trace file and selected Decode As. On
the right side, I chose one of the transport port numbers and selected RTP in the
protocol list. Voila! It's decoded as RTP!
The image below shows the traffic of an RTP stream that Wireshark decodes as
just UDP.
Wireshark didn't see the SIP call setup process and it decodes the voice traffic as
just UDP.
Viewing the RTP Streams
When Wireshark reached version 1.2, the menu bar was revised to include a
Telephony item. Once you force the RTP decode (if required), you can select
Telephony > RTP > Show All Streams.
Wireshark detected two RTP streams in my trace file once I forced the RTP
decode on the traffic.
As you can see from the figure above, Wireshark can now show me the RTP
streams in the trace file - one stream going in each direction. We can also see
that one of the streams has a 2.1% packet loss. Packet loss is ugly in VoIP
communications - when a call experiences serious packet loss, the conversation
quality suffers.
There's an example of a G.711 audio file with 10% packet loss at
VoIPTroubleshooter.com.
Playing the Hand That Was Dealt
Unlike gin or poker, we have to play the hand we were dealt in network analysis.
We can only make the hand stronger by filtering out traffic that is not relevant and
interpreting the possible causes for the packets that remain.
In the area of VoIP analysis, my favorite filter is sip || rtp and my favorite
feature is the RTP playback feature. I like to set the time column to Seconds Since
Previous Displayed Packet and export the trace file to csv format. In Excel I sort on
the source column first, the number column second and then graph out the time
column to show me the variance between packets (the jitter value). I could use
Wireshark's graphing capabilities to give me some of this information, but this is
one of the areas where a formal spreadsheet program really shines.
I exported the trace file to a csv format to graph out a portion of the jitter values.
VoIP at Summit 09
I'm anxious to get back to the Summit 09 preparations - to document all the tips
and tricks of VoIP analysis. I've put together a few lab exercises already, but I'm
keeping my eyes open for new hands to play - if you have any VoIP traces that I
could use in Summit 09, please send them to me (laura@chappellU.com).
Download the Summit Information Guide. All Access Pass members receive a
50% discount to Chappell Summit 09.
50% off Summit 09 Registration More info
Summit 09 50% off for
All Access Pass Members
All Access Pass Members
The Game of
Analysis
Analysis
ALL ACCESS PASS
includes Core 1, Core 2, Whiteboard
Videos, Ask Laura Videos, Trace File
Videos, Trace Files and access to all the
recorded Chappell Seminars.
[View the All Access Info PDF...]
Single membership; individual account
info@chappellU.com
includes Core 1, Core 2, Whiteboard
Videos, Ask Laura Videos, Trace File
Videos, Trace Files and access to all the
recorded Chappell Seminars.
[View the All Access Info PDF...]
Single membership; individual account
info@chappellU.com
$999
REGISTER FOR WEEKLY NEWS
The ultimate guide to
troubleshooting and
securing networks
with Wireshark
troubleshooting and
securing networks
with Wireshark
Copyright Chappell University
All Rights Reserved
Privacy Policy
All Rights Reserved
Privacy Policy
20+ years of analysis experience and 10+ -
Forward by Gerald Combs, Creator of
Wireshark
- Practical tips throughout
- Basic through advanced techniques
- Undocumented features
- Exporting for reporting tricks
- Find the needle in the haystack
- Analyze unruly applications
- Spot the cause of slow web browsing
- Identify WLAN problems
- Analyze and replay VoIP connections
- Reassemble traffic of all kinds
- Catch scanning/discovery processes
- Hundreds of sample traffic files to work on
- Chapter review/answer sections
- Real world case studies
- Tricks for command-line capture
- Remote capture solutions
- Decrypting SSL traffic
- Tips for capturing on switched nets
- Custom profile configurations included
- Security color filters included
- more...
Sign up for the newsletter to be notified of
the book release!
Forward by Gerald Combs, Creator of
Wireshark
- Practical tips throughout
- Basic through advanced techniques
- Undocumented features
- Exporting for reporting tricks
- Find the needle in the haystack
- Analyze unruly applications
- Spot the cause of slow web browsing
- Identify WLAN problems
- Analyze and replay VoIP connections
- Reassemble traffic of all kinds
- Catch scanning/discovery processes
- Hundreds of sample traffic files to work on
- Chapter review/answer sections
- Real world case studies
- Tricks for command-line capture
- Remote capture solutions
- Decrypting SSL traffic
- Tips for capturing on switched nets
- Custom profile configurations included
- Security color filters included
- more...
Sign up for the newsletter to be notified of
the book release!
