Wireshark: Troubleshooting your VoIP Phone System

Posted by Natalie DeCario on August 7, 2013 at 10:18 AM
Natalie DeCario

Wireshark: Troubleshooting  your VoIP Phone SystemThis white paper was written by Randy Stegner, our Product Services Manager. He has extensive knowledge on Wireshark and various other tools and features that can help you get started or troubleshoot a VoIP phone system issue. Randy is also the main contributor to our Wiki site, where he writes in-depth articles on our how to utilize the feature in our BackOffice. Make sure you check it out!

Very few things in life work as expected 100% of the time. Whether a vehicle, a computer, or an appliance, at some point in its life cycle, these things are going to stop working. Invariable these times require a moment of troubleshooting to determine the cause of failure and initiate the subsequent repair or replacement. Some people have the luxury of hiring another individual to assess the situation and offer solutions while others must do their own investigative or troubleshooting work. Possessing the appropriate tools while troubleshooting is essential if one expects to be effective in the process. When a car’s check engine light illuminates, the mechanic must use the correct electronic reader if he hopes to determine which part needs replaced to extinguish the light. He could certainly guess at the problem and even begin replacing parts in hopes of hitting on the correct one, but that is neither efficient nor economical.

Just like a dishwasher or car is eventually going to exhibit less than desirable behavior, so too are phone systems. This may not necessarily mean one must replace the entire system or purchase expensive equipment. All that is necessary is the proper tool to delve into the problem, analyze the results, and take corrective action. Consider a dishwasher that fails to start the wash cycle. What is the first thing a repairman would do? He might first check to determine that the appliance is receiving the necessary current to power the machine. To do this, he may use a voltmeter to ensure voltage is being sent to the motor to power on the dishwasher. The main problem in this case could be something as simple as a frayed wire or even a tripped breaker. The point is simple: just because an undesirable symptom occurs, does not mean the product needs tossed. One simply needs a starting point and the necessary tools to effectively troubleshoot and resolve the issue.

So where does one begin troubleshooting a VoIP telephone system? The answer to this is rightly dependent on the symptom that is occurring; however, in many cases, troubleshooting a VoIP problem is much easier with a network packet analyzer tool. Just as everything that travels over the Internet, VoIP is also delivered in packets; more specifically SIP packets. SIP stands for Session Initiated Protocol and is basically an offer/accept model where one side makes an offer and the other side accepts that offer or requests different parameters. The dialogue continues until both sides agree on the parameters of the session. Once the session is agreed upon by both sides, the voice traffic is transferred via RTP packets. There are therefore times when it is necessary to view and analyze the packets within a VoIP call. How does one accomplish this?

One of the best available tools is Wireshark. Of course there are others as well but Wireshark is an open source utility that is capable of in-depth analysis of network packets. One simply needs to install the program on a computer on his or her network and capturing can begin in a few easy steps. With Wireshark one can write the packets that are captured to a file known as a PCAP (packet capture). It is then possible to open this file and view each individual packet to glean information that can be used to identify a problem.

There are many things to look for in packet captures when troubleshooting VoIP calls. Wireshark has an enormous number of configuration options and one could easily be overwhelmed when viewing a PCAP for the first time. Do not despair! A few tips will have you analyzing like a pro in short order. One of the first things you will notice when you open Wireshark is a filter box on the top left corner of the program. Intuitively, this box will be red if your filter syntax is unusable and green if you have usable syntax. The best thing you can do if you want to analyze a problem is capture all traffic flowing through your network and filter the results to an affected call afterward. When you capture all traffic, you will undoubtedly obtain http packets, udp packets and so forth. You can quickly look for only SIP packets by typing ‘sip’ in the filter box (without the single quotes). By typing ‘sip’ in the filter box and clicking ‘apply’, Wireshark will only display SIP packets. You can scroll through the results to look for a specific call and use additional filters to narrow results further. It is possible to have a capture containing hundreds of calls, filter this down to one call, and save just that one call as a separate PCAP.

It is possible to filter a single call in Wireshark because each VoIP call has a unique identifier known as Call-ID (this is created by the VoIP switch originating the call). When looking at SIP packets in Wireshark there are two major sections to look at; the message header and the message body. The message header contains the Call-ID; a right-click on that portion will open a context menu with allowances to filter by just this criteria. Remember that a VoIP call contains both SIP and RTP (media) packets so at times it will be necessary to add further syntax to the filter box to obtain the additional data for analysis. The message header contains various bits of information such as the IP address that originated the call, the number the call is from and the number the call is to, as well as the methods that can be used for the call. The message body contains information such as what IP address to connect audio to, the codecs that can be used, and the ports to use for audio.

There is simply too much information available in a PCAP to cover all of it in a writing such as this but understanding where to look provides the basis for the beginning steps of troubleshooting. If you own a VoIP business and you received a report of a one-way audio issue, your first step should be to set up a packet capture on the PBX handling the call. By using Wireshark, you can capture the traffic and isolate an affected call. By using the information previously mentioned you can quickly filter by ‘sip’ to limit the visible packets to only the basic information. Next, use the Call-ID to narrow results further. The final step is to add syntax to the filter that include the ports in use for the call. This process is easily accomplished in a matter of minutes and is akin to the analogy of using a voltmeter on the dishwasher that fails the initial start cycle. For illustrative purposes, this type of filter syntax looks like this: sip.Call-ID == "1141613068_29310721@4.55.42.227" or udp.port==12695 or udp.port==19008

Just like an inexperienced car mechanic would not isolate every possible issue on his first attempt, an inexperienced Wireshark user will likely not see the cause of an issue the first time looking at SIP packets. Nevertheless, by understanding the information contained in the message header and message body of a PCAP, one can easily see how truly useful Wireshark can be. The best way to become proficient in using Wireshark is to start with the basics. Begin by using a basic filter and add syntax as needed. Look at the information in the message header and message body and think about how that information pertains to VoIP calls. As you continue to work with Wireshark you will become more comfortable with it and understand how to use it to your advantage. You can also visit the VoIP Innovations wiki for a more in-depth article: http://wiki.voipinnovations.com/Wireshark.ashx

Tags: VI News, Downloads

New Call-to-action

Subscribe to Email Updates

Recent Posts