
How to Analyze SIP Calls in Wireshark

Eric Jiang
Thursday at 07:59


When a SIP call fails or has no audio, the usual first step is to take a PCAP capture and look at the packets. This article shows how to use Wireshark to analyze SIP calls.

1. Filter Expression of Wireshark

A PCAP capture contains every protocol that crossed the network card. Wireshark display filters reduce it to the messages of the protocol you care about. Some common filters:

Filter        Description

sip           SIP messages
rtp           RTP streams
rtcp          RTCP packets
rtpevent      RTP event packets (RFC 2833/4733), i.e. DTMF digits
ip.addr       match an IP address, e.g. ip.addr==192.168.5.150. To exclude an address use !(ip.addr==192.168.5.150); ip.addr!=192.168.5.150 matches any packet whose source or destination differs, which is almost every packet
udp.srcport   match the UDP source port, e.g. udp.srcport==10000
udp.dstport   match the UDP destination port, e.g. udp.dstport==20000 (the field is udp.dstport, not udp.destport). Combine both directions with udp.srcport==10000 || udp.dstport==20000, or use udp.port==20000 to match either end
dns           DNS messages


Wireshark has many SIP-specific fields. The most used are sip.Method, sip.Call-ID and sip.Status-Code (quote string values):

Filter by method: sip.Method == "INVITE"

Filter one particular call by its Call-ID: sip.Call-ID == "20badbbf750c497a80d63ebb8a74a213"

Find failed requests: sip.Status-Code >= 400

You can also build a filter from any field in a packet: right-click the field in the packet details pane and choose 'Prepare as Filter' (or 'Apply as Filter'), and the menu shows the available comparisons.
For more details on using Wireshark itself, see the Wireshark Wiki.

2. SIP Call analysis

1) List SIP calls
Use the menu entry 'Telephony > VoIP Calls' to list the SIP calls in the capture. For each call you can see:

- the Start Time and Stop Time of the call;
- the Initial Speaker, i.e. the IP address of the caller (the side that sent the INVITE);
- the caller ID and callee ID, taken from the From and To URIs.

Select the calls you want to check and the greyed-out Flow Sequence button becomes available. Click it to get a ladder diagram of the call showing:

- the SIP signaling flow between the user agents;
- the direction, source port and destination port of each RTP stream;
- the codec of each RTP stream.

2) Filter one SIP call
In SIP a dialog is identified by the Call-ID together with the From tag and the To tag. Each SIP entity generates a random Call-ID for every call it starts, so the Call-ID on its own is enough to pick one call out of a capture (sip.Call-ID == "..."). A forked or forwarded call can show several dialogs that share the Call-ID but have different To tags.

The following figure shows a SIP call filtered by Call-ID.
3) SIP headers
Turn on the SIP protocol preference 'Display raw text for SIP message' (Edit > Preferences > Protocols > SIP) so you do not have to expand every SIP header and SDP parameter.

An INVITE request has two parts: the SIP headers and the SDP body.

Some important SIP headers:

- From: the caller's URI
- To: the destination of the call
- Contact: the address to which subsequent requests in the dialog are sent
- Call-ID: the identifier of the call (see above)

Some important parameters in the SDP:

- connection line: c=IN IP4 192.168.5.150 (the address the other side must send RTP to)
- media line: m=audio 4000 RTP/AVP 123 8 0 101 (the RTP port and the offered payload types, in order of preference)
- media direction: a=sendrecv (or sendonly, recvonly, inactive)
- codec: a=rtpmap:123 opus/48000/2 (maps payload type 123 to Opus at 48 kHz, 2 channels)
- ptime: a=ptime:20 (20 ms of audio per RTP packet)

The INVITE carries the offer; the SDP in the 200 OK is the answer and decides which port and payload type are actually used, so always read both.
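To make the steps above concrete, here is an added Python example (not code from the original article) that does by hand what Wireshark's VoIP Calls list and the SIP dissector do: it groups a few SIP messages by Call-ID, pulls the From, To and Contact headers, and parses the SDP connection line, media line, rtpmap, ptime and direction from both the INVITE offer and the 200 OK answer. The three messages are constructed for this example; the IP addresses, tags and the 200 OK's SDP are made up, while the Call-ID and the INVITE SDP lines reuse the values quoted in this article.

```python
import re

# Compact header forms (RFC 3261 section 7.3.3) mapped to their long names, so "i:" = "Call-ID:".
COMPACT = {"i": "call-id", "f": "from", "t": "to", "m": "contact",
           "v": "via", "c": "content-type", "l": "content-length"}
STATIC = {0: "PCMU/8000", 8: "PCMA/8000"}   # static payload types (RFC 3551) need no rtpmap

def parse_sip(raw):
    """Split one SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return {"start": lines[0], "headers": headers, "body": body}

def uri_of(header):
    """Strip display name and parameters: '"Bob" <sip:b@x>;tag=1' -> 'sip:b@x'."""
    m = re.search(r"<([^>]+)>", header)
    return m.group(1) if m else header.split(";")[0].strip()

def parse_sdp(body):
    """Pull the SDP fields Wireshark shows in the flow graph and the RTP Streams list."""
    sdp = {"addr": None, "port": None, "payloads": [], "codecs": {}, "ptime": None,
           "direction": "sendrecv"}
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            sdp["addr"] = line.split()[-1]             # address RTP must be sent to
        elif line.startswith("m=audio "):
            fields = line.split()
            sdp["port"] = int(fields[1])
            sdp["payloads"] = [int(pt) for pt in fields[3:]]
        elif line.startswith("a=rtpmap:"):
            pt, enc = line[len("a=rtpmap:"):].split(" ", 1)
            sdp["codecs"][int(pt)] = enc
        elif line.startswith("a=ptime:"):
            sdp["ptime"] = int(line.split(":", 1)[1])
        elif line in ("a=sendrecv", "a=sendonly", "a=recvonly", "a=inactive"):
            sdp["direction"] = line[2:]
    for pt in sdp["payloads"]:
        sdp["codecs"].setdefault(pt, STATIC.get(pt, "unknown"))
    return sdp

def list_calls(trace):
    """Group (src_ip, dst_ip, raw_message) tuples by Call-ID, like Telephony > VoIP Calls."""
    calls = {}
    for src, dst, raw in trace:
        msg = parse_sip(raw)
        h = msg["headers"]
        call = calls.setdefault(h["call-id"], {
            "caller": uri_of(h["from"]), "callee": uri_of(h["to"]),
            "initial_speaker": src, "messages": [], "offer": None, "answer": None})
        is_request = not msg["start"].startswith("SIP/2.0")
        words = msg["start"].split()   # requests: method; responses: code and phrase
        call["messages"].append(words[0] if is_request else " ".join(words[1:]))
        # Simplification: the INVITE carries the offer and the 200 OK the answer
        # (a late-offer INVITE without SDP puts the offer in the 200 OK instead).
        if h.get("content-type") == "application/sdp":
            call["offer" if is_request else "answer"] = parse_sdp(msg["body"])
    return calls

def negotiated_codec(call):
    """The first non-DTMF payload type in the answer is the codec the RTP will carry."""
    for pt in call["answer"]["payloads"]:
        enc = call["answer"]["codecs"].get(pt, "")
        if not enc.startswith("telephone-event"):
            return pt, enc
    return None

def build(start, headers, body=""):
    """Assemble a SIP message from a start line, header lines and an optional body."""
    return start + "\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body

CALL_ID = "20badbbf750c497a80d63ebb8a74a213"     # the Call-ID quoted in the article
OFFER = ("v=0\r\no=- 1 1 IN IP4 192.168.5.150\r\ns=-\r\nc=IN IP4 192.168.5.150\r\nt=0 0\r\n"
         "m=audio 4000 RTP/AVP 123 8 0 101\r\na=rtpmap:123 opus/48000/2\r\na=rtpmap:8 PCMA/8000\r\n"
         "a=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\na=sendrecv\r\n")
ANSWER = ("v=0\r\no=- 2 2 IN IP4 10.0.0.10\r\ns=-\r\nc=IN IP4 10.0.0.10\r\nt=0 0\r\n"
          "m=audio 20000 RTP/AVP 8 101\r\na=rtpmap:8 PCMA/8000\r\n"
          "a=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\na=sendrecv\r\n")
# Constructed trace (src IP, dst IP, message): addresses, tags and the answer SDP are made up.
SIP_TRACE = [
    ("192.168.5.150", "10.0.0.10", build("INVITE sip:2000@10.0.0.10 SIP/2.0", [
        "From: <sip:1000@192.168.5.150>;tag=1928301774", "To: <sip:2000@10.0.0.10>",
        "Call-ID: " + CALL_ID, "CSeq: 1 INVITE", "Contact: <sip:1000@192.168.5.150:5060>",
        "Content-Type: application/sdp"], OFFER)),
    ("10.0.0.10", "192.168.5.150", build("SIP/2.0 200 OK", [
        "From: <sip:1000@192.168.5.150>;tag=1928301774", "To: <sip:2000@10.0.0.10>;tag=a6c85cf",
        "i: " + CALL_ID, "CSeq: 1 INVITE", "Contact: <sip:2000@10.0.0.10:5060>",
        "Content-Type: application/sdp"], ANSWER)),
    ("10.0.0.10", "192.168.5.150", build("BYE sip:1000@192.168.5.150:5060 SIP/2.0", [
        "From: <sip:2000@10.0.0.10>;tag=a6c85cf", "To: <sip:1000@192.168.5.150>;tag=1928301774",
        "Call-ID: " + CALL_ID, "CSeq: 2 BYE", "Content-Length: 0"])),
]
```

Calling list_calls(SIP_TRACE) returns one entry keyed by the Call-ID with the caller, callee, initial speaker, the message sequence INVITE, 200 OK, BYE, and the parsed offer and answer; negotiated_codec on that entry returns payload type 8 (PCMA), because the answer's m= line, not the offer's, decides the codec. The compact "i:" form in the 200 OK is folded into Call-ID so the response lands in the same call.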
3. RTP analysis
When there is a voice issue (no audio, one-way audio, choppy audio), check the following with Wireshark:

- Does the RTP stream exist at all?
- Is the RTP stream sent and received on the IP address and port negotiated in the SDP?
- Is the RTP stream carried with the negotiated codec (payload type)?
- Is the RTP stream sent with the negotiated ptime?

1) Filter RTP streams

- Use 'rtp' as the display filter to show RTP packets.
- The SIP call flow graph shows the direction and codec of each RTP stream.
- Use the menu 'Telephony > RTP > RTP Streams'.

The RTP Streams window lists every stream with its source and destination ports, SSRC, payload type, maximum delta, lost packet percentage and jitter.
How do you know which stream belongs to the call you are checking?

- The SIP call flow graph shows the source and destination ports of each RTP stream.
- The media line (m=) and connection line (c=) of the SDP in the INVITE and 200 OK give the port and address each side expects.

2) Decode UDP packets as RTP

RTP normally runs over UDP. When the SIP signaling for a call is missing from the capture (the capture started mid-call, or the signaling went over another interface or over TLS), Wireshark cannot learn the RTP ports from the SDP and shows the media as plain UDP. Decode it manually with 'Analyze > Decode As...' and set the UDP port to RTP, or enable the RTP protocol preference 'Try to decode RTP outside of conversations' (Edit > Preferences > Protocols > RTP) so that Wireshark applies its RTP heuristic to all UDP traffic.
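As an added example (not code from the original article or from Wireshark), the Python below does on raw UDP payloads what 'Decode As... RTP' and the RTP Streams window do: it parses the fixed RTP header, rejects datagrams that are not RTP, groups packets by SSRC and address pair, counts loss from sequence-number gaps, derives the ptime from the timestamp step, and then checks the stream against the address, port, payload types and ptime negotiated in the SDP. The packets are constructed inside the block (PCMA, 20 ms frames, one packet dropped, plus one non-RTP datagram); the addresses and SSRC are made up.

```python
import statistics
import struct


def parse_rtp(payload):
    """Parse the fixed RTP header (RFC 3550 section 5.1); return None if it is not RTP."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                 # version must be 2, the same sanity check Wireshark makes
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)   # skip CSRC identifiers
    if b0 & 0x10:                    # extension bit: skip the header extension too
        if len(payload) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", payload[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(payload) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload_len": len(payload) - hdr_len}


def analyze_streams(packets, clock_rate):
    """Group RTP packets by SSRC and 5-tuple, count loss from sequence gaps, derive ptime.

    packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples in capture order.
    """
    streams = {}
    for src, sport, dst, dport, payload in packets:
        rtp = parse_rtp(payload)
        if rtp is None:              # not RTP: Wireshark would leave this as plain UDP
            continue
        key = (rtp["ssrc"], src, sport, dst, dport)
        s = streams.setdefault(key, {"ssrc": rtp["ssrc"], "src": (src, sport),
                                     "dst": (dst, dport), "pts": set(), "seqs": [], "tss": []})
        s["pts"].add(rtp["pt"])
        s["seqs"].append(rtp["seq"])
        s["tss"].append(rtp["ts"])
    for s in streams.values():
        seqs, tss = s["seqs"], s["tss"]
        expected = ((seqs[-1] - seqs[0]) & 0xFFFF) + 1          # 16-bit wrap-safe
        deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(tss, tss[1:])]
        s["count"] = len(seqs)
        s["lost"] = expected - len(seqs)
        # The median timestamp step survives a gap; ptime = samples per packet / clock rate.
        s["ptime_ms"] = statistics.median(deltas) * 1000 / clock_rate if deltas else None
    return list(streams.values())


def check_stream(stream, sdp_addr, sdp_port, sdp_payloads, sdp_ptime):
    """The article's questions against the far end's SDP: right address and port,
    negotiated payload type, expected ptime. Returns a list of problems (empty = OK)."""
    problems = []
    if stream["dst"] != (sdp_addr, sdp_port):
        problems.append(f"RTP sent to {stream['dst'][0]}:{stream['dst'][1]}, "
                        f"SDP asked for {sdp_addr}:{sdp_port}")
    unexpected = stream["pts"] - set(sdp_payloads)
    if unexpected:
        problems.append(f"payload types {sorted(unexpected)} were not negotiated")
    if stream["ptime_ms"] is not None and abs(stream["ptime_ms"] - sdp_ptime) > 1:
        problems.append(f"ptime {stream['ptime_ms']:.1f} ms, SDP asked for {sdp_ptime} ms")
    return problems


SSRC = 0x1234ABCD   # made-up SSRC for the constructed stream


def make_packet(seq, ts, pt=8, marker=False):
    """Construct one RTP packet: fixed header plus 160 bytes of PCMA silence (0xD5)."""
    return struct.pack("!BBHII", 0x80, pt | (0x80 if marker else 0), seq, ts, SSRC) + b"\xd5" * 160


# Constructed capture: PCMA at 8 kHz, 20 ms frames (160 samples), seq 1003 missing to
# simulate loss, plus one non-RTP UDP datagram that the version check must reject.
PACKETS = [("192.168.5.150", 4000, "10.0.0.10", 20000,
            make_packet(1000 + i, 160 * i, marker=(i == 0))) for i in range(8) if i != 3]
PACKETS.append(("192.168.5.150", 5353, "224.0.0.251", 5353, b"\x00" * 20))
```

analyze_streams(PACKETS, 8000) returns a single stream with 7 packets, 1 lost and a ptime of 20 ms; check_stream against the answer SDP from earlier in the article (10.0.0.10, port 20000, payload types 8 and 101, ptime 20) returns no problems, while checking it against a wrong port, a different codec list or a 30 ms ptime reports each mismatch separately. The clock rate must come from the rtpmap of the negotiated codec (8000 for G.711), otherwise the derived ptime is wrong.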
3) Play RTP streams
The Wireshark release this article was written against only plays PCMU and PCMA (G.711) streams; newer releases ship additional codec plugins, so check what your version supports before concluding that a stream is broken because it will not play.

- Select a call in the VoIP Calls list and click Play Streams.
- Or play one stream from the RTP Streams list: select it, click Analyze, then Play Streams.

The RTP Player opens after you click Play Streams.

For how to capture the PCAP file, see: How to Get PCAP Dump Capture
