AU-9 (Walberg) Expose VoIP Problems with Wireshark
-
Upload
hoangnguyet -
Category
Documents
-
view
216 -
download
1
Transcript of AU-9 (Walberg) Expose VoIP Problems with Wireshark
![Page 1: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/1.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Expose VoIP Problems With WiresharkJune 18, 2009
Sean WalbergNetwork Guy | Canwest
SHARKFEST '09Stanford UniversityJune 15-18, 2009
![Page 2: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/2.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Without tools, VoIP is a black box
![Page 3: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/3.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Wireshark lets you peek inside
![Page 4: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/4.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
VoIP is just another application
![Page 5: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/5.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
(but it has special requirements)
![Page 6: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/6.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About Me
![Page 7: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/7.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About You
![Page 8: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/8.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The Agenda
1. About VoIP2. Capturing VoIP3. Analyzing Signaling4. Analyzing RTP
![Page 9: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/9.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About VoIPCapturing VoIPSignalingRTP
![Page 10: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/10.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The old way
Local Loop
![Page 11: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/11.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The old way
Off Hook Dialtone
![Page 12: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/12.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The old way
Dialing Digits
![Page 13: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/13.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The old way
RING – 90v@20Hz
![Page 14: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/14.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The old way
![Page 15: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/15.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The VoIP way
I’m ca
lling x
1234
![Page 16: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/16.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The VoIP way
Hey, 1234, you’re being called
![Page 17: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/17.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The VoIP way
Use x.x.x.x:xxxxUse y.
y.y.y:
yyyy
![Page 18: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/18.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The VoIP wayZZZZZZ
![Page 19: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/19.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
So there are two parts to VoIP
• Signaling– SIP– H.323– MGCP– SCCP– Proprietary
• Voice (Bearer) – RTP (G.711, G.722, G.729a,…)
![Page 20: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/20.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Jitter, Delay, and Loss, oh my!
![Page 21: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/21.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Loss
![Page 22: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/22.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Delay
Never underestimate the bandwidth of a station wagon
loaded with backup tapes.
(the delay is a different matter)
![Page 23: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/23.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Jitter
![Page 24: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/24.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Jitter != Delay
Jitter
Delay
![Page 25: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/25.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About VoIPCapturing VoIPSignalingRTP
![Page 26: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/26.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Location, Location, Location
![Page 27: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/27.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Just a simple network
![Page 28: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/28.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The signaling traffic takes a different path from the RTP traffic
![Page 29: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/29.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Or, it might do this
![Page 30: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/30.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Same conversation, different perspectives
Here you see inbound latency and jitter, but nothing on the outbound
Here you see inbound latency and jitter, but nothing on the outbound
![Page 31: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/31.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
NAT changes the address
Src=ADst=B
Src=CDst=D
The address changeswithin the cloud!
![Page 32: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/32.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Set your capture filters
![Page 33: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/33.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The Packet List window
![Page 34: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/34.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Summaries are displayed here
![Page 35: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/35.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
By the way…
If the signaling or the voice is encrypted, you won’t be able to decode it.
Sorry.
![Page 36: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/36.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Quality of Service for VoIP networks
![Page 37: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/37.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Use color to show QoS problems
View -> Coloring Rules
![Page 38: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/38.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Add a column for DSCP
Edit -> Preferences User Interface->Columns
Signaling
Tagged RTP
UntaggedRTP
![Page 39: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/39.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Are you running a proprietary PBX?
Edit -> Properties, Protocols -> RTP
![Page 40: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/40.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Use the Packet Details pane to see what’s inside the packet
![Page 41: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/41.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About VoIPCapturing VoIPSignalingRTP
![Page 42: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/42.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The Role of Signaling
• Indicate to the remote end that a call is coming
• Establish the codec to be used for voice• Establish the addresses of the endpoints• Get out of the way• Tear down the connection once it’s done
![Page 43: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/43.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Back to Loss, Delay, and Jitter
• Jitter is usually a non-issue• Delay, within reason, is OK
– Clustering/Specific applications notwithstanding• Loss isn’t great
– TCP retransmits at layer 4– UDP retries at layer 7
![Page 44: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/44.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Demos
![Page 45: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/45.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
About VoIPCapturing VoIPSignalingRTP
![Page 46: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/46.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
The properties of RTP
• RTP simulates the real time voice normally carried over a wire
• 4KHz voice bandwidth = 8KHz sampling rate (Nyquist)• 8 bits/sample * 8KHz = 64,000bps (DS0)
• A Codec (G.711u/A law, G.729, G.726, etc)• Most codecs use 20ms voice samples = 50pps• Even with compression, you have a fairly consistent
packet rate, only the size changes
![Page 47: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/47.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
DTMF
• Compressing DTMF is bad• So many different ways to carry the digits out
of band, look for them in traces
![Page 48: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/48.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Three factors that affect voice quality
Latency <= 150ms (one way)
Jitter <= 20ms
Packet loss <= 0.1%
![Page 49: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/49.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Latency <= 150ms (one way)
Hi, how are you? Hello? Oops, sorry, go ahead Fine, I oh hello, go ahead
Path delay
Serializationdelay
Jitter buffer,Transcodingdelay
![Page 50: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/50.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Packet Loss <= 0.1%
Hi Bo *POP* How *POP*e you?Hi Bo How you?
![Page 51: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/51.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Jitter <= 20ms
Better late than never? No. May as well be lost.
![Page 52: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/52.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Demos
![Page 53: AU-9 (Walberg) Expose VoIP Problems with Wireshark](https://reader035.fdocuments.us/reader035/viewer/2022081323/586e28191a28ab84588bfa79/html5/thumbnails/53.jpg)
SHARKFEST '09 | Stanford University | June 15–18, 2009
Thanks!
[email protected]@seanwalberg
This presentation will be downloadable fromhttp://lovemytool.com and http://cacetech.com