Educational session about VoIP


  • Tcpdump/tethereal from another host and importing. From the different perspectives on jitter/latency, a binary search to find the culprit.
  • To further complicate the issue, you might have NAT involved. NAT changes the source or the destination address of the packet in order to alter routing, or to hide devices behind a gateway. NAT often causes problems with VoIP networks because of this change in address, especially when transiting the Internet. You must understand how the addresses are being changed, and adjust your capture filters accordingly depending on which side of the NAT gateway you’re on.
  • Filters for H.323? Or maybe by host? SIP/MGCP/etc. ports?
  • Wireshark gave some information about the RTP traffic in the packet list pane, much like it did for the signaling traffic earlier. However, Wireshark knew the signaling traffic was SIP because it was using UDP port 5060. RTP does not have a defined port, so Wireshark uses the signaling details to figure out which port is being used for RTP, and then decodes the packets accordingly. What if you have a proprietary phone system that uses RTP, but has its own signaling? You can tell Wireshark to look more closely at UDP packets to determine if they are RTP by checking the “Try to decode RTP outside of conversations” box.
  • Fax/modem calls can’t have any loss… consider relaying

    1. Expose VoIP Problems With Wireshark
       • June 18, 2009
       • Sean Walberg
       • Network Guy | Canwest
       • SHARK FEST '09
       • Stanford University
       • June 15-18, 2009
    2. Without tools, VoIP is a black box
    3. Wireshark lets you peek inside
    4. VoIP is just another application
    5. (but it has special requirements)
    6. About Me
    7. About You
    8. The Agenda
       • About VoIP
       • Capturing VoIP
       • Analyzing Signaling
       • Analyzing RTP
    9. About VoIP | Capturing VoIP | Signaling | RTP
    10. The old way: Local Loop
    11. The old way: Off Hook, Dialtone
    12. The old way: Dialing Digits
    13. The old way: RING – 90v@20Hz
    14. The old way
    15. The VoIP way: I’m calling x1234
    16. The VoIP way: Hey, 1234, you’re being called
    17. The VoIP way: Use x.x.x.x:xxxx / Use y.y.y.y:yyyy
    18. The VoIP way: ZZZZZZ
    19. So there are two parts to VoIP
       • Signaling
          • SIP
          • H.323
          • MGCP
          • SCCP
          • Proprietary
       • Voice (Bearer)
          • RTP (G.711, G.722, G.729a,…)
    20. Jitter, Delay, and Loss, oh my!
    21. Loss
    22. Delay: Never underestimate the bandwidth of a station wagon loaded with backup tapes. (the delay is a different matter)
    23. Jitter
    24. Jitter != Delay (labels: Jitter, Delay)
    25. About VoIP | Capturing VoIP | Signaling | RTP
    26. Location, Location, Location
    27. Just a simple network
    28. The signaling traffic takes a different path from the RTP traffic
    29. Or, it might do this
    30. Same conversation, different perspectives
       • Here you see inbound latency and jitter, but nothing on the outbound
    31. NAT changes the address
       • Src=A Dst=B
       • Src=C Dst=D
       • The address changes within the cloud!
    32. Set your capture filters
    33. The Packet List window
    34. Summaries are displayed here
    35. By the way… If the signaling or the voice is encrypted, you won’t be able to decode it. Sorry.
    36. Quality of Service for VoIP networks
    37. Use color to show QoS problems: View -> Coloring Rules
    38. Add a column for DSCP: Edit -> Preferences, User Interface -> Columns (labels: Signaling, Tagged RTP, Untagged RTP)
    39. Are you running a proprietary PBX? Edit -> Properties, Protocols -> RTP
    40. Use the Packet Details pane to see what’s inside the packet
    41. About VoIP | Capturing VoIP | Signaling | RTP
    42. The Role of Signaling
       • Indicate to the remote end that a call is coming
       • Establish the codec to be used for voice
       • Establish the addresses of the endpoints
       • Get out of the way
       • Tear down the connection once it’s done
    43. Back to Loss, Delay, and Jitter
       • Jitter is usually a non-issue
       • Delay, within reason, is OK
          • Clustering/Specific applications notwithstanding
       • Loss isn’t great
          • TCP retransmits at layer 4
          • UDP retries at layer 7
    44. Demos
    45. About VoIP | Capturing VoIP | Signaling | RTP
    46. The properties of RTP
       • RTP simulates the real time voice normally carried over a wire
       • 4 kHz voice bandwidth = 8 kHz sampling rate (Nyquist)
       • 8 bits/sample * 8 kHz = 64,000bps (DS0)
       • A Codec (G.711u/A law, G.729, G.726, etc)
       • Most codecs use 20ms voice samples = 50pps
       • Even with compression, you have a fairly consistent packet rate, only the size changes
    47. DTMF
       • Compressing DTMF is bad
       • So many different ways to carry the digits out of band, look for them in traces
    48. Three factors that affect voice quality
       • Latency <= 150ms (one way)
       • Jitter <= 20ms
       • Packet loss <= 0.1%
    49. Latency <= 150ms (one way)
       • Hi, how are you? Hello? Oops, sorry, go ahead Fine, I oh hello, go ahead
       • Path delay; Serialization delay; Jitter buffer, Transcoding delay
    50. Packet Loss <= 0.1%
       • Hi Bo *POP* How *POP*e you?
       • Hi Bo How you?
    51. Jitter <= 20ms: Better late than never? No. May as well be lost.
    52. Demos
    53. Thanks!
       • [email_address]
       • @seanwalberg
       • This presentation will be downloadable from http://lovemytool.com and http://cacetech.com
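
An added example, not part of the original slides: the loss and jitter limits from slide 48 checked against one RTP stream, using the RFC 3550 interarrival jitter estimator and the 8 kHz / 20 ms figures from slide 46. The function names and both sample streams are constructed for illustration, and the version-bit check is only a minimal plausibility test, not Wireshark's own RTP heuristic.

```python
import struct

CLOCK_HZ = 8000        # 8 kHz RTP clock for G.711 (slide 46)
MAX_JITTER_MS = 20.0   # thresholds from slide 48
MAX_LOSS_PCT = 0.1

def parse_rtp(payload):
    """Return (payload_type, seq, timestamp, ssrc), or None if not plausible RTP v2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:            # version bits must be 2
        return None
    return b1 & 0x7F, seq, ts, ssrc

def stream_stats(packets):
    """packets: (arrival_seconds, udp_payload) tuples of one stream, in arrival order."""
    jitter, prev, seqs = 0.0, None, []
    for arrival, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        _, seq, ts, _ = hdr
        seqs.append(seq)
        if prev is not None:
            # RFC 3550 section 6.4.1: D = (Rj - Ri) - (Sj - Si), in clock units
            ts_delta = ((ts - prev[1] + 2**31) % 2**32) - 2**31
            d = (arrival - prev[0]) * CLOCK_HZ - ts_delta
            jitter += (abs(d) - jitter) / 16
        prev = (arrival, ts)
    if not seqs:
        return None
    expected = ((seqs[-1] - seqs[0]) & 0xFFFF) + 1   # tolerates 16-bit wrap
    loss_pct = 100.0 * (expected - len(set(seqs))) / expected
    jitter_ms = 1000.0 * jitter / CLOCK_HZ
    return {"expected": expected, "received": len(seqs), "loss_pct": loss_pct,
            "jitter_ms": jitter_ms,
            "ok": jitter_ms <= MAX_JITTER_MS and loss_pct <= MAX_LOSS_PCT}

def make_packet(seq, ts):
    """Constructed G.711 packet: V=2, PT=0, 160 payload bytes (20 ms)."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, 0x1234ABCD) + bytes(160)

# Constructed sample streams (not from a real capture), 50 packets each.
CLEAN = [(i * 0.020, make_packet(65520 + i, i * 160)) for i in range(50)]
# Same call seen after a device that releases packets in bursts of five, with one lost.
BURSTY = [(0.1 * (i // 5), make_packet(65520 + i, i * 160)) for i in range(50) if i != 10]

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN), ("bursty", BURSTY)):
        print(name, stream_stats(stream))
```

The packet rate is the same in both streams (50 packets per second on average); only the arrival spacing and the one missing sequence number differ, which is what pushes the second stream past both limits.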