1. Page 1 of 18
NETW250 Week 3 iLab: Observing VoIP Protocols Using Wireshark
Your Name: Greg Pubill
Professor’s Name: Anthony Manno
Date: 1/25/2015
Task 2: Filter and Examine RTP Packets
6. In the Tree View section (i.e., the middle section), click on the plus box next to the Real-Time Transport
Protocol header and expand it.
What’s the value of the Payload type field? _____ ITU-T G.711 PCMU (0)
What’s the value of the Sequence number field? _____ 13830
What’s the value of the Timestamp field? _____ 160
Capture a screenshot of the Wireshark window with RTP header details above,
and paste the image into the lab report here.
7. Go back to the Packet List Section and select the next RTP packet. In the Tree View section, click on the plus
box next to the Real-Time Transport Protocol header and expand it.
What’s the value of the Payload type field? _____ITU-T G.711 PCMU (0)
What’s the value of the Sequence number field? _____13831 (Hint: this number should be one higher than the
previous sequence number; otherwise, you chose the wrong packet.)
What’s the value of the Timestamp field? _____320
Subtract the timestamp value from Step 6 from the timestamp value here to determine the unit of time
contained in each packet. _____160
The captured call in this iLab uses the default G.711 codec, which generates 8,000 samples every second.
Typically, the RTP timestamp clock rate is the same as the sampling rate. Therefore, the RTP timestamp
clock increments once for each byte or sample.
If each increment of the RTP timestamp clock (i.e., one unit) represents 1/8,000 of a second, how many
milliseconds of conversation are carried in each RTP packet? _____20ms (160 x 1/8ms)
Given the payload bit rate of G.711 codec as 8,000 bits per second, the payload size in milliseconds
calculated above can also be represented in _160____ bits or __20___ bytes.
Capture a screenshot of the Wireshark window with RTP header details above,
and paste the image into the lab report here.
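The timestamp arithmetic from Steps 6 and 7, as an added example that is not part of the original lab: it decodes the fixed RTP header and converts the timestamp difference between two consecutive packets into milliseconds. The packets are constructed here from the sequence numbers and timestamps recorded above; the SSRC value, the payload bytes and the function names are assumptions.

```python
import struct

CLOCK_RATE_HZ = 8000  # G.711 RTP clock rate given in the lab text

def build_rtp(seq, timestamp, payload, pt=0, ssrc=0x1234ABCD):
    """Constructed packet: version 2, no padding, extension, CSRC or marker."""
    return struct.pack("!BBHII", 2 << 6, pt & 0x7F, seq, timestamp, ssrc) + payload

def parse_rtp(packet):
    """Decode the fixed 12-byte RTP header (RFC 3550) and skip any CSRC list."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if b0 & 0x10:
        raise ValueError("header extension present; not handled in this example")
    header_len = 12 + 4 * (b0 & 0x0F)  # each CSRC entry adds 4 bytes
    if len(packet) < header_len:
        raise ValueError("truncated CSRC list")
    return {"payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "sequence": seq, "timestamp": ts, "ssrc": ssrc,
            "payload": packet[header_len:]}

def packet_interval_ms(prev, cur, clock_rate=CLOCK_RATE_HZ):
    """Milliseconds of audio between two consecutive packets of one stream."""
    if cur["ssrc"] != prev["ssrc"]:
        raise ValueError("packets belong to different streams")
    if (cur["sequence"] - prev["sequence"]) & 0xFFFF != 1:  # 16-bit wrap
        raise ValueError("packets are not consecutive")
    ticks = (cur["timestamp"] - prev["timestamp"]) & 0xFFFFFFFF  # 32-bit wrap
    return ticks * 1000 / clock_rate

if __name__ == "__main__":
    # Constructed packets using the values recorded in Steps 6 and 7
    first = parse_rtp(build_rtp(13830, 160, b"\xff" * 160))
    second = parse_rtp(build_rtp(13831, 320, b"\xff" * 160))
    print(second["payload_type"], packet_interval_ms(first, second), "ms")
```

The masks on the sequence and timestamp differences keep the result correct when either counter wraps around during a long call.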
8. Go back to the Packet List Section and highlight any RTP packet. In the Tree View section, minimize all
headers by clicking on all minus boxes.
What’s the protocol header shown on top of Real-time Transport Protocol? ___UDP__
What’s the next protocol header shown above that? __IPv4___
9. In the same Tree View section, click on the plus box next to the Internet Protocol Version 4 header and expand
it.
What’s the value (in bytes) of the Header length field? _20 bytes____
What’s the value (in bytes) of the Total length field? _200____
Subtract from the total length: 20 bytes for IP header, 8 bits for UDP header, and 12 bytes for RTP header.
What’s the payload length in bytes? __160___
Does the payload length in bytes match the payload size in bytes in Step 6? __Yes___
Capture a screenshot of the Wireshark window with RTP header details above,
and paste the image into the lab report here.
Task 3: Filter and Examine RTCP Packets
5. In the Tree View section below, click on the plus box next to the Real-time Transport Control Protocol (Sender
Report) header and expand it.
What’s the RTP time stamp? __39616___
What’s the NTP time stamp? ____Aug 30, 2014 10:41:13.952569000 UTC_. The NTP time stamp is the
wall clock time when this Sender Report packet was sent.
What’s the value of the Sender’s packet count field? __247___. This is the number of packets sent since
starting transmission, up until the time this Sender Report packet was generated.
6. Click on plus boxes to expand the Source 1 header and SSRC contents.
What’s the value of the Fraction Lost field? __0 / 256___
What’s the value of the Interarrival jitter field? __4___
Each unit of the interarrival jitter value typically approximates 1/400 of a millisecond. If the value of the
interarrival jitter here is 1 (unit), what’s the interarrival jitter in milliseconds? __4 x 1/400 = 0.01ms___
Capture a screenshot of the Wireshark window with RTCP header details
above, and paste the image into the lab report here.
7. Click through the rest of the RTCP Sender Report packet.
Does the packet loss ratio change? __NO___
Does the interarrival jitter value change? __YES___
Based on its codec, loss ratio, and interarrival jitter value, where did this captured call most likely occur: on
a private LAN or a public WAN? _private LAN____
Task 4: Filter and Examine SIP Messages
5. In the Tree View section, expand the Session Initiation Protocol header and then Message Header to locate the
following information. (Hint: To copy the value of a field directly from Wireshark, right-click on a field, choose
Copy, and then choose Value. Right-click in this document and paste the clipboard content here.)
Request line: __INVITE sip:3966@10.13.40.102:5060 SIP/2.0___
Via: SIP/2.0/UDP 10.13.40.118:56808;
rport;branch=z9hG4bKPj12936935298743289f343633ac0b242d__
Max-Forwards: __70___
From: __"Mary Anderson" <sip:3883@10.13.40.102:5060>;___ tag =
__tag=5c9b25431a0e40d59608f11bf72643e2___
To: __<sip:3966@10.13.40.102:5060>___
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
Allow: ___PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY,
REFER, MESSAGE, OPTIONS__
Content-Type: __application/sdp___
7. Compare IP addresses in Step 6 to addresses in the From:, To:, and Via: fields in Step 5. What is the role
of the VoIP server in delivering this INVITE message?
The SIP server delivers the INVITE message for extension 3966 by resolving the extension number to
the terminal's IP address. The device on extension 3883 needs the SIP server as intermediary because it
has no knowledge of what IP address is assigned to that extension.
8. The Max-Forwards field of the INVITE message contains an integer value that limits the number of hops a
request can make on its way to the destination proxy server. Its value decreases by 1 at each hop.
Remember that the time to live (TTL) value of an IP packet limits the number of hops an IP packet can make on
its way to the destination router. Here, what does a hop in the Max-Forwards field refer to? __SIP Servers or
proxies___
Capture a screenshot of the Wireshark window with SIP INVITE message
details above, and paste the image into the lab report here.
9. In the same Tree View section, minimize Message Header by clicking on the minus box next to it. Click on the
plus box next to Message Body and then click on the plus box next to the Session Description Protocol header.
The SDP message contains a proposed description of the session. You should see several Media Attribute
values listed in the SDP header. Record the audio codec values from Media Attribute fields here.
_PCMU/8000, PCMA/8000, GSM/8000____
If you are not sure about the correct answer, locate the Media Description field above and you should see the
same list of audio codecs specified there (their names could be slightly different).
10. SIP response messages start with a status line instead of a request line as the INVITE method message does. A
status line consists of the protocol version, a numeric status code, and its corresponding textual phrase. The
code and phrase indicate the outcome of an attempt to serve a request.
Capture a screenshot of the Wireshark window with SDP header details above,
and paste the image into the lab report here.
In the Packet List section, locate and highlight the 100 Trying message by looking in the Info column. The 100
Trying message indicates that the request has been received by the next-hop proxy or VoIP server and
unspecified actions are taking place (i.e., “Hey, wait here until I have more to tell you”).
In the Tree View section, expand Message Header and record the following information.
Status line: __SIP/2.0 100 Trying___
Via: __SIP/2.0/UDP 10.13.40.118:56808;rport=56808;
branch=z9hG4bKPj12936935298743289f343633ac0b242d___
To: ___<sip:3966@10.13.40.102:5060>__
From: __"Mary Anderson" <sip:3883@10.13.40.102:5060>;
tag=5c9b25431a0e40d59608f11bf72643e2___
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
Capture a screenshot of the Wireshark window with 100 Trying message
details above, then paste the image into the lab report here.
11. In the Packet List Section, locate and highlight the 180 Ringing message by looking in the Info column. The
180 Ringing message is used to generate an alerting message.
In the Tree View section, expand Message Header and record the following information.
Status line: __SIP/2.0 180 Ringing___
Via: __SIP/2.0/UDP 10.13.40.118:56808;rport=56808;
branch=z9hG4bKPj12936935298743289f343633ac0b242d___
To: ___<sip:3966@10.13.40.102:5060>; tag=1a3f3e4c__
From: __"Mary Anderson"<sip:3883@10.13.40.102:5060>;
tag=5c9b25431a0e40d59608f11bf72643e2___
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
12. In the Packet List Section, locate the 200 OK message that follows the previous 180 Ringing message by
looking in the Info column. The 200 OK message is generated to indicate that the request has succeeded.
In the Tree View section, expand Message Header and record the following information.
Status line: __SIP/2.0 200 OK___
Via: _SIP/2.0/UDP 10.13.40.118:56808;rport=56808;
branch=z9hG4bKPj12936935298743289f343633ac0b242d____
To: ___<sip:3966@10.13.40.102:5060>; tag=1a3f3e4c__
From: __"Mary Anderson"<sip:3883@10.13.40.102:5060>;
tag=5c9b25431a0e40d59608f11bf72643e2___
Capture a screenshot of the Wireshark window with 180 Ringing message
details above, and paste the image into the lab report here.
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
13. In the Packet List Section, locate and highlight the ACK message by looking in the Info column. The ACK
message confirms that a VoIP session now is established.
In the Tree View section, expand Message Header, and record the following information.
Request line: __ACK sip:3966@10.13.40.102:5060 SIP/2.0___
Via: SIP/2.0/UDP
10.13.40.118:56808;rport;branch=z9hG4bKPjaedc1b1bba454db1a14749595c905589__
Max-Forwards: __70___
Capture a screenshot of the Wireshark window with SIP 200 OK message
details above, and paste the image into the lab report here.
From: __"Mary Anderson" <sip:3883@10.13.40.102:5060>;
tag=5c9b25431a0e40d59608f11bf72643e2
To: __<sip:3966@10.13.40.102:5060>; tag=1a3f3e4c
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
14. The INVITE – 200 OK – ACK message sequence you observed in Steps 5, 12, and 13 is the three-way
handshake used to establish an SIP call session. The following values are used to uniquely identify this call:
Tag value (following From:) from Step 5: _tag=5c9b25431a0e40d59608f11bf72643e2____
Tag value (following To:) from step 11: __tag=1a3f3e4c___
Call-ID value from steps 5, 10, 11, 12, and 13: __bd1ef637da6343a9a8d2202d6d783f86___
Capture a screenshot of the Wireshark window with SIP ACK message details
above, and paste the image into the lab report here.
15. In the Packet List Section, locate and highlight the BYE message by looking in the Info column. When one
party hangs up, a BYE request message is passed to the other party to indicate a terminated session.
In the Tree View section, expand Message Header and record the following information.
Via: __SIP/2.0/UDP 10.13.40.118:56808;rport;
branch=z9hG4bKPj78bba9326d764c8ab49c5c5e2eda398b___
To: __<sip:3966@10.13.40.102:5060>; tag=1a3f3e4c__
From: ___"Mary Anderson" <sip:3883@10.13.40.102:5060>;
tag=5c9b25431a0e40d59608f11bf72643e2__
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
Capture a screenshot of the Wireshark window with SIP BYE message details
above and paste the image into the lab report here.
16. In the Packet List Section of the Wireshark window, locate and highlight the 200 OK message sent in response
to this BYE message. It’s different from the 200 OK message (in response to the INVITE message) in Step 13.
In the Tree View section, expand Message Header and record the following information.
Via: __SIP/2.0/UDP 10.13.40.118:56808;rport=56808;
branch=z9hG4bKPj78bba9326d764c8ab49c5c5e2eda398b___
To: __<sip:3966@10.13.40.102:5060>; tag=1a3f3e4c__
From: __"Mary Anderson"<sip:3883@10.13.40.102:5060>; tag=5c9b25431a0e40d59608f11bf72643e2__
Call-ID: __bd1ef637da6343a9a8d2202d6d783f86___
Do the tag values and Call-ID value match those in Step 15? __YES___
17. In the Packet List Section of the Wireshark window, try to locate the ACK message that could acknowledge the
previous 200 OK response (i.e., the 200 OK in response to the BYE message). Does it exist? __NO___
You have observed the INVITE – 200 OK – ACK three-way handshake during the call setup. What messages
are exchanged for tearing down a call session? __BYE and 200 OK___
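The call identification from Step 14 and the teardown check from Steps 15 to 17, as an added example that is not part of the original lab: it extracts the Call-ID and the From and To tags from each SIP message and checks that later messages, including the BYE, belong to the dialog set up by the INVITE. The messages are constructed and reduced to three headers using the values recorded above; the BYE request line, the final mismatching tag and the function names are assumptions.

```python
import re

CALL_ID = "bd1ef637da6343a9a8d2202d6d783f86"
FROM = '"Mary Anderson" <sip:3883@10.13.40.102:5060>;tag=5c9b25431a0e40d59608f11bf72643e2'
TO = "<sip:3966@10.13.40.102:5060>"

def msg(start, to_tag=None):
    """Constructed SIP message carrying only the headers the lab records."""
    to = TO + (f";tag={to_tag}" if to_tag else "")
    return f"{start}\r\nFrom: {FROM}\r\nTo: {to}\r\nCall-ID: {CALL_ID}\r\n\r\n"

def parse_sip(raw):
    """Return the start line and a dict of headers keyed by lower-case name."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def tag_of(value):
    """Tag parameter of a From/To value, looking only after the <uri> part."""
    m = re.search(r";\s*tag=([^;\s]+)", value.rsplit(">", 1)[-1])
    return m.group(1) if m else None

def dialog_key(headers):
    """(Call-ID, From tag, To tag): the three values recorded in Step 14."""
    return headers["call-id"], tag_of(headers["from"]), tag_of(headers["to"])

def classify(messages):
    """Label each message relative to the first complete dialog ID seen."""
    dialog, verdicts = None, []
    for raw in messages:
        call_id, ftag, ttag = dialog_key(parse_sip(raw)[1])
        if ttag is None:            # INVITE and 100 Trying carry no To tag yet
            verdicts.append("pre-dialog")
            continue
        # Tags compared as a set so requests sent by either party match
        ident = (call_id, frozenset((ftag, ttag)))
        dialog = dialog or ident
        verdicts.append("in-dialog" if ident == dialog else "mismatch")
    return verdicts

CAPTURE = [msg("INVITE sip:3966@10.13.40.102:5060 SIP/2.0"), msg("SIP/2.0 100 Trying"),
           msg("SIP/2.0 180 Ringing", "1a3f3e4c"), msg("SIP/2.0 200 OK", "1a3f3e4c"),
           msg("ACK sip:3966@10.13.40.102:5060 SIP/2.0", "1a3f3e4c"),
           msg("BYE sip:3966@10.13.40.102:5060 SIP/2.0", "1a3f3e4c"),
           msg("SIP/2.0 200 OK", "1a3f3e4c")]

if __name__ == "__main__":
    print(classify(CAPTURE + [msg("BYE sip:3966@10.13.40.102:5060 SIP/2.0", "ffffffff")]))
```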
Task 5: Examine the SIP Call Process
21. Take a screenshot of the message flow and attach it below.
Capture a screenshot of the Wireshark window with SIP 200 OK message
details above and paste the image into the lab report here.
Capture a screenshot of the Wireshark window with the SIP message flow above,
and paste the image into the lab report here.