Onnowpurbo: New page: VoIP Calls Lea esta ayuda en español en http://wiki.wireshark.org/VoIP_calls_spanish To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP su...

2016-01-01T00:54:49Z

New page: VoIP Calls Lea esta ayuda en español en http://wiki.wireshark.org/VoIP_calls_spanish To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP su...

New page

VoIP Calls

Lea esta ayuda en español en http://wiki.wireshark.org/VoIP_calls_spanish

To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP supported protocols are:

SIP

H323

ISUP

MGCP

UNISTIM

with the corresponding RTP streams.

See VOIPProtocolFamily for an overview of the used VoIP protocols.

To try out this dialog, a small capture file containing a VoIP call can be found at SampleCaptures/rtp_example.raw.gz which contains an example H323 call including H225, H245, RTP and RTCP packets.

List VoIP calls

voip_calls_list.jpg

The VoIP calls list shows the following information per call:

Start Time: Start time of the call.
Stop Time: Stop time of the call.
Initial Speaker: The IP source of the packet that initiated the call.

From: For H323 and ISUP calls, this is the calling number. For SIP calls, it is the "From" field of the INVITE. For MGCP calls, the EndpointID or calling number. For UNISTIM the Terminal ID.

To: For H323 and ISUP calls, this is the called number. For SIP calls, it is the "To" field of the INVITE. For MGCP calls, the EndpointID or dialed number. For UNISTIM the dialed number.
Protocol: Any of the protocols listed above
Packets: Number of packets involved in the call.
State: The current call state. The possible values are
CALL SETUP: call in setup state (Setup, Proceeding, Progress or Alerting)

RINGING: call ringing (only supported for MGCP calls)
IN CALL: call is still connected
CANCELLED: call was released before connect from the originated caller
COMPLETED: call was connected and then released
REJECTED: call was released before connect by the destination side
UNKNOWN: call in unknown state

Comment: An additional comment, this is protocol dependent. For H323 calls it shows if the call uses Fast Start or/and H245 Tunneling.

Filtering a call

To prepare a filter for a particular call, just select the desired call and press "Prepare Filter" button. This will create a filter in the Main Wireshark windows to filter the packets related to this call. This is specially useful when you want to connect ISUP calls according to some CIC value.

VoIP calls Graph analysis

voip_calls_graph.jpg

To Graph analysis one or multiple calls from the VoIP List, select them from the list and then press the "Graph" button.

The Graph will show the following information:

Up to Ten columns representing an IP address each one.
All packets that belong to the same call are colorized with the same color
An arrow showing the direction of each packet in the calls
The label on top of the arrow shows message type. When available, it also shows the media codec.

The RTP traffic is summarized in a wider arrow with the corresponded Codec.

Shows the UDP/TCP source and destination port per packet.
The comment column has protocol dependent information:

H323:

Fast Start and H245 Tunneling ON/OFF for the packet.
The SETUP message shows the calling and called number

The RELEASE message shows the Q.931 Release cause code

SIP:
Shows if the packet is a "Request" or a "Staus" message.
The INVITE message also shows the "From" and "To" fields

ISUP:

The format is as follows: NetworkID-Originating Point Code -> NetworkID-Destination Point Code, CIC

MGCP:
The MGCP Endpoint ID, and if the packet is a "Request" or "Response" message.

UNISTIM:
Details of the message, and the sequence #.

RTP:
Number of RTP packets in the stream, the duration in seconds and the SSRC field.

When clicking a packet in the Graph, the selected frame will be selected in the Main Wireshark window.

Playing VoIP calls

Note: For the moment, this feature works only for G711 A-Law and G711 u-Law RTP streams (other codecs not implemented).

To play the RTP audio stream of one or multiple calls from the VoIP List, select them from the list and then press the "Player" button:

voip_calls_play1.jpg

Choose an initial value for the jitter buffer and then press the "Decode button". The jitter buffer emulated by Wireshark is a fixed size jitter buffer and can efficiently be used to reproduce what clients can effectively hear during the VoIP call.

You can now see all RTP streams available for the calls that you selected:

voip_calls_play2.jpg

Note that all RTP packets that are dropped because of the jitter buffer are reported ("Drop by Jitter Buff"), as well as the packets that are out of sequence (Out of Seq).

Pressing the "Play" button plays the RTP stream from within Wireshark. A progress bar indicates the position in the stream and is synchronized amongst all RTP streams that are played.

Discussion

The file rtp_example.raw.gz didn't worked for me, you may try to play this capture file VoIP call instead: SampleCaptures/SIP_CALL_RTP_G711

I think the list of supported protocols and features is not complete.

I have some videos on how to analyze VoIP calls using Wireshark.

==Referensi==

* https://wiki.wireshark.org/VoIP_calls

Wireshark: Menyadap VoIP - Revision history

Onnowpurbo: New page: VoIP Calls Lea esta ayuda en español en http://wiki.wireshark.org/VoIP_calls_spanish To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP su...