First question here! Sorry if this has been covered - I couldn't find the answer anywhere.
I am looking for some advice on setting up a VoIP profile, to really get the most out of my captures.
I have been using Wireshark now for approx 3 months and am really starting to find my feet, but have a long way to go.
I am having to install & maintain hosted PBX systems (Gamma Horizon) and PBX onto SIP trunks. Any advice on columns, filtered traffic and things to look out for when it comes to dropped calls, one-way transmission etc.
Any help would be appreciated. Thanks in advance.
asked 05 Feb '15, 14:51
Often, when a question is asked as generically as this, it's difficult to answer. In a way you're really asking "How can I support a SIP-based VoIP network?", which is a huge topic of its own.
Personally I find there's little benefit in customizing too much with profiles for something like SIP since the 'optimal layout' depends too much on what you're looking for in that moment. If you have a specific goal, the tools in Wireshark (like custom columns/sorting, or the different time field types) can help, but you need to start with a question.
As a 'default', I do set a custom colour rule for SIP traffic just so it stands out over the default for UDP (I make it purple), and I also include SIP errors in my catch-all 'something is wrong or at least cautionary' colour rule that I set above everything else. Those are the only SIP-specific things I would start with; what columns I'd want to set would depend a lot on what I was trying to do (and why I was opening that packet capture file to begin with).
Now, for just 'validating a VoIP network', you need to develop a test plan, where Wireshark is just one tool that can be used within the scope of that plan. Examples of things you'd want to validate would be:
If you are looking at this as an "example call that didn't work", as with any signaling flow, the key is to follow the call flow. Where did it break? For your question of what things should be watched out for, I can say with SIP that every vendor seems to do something differently and I've seen it break at just about every possible point, so that question is just too open-ended to answer. I've literally had a case where a UDP port number was dynamically changing for the RTP stream mid-call after a given number of seconds in a call, so there's no quick checklist to cover all the possible bases here - just follow the call flow and make sure your test plan includes all the use-cases you have for the service.
answered 07 Feb '15, 07:18
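Two of the points in the answer (highlight SIP error responses, and follow the call flow closely enough to notice an RTP port that moves mid-call) can be scripted once the SIP messages are exported from a capture. This is an added example, not code from the original answer: it works on constructed SIP messages rather than a real capture, groups them by Call-ID, and treats the SDP `m=audio` port of requests (offerer) and responses (answerer) as the two sides to watch for changes.

```python
import re
from collections import defaultdict

# Constructed SIP messages (not a real capture): dialog a1 changes its offered
# SDP audio port on a mid-call re-INVITE; dialog b2 is rejected with a 486.
SAMPLE_MESSAGES = [
    "INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a1\r\n\r\nm=audio 49170 RTP/AVP 0\r\n",
    "SIP/2.0 100 Trying\r\nCall-ID: a1\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\n\r\nm=audio 3000 RTP/AVP 0\r\n",
    "INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a1\r\n\r\nm=audio 49172 RTP/AVP 0\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1\r\n\r\nm=audio 3000 RTP/AVP 0\r\n",
    "BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a1\r\n\r\n",
    "INVITE sip:carol@example.net SIP/2.0\r\nCall-ID: b2\r\n\r\nm=audio 49180 RTP/AVP 0\r\n",
    "SIP/2.0 486 Busy Here\r\nCall-ID: b2\r\n\r\n",
]

def parse_message(raw):
    """Extract method or status code, Call-ID and the SDP audio port, if any."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = {"method": None, "status": None, "call_id": None, "audio_port": None}
    if lines[0].startswith("SIP/2.0 "):
        msg["status"] = int(lines[0].split()[1])
    else:
        msg["method"] = lines[0].split()[0]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("call-id", "i"):  # "i" is the compact form
            msg["call_id"] = value.strip()
    port = re.search(r"^m=audio (\d+) ", body, re.M)
    if port:
        msg["audio_port"] = int(port.group(1))
    return msg

def analyse_call_flows(raw_messages):
    """Per Call-ID: the flow, error responses (>= 400) and mid-call audio port changes."""
    flows = defaultdict(lambda: {"flow": [], "errors": [], "port_changes": []})
    last_port = {}  # (call_id, side) -> last audio port seen from that side
    for raw in raw_messages:
        msg = parse_message(raw)
        rec = flows[msg["call_id"]]
        rec["flow"].append(msg["method"] or str(msg["status"]))
        if msg["status"] is not None and msg["status"] >= 400:
            rec["errors"].append(msg["status"])
        if msg["audio_port"] is not None:
            side = "offer" if msg["method"] else "answer"  # request = offerer, response = answerer
            prev = last_port.get((msg["call_id"], side))
            if prev is not None and prev != msg["audio_port"]:
                rec["port_changes"].append((side, prev, msg["audio_port"]))
            last_port[(msg["call_id"], side)] = msg["audio_port"]
    return dict(flows)
```

In Wireshark itself the same two checks correspond to a colour rule on `sip.Status-Code >= 400` and to comparing the SDP media port across the INVITE and re-INVITE of one Call-ID.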