This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need help reviewing a wireshark log and find out why a SIP call was dropped

0

Hello, I do not the expertise to properly analyze a wireshar log- I hope someone could please help reviewing a WireShark log and find out why a SIP call was dropped: We have an application that uses Dialogic/HMP. This application requests outbound SIP calls to an Asterisk server. Suddenly, our HMP/app receives this message: IPERR_INVALID_PHONE_NUMBER and we have to reboot.

Could someone please, take a quick look ate the Wiresharlog and analyze why and who dropped a particular outbound call? I can supply the log and further info if needed. Thanks a lot

asked 10 Nov '15, 10:04

saveriobaq's gravatar image

saveriobaq
6112
accept rate: 0%

Can you upload the packet capture online and post a link? Dropbox for example.

(10 Nov '15, 15:13) Quadratic

Thanks a lot sindy and quadratic. Please download the pcapng file from https://drive.google.com/file/d/0B45IDDeIjT2edHpvXzIzdE5nRFU/view?usp=sharing

Please search from the bottom up for the number I was calling: 60999839104 you will see a 487 Request terminated message. Need to know what happen to this call.

Regards Saverio

(10 Nov '15, 16:38) saveriobaq

2 Answers:

0

OK, I can have a look at the SIP message exchange, but don't expect too much: Wireshark shows you what has happened but not why it has happened. To know why exactly the HMP's SIP stack has dropped the call, you'll need to see its logs, even if I eventually tell you what was wrong with some SIP message.

answered 10 Nov '15, 10:11

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

I've checked too and I agree with Rooster_50 that there is nothing odd in this particular call as compared to those calls in the capture which have the same calling and called and have not crashed your application.

So as I wrote initially, dive yourself into the HMP's log files which should explain you why HMP has sent to your application the exception (which, I agree, doesn't seem logical in combination with those totally harmless SIP messages).

If you use the HMP together with an E1 card and the SIP calls to Asterisk are triggered by incoming TDM calls, you might want to trace the TDM side simultaneously with running the wireshark to see whether something ugly does not come from the TDM side, as the last step before taking the adventure of reading HMP's logs.

(11 Nov '15, 00:45) sindy

Hi Saverio,
part of your capture is useful to illustrate a Wireshark bug I want to file. I cannot use my own capture which shows the same issue because is taken in production environment at a customer. Would you mind if I use part of your capture to file the bug? It would be the SIP message exchange of the crashed call and the RTP streams which use the same UDP port on the Dialogic side, i.e. the RTP of the crashed call itself and of two other ones.

Thank you
Pavel

(12 Nov '15, 02:11) sindy

0

The 487 Request Terminated is in response to the CANCEL request sent by the Client (10.5.232.150) terminating the session before a 200 response was received.

The finger is pointed at 10.5.232.150. Check your application logs for further details as to what happened.

answered 10 Nov '15, 19:40

Rooster_50's gravatar image

Rooster_50
23891218
accept rate: 15%