One of the most effective methods for troubleshooting a network is to capture the packets flowing through it and analyze them. Wireshark (previously called Ethereal) is widely used as a packet capturing tool. Here we introduce an application example of Wireshark for Unified Communication (UC) related troubleshooting. (We omit the description of basic Wireshark operation, as many websites explain it.)

A Voice Playback Method from RTP Packets

Voice quality problems may occur in a UC network. Typical cases include dead air, one-way audio, sound interruption, excessively large (or small) volume, noise, and distortion of sound. The forensics method and the troubleshooting differ depending on the case. When an inquiry regarding voice quality is received, first conduct a detailed interview with the users to grasp what kind of problem is occurring. However, the information collected from an interview can be ambiguous, as it relies on the user's subjective viewpoint and memory. Analyzing the RTP packets is a more accurate and objective forensics method. An analysis method for RTP packets using Wireshark is explained below. Note that we assume a packet capture, taken by monitoring the switch port connected to the IP Phone and Voice GW under investigation, has already been obtained.

1. Open the collected packet capture data in Wireshark.

2. Apply a filter with the terminal information (such as the IP address) of the forensics object to narrow down the data to be analyzed. If a signaling packet (for example, H.323 or SIP) is included in the captured data, Wireshark automatically recognizes the UDP packets and handles them as RTP packets. In the above example, UDP is not decoded as RTP because no signaling packet is included.

3. Decode the UDP packets as RTP packets. Select a UDP packet of the stream to analyze, right-click, and select "Decode As...". Select RTP in the "Decode As" window. This operation changes the Protocol column from UDP to RTP.

4. Select "RTP > Show All Streams" from the Telephony menu. Select the RTP stream of the forensics object. Pressing the "Find Reverse" button selects the corresponding RTP stream in the reverse direction.

5. Press the Analyze button to investigate the statistical information (such as Max delta, Max jitter and Lost RTP Packets) of the RTP packets in the Forward and Reverse directions.

6. Press the "Save payload..." button to save the voice (payload) of the Forward Direction and the Reverse Direction individually. In the above example, the payload is saved in the .au format.

7. Open the saved voice file in a WAV file editor (such as Audacity) to analyze the voice data. The WAV editor enables analysis of the volume and frequency characteristics.
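To make the statistics from the Analyze step concrete, the following added example (not part of the original article and not Wireshark's own code) parses raw RTP headers and recomputes Max delta, Max jitter (the RFC 3550 interarrival-jitter estimator) and Lost RTP Packets over a constructed G.711 stream in which one packet is missing and one arrives late. Arrival times, SSRC and payload are constructed sample values; 32-bit timestamp wrap is not handled.

```python
import struct

def parse_rtp_header(raw):
    """Return (seq, timestamp, ssrc, payload_type) from a raw RTP packet (RFC 3550)."""
    if len(raw) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", raw[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, ts, ssrc, b1 & 0x7F

def analyze_stream(packets, clock_rate=8000):
    """packets: [(arrival_seconds, raw_bytes)] of one RTP stream in capture order."""
    jitter = max_delta = max_jitter = 0.0
    prev_arrival = prev_ts = None
    cycles, prev_seq, first_ext, last_ext, received = 0, None, None, None, 0
    for arrival, raw in packets:
        seq, ts, _ssrc, _pt = parse_rtp_header(raw)
        if prev_seq is not None and prev_seq - seq > 0x8000:
            cycles += 1                      # 16-bit sequence number wrapped
        ext = cycles * 65536 + seq           # extended sequence number
        first_ext = ext if first_ext is None else first_ext
        last_ext, prev_seq, received = ext, seq, received + 1
        if prev_arrival is not None:
            delta = (arrival - prev_arrival) * 1000.0   # ms between consecutive packets
            max_delta = max(max_delta, delta)
            # D = (R_i - R_{i-1}) - (S_i - S_{i-1}) in RTP timestamp units (RFC 3550)
            d = (arrival - prev_arrival) * clock_rate - (ts - prev_ts)
            jitter += (abs(d) - jitter) / 16.0          # J = J + (|D| - J) / 16
            max_jitter = max(max_jitter, jitter * 1000.0 / clock_rate)
        prev_arrival, prev_ts = arrival, ts
    expected = last_ext - first_ext + 1 if received else 0
    return {"max_delta_ms": max_delta, "max_jitter_ms": max_jitter,
            "expected": expected, "received": received, "lost": expected - received}

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0, samples=160):
    """Constructed G.711 mu-law (PT 0) packet: 12-byte header plus 20 ms of silence."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\xff" * samples

def sample_stream():
    """Constructed 20 ms stream: seq 5 is lost and seq 7 arrives 15 ms late."""
    return [(seq * 0.020 + (0.015 if seq == 7 else 0.0), make_rtp(seq, seq * 160))
            for seq in range(10) if seq != 5]

if __name__ == "__main__":
    print(analyze_stream(sample_stream()))
```

The same three figures appear in Wireshark's stream analysis window; a large Max delta with no lost packets points at bursty delivery, while lost packets show up as gaps in the sequence numbers.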
One of the most effective methods for troubleshooting a network is to capture the packets flowing through it and analyze them. If a way to reproduce the failure, and its timing, is known beforehand, a packet capture can be obtained easily. However, a problem often occurs infrequently or irregularly. To perform forensics on such problems, the packet capture needs to be obtained continuously over a long period of time. Here we explain how to obtain a packet capture over a long period of time with Wireshark.

A method to obtain a packet capture over a long period of time

To capture over a long period of time with Wireshark, configure the capture settings to write the data directly to disk. In consideration of the performance of the PC that performs the analysis, the output is divided into multiple files (Use multiple files). The following setting is an example that splits the capture file every 20 megabytes (Next file every). The ring buffer (Ring Buffer with) is set to 50 files, because the hard disk capacity of the PC that performs the capture is limited. In this case, files are saved as file 1, file 2, ... up to file 50, at which point capturing goes back to file 1 and overwrites it. Select "Capture > Options" from the menu bar. Packet capturing is initiated using the above settings, and multiple capture files are generated in the designated directory.

A handling method for split capture files

Wireshark recognizes the captured data as a "File Set" when the collected files are opened on the PC used for analysis. The details of a call (such as signaling and RTP) may be spread across multiple files when the captured data is analyzed. To perform the analysis as one file, the files need to be merged. In the following example, the divided capture files are merged into one file with the mergecap.exe command that is bundled with Wireshark.

(Format of the mergecap command: mergecap.exe <input file name 1> <input file name 2> -w <output (merged) file name>)

The merged file is read into Wireshark again to perform the analysis, such as of signaling and RTP.