Transcript A-3 (Walberg) VoIP Troubleshooting - SharkFest

Expose VoIP Problems With Wireshark
June 15, 2010
Sean Walberg
Vantage Media
SHARKFEST ‘10
Stanford University
June 14-17, 2010
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
VoIP is just another application
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
(but it has special requirements)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Without tools, VoIP is a black box
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
About Me
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The Agenda
1.
2.
3.
4.
About VoIP
Capturing VoIP
Analyzing Signaling
Analyzing RTP
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
About VoIP
Capturing VoIP
Signaling
RTP
The old way
Local Loop
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The old way
Off Hook
Dialtone
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The old way
Dialing Digits
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The old way
RING – 90v@20Hz
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The old way
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The VoIP way
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The VoIP way
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The VoIP way
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The VoIP way
ZZZZZZ
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
So there are two parts to VoIP
• Signaling
– SIP
– H.323
– MGCP
– SCCP
– Proprietary
• Voice (Bearer)
– RTP (G.711, G.722, G.729a,…)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
(two and a half, really)
• Touch Tones are a problem unto themselves
• 3212333222333 3212333322321
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Network Conditions Affecting VoIP
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Loss
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Delay
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Jitter
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Jitter != Delay
Loss
Jitter
Delay
(This is from a program called smokeping)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
10, 10, 10, 10
Latency, no jitter
10, 11, 12, 11, 9, 10
Latency and jitter
SHARKFEST '09 | Stanford University | June 15–18, 2009
About VoIP
Capturing VoIP
Signaling
RTP
Location, Location, Location
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Just a simple network
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The signaling traffic takes a
different path from the RTP traffic
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Or, it might do this
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Same conversation, different
perspectives
Here you see inbound
latency and jitter, but
nothing on the outbound
Here you see inbound
latency and jitter, but
nothing on the outbound
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
NAT changes the address
Src=C
Dst=D
Src=A
Dst=B
The address changes
within the cloud!
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Set your capture filters
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
The Packet List window
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Summaries are displayed here
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
By the way…
If the signaling or the voice is encrypted,
you won’t be able to decode it.
Sorry.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Quality of Service for VoIP
networks
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Add a column for DSCP
Signaling
Tagged RTP
Untagged
RTP
Edit -> Preferences
User Interface->Columns
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Are you running a proprietary PBX?
Edit -> Properties, Protocols -> RTP
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
About VoIP
Capturing VoIP
Signaling
RTP
The Role of Signaling
• Indicate to the remote end that a call is
coming
• Establish the codec to be used for voice
• Establish the addresses of the endpoints
• Get out of the way
• Tear down the connection once it’s done
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Use the Packet Details pane to see
what’s inside the packet
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Back to Loss, Delay, and Jitter
• Jitter is usually a non-issue
• Delay, within reason, is OK
– Clustering/Specific applications notwithstanding
• Loss isn’t great
– TCP retransmits at layer 4
– UDP retries at layer 7
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Demos
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
About VoIP
Capturing VoIP
Signaling
RTP
The properties of RTP
• RTP simulates the real time voice normally carried
over a wire
• 4KHz voice bandwidth = 8KHz sampling rate (Nyquist)
• 8 bits/sample * 8KHz = 64,000bps (DS0)
• A Codec (G.711u/A law, G.729, G.726, etc)
• Most codecs use 20ms voice samples = 50pps
• Even with compression, you have a fairly consistent
packet rate, only the size changes
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
DTMF
• Compressing DTMF is bad
• So many different ways to carry the digits out
of band, look for them in traces (see demo)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Three factors that affect voice
quality
Latency <= 150ms (one way)
Jitter <= 20ms
Packet loss <= 0.1%
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Latency <= 150ms (one way)
Jitter buffer,
Transcoding
delay
Transcoding
delay
Path delay
Serialization
delay
Hi, how are you?
Hello? Oops, sorry, go ahead
Fine, I oh hello, go ahead
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Packet Loss <= 0.1%
Hi Bo *POP* How *POP*e you?
Hi Bo
How
you?
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Jitter <= 20ms
Better late than never? No. May as well be lost.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Demos
SHARKFEST ‘10 | Stanford University | June 14–17, 2010
Thanks!
[email protected]
This presentation will be downloadable from the
Sharkfest website.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010