expose voip problems with wireshark june 15, 2010 sean walberg vantage media shark fest ‘10

SHARKFEST ‘10 | Stanford University | June 14–17, 2010

Expose VoIP Problems With WiresharkJune 15, 2010

Sean WalbergVantage Media

SHARKFEST ‘10Stanford UniversityJune 14-17, 2010


VoIP is just another application


(but it has special requirements)


Without tools, VoIP is a black box


About Me


The Agenda

1. About VoIP2. Capturing VoIP3. Analyzing Signaling4. Analyzing RTP

About VoIPCapturing VoIPSignalingRTP


The old way

Local Loop


The old way

Off Hook Dialtone


The old way

Dialing Digits


The old way

RING – 90v@20Hz


The old way


The VoIP way

I’m ca

lling

x123

4


The VoIP way

Hey, 1234, you’re being called


The VoIP way

Use x.x.x.x:xxxxUse

y.y.y

.y:yy

yy


The VoIP way

ZZZZZZ


So there are two parts to VoIP

• Signaling– SIP– H.323– MGCP– SCCP– Proprietary

• Voice (Bearer) – RTP (G.711, G.722, G.729a,…)


(two and a half, really)

• Touch Tones are a problem unto themselves• 3212333222333 3212333322321


Network Conditions Affecting VoIP


Loss


Delay


Jitter


Jitter != Delay

Jitter

Delay

Loss

(This is from a program called smokeping)

SHARKFEST '09 | Stanford University | June 15–18, 2009

10, 10, 10, 10 Latency, no jitter

10, 11, 12, 11, 9, 10 Latency and jitter


Location, Location, Location


Just a simple network


The signaling traffic takes a different path from the RTP traffic


Or, it might do this


Same conversation, different perspectives

Here you see inbound latency and jitter, but nothing on the outbound

Here you see inbound latency and jitter, but nothing on the outbound


NAT changes the address

Src=ADst=B

Src=CDst=D

The address changeswithin the cloud!


Set your capture filters


The Packet List window


Summaries are displayed here


By the way…

If the signaling or the voice is encrypted, you won’t be able to decode it.

Sorry.


Quality of Service for VoIP networks


Add a column for DSCP

Edit -> Preferences User Interface->Columns

Signaling

Tagged RTP

UntaggedRTP


Are you running a proprietary PBX?

Edit -> Properties, Protocols -> RTP


The Role of Signaling

• Indicate to the remote end that a call is coming

• Establish the codec to be used for voice• Establish the addresses of the endpoints• Get out of the way• Tear down the connection once it’s done


Use the Packet Details pane to see what’s inside the packet


Back to Loss, Delay, and Jitter

• Jitter is usually a non-issue• Delay, within reason, is OK

– Clustering/Specific applications notwithstanding

• Loss isn’t great– TCP retransmits at layer 4– UDP retries at layer 7


Demos


The properties of RTP• RTP simulates the real time voice normally carried

over a wire• 4KHz voice bandwidth = 8KHz sampling rate (Nyquist)• 8 bits/sample * 8KHz = 64,000bps (DS0)

• A Codec (G.711u/A law, G.729, G.726, etc)• Most codecs use 20ms voice samples = 50pps• Even with compression, you have a fairly consistent

packet rate, only the size changes


DTMF

• Compressing DTMF is bad• So many different ways to carry the digits out

of band, look for them in traces (see demo)


Three factors that affect voice quality

Latency <= 150ms (one way)

Jitter <= 20ms

Packet loss <= 0.1%


Latency <= 150ms (one way)

Hi, how are you? Hello? Oops, sorry, go ahead Fine, I oh hello, go ahead

Path delay

Serializationdelay

Jitter buffer,Transcodingdelay

Transcodingdelay


Packet Loss <= 0.1%

Hi Bo *POP* How *POP*e you?Hi Bo How you?


Jitter <= 20ms

Better late than never? No. May as well be lost.


Demos


Thanks!

[email protected]

This presentation will be downloadable from the Sharkfest website.

expose voip problems with wireshark june 15, 2010 sean walberg vantage media shark fest ‘10

Documents