Sniffin’ the VOIP traffic
Source: asteriskblog.com
This time we will install a network protocol analyzer to watch the traffic that crosses our LAN when a SIP call is initiated and connected.
The Wireshark open source project was formerly known as Ethereal. I used to work for a great company called Cybera as a programmer, and I was always fascinated by networking. I’d bug the network engineers for any information I could, and play around with Ethereal to try to understand what they were talking about.
If you’re working under windows, download the installer. For our Ubuntu or Debian friends, it’s available under the standard free apt archives.
There’s one little trick you need to be aware of during the install.
Make sure you select WinPcap as part of the installed goods. Complete the install and start the program. Minimize it for the time being.
Launch your VMware server and the Trixbox instance, log in, and note the IP address shown on the login screen. Mine is 192.163.1.93.
Run over to another box on your LAN and make sure you can ping this address, as detailed in my last post.
If you don’t see ‘Logged In’ in the faux LCD window, most likely you’ll need to update the IP address that the phone needs for Asterisk.
Click the little Menu button juuuust to the left of the green phone button. Select System Settings->Sip Proxy->Default.
Make sure that the IP address for Domain/Realm, SIP Proxy, and Outbound proxy are all set to the IP address of the Asterisk Trixbox server you just started via VMWare.
Remember, Nerd Vittles set us up with 500 and 501 as 2 extensions to use with these phones. Dial 501 from the 500 phone or vice versa. I launched mine just now and I can hear the kids, dog, and my wife doing fun stuff. Frankly at this point I have to sit back and marvel at the processes running to make this possible. It just blows my mind.
Now comes the hackin’ part. As the SIP call is in progress, flip back to Wireshark.
From the main window, select Capture->Interfaces.
I can see one of the listed network interfaces dealing with a lot of traffic. Choose that one and press the capture button.
Let Wireshark capture at least 5 or so seconds of traffic. So far, on mine, the vast majority of this VOIP traffic is of the UDP variety. Click Stop and Wireshark will dump it all into its analysis window.
Every line labelled OICQ Protocol represents one UDP (User Datagram Protocol) VOIP packet traversing the network. As a side note, Wireshark has guessed for us that these packets belong to a chat protocol popular in China, which, of course, is not correct.
Right click on one, and select ‘Open in new window’. Go down to the bottom and look at the ‘data’ section of the packet. This data section is the actual digitized voice of the VOIP call. It’s interesting to me that the protocol used is UDP, which is one of the two major transport protocols carried over IP, the other being TCP. UDP is a connectionless protocol, which means that the client generating the traffic simply puts the packet on the wire without checking whether the recipient actually received it. This also implies that the recipient has to collect the correct UDP packets and reorder them to form a meaningful conversation. I wonder what role the SIP ’stack’ in asterisk plays in this function. I suppose we’ll find out here at Asteriskblog!
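What you are looking at in that ‘data’ section is RTP (RFC 3550), the media protocol SIP hands the call off to once it is set up: SIP negotiates the call, RTP carries the voice over UDP, and it is the RTP header, not SIP, that gives the receiver the sequence numbers and timestamps it needs to put the packets back in order. Wireshark’s OICQ label is a port guess (its OICQ dissector is bound to UDP port 8000, which some phones also use for RTP); ‘Decode As... RTP’ on that conversation shows the real structure. The example below is added here and is not code from the post or from Asterisk: it parses the 12-byte RTP header out of a UDP payload, reorders a burst of packets across the 16-bit sequence wrap, and reports lost packets, using constructed PCMU (G.711 μ-law, payload type 0) frames as input. The defender’s point behind the post is visible in the payload bytes: this RTP is plaintext, so any host on the LAN can capture and replay the voice; SRTP (RFC 3711) for the media and TLS for the SIP signalling are the mitigations, after which a sniffer sees only ciphertext.

```python
"""Parse, reorder and gap-check RTP packets carried in UDP (added example, not from the post)."""
import struct
from dataclasses import dataclass
from typing import List


@dataclass
class RtpPacket:
    payload_type: int   # 0 = PCMU (G.711 mu-law), the usual codec on a LAN Asterisk call
    marker: bool
    sequence: int       # 16-bit counter, wraps from 65535 back to 0
    timestamp: int      # 32-bit media clock (8 kHz for PCMU)
    ssrc: int           # identifies one media stream (one direction of the call)
    payload: bytes      # the digitized voice samples, in the clear unless SRTP is used


def parse_rtp(udp_payload: bytes) -> RtpPacket:
    """Decode an RFC 3550 RTP header; raises ValueError if the bytes are not RTP."""
    if len(udp_payload) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version field is not 2")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count            # skip the contributing-source list
    if extension:
        if len(udp_payload) < offset + 4:
            raise ValueError("truncated header extension")
        _, ext_words = struct.unpack("!HH", udp_payload[offset:offset + 4])
        offset += 4 + 4 * ext_words
    if len(udp_payload) < offset:
        raise ValueError("truncated CSRC/extension area")
    payload = udp_payload[offset:]
    if padding:
        # the last byte counts how many trailing pad bytes (including itself) to drop
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            raise ValueError("bad padding count")
        payload = payload[:-payload[-1]]
    return RtpPacket(b1 & 0x7F, bool(b1 & 0x80), seq, ts, ssrc, payload)


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes,
              payload_type: int = 0, marker: bool = False) -> bytes:
    """Constructed sample packet (no CSRCs, extension or padding) for offline testing."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def reorder(packets: List[RtpPacket]) -> List[RtpPacket]:
    """Restore sequence order, honouring the 16-bit wraparound a receiver must expect."""
    earliest = packets[0].sequence
    for p in packets[1:]:
        # p precedes 'earliest' when the modular distance from p up to earliest is small
        if p.sequence != earliest and ((earliest - p.sequence) & 0xFFFF) < 0x8000:
            earliest = p.sequence
    return sorted(packets, key=lambda p: (p.sequence - earliest) & 0xFFFF)


def missing_sequences(ordered: List[RtpPacket]) -> List[int]:
    """Sequence numbers absent from an ordered stream: packets UDP will never resend."""
    missing = []
    for prev, cur in zip(ordered, ordered[1:]):
        expected = (prev.sequence + 1) & 0xFFFF
        while expected != cur.sequence:
            missing.append(expected)
            expected = (expected + 1) & 0xFFFF
    return missing


def demo():
    """Five PCMU frames arriving out of order across the sequence wrap, one of them lost."""
    ssrc = 0x1234ABCD                        # constructed stream identifier
    arrival_order = [65534, 65535, 1, 0, 3]  # constructed; seq 2 never arrives
    wire = [build_rtp(s, 160 * ((s - 65534) & 0xFFFF), ssrc, bytes([0xFF]) * 8)
            for s in arrival_order]          # 0xFF is PCMU silence
    packets = [parse_rtp(b) for b in wire]
    ordered = reorder(packets)
    return [p.sequence for p in ordered], missing_sequences(ordered), ordered[0]


if __name__ == "__main__":
    seqs, lost, first = demo()
    print("play-out order:", seqs, "lost:", lost)
    print("first frame: PT", first.payload_type, "SSRC", hex(first.ssrc), "voice", first.payload.hex())
```

The reorder step is exactly the work the blog attributes to the receiver, and the lost sequence number is what a RTP stream analysis in Wireshark reports as packet loss; a run of 0xFF bytes in the payload is PCMU silence, which is why a quiet call shows long repeating patterns in that ‘data’ section.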
Well, I hope you’ve found that illuminating, and I’m sure we’ll be referring to this tool to diagnose our further work in Asterisk. Please contact me if you have any questions.