Saturday, May 25, 2019

Troubleshooting and Analyzing SIP calls with Wireshark

The Session Initiation Protocol (SIP) is the dominant signaling protocol used in VoIP these days. H.323 is another signaling protocol used for VoIP. However, it is not used for other purposes like file sharing, application sharing, or online gaming. It is mainly focused in areas of multimedia conferencing. It is less complex when compared to SIP. Cisco and Polycom (now, it's Poly) are the major players in the video conferencing industry. In addition to these legacy players, there is a new notable player - Zoom Video Communications, which is a cloud-based conferencing provider.

Refer the following links about the differences between SIP and H.323.

  • SIP Call Flow

In order for analyzing SIP packets, you need to understand basic call flows in a VoIP environment. I will mention only SIP call flow in this article because SIP is dominant and replacing H.323. Here is a basic SIP call flow and description of the SIP messages.

There are some entities that help SIP in creating its network. In SIP, every network element is identified by a SIP URI (Uniform Resource Identifier) which is like an address. Following are the network elements:

- User Agent: User agents are logically divided into two parts.
  1) User Agent Client (UAC) is requesting a service function.
  2) User Agent Server (UAS) is responding to a request.
SIP is based on a client-server architecture where the caller’s phone acts as a client which initiates a call and the callee’s phone acts as a server which responds the call.

- Proxy Server: It is the network element that takes a request from a user agent and forwards it to another user. Basically, the role of a proxy server is much like a router, where sits in between two user agents.
SIP proxy servers that route messages to more than one destination are called forking proxies. SIP forking refers to the process of "forking" a single SIP call to multiple SIP endpoints. This is a very powerful feature of SIP. A single call can ring many endpoints at the same time. SIP forking allows a desk phone ring at the same time as a mobile, allowing a call to be taken from either device.

- Registrar Server:

- Redirect Server:

- Location Server:

* SIP INVITE: This message

* Status 100 Trying:


Also, there are excellent video sessions and slide decks you can download from the Microsoft Ignite. These technical sessions give you best practices, recommendations, and working through the implementation scenarios with Microsoft Teams. As you may know, Microsoft Teams is replacing Skype for Business.

  • Analyzing SIP protocols with Wireshark

When you face a VoIP problem like a call failure, no audio in SIP, you need to do a packet capture to analyze the SIP calls. Below is a good article you can start on how to analyzer SIP calls in Wireshark. And I will continue to update useful tips and How-To articles related to SIP troubleshooting here.

* Tip: Please refer 'Wireshark Display Filter Examples' for understanding basics and the syntax of the Display Filters (also called Post-Filters).

Display Filter Expression on Wireshark
Display Filter SIP protocol
Display Filter RTP stream
Display Filter SIP or RTP
Display Filter RTCP packets
Display Filter DTMF packets
Display Filter with IP address
Display Filter with TCP source port (e.g. 55233)
Display Filter with TCP destination port (e.g. 5060)
Display Filter with UDP source port (e.g. 55233)
Display Filter with UDP destination port (e.g. 5060)

  • Disable ALG?

What is ALG and how to disable it? I am sure you will have these questions when you are troubleshooting with VoIP issues. ALG stands for Application Layer Gateway, which is responsible to do NAT on the Layer 7 packet (Invite and SDP). Most firewalls are capable of performing ALG on the SIP packets, and you do not have to do any additional configuration to enable this feature. As soon as the firewall identifies the traffic as SIP application, it will invoke the ALG decoder and perform a Layer 7 NAT. Firewalls like Palo Alto Networks firewalls will take the media information and open up a pinhole or "Predict Session" to allow the media packets.

Please see the details about SIP ALG and how to disable it on firewalls.

No comments: