Saturday, May 25, 2019

Troubleshooting and Analyzing SIP calls with Wireshark

    • Session Initiation Protocol (SIP)

    The Session Initiation Protocol (SIP) is the dominant signaling protocol used in VoIP these days. H.323 is another signaling protocol used for VoIP; however, it is not used for other purposes like file sharing, application sharing, or online gaming, and is mainly focused on multimedia conferencing. It is less complex than SIP. Cisco and Polycom (now Poly) are the major players in the video conferencing industry. In addition to these legacy players, there is a new notable player, Zoom Video Communications, which is a cloud-based conferencing provider.

    * Refer to the following links about the differences between SIP and H.323.

    • SIP Call Flow

    In order to analyze SIP packets, you need to understand the basic call flows in a VoIP environment. I will cover only the SIP call flow in this article because SIP is dominant and is replacing H.323. Here is a basic SIP call flow with a description of the SIP messages.

    <SIP Call Flow>

    Also, check the session initiation flow diagram for SIP at the following link.

    • SIP User Agent and SIP Servers

    There are several entities that make up a SIP network. In SIP, every network element is identified by a SIP URI (Uniform Resource Identifier), which works like an address. The network elements are as follows:

    ▶ User Agent

    User agents are logically divided into two parts.

      1) The User Agent Client (UAC) requests a service function (it sends the request).
      2) The User Agent Server (UAS) responds to the request.

    SIP is based on a client-server architecture where the caller's phone acts as a client, which initiates the call, and the callee's phone acts as a server, which responds to the call.

    ▶ Proxy Server

    It is the network element that takes a request from a user agent and forwards it to another user. Basically, the role of a proxy server is much like that of a router, sitting in between two user agents.

    SIP proxy servers that route messages to more than one destination are called forking proxies. SIP forking refers to the process of "forking" a single SIP call to multiple SIP endpoints. This is a very powerful feature of SIP: a single call can ring many endpoints at the same time. SIP forking allows a desk phone to ring at the same time as a mobile, so the call can be taken from either device.

    There are two types of Proxy Servers:
    * Stateless Proxy Server
    A stateless proxy server simply forwards the message it receives. This type of server does not store any information of the call or transaction.

    * Stateful Proxy Server
    A stateful proxy server keeps track of every request and response that it receives. It can use the stored information in the future if required. It can retransmit the request if it does not receive a response from the other side.

    ▶ Registrar Server

    A server that accepts and handles SIP REGISTER requests. It is typically combined with the function of a Location Server, a database that stores information about the current location of a SIP User Agent.
    Very often, a registrar functions as a location service. It is also very common for a registrar/location service to be co-located with the proxy server for the same domain.

    ▶ Redirect Server

    A SIP redirect server acts as a router for VoIP traffic. It receives requests and looks up the intended recipient of each request in the location database created by the registrar.
    A redirect server is a user agent server that generates 3xx responses to the requests it receives, directing the client to contact an alternate set of URIs.

    ▶ Location Server

    The location server provides the exact list of a caller's (UA's) possible locations to the redirect and proxy servers. It records and maintains the contact information of every UA. Only a proxy server or a redirect server can contact a location server.

    • Media Flows in Microsoft Teams

    There are excellent video sessions and slide decks you can download from Microsoft Ignite. These technical sessions give you best practices and recommendations, and walk you through implementation scenarios with Microsoft Teams. As you may know, Microsoft Teams is replacing Skype for Business.

    • Analyzing SIP protocols with Wireshark

    When you face a VoIP problem like a call failure or no audio in a SIP call, you need to do a packet capture to analyze the SIP calls. Below is a good article to start with on how to analyze SIP calls in Wireshark. I will continue to update useful tips and how-to articles related to SIP troubleshooting here.

    * Tip: Please refer to 'Wireshark Display Filter Examples' to understand the basics and the syntax of display filters (also called post-filters).

    ▶ Display Filter Expression on Wireshark

    Display Filter SIP protocol
    Display Filter RTP stream
    Display Filter SIP or RTP
    Display Filter RTCP packets
    Display Filter DTMF packets
    Display Filter with IP address
    Display Filter with TCP source port (e.g. 55233)
    Display Filter with TCP destination port (e.g. 5060)
    Display Filter with UDP source port (e.g. 55233)
    Display Filter with UDP destination port (e.g. 5060)

    • Disable ALG

    What is ALG and how do you disable it? I am sure you will have these questions when you are troubleshooting VoIP issues. ALG stands for Application Layer Gateway, which is responsible for performing NAT on the Layer 7 payload (the INVITE and its SDP body).

    Most firewalls are capable of performing ALG on SIP packets, and you do not have to do any additional configuration to enable this feature. As soon as the firewall identifies the traffic as a SIP application, it invokes the ALG decoder and performs a Layer 7 NAT. Firewalls like Palo Alto Networks firewalls take the media information from the SDP and open a pinhole, or "Predict Session", to allow the media packets through.

    Please see the details about SIP ALG and how to disable it on firewalls.
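    As an added example (not code from the original post), the following Python script ties the display-filter and ALG sections together: it parses a constructed SIP INVITE with its SDP body, builds a Wireshark display filter that isolates one call's signaling (by Call-ID) and its RTP media, and flags the case where the SDP still advertises a private RFC 1918 address although the packet arrived from a public source, which is exactly the Layer 7 mismatch that SIP ALG is meant to rewrite. The INVITE, addresses and ports are constructed sample values.

```python
import ipaddress

# Constructed sample INVITE with an SDP body, as it leaves a phone on a
# private LAN before any NAT device rewrites the Layer 7 addresses.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_sip(raw):
    """Split a SIP request into its headers and the SDP connection/media lines."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sdp = {}
    for line in body.split("\r\n"):
        if line.startswith("c="):           # connection address for the media
            sdp["addr"] = line.split()[-1]
        elif line.startswith("m=audio"):    # audio media port
            sdp["port"] = int(line.split()[1])
    return {"method": lines[0].split()[0], "headers": headers, "sdp": sdp}

def call_display_filter(msg):
    """Wireshark display filter isolating this call: its SIP signaling by
    Call-ID plus the RTP media on the address/port advertised in the SDP."""
    call_id = msg["headers"]["call-id"]
    addr, port = msg["sdp"]["addr"], msg["sdp"]["port"]
    return f'sip.Call-ID == "{call_id}" || (ip.addr == {addr} && udp.port == {port})'

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def media_address_mismatch(msg, observed_src_ip):
    """One-way/no-audio symptom: SDP still carries a private address although the
    packet came from a public source, i.e. the Layer 7 addresses were not rewritten."""
    return is_rfc1918(msg["sdp"]["addr"]) and not is_rfc1918(observed_src_ip)
```

    Paste the returned filter into Wireshark's display filter bar to see only that call; a mismatch result on a packet captured on the public side means neither an ALG nor an SBC rewrote the SDP.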
