Performing a Wireshark trace of a Biamp VoIP device
This document describes the process of performing a packet capture of a Biamp VoIP device communications on a VoIP network. A program called Wireshark is a free, open-source packet analyzer that is used for network troubleshooting and analysis.
If a Biamp VoIP device is placed on a VoIP Network, but not registering with the Proxy Server, determining the point of failure can be difficult using the Biamp software alone. The registration process may be hindered by something beyond the VoIP card itself. Possible causes can include communications issues over the network or issues with the configuration of the Proxy Server. If this is the case, Wireshark can be used to help locate the point of failure.
Biamp Tesira VoIP cards support the option of using TLS encryption. If TLS in being used Wireshark cannot display the encrypted data for debugging. TLS must be temporarily disabled for the VoIP user account by the VoIP system admin while debugging is being performed, and re-enabled once all data has been collected.
Get Wireshark
Go to the Wireshark download site located at http://www.wireshark.org/download.html
Download the Wireshark installer and install Wireshark.
Mirror a port
To perform a Wireshark capture of the VoIP packet flow, the computer running the Wireshark program must be able to see all information going to and from the Biamp VoIP device. One way to do this is by configuring a mirrored port on a network switch, which essentially tells the switch to copy all of the traffic going to/from the VoIP device and send it to the PC. There are three different methods that can be used to mirror the VoIP network communications:
Method 1 - Via a Managed Switch
- The Biamp VoIP device will be connected to the VoIP Network using an Ethernet Switch. Typically the switches used in this setting will be managed switches and the functionality of the ports can be manipulated. If this is the case, contact an IT Administrator who is able to change the port settings of this switch and ask to be provided with a mirrored port of the Biamp VoIP port. Mirroring a port is a common method of monitoring of network traffic and is used on a managed switch to send a copy of packets seen on one switch port to a network monitoring connection on another switch port.
- Once port mirroring has been set up proceed to "Capture a Wireshark Trace".
Method 2 - Using a secondary Managed Switch
- If it is not possible to gain access to the main network switch of the VoIP system a secondary managed Ethernet switch can be used to monitor the network traffic to and from the Biamp VoIP device. The secondary switch in this case must have the ability to provide port mirroring.
- Setup the port mirroring in the managed switch. Every switch setup is a bit different and specific issues with setting up the mirrored port should be directed to the switch manufacturer.
- Connect the computer running Wireshark to the destination port of the managed switch. The destination port is defined as the port to which traffic is mirrored.
- Connect the Biamp VoIP device to the source port of the managed switch. The source port is defined as the port from which traffic is mirrored.
- Connect a feed from the main VoIP Ethernet switch to the Ethernet switch being used for the port mirroring.
- Proceed to "Capture a Wireshark Trace".
Method 3 - Through an Ethernet Hub
- If a managed switch is not available it is possible to use a true Ethernet hub to perform the Wireshark capture. An Ethernet hub is essentially an Ethernet repeater and any network traffic that is present is available on every port of the hub. (Note that an Ethernet Hub and an Ethernet Switch are two different things, and true Ethernet Hubs are no longer commonly available.)
- Connect a feed from the main VoIP Ethernet switch to the Ethernet hub.
- Connect the Biamp VoIP device to the Ethernet hub.
- Connect the computer running Wireshark to the Ethernet hub.
- Proceed to "Capture a Wireshark Trace".
Topology
The three methods of performing a Wireshark trace use slight variations on the following topology.
Capture a Wireshark trace
- Open Wireshark.
- In the Capture pull down menu select Options.
- Select the Network Interface Card of your computer that Wireshark should use to perform the capture.
Figure 1 – Select a NIC
- Ensure that the Capture Filter field is blank. Filtering the capture may exclude packets that are needed to solve the problem from the Wireshark trace.
Figure 2 – Clearing the Capture Filter
- Select Start on the bottom of the Capture Options Window to start the Wireshark Capture. You should now see a scrolling list of packets being displayed in the Wireshark window. If this list does not appear there may be a problem with the port mirroring process described previously in this document.
Figure 3 – Scrolling List of a Wireshark Trace
- With the Wireshark capture running, unplug the Biamp VoIP device from the switch for 5 seconds then plug back in. This will cause the VoIP device to start its registration over again while Wireshark documents the process.
- Depending on the specific nature of the problem it may be necessary to make a call to or from the VoIP device with Wireshark running in order to further troubleshoot.
- When all captures have been completed stop the current trace by selecting Stop from the Capture pull down menu.
Verifying the correct data was captured
To confirm the correct data has been captured, the use of the Wireshark filter field is required. By entering the word ‘sip’ (in lowercase), the SIP negotiation sequence between the Biamp VoIP device and the Proxy can be seen. Note that if no SIP messages are shown, the Wireshark capture has not been performed correctly and will need to be retaken using the correct settings. The most common reason for this is the port mirror being incorrectly configured.
- Choose File-->Save As to save a copy of the Wireshark capture to the computer.
- Proceed to the How to read a Wireshark trace of a Biamp VoIP device article to continue troubleshooting the system.
Privacy concerns
IMPORTANT - A Wireshark trace captures (or records) all of the packets sent to and from a VoIP endpoint. This means that it is possible to listen to the calls which have been captured from the Wireshark data. This can be an important part of troubleshooting for VoIP systems which are malfunctioning. You should not perform a Wireshark trace on client systems during sensitive calls as you will be recording the call, which can be a violation of many wiretapping laws if the participants are unaware of the recording being made. If you are troubleshooting cases where calls fail only intermittently and you need to take a long duration capture of all traffic for a VoIP card be sure to impress upon your clients that the calls are being recorded during that time period. You may need to provide clear notification to both parties on a call that captures are being made. Additionally, there may be a need to have signed Non-Disclosure Agreements for such cases. Be sure to discuss this with the client before making captures of their calls. Captures made of calls which do not contain private conversations, with full disclosure of the process, and specifically for troubleshooting problematic VoIP issues should not be a problem. |