Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors. He can be contacted at chris (at) packetpioneer (dot) com.
NOTE: This was written with the intent of using this feature for troubleshooting poor performance with VoIP.
Voice over the Internet Protocol is no longer an emerging service on the network. Many production environments have been using it for years, leveraging the greater flexibility and cost savings offered by this technology. This being the case, the need for tools and features to troubleshoot and resolve call setup and quality is increased. The latest versions of Wireshark have specific features built in to assist in resolving problems with VoIP, such as the call playback feature.
Why is this feature practical? If a call has audio gaps, echo, or other quality issues, call playback can help in determining where these problems originate, whether on the network or in a phone itself. For example, if a call sounds bad, the RTP stream (or whatever the delivery protocol is) can be captured just before it gets to the phone. If it sounds bad from the packet level on the wire, the phone itself can be ruled out as a part of the problem. The capture point can move closer to the source of the call, and the specific point on the network causing the poor performance may be isolated.
How can we do it with Wireshark? The most critical part of playing back a VoIP call is to capture it properly. Remember that after a call is established, most VoIP systems will transmit the actual call between the source and destination phones, but the call setup frames will be between the phones and a centralized call manager. Make sure when capturing that the analyzer is in the path of the call and at least one side of the call setup packets.
Using the Telephony menu option, select VoIP Calls. This will list all calls in the capture by call setup as well as by RTP Stream.
Select the call to be played back and click the Player button. Wireshark has a VoIP player built into it which can be accessed by touching the Decode button. The player will appear.
To replay a call, select the check box next to the call identifier and click the Play button. The captured call will replay. In order to play both sides of the call, use the shift key to select both directions of the call in the VoIP Call list. If both are selected and decoded, the call will play both streams back simultaneously, allowing you to hear the complete conversation.
NOTE: According to the support documentation, this feature works only for G711 A-Law and G711 u-Law RTP streams (as of yet other codecs are not implemented).Bye for now, "Cone of Silence" now activated.