Categories
Networking Phone Systems Technology

Add DSCP column to WireShark

When tracking down CoS and QoS issues with VoIP calls, having this column handy in Wireshark captures is, well, handy.

  1. Right click on one of the Wireshark column headers
  2. Click on Column Preferences
  3. Click the Add (+) icon at the bottom
  4. Click on the new column and change its title to DSCP
  5. Set the Type to Custom
  6. The field name should be ip.dsfield.dscp
  7. Drag the column to whatever position you like
  8. Click OK.
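The same value the ip.dsfield.dscp column shows, pulled out of a capture file and tallied per source/destination pair so that an RTP stream carrying mixed markings (say, mostly EF with a few unmarked packets) stands out at a glance. This is an added example, not code from the original post; it assumes a classic libpcap file (not pcapng) of Ethernet frames, and the sample capture at the bottom is constructed inline.

```python
"""Tally DSCP markings per IPv4 flow in a classic .pcap of Ethernet frames.
Added example, not from the original post: the value behind the
ip.dsfield.dscp column, grouped per src/dst pair. libpcap format only."""
import struct
from collections import Counter
# Code points common in VoIP QoS policies: EF for RTP, CS3/AF31 for signalling.
DSCP_NAMES = {46: "EF", 34: "AF41", 26: "AF31", 24: "CS3", 0: "BE"}

def dscp_name(dscp):
    return DSCP_NAMES.get(dscp, "DSCP%d" % dscp)

def iter_ipv4(pcap):
    """Yield (src, dst, dscp) for every Ethernet/IPv4 frame in the capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType IPv4
            ip = frame[14:]
            src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
            yield src, dst, ip[1] >> 2  # DSCP is the upper 6 bits of the ToS byte

def dscp_per_flow(pcap):
    """Return {(src, dst): Counter({dscp_name: packet_count})}."""
    flows = {}
    for src, dst, dscp in iter_ipv4(pcap):
        flows.setdefault((src, dst), Counter())[dscp_name(dscp)] += 1
    return flows

def _frame(src, dst, dscp):
    """Minimal Ethernet/IPv4 frame with a dummy UDP payload; constructed test data."""
    ip = bytes([0x45, dscp << 2]) + struct.pack(">HHHBBH", 40, 0, 0, 64, 17, 0)
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * 20

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample: three EF RTP packets, one unmarked straggler, one CS3 reply.
SAMPLE_PCAP = _pcap([_frame("10.0.0.5", "10.0.0.9", 46)] * 3
                    + [_frame("10.0.0.5", "10.0.0.9", 0), _frame("10.0.0.9", "10.0.0.5", 24)])
```

Point `dscp_per_flow` at the bytes of a real capture (`open("call.pcap", "rb").read()`) to see which flows are being remarked somewhere between the phone and the PBX.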

VoIP Wireshark Tips

Trying to export audio from Wireshark can be a pain, but if you practice a few habits it gets a lot easier. If you do a lot of network packet capturing and RTP playback in Wireshark for quality troubleshooting in the VoIP field, you have come across the dreaded error “Codec is not supported, file is incomplete”.

You have probably also tried to play a stream only to find the stream is blank.

Also, if you are trying to quickly find out what DSCP is doing, or which country the IPs of a PBX are from, these tricks can be the difference between frustration and a lot of clicks, or smooth sailing.

My Quick VoIP Tips

If you are really fluent and don’t need much direction, below are the things I do as a matter of practice. If you need to learn what this stuff is and how to do it, read on below.

  • Always separate calls into separate files using Prepare Filter
  • Save audio as raw, import it into Audacity and convert to mp3
  • Add DSCP as a column (see link)
  • Add the country ISO code from the MaxMind database (see link)

Separate Calls from Captures

I always separate calls from captures because not only does it make processing packets faster, but you can play streams that just won’t play at all when you have larger captures, regardless of which computer you are using.

The first image is what you see when you try to play a stream on a large capture. The second image is what you see after you have done a Prepare Filter on the call, exported the visible packets, reopened those exact same packets and clicked Play Streams again.

If you don’t know how to do any of this, I’ll walk you through it.

  1. Open your capture and click Telephony >> VoIP Calls
  2. Wait for “Recalculating statistics on all packets” to complete. You will see this at the bottom of Wireshark.
  3. Now you should see the Wireshark – VoIP Calls screen.
  4. Click on the call you want to listen to and click the Prepare Filter button. Wait for “Filtering frame number” to complete at the bottom of Wireshark.
  5. Go back to the main Wireshark screen, click File >> Export Specified Packets >> All Packets >> Displayed, then name and save the new file.
  6. Now open the new capture file and go back to Telephony >> VoIP Calls. You will see only one call, and chances are Play Streams will now play the sound you want.

Codec is not supported, file is incomplete

This error, from what I suspect, has to do with some sort of buffer overflow that is not handled in Wireshark’s export methods, probably a memory limit in the code that converts the RTP payload to the .au file type. Regardless of why, there is a trick to avoiding it, and it is a couple of simple steps. Without the trick it is impossible to export long calls to audio.

  1. Save the forward and reverse streams as raw
  2. Import them into Audacity
  3. Set them to stereo, left and right

Saving Forward and Reverse to Raw

  1. Open the call capture in Wireshark >> Telephony >> RTP >> RTP Streams
  2. Select both streams and click Analyze
  3. Click Save >> File Synchronized Forward Audio and change the format to Raw
  4. Repeat for Reverse Audio

Import Raw Files into Audacity

  1. File >> Import >> Raw Data and select the raw file you exported.
  2. Select Encoding >> U-Law, Channels >> 1 Channel (Mono), Sample rate 8000. (These settings may be different for your phone system; these are Switchvox settings.)
  3. Import
  4. Repeat for both the forward and reverse raw files.

Audacity Import Raw Settings

Set Left Right Pan

Finally, just drag the left/right pan slider for each audio track so you can clearly hear both the forward and reverse audio.

Setting Forward Reverse Panning
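For the common case the post describes (8 kHz G.711 µ-law raw exports), the Audacity import and panning steps can be done in one go: decode each raw file and write a single 16-bit stereo WAV with forward on the left and reverse on the right. This is an added example, not the post’s own procedure; it assumes the Switchvox settings above (U-Law, mono, 8000 Hz), and the shorter stream is padded with µ-law silence so the channels keep their alignment. Streams using other codecs need their own decoder.

```python
"""Merge the Raw (G.711 u-law) forward and reverse audio that Wireshark's RTP
Stream Analysis saves into one 16-bit stereo WAV, forward left, reverse right.
Added example, not from the original post; assumes 8 kHz u-law (Switchvox
settings in the post). Other codecs need their own decoder."""
import struct
import wave

ULAW_SILENCE = 0xFF  # u-law encoding of linear zero; used to pad the shorter stream

def ulaw_to_pcm16(byte):
    """Decode one G.711 u-law byte to a signed 16-bit linear sample."""
    u = ~byte & 0xFF                       # u-law bytes are stored inverted
    magnitude = ((u & 0x0F) << 3) + 0x84   # 4-bit mantissa plus the 0x84 bias
    magnitude <<= (u & 0x70) >> 4          # 3-bit exponent (segment)
    magnitude -= 0x84
    return -magnitude if u & 0x80 else magnitude

def stereo_samples(forward_raw, reverse_raw):
    """Return [(left, right), ...] with forward on the left and reverse on the right.
    The shorter stream is padded with silence so both channels keep their timing."""
    n = max(len(forward_raw), len(reverse_raw))
    fwd = forward_raw.ljust(n, bytes([ULAW_SILENCE]))
    rev = reverse_raw.ljust(n, bytes([ULAW_SILENCE]))
    return [(ulaw_to_pcm16(f), ulaw_to_pcm16(r)) for f, r in zip(fwd, rev)]

def write_stereo_wav(forward_raw, reverse_raw, out_path, rate=8000):
    """Write the merged call to out_path; returns the number of stereo frames."""
    samples = stereo_samples(forward_raw, reverse_raw)
    with wave.open(out_path, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)   # 16-bit PCM
        w.setframerate(rate)
        w.writeframes(b"".join(struct.pack("<hh", l, r) for l, r in samples))
    return len(samples)

if __name__ == "__main__":
    import sys
    # Usage: python merge_call.py forward.raw reverse.raw call.wav
    fwd_path, rev_path, out = sys.argv[1:4]
    with open(fwd_path, "rb") as f, open(rev_path, "rb") as r:
        frames = write_stereo_wav(f.read(), r.read(), out)
    print("wrote %d frames (%.1f s)" % (frames, frames / 8000))
```

The resulting WAV plays in any media player and can still be opened in Audacity for mp3 export if you want it.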

That’s it for now. If I come up with some more tips, I will update this post. It is very likely that I do things that would be a tip to others but to me are just SOP, so feel free to ask me or suggest anything.


Add Country to Wireshark Captures

This neat trick allows you to see the source and destination IP country, or at least the country listed in the MaxMind databases. Keep in mind you could have a US IP address, say from PureVPN, connecting to you while the user is actually in Bolivia.

There are literally hundreds of thousands of IPs owned by VPN companies that lease out VPN connections to anyone who pays, including perps. The actors or perps can then pick and choose where they want to pretend to be from, anywhere in the world. Most good hackers will use multiple VPNs and multiple countries (you know, on TV when McGeek says “It’s gonna take a while, Gibbs, they are bouncing off routers all over the place”), so you have to go pretty far down the rabbit hole to find the actual source. But this does give you insight into honest folks and kiddie hackers.

Get the Database

  1. Create an account at https://www.maxmind.com/ for GeoLite2
  2. Download the GZip for GeoLite2 Country
  3. I save my database folder on Google Drive File Stream (you can use Drive as well, but I recommend not using the free Drive) and mark it as offline. That way, if any of my coworkers need to use it too, they can do the same.

Setup Wireshark

  1. Go to Wireshark >> Edit >> Preferences >> Name Resolution and add the MaxMind database folder

Wireshark Preferences for MaxMind

  2. Now right click the column header and select Column Preferences
  3. Add columns for both ip.geoip.src_country_iso and ip.geoip.dst_country_iso and drag them to the column order you want

How to edit columns in Wireshark
Setup Columns in Wireshark

  4. Finally, you need to restart Wireshark for this to take effect. NOTE: you can see the countries for public static IP addresses in both live captures and files you newly open.

Enjoy!