Wireshark is on of my best friends. It never bitches or moans and does exactly what I want it to do. It is an incredibly versatile tool, and most of us don't really take the time to master it. I must admit I am no different. But how great would it be, if you could just spin up Wireshark, quickly put in some capture filters et voila! So start playing around with it.
As always I try to provide applied articles on my blog. Before I continue, this post is definitely not Cisco specific and can be applied to any endpoint/phone system using RTP and what ever IP signalling protocol. In this particular case, I was looking at a call quality issue. Predominately related to video being choppy and intermittent. Wireshark has the built in ability to analyse an RTP streams made up of many payloads/codecs.
My test scenario was a video enabled call between a Jabber client and a desk phone. Which makes using Wireshark a lot easier as it can be run locally and capture the RTP stream without setting up any remote switch port capturing etc. etc.
First thing you will need to set up is a capture filter. I find, not applying a capture filter, slows my local machine down too much. The filter I used was:
host 10.x.x.101 || tcp port 5060 || udp port 5060
So this filter means capture everything, to and from 10.x.x.101 OR tcp port 5060 OR tcp port 5060. Of course 5060 is SIP and 10.x.x.101 is the IP address of the remote desk phone. It is important that Wireshark captures the signalling traffic as well, in order for it to identify the RTP streams. Of course if you are capturing H323 or SCCP, or some other crappy protocol, you would need to change the port numbers accordingly.
So once you have applied the capture filter to the interface you will be capturing from, you will need to go to Telephony>RTP>Show all streams and you will be presented with a screen similar to Figure 1 below.
|Fig.1 - RTP streams Wireshark|
Delta is the difference between arrival of this packet vs. the arrival of the previous packet. It's all at the network layer and reflects the packet arrival at the capture interface (where it's timestamped). This variable will give you a good idea of the sort of delay/performance on the network layer.
If you click the "Analyze" button in Figure 1, after having selected an RTP stream this will give you even more option, such as graphic jittter, delta etc. It will even give you the option to play back the RTP stream!
I might actually dedicate a separate post on the meaning of Jitter, Delta and RTP delays. Who knows.
Namaste! Happy Sharking