1 00:00:00,180 --> 00:00:05,280 In this video, I'm going to show you how to capture traffic, but in this example, it's going to be
2 00:00:05,280 --> 00:00:06,570 voice over IP traffic.
3 00:00:06,960 --> 00:00:14,010 In other words, we're going to capture traffic between virtual phones as shown here, as well as virtual
4 00:00:14,010 --> 00:00:15,660 phones and physical phones.
5 00:00:16,110 --> 00:00:21,120 I'm going to make calls between these two phones, and then we're going to capture the traffic and then
6 00:00:21,120 --> 00:00:25,470 replay the voice call, and we're going to use Wireshark for that.
7 00:00:25,770 --> 00:00:27,060 OK, so let's have a look at this
8 00:00:27,060 --> 00:00:28,860 practically. Here's an example.
9 00:00:29,010 --> 00:00:33,070 I'm using GNS3 to run a virtual infrastructure.
10 00:00:33,690 --> 00:00:36,810 I've got two PCs, PC 1 and PC 2.
11 00:00:37,290 --> 00:00:39,960 These are Windows computers.
12 00:00:40,140 --> 00:00:43,410 So here's PC 2, here's PC 1.
13 00:00:43,890 --> 00:00:45,900 They are Windows 10 computers,
14 00:00:45,900 --> 00:00:49,500 and I'm running IP phones on these computers.
15 00:00:49,500 --> 00:00:52,950 So these are older IP Communicator phones.
16 00:00:53,340 --> 00:00:56,190 Don't worry too much about the technical details of the phones.
17 00:00:56,640 --> 00:01:00,520 Basically, these allow me to make calls from one phone to the other.
18 00:01:02,870 --> 00:01:11,740 So as an example, I can set up a call from one phone to the other. I'm getting a lot of feedback here
19 00:01:11,740 --> 00:01:17,560 because these two phones are running on my single computer, and you typically don't make a phone call
20 00:01:17,560 --> 00:01:19,060 from one phone to another
21 00:01:19,060 --> 00:01:20,340 that's right next to each other.
22 00:01:20,650 --> 00:01:24,300 So the audio is going round and round and round between these two phones.
23 00:01:24,640 --> 00:01:30,850 But the point is that I can make a phone call and I'll be able to capture the voice traffic using
24 00:01:30,850 --> 00:01:31,570 Wireshark.
25 00:01:32,190 --> 00:01:35,530 I've also got a Cisco Communications Manager Express router here.
26 00:01:36,010 --> 00:01:38,860 That's the router that's setting up the calls between the phones.
27 00:01:39,390 --> 00:01:42,970 Again, don't worry too much about this. Typing
28 00:01:43,000 --> 00:01:47,050 show run here allows me to see the running configuration of the router.
29 00:01:47,440 --> 00:01:51,910 I've got a DHCP pool configured to allocate IP addresses to phones.
30 00:01:53,370 --> 00:01:54,300 Scrolling down,
31 00:01:55,600 --> 00:02:01,330 you can see the telephony service. This is the part that actually allows phones to communicate with
32 00:02:01,330 --> 00:02:01,870 the router.
33 00:02:02,230 --> 00:02:07,270 Now, what I want to point out here is: notice the IP address of the router and notice the port
34 00:02:07,270 --> 00:02:10,210 number. Port 2000 is the Skinny protocol.
35 00:02:10,539 --> 00:02:16,360 That is a control protocol that sets up communication between the phones and the router.
36 00:02:16,780 --> 00:02:22,060 Basically, the router tells the phones about each other and sets up the call between the two phones
37 00:02:22,270 --> 00:02:23,680 using this port number.
38 00:02:23,920 --> 00:02:27,550 So TCP port 2000. I'll show you that in a moment
39 00:02:27,550 --> 00:02:31,840 when we run Wireshark captures. You can see the first phone has this number.
40 00:02:32,110 --> 00:02:38,020 This is the second phone's telephone number. Various other telephone numbers are configured here. Here are details
41 00:02:38,020 --> 00:02:39,370 of the IP phones.
42 00:02:40,180 --> 00:02:42,730 So you can see MAC addresses and other information,
43 00:02:43,810 --> 00:02:49,900 but again, we're not going to worry too much about the Call Manager Express or Cisco Unified Communications
44 00:02:49,900 --> 00:02:52,030 Manager Express router configuration.
45 00:02:52,940 --> 00:02:58,730 This is just to try and give you a bit of background about what's going on. show ephone shows us that
46 00:02:58,730 --> 00:03:00,050 we've got multiple phones.
47 00:03:00,050 --> 00:03:01,240 So here's ephone 1.
48 00:03:01,640 --> 00:03:02,660 It's registered.
49 00:03:03,080 --> 00:03:10,410 It has this telephone number, 1000. Here's ephone 2; it's registered with the router.
50 00:03:11,060 --> 00:03:14,000 This is the telephone number of the phone. At the moment,
51 00:03:14,000 --> 00:03:16,300 neither phone is making a phone call.
52 00:03:16,910 --> 00:03:19,190 So what I'm going to do is capture traffic on this link.
53 00:03:19,310 --> 00:03:27,080 So right-click, start capture. GNS3 makes it really easy to capture packets using Wireshark because
54 00:03:27,080 --> 00:03:29,960 GNS3 has Wireshark integrated with it.
55 00:03:30,500 --> 00:03:35,420 So I can specify that I want to capture Ethernet traffic on this link and click OK.
56 00:03:37,350 --> 00:03:43,660 Wireshark starts automatically and, as you can see here, I'm seeing a bunch of protocols like STP,
57 00:03:43,680 --> 00:03:47,600 DTP, so that's Spanning Tree, this is Dynamic Trunking Protocol.
58 00:03:47,790 --> 00:03:50,220 This is EIGRP, which is a routing protocol.
59 00:03:50,640 --> 00:03:59,340 But what I could do is filter for Skinny. Skinny Client Control Protocol, or SCCP, is the communication
60 00:03:59,340 --> 00:04:04,200 protocol, once again, used between the phones and the router.
61 00:04:04,500 --> 00:04:06,660 So notice Skinny Client Control Protocol.
62 00:04:06,990 --> 00:04:09,930 You can see it's a TCP protocol.
63 00:04:10,770 --> 00:04:13,880 This is a message from the router to a phone.
64 00:04:14,190 --> 00:04:16,470 So the source port is 2000,
65 00:04:17,730 --> 00:04:19,829 going to a random port number.
66 00:04:20,329 --> 00:04:26,400 Here's an example from the phone to the router, so notice the source port is this, the destination
67 00:04:26,400 --> 00:04:27,450 port is 2000.
68 00:04:28,080 --> 00:04:31,190 This is the IP address of PC 2.
69 00:04:31,980 --> 00:04:36,480 I've put these two PCs in different subnets in this topology,
70 00:04:37,550 --> 00:04:46,370 but so that you can see this, notice ipconfig shows us that the IP address is 10.1.2.1.
71 00:04:47,510 --> 00:04:48,800 Just make that a bit bigger.
72 00:04:52,310 --> 00:04:54,770 So notice 10.1.2.1.
73 00:04:57,420 --> 00:05:02,340 The IP address on this side is 10.1.1.1.
74 00:05:07,080 --> 00:05:12,060 So notice 10.1.1.1, 10.1.2.1. The router
75 00:05:13,390 --> 00:05:14,590 has IP address
76 00:05:16,350 --> 00:05:23,940 10.1.1.254, so this is communication between PC 2 and the router.
77 00:05:24,880 --> 00:05:32,490 Notice TCP is the protocol used at layer 4, so IP at layer 3, source and destination IP address; TCP
78 00:05:32,590 --> 00:05:38,230 at layer 4, we can see source and destination port number, and this is the communication protocol between
79 00:05:38,230 --> 00:05:39,650 the phones and the router.
80 00:05:40,210 --> 00:05:42,430 OK, but that's probably not what you're interested in seeing.
81 00:05:44,420 --> 00:05:49,910 You're probably interested in seeing UDP traffic. Now here we see some other traffic, some Dropbox
82 00:05:49,910 --> 00:05:52,520 traffic; that's not really what I'm interested in.
83 00:05:52,880 --> 00:05:55,420 I'm interested in seeing telephony traffic.
84 00:05:55,880 --> 00:06:00,440 Now, when I go to Telephony, VoIP Calls in Wireshark,
85 00:06:00,440 --> 00:06:08,000 at the moment I don't see any voice calls, but when I make a call from one phone to the other.
86 00:06:09,030 --> 00:06:11,160 So let's make a call
87 00:06:12,330 --> 00:06:13,740 from 1001.
88 00:06:18,090 --> 00:06:27,720 Let's make it a bit quieter. To 1000. The call is set up on this side; I can answer the call, and again, I'm going
89 00:06:27,720 --> 00:06:28,470 to get the feedback.
90 00:06:30,240 --> 00:06:30,630 Hello
91 00:06:30,660 --> 00:06:32,610 Hello, this is David.
92 00:06:32,610 --> 00:06:34,080 David Bombal, speaking.
93 00:06:35,130 --> 00:06:38,880 A lot of echo, but strange that I'm talking to myself,
94 00:06:39,810 --> 00:06:45,300 but there you go, phone call from one phone to another.
95 00:06:53,060 --> 00:07:00,140 Now, what I'll do is mute the lines so we don't get all that feedback, but there's a call set up between
96 00:07:00,140 --> 00:07:00,800 the two phones.
97 00:07:02,090 --> 00:07:09,650 In Wireshark, Telephony, VoIP Calls allows me to see that this is an active call. What I'll do now
98 00:07:09,650 --> 00:07:10,700 is end the call.
99 00:07:11,910 --> 00:07:15,390 So notice the call is ended, and back in Wireshark,
100 00:07:16,760 --> 00:07:26,330 Telephony, VoIP Calls, notice the call is completed, so Skinny call from 1001 to 1000, so Wireshark
101 00:07:26,330 --> 00:07:29,840 is picking up that there was a call taking place on the network.
102 00:07:31,460 --> 00:07:39,170 Scrolling down, I see the UDP traffic. I see Media Independent Network Transport; it's got it listed
103 00:07:39,170 --> 00:07:41,600 as MiNT, but this is actually incorrect.
104 00:07:41,630 --> 00:07:43,520 This is an incorrect classification.
105 00:07:44,150 --> 00:07:49,030 I know this is a call from this IP address to this IP address because
106 00:07:50,000 --> 00:07:59,300 VoIP Calls tells me that. I can see the IP addresses involved in the call, so I've got these two phones
107 00:07:59,300 --> 00:08:00,240 talking to each other.
108 00:08:00,980 --> 00:08:03,920 So what I'm going to do, and this is the trick: right-
109 00:08:03,920 --> 00:08:12,270 click, Decode As, and don't use MiNT in this example; we're going to use RTP.
110 00:08:12,290 --> 00:08:16,640 So scrolling right down, RTP, real-time protocol.
111 00:08:17,150 --> 00:08:22,850 I want to decode this traffic as RTP traffic, and notice the difference.
112 00:08:23,210 --> 00:08:31,760 I can see that this is G.711 ulaw. G.711 is a codec used for encoding analog voice.
113 00:08:32,299 --> 00:08:40,370 When I'm speaking, this is an analog waveform, so I'm sending a voice into the air and that's an analog
114 00:08:40,370 --> 00:08:41,669 waveform in the air.
115 00:08:41,929 --> 00:08:48,320 So in this example, the IP phone, not the iPhone, but the IP phone, is taking my analog voice, which
116 00:08:48,320 --> 00:08:51,860 is sent through the air, and encoding it as 0s and 1s,
117 00:08:52,250 --> 00:08:54,290 and that uses what's called a codec.
118 00:08:54,470 --> 00:08:57,440 We have a coder-decoder: codec.
119 00:08:57,830 --> 00:09:00,140 The codec used here is G.711.
120 00:09:00,410 --> 00:09:01,430 We have G.711
121 00:09:01,430 --> 00:09:06,140 ulaw. Notice the u, or alaw. ulaw is what you use in the USA;
122 00:09:06,620 --> 00:09:09,110 alaw, I like to remember, is all of us.
123 00:09:09,560 --> 00:09:10,700 So that's not entirely true.
124 00:09:11,090 --> 00:09:13,700 It's people like me in the UK.
125 00:09:13,700 --> 00:09:20,150 We would generally use alaw when making calls on a traditional telephony network, like through British
126 00:09:20,150 --> 00:09:20,680 Telecom.
127 00:09:21,140 --> 00:09:27,410 But this is IP, these are Cisco IP phones, so they use ulaw by default.
128 00:09:27,410 --> 00:09:29,110 So G.711 ulaw.
129 00:09:29,450 --> 00:09:33,620 There are different codecs such as G.729, G.722.
130 00:09:33,920 --> 00:09:35,030 There are other codecs.
131 00:09:35,030 --> 00:09:37,970 But in this example, this is the codec that we're using.
132 00:09:38,510 --> 00:09:43,280 Now, you may not be interested in all of that detail, but notice here we've got Real-time Transport
133 00:09:43,280 --> 00:09:43,850 Protocol.
134 00:09:44,210 --> 00:09:47,870 We can see the payload. Once again, notice G.711,
135 00:09:48,740 --> 00:09:51,170 but probably what you want to do is the following.
136 00:09:51,320 --> 00:09:55,370 Go to Telephony, go to RTP, RTP Streams,
137 00:09:56,450 --> 00:10:04,010 and notice here we can see the source and destination streams. Now, in voice over IP on Cisco phones, as
138 00:10:04,010 --> 00:10:09,040 an example, there are two unidirectional streams for a two-way conversation.
139 00:10:09,470 --> 00:10:15,680 So if I'm talking to you and you're talking to me, there's a unidirectional stream from me to you, and
140 00:10:15,680 --> 00:10:19,370 then a different one from you to me, two different streams,
141 00:10:19,670 --> 00:10:24,350 and that's why we see it as two streams here. When troubleshooting voice over IP,
142 00:10:24,350 --> 00:10:27,620 as an example, you often need to troubleshoot one-way voice,
143 00:10:27,630 --> 00:10:31,820 and the reason it's one-way voice is because there are two unidirectional streams.
144 00:10:32,240 --> 00:10:37,580 If there's a firewall, as an example, blocking your voice getting to me, you'll be able to hear me
145 00:10:37,580 --> 00:10:40,010 but I won't be able to hear you. Again,
146 00:10:40,010 --> 00:10:40,850 unidirectional.
147 00:10:41,300 --> 00:10:44,420 So I'm going to select those two streams and I'm going to click Analyze.
148 00:10:45,940 --> 00:10:52,750 So here's the output of that. We can see, as an example, forward and reverse calls, and we get information
149 00:10:52,750 --> 00:10:57,670 such as the maximum jitter, which is the variable delay in a voice call.
150 00:10:57,940 --> 00:11:04,200 If your jitter's too high, the voice quality degrades dramatically. A whole bunch of information,
151 00:11:04,420 --> 00:11:07,300 but what I want to do here is click Play Streams,
152 00:11:07,600 --> 00:11:11,070 and now what I'll be able to do is play the audio stream.
153 00:11:11,290 --> 00:11:12,730 And again, I'm going to get the feedback.
154 00:11:14,440 --> 00:11:18,370 Hello, this is David Bombal speaking.
155 00:11:19,360 --> 00:11:23,090 A lot of echo, a bit strange that I'm talking to myself.
156 00:11:24,760 --> 00:11:27,360 So notice there are two streams here.
157 00:11:27,580 --> 00:11:29,800 We've got two separate streams.
158 00:11:30,340 --> 00:11:33,610 The blue one is from phone 2 to phone 1.
159 00:11:33,940 --> 00:11:39,460 The gray one is from phone 1 to phone 2, hence getting a lot of replay.
160 00:11:42,030 --> 00:11:44,820 What I could do is just select one of the streams and click on the...
161 00:11:45,720 --> 00:11:49,920 So what I've got here is one stream only rather than two.
162 00:11:50,440 --> 00:11:51,780 Again, I'm going to get the feedback.
163 00:11:53,550 --> 00:11:54,030 Hello
164 00:11:54,070 --> 00:11:57,510 Hello, this is David Bombal speaking.
165 00:11:58,380 --> 00:12:05,960 So notice I am able to grab the audio stream off the wire and then replay it.
166 00:12:05,970 --> 00:12:07,470 I can replay both streams.
167 00:12:08,040 --> 00:12:13,050 It's a bit weird here because I'm talking to myself and there's only one person in the conversation.
168 00:12:13,590 --> 00:12:15,570 But what I could do is do another one.
169 00:12:16,460 --> 00:12:21,600 Let's actually do it in the reverse direction, so I'll now make a call from 1000 to
170 00:12:21,600 --> 00:12:21,980 1001.
171 00:12:25,250 --> 00:12:28,220 Answer that. Testing,
172 00:12:29,390 --> 00:12:30,650 this is call 2.
173 00:12:31,580 --> 00:12:32,510 A lot of feedback.
174 00:12:34,010 --> 00:12:36,800 What I could do is disable
175 00:12:39,590 --> 00:12:43,100 the mic. That disables the feedback.
176 00:12:46,400 --> 00:12:46,790 Unmute that.
177 00:12:48,960 --> 00:12:51,530 David talking to himself.
178 00:12:54,250 --> 00:12:54,610 I'll end the call.
179 00:12:56,890 --> 00:12:58,360 So scrolling down,
180 00:13:00,380 --> 00:13:05,600 you'll see the same UDP traffic again. Now going to Telephony, VoIP Calls, notice there are two separate
181 00:13:05,600 --> 00:13:07,640 calls now, two separate calls.
182 00:13:09,000 --> 00:13:14,910 What I'm going to do now is do another capture. My Wireshark crashed, so let's see
183 00:13:16,160 --> 00:13:17,840 if we can capture another voice call.
184 00:13:18,900 --> 00:13:21,270 So I'm going to filter for UDP again.
185 00:13:23,280 --> 00:13:28,350 And what I'll do in this example is make a call from 1000 to 1001.
186 00:13:33,210 --> 00:13:34,680 This is my second call.
187 00:13:35,700 --> 00:13:38,730 David Bombal speaking to himself.
188 00:13:42,720 --> 00:13:47,850 End the call because of the feedback. The call is ended.
189 00:13:49,160 --> 00:13:58,850 So back in Wireshark, Telephony, VoIP Calls, we can see the call here, so we can see there's a VoIP call,
190 00:13:59,840 --> 00:14:03,770 and then what I'll do is go to RTP, RTP Streams.
191 00:14:04,730 --> 00:14:13,970 That's not picking it up because, once again, I need to decode this traffic as RTP and not MiNT, so
192 00:14:14,480 --> 00:14:15,410 RTP,
193 00:14:17,140 --> 00:14:24,040 click OK. G.711 ulaw. Telephony, RTP, RTP Streams.
194 00:14:25,260 --> 00:14:28,650 We can see G.711 ulaw. Click Analyze.
195 00:14:29,790 --> 00:14:33,240 Click Play Streams, and there's our voice call.
196 00:14:34,490 --> 00:14:35,610 This is my second call.
197 00:14:36,980 --> 00:14:40,040 David Bombal speaking to himself.
198 00:14:41,780 --> 00:14:43,040 OK, so there you go.
199 00:14:43,760 --> 00:14:47,900 What I'll do at this point, actually, is save my capture so that you've got it.
200 00:14:48,440 --> 00:14:53,530 So I'll go back into GNS3 because otherwise it doesn't work properly.
201 00:14:53,540 --> 00:14:54,530 Stop capture.
202 00:14:55,940 --> 00:14:58,310 File, Save,
203 00:14:59,320 --> 00:15:05,140 and I'll save it as RTP second call.
204 00:15:07,910 --> 00:15:14,570 OK, so there's an example of capturing voice over IP calls between two phones using Wireshark.
205 00:15:15,350 --> 00:15:20,870 Now, GNS3 makes this easy because I can simply capture on different links in the topology.
206 00:15:21,170 --> 00:15:24,470 In the real world, you would have to either use SPAN,
207 00:15:24,980 --> 00:15:33,440 so a SPAN port, or mirror a port if you want to use that term, or inject a hub or another device into the network
208 00:15:33,440 --> 00:15:34,850 so that you can see the traffic.
209 00:15:35,930 --> 00:15:39,710 It does make this a lot easier because we don't have to worry about physical connections.
210 00:15:40,040 --> 00:15:42,770 We don't have to try and SPAN ports.
211 00:15:43,010 --> 00:15:47,240 We can see the traffic very easily in this GNS3 topology.
212 00:15:47,790 --> 00:15:49,820 OK, but now let's look at physical phones.
213 00:15:49,820 --> 00:15:54,240 Can we capture voice over IP calls between a physical phone and a virtual phone?
214 00:15:54,830 --> 00:15:55,910 Let's try and do that.