Wireshark Webinar
Question
Can you show us a capture between an IP480 and the HQ server VM?
Can you show us something in those example captures that would point to the source of the
problem?
Answer
See presentation
See presentation
The process for gathering captures will change some in Connect with the introduction of ST switches.
Will Wireshark capture be the same on the new Connect product with security encryption?
Where can I find a list of MGCP connect/disconnect messages within a capture?
INTEL NIC
https://en.wikipedia.org/wiki/Media_Gateway_Control_Protocol
Please phrase in the form of a question
In most situations the idea is to start captures at the appropriate locations, reproduce the issue, and then
stop the captures. This strategy will produce a manageable size capture.
What is an appropriate size/time length for a capture?
Can you go through an example of specific ports being blocked/not opened? As well as showing that a specific port is open?
See presentation
Jitter and packet loss in an RTP stream will show up in the TMSNCC logs under the GMST message for
that particular phone call. This is typically the most convenient way to view these types of issues.
Wireshark will analyze a selected RTP stream for jitter. Packet loss and jitter will also be noticeable
when you actually listen to the audio stream.
How can we see packet loss/jitter?
Can we get a copy of the PowerPoint presentation to have all links and information available?
Yes
See Ingate support documentation
In general, to track an audio issue, two points of reference are needed. A single capture will likely allow you to
hear an issue but typically will not show you where the audio issue is introduced over the network.
For example, a call starting from a phone at a remote site across the WAN to another phone has choppy
audio one way. For this situation, a capture of the traffic at the remote site before it is placed on the
WAN and a capture from the other site after it is retrieved from the WAN will allow a tech to see a point of
degradation.
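The two-capture comparison and the RTP jitter/packet-loss check described in the answers above, as an added example (not from the webinar or from ShoreTel tooling): it applies the RFC 3550 interarrival jitter estimator and sequence-number gap counting to the same stream seen at two capture points. The packet tuples are constructed sample data, an 8 kHz (G.711) RTP clock is assumed, and both captures are assumed to start in the same sequence-number cycle.

```python
def unwrap(value, last, bits):
    """Extend a wrapping counter to the value nearest the previous extended one."""
    if last is None:
        return value
    span = 1 << bits
    delta = (value - last) % span
    if delta >= span // 2:          # late/reordered packet: step backwards
        delta -= span
    return last + delta

def rtp_stats(packets, clock_hz=8000):
    """packets: (arrival_ms, rtp_seq, rtp_timestamp) tuples for one SSRC, in capture order."""
    jitter = 0.0                    # RFC 3550 running estimate, in RTP clock ticks
    ext_seq = ext_ts = prev_arrival = prev_ts = None
    seen = set()
    for arrival_ms, seq, ts in packets:
        ext_seq = unwrap(seq, ext_seq, 16)   # 16-bit sequence number
        ext_ts = unwrap(ts, ext_ts, 32)      # 32-bit media timestamp
        seen.add(ext_seq)
        if prev_arrival is not None:
            # Difference between arrival spacing and media spacing, in ticks
            d = abs((arrival_ms - prev_arrival) * clock_hz / 1000 - (ext_ts - prev_ts))
            jitter += (d - jitter) / 16
        prev_arrival, prev_ts = arrival_ms, ext_ts
    expected = max(seen) - min(seen) + 1 if seen else 0
    return {"expected": expected, "lost": expected - len(seen),
            "jitter_ms": jitter * 1000 / clock_hz, "seen": seen}

def compare_points(near, far):
    """near: capture before the WAN; far: capture after the WAN (same stream)."""
    a, b = rtp_stats(near), rtp_stats(far)
    missing = sorted(a["seen"] - b["seen"])  # sent at near point, never seen at far point
    return {"near": a, "far": b,
            "missing_seqs": [s & 0xFFFF for s in missing],
            "jitter_added_ms": b["jitter_ms"] - a["jitter_ms"]}

def constructed_stream(delay_ms=lambda i: 0, dropped=()):
    """Constructed sample: 50 packets, 20 ms / 160 ticks apart, seq wraps past 65535."""
    return [(20 * i + delay_ms(i), (65520 + i) & 0xFFFF, 1000 + 160 * i)
            for i in range(50) if i not in dropped]

NEAR = constructed_stream()                                   # clean at the remote site
FAR = constructed_stream(lambda i: 40 + 15 * (i % 2), dropped={10, 11, 30})

if __name__ == "__main__":
    r = compare_points(NEAR, FAR)
    print("lost across WAN:", r["missing_seqs"])
    print("jitter added (ms): %.2f" % r["jitter_added_ms"])
```

With real captures, the three fields can be exported per packet with tshark (`-T fields -e frame.time_epoch -e rtp.seq -e rtp.timestamp`) and the epoch time converted to milliseconds.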
http://support.shoretel.com/kb/view.php?t=Wireshark-Traces-Webinar-by-ShoreTel-Support
If a DVS is a managing server for an SG switch can you still run a packet capture to that switch from
HQ?
What about a virtualized Ingate Siparator, am I only limited by VM drive space so I can keep the
capture running constantly?
Is there any way to track static?
I've read using mirrored ports for packet capture...you may miss some packets that the switch
determines were errored/ bad and doesn't mirror...have you encountered this?
It is important to read and understand your network switch documentation.
Question
How can we verify QoS is running across switches for ShoreTel traffic?
What's preferred, D&M or Wireshark... or it depends on the issue and troubleshooting?
What do the different colors mean within Wireshark pcaps?
Answer about the virtual Ingate pcaps. Physical and/or virtual Ingates have a maximum buffer. If that
buffer is overloaded this will cause the Ingate to reboot.
So for port mirroring why would a "hub" not work?
Are the Call ID's in the Wireshark captures the same Call ID values that are in the TMSNcc logs?
Can you get Wireshark to show the actual time?
Can you capture and listen to audio in the call?
Answer
There is a subheader under the IPv4 header called the Differentiated Services Field. This will list DSCP
values, for example 0x2e: Expedited Forwarding.
D&M offers great insight into call quality by giving industry standard MOS scores. Once you have
determined there is an issue that needs investigating, switch to Wireshark and gather two or more captures
of the same audio stream to see where issues are introduced into the network.
https://www.wireshark.org/docs/wsug_html_chunked/ChCustColorizationSection.html
Reference Ingate documentation
A hub is a layer one device that sends data from one port to all other ports. With a hub you can introduce
the possibility of network collisions and this will stop traffic on a network during the collision recovery
period.
Hubs and switches work in physically different ways and operate at different layers within the OSI
model. With a hub every port is part of the same collision domain. In practical terms this means that
every packet sent and received on every port is broadcast to every other port. While yes, you can
capture traffic if you plug a phone into one port, a PC into the second and the network into the third,
you also introduce collisions. When a collision occurs on the network there will be a pause to all traffic in
the given collision domain for a random period of time before transmission resumes.
Reference Wireshark documentation
Yes see presentation
Do you have a suggestion on small 4-8 port managed switch by chance for customers who don't have
their own managed switches?
Most manufacturers make a good small switch.
Could you go back and refresh where you launch Wireshark directly from the D&M tool?
See presentation
On the SA100/400 rolling capture, how long before the files are overwritten?
The maximum size file generated is 195,313 KB
Can you show how one can determine if an IP400 series phone is getting the firmware download?
D&M is used to upgrade 400 series phones and should show you if firmware is being applied. If you would
like to see this process via a capture, the server sends the firmware to the phone via HTTPS.
Is there a way in a Wireshark capture to determine if a phone has reached bandwidth saturation from
the LAN port of the phone experiencing audio issues?
This situation would require TAC investigation.
What is the best way to determine if call quality issues of external calls are LAN related or from a
PRI? I apologize if this question is outside the scope of this discussion on Wireshark.
Call audio issues are troubleshot with multiple captures from multiple points in the audio path. That allows
us to see where in the process audio issues are introduced.
When running a capture via D&M, which device and which port is actually being captured?
Within D&M you can capture on 400 series phones and ShoreGear switches.
Can you hear the audio if you capture traffic from a 400 series phone? I believe they use SRTP.
Rather than doing a PRI Trace that PSTN is dropping the call, how would you see that in a
Wireshark?
Is there a way to identify packets with a timestamp?
How can you tell ports are blocked?
Sometimes I have had certain laptops fail to see SIP messaging in a packet capture when they are
used to tap a mirrored port...while a separate laptop has no issue. Any ideas if this is OS or NIC
dependent?
How can you capture from vSAs, same as SA100/400?
Can you show the call flow Invite > 183 progression > ring back etc.?
Media encryption is not enabled by default in ShoreTel, so most of the time RTP is used, not SRTP.
The ability to run a packet capture on the PSTN side of a PRI is not available in ST 14.2 and below. This
will be a part of ShoreTel Connect Onsite installations. Wireshark has built-in tools to read ISDN
messaging.
Packets are timestamped automatically by Wireshark.
Capturing from both sides of the suspected block will show traffic that is sent but not received.
See manufacturer's documentation
See presentation
See presentation
How do you determine if DTMF is being sent correctly from the ISP?
This depends on the trunk type. SIP trunks will show DTMF in the capture.
Will this video be on the home page at https://partners.shoretel.com/ or
https://www.shoretel.com/partners/overview ?
https://partners.shoretel.com/
When you were showing static on a call... can you prove that it is on the analog trunk or phone?
Plug in a butt set to the analog trunk and see if there is static on the line.
On occasion a remote capture on a p-series phone will not initiate within D&M. Can this be done
within a telnet or SSH session directly on the phone?
This is not a user-accessible feature; however, it can be done with TAC Tier II help.