On 11.08.2008, at 18:32, Jaap Keuter wrote:
Hi,
It would be helpful if you could tell us what type of PBX's these are and by what trunk protocol they're supposed to be linked. I guess you don't know the latter, but the PBX info shouldn't be a problem.
Thanx,
Jaap
Steven Pfister wrote:
Are there any kind of guides to troubleshooting VOIP problems (if this really is a problem that I'm seeing) using Wireshark? I'm trying to understand some strange network patterns that are going on. We have several remote sites with their own PBXes that connect to a PBX at the central site using VOIP. The VOIP setup was done before I got here, and I've so far had fairly minimal contact with it.
A lot of the remote sites seem to have a steady, 24x7 stream of udp packets coming back to the central site. For the most part, the source and destination port numbers seem to be in the 15000 to 20000 range, and I really can't see any kind of pattern to them. It's a different set of numbers each time, and I don't really see many repeats. Most of the udp packets are from the remote site to the central site, but there are occasionally similar packets from the central site to the remote site (the ones coming from the remote site outnumber the ones going the other direction, though).
While this is going on, there are some tcp packets being exchanged. Since I'm not really sure what's going on, this is hard to describe, but it looks something like:
1. remote site sends central site an ack of some previous packet at port 1720

This probably is H323 protocol and the UDP packets are your rtp streams...

2. a lot of udp packets come through
3. about a minute later, the central site sends the remote site a keepalive, and the remote site sends one back
4. immediately after that, the central site sends the remote site an ack of the packet from step 1
5. shortly after that, after some more udp packets, an ack from the remote site to the central site of the packet in step 4 is sent
6. the cycle repeats from step 2

Sounds simply like you see calls.

This is going on fairly constantly, even when the sites are closed (the majority of them are public school buildings). One site, a maintenance building, is sending out 5.5 to 6 gb/day.

This sounds like a problem if there's no one there.

I really hope I'm not misreading what I'm seeing in Wireshark (I'm still pretty new at it) and confusing the issue.
On the whole, everything is working fine. It's mostly that the large amount of unidentified outgoing traffic is throwing off our bandwidth reports, especially when the sites don't have their normal amount of incoming traffic to hide what's going on.
Thank you!
Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister@xxxxxxxxxxxxx
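
One way to test the suggestion in the thread that the unidentified UDP packets are RTP, as an added example that is not part of the original messages: a heuristic that checks each UDP payload for an RTP version 2 header and keeps only flows whose SSRC stays constant while the sequence number advances by one. It assumes the UDP payloads have already been extracted from a capture; the function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_rtp(payload):
    """Return (payload_type, seq, ssrc) if the bytes could be an RTP header, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                         # RTP version must be 2
        return None
    if len(payload) < 12 + 4 * (b0 & 0x0F):  # room for the CSRC list
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                       # reserved to avoid RTCP collisions
        return None
    return pt, seq, ssrc

def likely_rtp_flows(packets, min_packets=5, min_ratio=0.8):
    """packets: iterable of (src, sport, dst, dport, udp_payload).
    Returns {flow: (ssrc, payload_type, packet_count)} for flows that behave like RTP."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        hdr = parse_rtp(payload)
        if hdr:
            flows[(src, sport, dst, dport)].append(hdr)
    result = {}
    for flow, hdrs in flows.items():
        if len(hdrs) < min_packets:
            continue
        # One stream keeps its SSRC and its sequence number advances by one.
        steps = sum(1 for a, b in zip(hdrs, hdrs[1:])
                    if a[2] == b[2] and (b[1] - a[1]) & 0xFFFF == 1)
        if steps / (len(hdrs) - 1) >= min_ratio:
            result[flow] = (hdrs[0][2], hdrs[0][0], len(hdrs))
    return result

def _rtp(seq, ssrc=0x1234ABCD, pt=0):
    # Constructed sample: G.711 u-law (PT 0), 160-byte frames.
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, seq * 160, ssrc) + b"\xff" * 160

# Constructed sample traffic; addresses and ports are made up.
SAMPLE = [("10.1.2.3", 16384, "10.0.0.5", 18002, _rtp(65530 + i)) for i in range(10)]
SAMPLE += [("10.1.2.3", 15500, "10.0.0.5", 17000, bytes([i]) * 40) for i in range(10)]

if __name__ == "__main__":
    for flow, (ssrc, pt, n) in likely_rtp_flows(SAMPLE).items():
        print(flow, f"ssrc={ssrc:#010x} pt={pt} packets={n}")
```

The first sample flow wraps its sequence number past 65535 and is still reported; the second flow carries non-RTP bytes and is dropped.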