Wireshark抓包分析

1、 Polycom, Inc. All rights reserved. Carol.Z Polycom, Inc. All rights reserved.2Wireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案例ALG故障案例 Polycom, Inc. All rights reserved.3 交换机镜像(Mirror + Wireshark) 设备本身抓包(下载后，使用Wireshark进行分析） RPAD抓包的方法 DMA抓包的方法 RPD抓包的方法 RMX抓包的方法 Po

2、lycom, Inc. All rights reserved.4Wireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案例ALG故障案例 Polycom, Inc. All rights reserved.5 注意以下界面，一定要安装WINCAP。 Polycom, Inc. All rights reserved.6Wireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案例

3、ALG故障案例 Polycom, Inc. All rights reserved.7 Filter Polycom, Inc. All rights reserved.8 Important things first: Wireshark will not usually recognize any VoIP calls in a capture unless call signaling (H.225.0, H.245, SIP/SDP) is also included inthe capture. Captures which do not include call signaling

4、 will list RTP as UDP packets; H.245 as TCP packets only. Polycom, Inc. All rights reserved.9 分析RTP StreamWireshark considers all out-of-order packets as being lost.Wireshark will NOT consider late-arriving packets asbeing lost if the packets are still captured in order, nomatter how late those pack

5、ets arrive.Jitter calculations done by Wireshark should be ignored. Polycom, Inc. All rights reserved.10 分析TCP Stream Polycom, Inc. All rights reserved.11Wireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案例ALG故障案例 Polycom, Inc. All rights reserved.12 Polycom, Inc. All

6、 rights reserved.13 H.225 Admission Polycom, Inc. All rights reserved.14 H.225 Connect Polycom, Inc. All rights reserved.15 H.245 OLC & OLC ACK Polycom, Inc. All rights reserved.16 H.460.18 (Signaling) H.460.19 (Media) Polycom, Inc. All rights reserved.17Wireshark的安装云视频Wireshark的使用How to read H.323

7、message?网络设备对我们的影响How to capture?断线问题案例ALG故障案例 Polycom, Inc. All rights reserved.18 TCP layer issue UDP layer issue ALG Polycom, Inc. All rights reserved.19 TCP三次握手 发起断链 发起断链 Polycom, Inc. All rights reserved.20 HDX systems transmit H.245 RoundTripDelayRequest every 30 seconds. An H.323 system is no

8、t required to transmit H.245 RoundTripDelayRequest It is mandatory that a system which received H.245 RoundTripDelayRequest acknowledge the request with H.245 RoundTripDelayResponse If HDX does not receive RoundTripDelayResponse, it will terminate the H.323 call Polycom, Inc. All rights reserved.21W

9、ireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案例ALG故障案例 Polycom, Inc. All rights reserved.22 接到反馈，MCU（103.10.87.227）呼出沈阳终端（61.161.147.105），每2小时有断线故障。 13:41 MCU呼出沈阳终端。 15:53 沈阳终端发生断线。 Polycom, Inc. All rights reserved.23 沈阳：可以看到13:41有端口号为10035以及10036两个TCP握手。 Polycom

10、, Inc. All rights reserved.24 两个小时候，MCU发出TCP KEEP ALIVE消息，总计发出了9次，但是每次都没有收到终端返回的响应。 所以MCU认为TCP已经断链，呼叫被结束。 Polycom, Inc. All rights reserved.25Wireshark的安装云视频Wireshark的使用How to read H.323 message?网络设备对我们的影响How to capture?断线问题案列ALG故障案列 Polycom, Inc. All rights reserved.26Outside Firewall Configuration

11、 Implement a WAN (untrusted) and LAN (trusted) configuration Configure 1:1 NAT Set interface mode to NAT Disable H.323 and SIP ALG (Application Layer Gateway) Disable any H.323 helper services on the firewall (for example, Cisco H.323 Fixup).Inside Firewall Configuration Implement a WAN (untrusted)

12、and LAN (trusted) configuration Disable H.323 and SIP ALG Set interface mode to Route Disable the port NAT. Disable any H.323 helper services on the firewall (for example, Cisco H.323 Fixup). Polycom, Inc. All rights reserved.27完成部署后，H323与SIP外网注册无问题。MCU呼叫外网终端（在某公司的内网），MCU可以接收到呼叫，但是点击应答后无响应，无法建立视频流，振

13、铃持续若干秒后断线。外网终端（在某公司的内网）呼叫MCU，提示无法连接。 Polycom, Inc. All rights reserved.28进行了相关抓包， 以下是在外网RPD的抓包，咱们收到的从RPAD发过来的FACILITY里面带的IP是202.106.51.251(路由器IP) Polycom, Inc. All rights reserved.29以下是RPD上的抓包，可以看到与网闸交互的ADMINCONFIRM完成后，没有从RPD发生SETUP消息至内网，说明与内网反馈的ADMISSION CONFIRM返回来的IP地址TCP建立肯定有问题。 可以看到ADMISSION CONFIRM里面带的IP地址是202.106.51.251，咱们已经了解到这个IP地址是个路由器的IP，按照理解应该是114.247.102.96（RPAD的外网NAT地址）才对，同场景1，也需要检查客户网络设备哪里更改了。 Polycom, Inc. All rights reserved.30向客户说明了我们的发现与我们怀疑网络设备开启了H.323 ALG功能。客户检查了防火墙上，发现有一