3CX technical support answers: capturing SIP traffic on the PBX server

In this article, we will talk about the basics of capturing and analyzing SIP traffic generated by a 3CX PBX. The article is addressed to novice system administrators or ordinary users whose duties include telephony maintenance. For an in-depth study of the topic, we recommend the Advanced 3CX Tutorial.

3CX V16 allows you to capture SIP traffic directly through the server's web interface and save it in the standard Wireshark PCAP format. You can attach a capture file when contacting technical support or download it for self-analysis.

If 3CX is running on Windows, you need to install Wireshark on the 3CX server yourself. Otherwise, a message about this will appear when you attempt to capture.

On Linux systems, the tcpdump utility is installed automatically when you install or upgrade 3CX.

Traffic capture

To start capturing, go to the Main > SIP Events section of the interface and select the network interface on which you want to capture. You can also capture traffic on all interfaces at the same time, except for IPv6 tunneling interfaces.


In 3CX for Linux, you can capture traffic for the local host (lo). This capture is used to analyze SIP client connections made through the 3CX Tunnel and Session Border Controller.

The "Traffic Capture" button launches Wireshark on Windows or tcpdump on Linux. At this point, you need to reproduce the problem quickly, because the capture loads the processor and takes up a considerable amount of disk space.

Pay attention to the following call parameters:

  • The number the call was made from, the number it was made to, and any other numbers or participants involved in the call.
  • The exact time the problem occurred according to the clock of the 3CX server.
  • Call path.

Try not to click anywhere else on the interface other than the Stop button. Also, do not click on other links in this browser window. Otherwise, traffic capturing will continue in the background and cause additional load on the server.

Getting a capture file

The Stop button stops capturing and saves the capture file. You can download the file to your computer for analysis in Wireshark, or generate a technical support file that will include this capture and other debug information. Once downloaded or included in a support package, the capture file is automatically removed from the 3CX server for security purposes.

On the 3CX server, the file is located in the following location:

  • Windows: C:\ProgramData\3CX\Instance1\Data\Logs\dump.pcap
  • Linux: /var/lib/3cxpbx/Instance/Data/Logs/dump.pcap

To avoid increased server load or packet loss during capture, the capture is limited to 2 million packets. After that, the capture will automatically stop. If you need a longer capture, use the separate Wireshark utility as described below.

Capturing traffic with Wireshark

If you are interested in a deeper analysis of network traffic, capture it manually. Download the Wireshark utility for your OS. After installing the utility on the 3CX server, go to Capture > Interfaces. All OS network interfaces will be shown here. Interface IP addresses may be displayed in IPv6 format. To see the IPv4 address, click on the IPv6 address.


Select the interface to capture and click the Options button. Uncheck Capture Traffic in promiscuous mode, and leave the rest of the settings unchanged.


Now you should reproduce the problem. When the issue is reproduced, stop capturing (Capture > Stop menu). You can select SIP messages in the menu Telephony > SIP Flows.

Traffic Analysis Basics - SIP INVITE Message

Consider the main fields of the SIP INVITE message, which is sent to establish a VoIP call and is therefore the starting point for the analysis. Usually a SIP INVITE includes from 4 to 6 fields with information that is used by SIP end devices (telephones, gateways) and telecom operators. Understanding the contents of the INVITE and the messages that follow it often helps determine the source of the problem. In addition, knowing the INVITE fields helps when connecting SIP operators to 3CX or combining 3CX with other SIP PBXs.

In an INVITE message, users (or SIP devices) are identified by their URI. Usually the SIP URI is the user's phone number + SIP server address. A SIP URI is very similar to an e-mail address and is written as sip:x@y:Port.


Request-Line-URI:

Request-Line-URI - The field contains the recipient of the call. It contains the same information as the To field, but without the user's Display Name.

Via:

Via - each SIP server (proxy) through which the INVITE request passes, adds its IP address and port on which the message was received to the top of the Via list. The message is then transmitted further along the route. When the final recipient responds to an INVITE request, all transit nodes "look" at the Via header and return the message to the sender via the same route. In this case, the transit SIP proxy removes its data from the header.

From:

From - header indicates the initiator of the request from the point of view of the SIP server. The header is formed in the same way as an e-mail address (user@domain, where user is the 3CX user extension and domain is the local IP address or SIP domain of the 3CX server). Like the To header, the From header contains a URI and optionally the user's Display Name. From the From header, you can understand exactly how this SIP request should be processed.

The SIP RFC 3261 standard stipulates that if a Display Name is not transmitted, the IP phone or VoIP gateway (UAC) must use the Display Name "Anonymous", for example, From: "Anonymous" <[email protected]>.

To:

To - This header specifies the recipient of the request. This can be either the final recipient of the call or an intermediate link. The header usually contains the SIP URI, but other schemes are possible (see RFC 2806 [9]). However, the SIP URI must be supported in all implementations of the SIP protocol, regardless of the hardware manufacturer. The To header can also contain a Display Name, such as To: "First Name Last Name" <[email protected]>.

Typically, the To field contains a SIP URI pointing to the first (next) SIP proxy that will handle the request. This does not have to be the final recipient of the request.

Contact:

Contact - The header contains a SIP URI that can be used to contact the sender of the INVITE request. This is a required header and must contain only one SIP URI. It is part of the two-way communication corresponding to the original SIP INVITE request. It is very important that the Contact header contain the correct information (including the IP address) at which the sender of the request expects a response. URI Contact is also used in further communications, after the connection session has been established.

Allow:

Allow - the field contains a list of parameters (SIP methods) separated by a comma. They describe which SIP protocol features this sender (device) supports. Full list of methods: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE. More SIP methods are described here.
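
The fields described above can be pulled out of a captured INVITE programmatically. The following is an added example, not code from the original article or from 3CX: it parses a constructed INVITE into Request-Line URI, Via list, From, To, Contact and Allow, and checks whether Contact advertises an RFC 1918 address, which a provider or remote PBX outside the LAN cannot reach. The function names, the sample message and its addresses are assumptions made for illustration; only full header names, unfolded lines and IPv4 or hostname URIs are handled.

```python
import ipaddress
import re

# Constructed sample INVITE (not a real capture); extensions 100/101 are made up.
SAMPLE_INVITE = (
    "INVITE sip:101@203.0.113.10:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK-proxy\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5062;branch=z9hG4bK-phone\r\n"
    'From: "Alice" <sip:100@203.0.113.10>;tag=a1b2\r\n'
    'To: "Bob" <sip:101@203.0.113.10>\r\n'
    "Contact: <sip:100@192.168.1.50:5062>\r\n"
    "Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER\r\n\r\n"
)
# Optional "Display Name", optional <>, then sip:x@y:Port (IPv4 or hostname).
ADDR = re.compile(r'^\s*(?:"([^"]*)"\s*)?<?sips?:'
                  r'(?:([^@;>]+)@)?([^:;>\s]+)(?::(\d+))?')
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_addr(value):
    m = ADDR.match(value)
    if not m:
        raise ValueError(f"not a SIP address: {value!r}")
    display, user, host, port = m.groups()
    return {"display": display, "user": user, "host": host,
            "port": int(port) if port else None}

def parse_invite(raw):
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")  # headers only, no body
    method, request_uri, _ = lines[0].split(" ", 2)
    if method != "INVITE":
        raise ValueError("not an INVITE request")
    msg = {"request_uri": parse_addr(request_uri), "via": [], "allow": []}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "via":  # "SIP/2.0/UDP host:port;params", top Via first
            msg["via"].append(value.split()[1].split(";")[0])
        elif name in ("from", "to", "contact"):
            msg[name] = parse_addr(value)
        elif name == "allow":
            msg["allow"] = [m.strip() for m in value.split(",")]
    return msg

def contact_is_rfc1918(msg):
    try:
        ip = ipaddress.ip_address(msg["contact"]["host"])
    except ValueError:  # hostname, not an IP literal
        return False
    return any(ip in net for net in RFC1918)
```

In the sample, the first Via entry is the proxy that handled the request last, and the Contact still carries the phone's LAN address, which is the mismatch to look for when responses or later in-dialog requests never arrive.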

Source: habr.com
