Description
This article explains the usage of Wireshark to help view or understand the VOIP flow.
Scope
FortiGate.
Solution
The command to capture VoIP traffic in the CLI:
diagnose sniffer packet any 'host x.x.x.x' 6 0 l <----- Where x.x.x.x is a public IP. This way it captures both LAN and WAN segments when NAT is applied.
Additional filters can be used, such as:
diagnose sniffer packet any 'host x.x.x.x and port 5060' 6 0 l <----- Only SIP control session, no RTP.
diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y' 6 0 l <----- When no NAT is applied.
diagnose sniffer packet any 'host x.x.x.x and (port 5060 or portrange 30000-40000)' 6 0 l <----- When the RTP port range is known.
This output can be converted to PCAP using any free tool (for example, Sniftran), or the GUI packet capture can be used instead.
Once the VoIP packets are captured with the sniffer, output similar to the one below is seen:
Port is the port number used for VoIP traffic, e.g. 5060, or it can be another custom port.
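When the RTP port range for the portrange filter above is not known in advance, it can be read from the SDP bodies seen in a signalling-only (port 5060) capture. The following Python is an added example, not part of the original article or of any Fortinet tool: the SIP messages and addresses are constructed, the function names are hypothetical, and it assumes RTCP uses the RTP port + 1.

```python
SIP_PORT = 5060  # SIP signalling port used in the article's filters

# Constructed SIP messages (documentation addresses, made-up ports), as they
# would be read from a signalling-only capture.
INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0", "Content-Type: application/sdp", "",
    "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
    "t=0 0", "m=audio 30012 RTP/AVP 0 8", "m=video 0 RTP/AVP 96"])
OK_200 = "\r\n".join([
    "SIP/2.0 200 OK", "Content-Type: application/sdp", "",
    "v=0", "o=bob 2 2 IN IP4 203.0.113.5", "s=-", "t=0 0",
    "m=audio 30480 RTP/AVP 0", "c=IN IP4 203.0.113.5"])


def rtp_endpoints(sip_message):
    """Return [(ip, port, media)] for each accepted stream in the SDP body."""
    _, _, sdp = sip_message.partition("\r\n\r\n")  # SDP follows the blank line
    session_ip, streams = None, []
    for line in sdp.splitlines():
        kind, _, value = line.strip().partition("=")
        if kind == "c" and value.split():
            addr = value.split()[-1].split("/")[0]  # c=IN IP4 <addr>[/ttl]
            if streams:
                streams[-1][0] = addr   # media-level c= overrides session-level
            else:
                session_ip = addr
        elif kind == "m" and len(value.split()) >= 2:
            media, port = value.split()[:2]         # m=<media> <port> <proto> ...
            streams.append([session_ip, int(port.split("/")[0]), media])
    return [tuple(s) for s in streams if s[1] != 0]  # port 0 = stream rejected


def sniffer_command(host, sip_messages):
    """Build the sniffer command for host, narrowed to SIP plus negotiated RTP/RTCP."""
    ports = sorted(p for msg in sip_messages
                   for _, rtp, _ in rtp_endpoints(msg)
                   for p in (rtp, rtp + 1))          # assumption: RTCP = RTP + 1
    flt = f"host {host} and port {SIP_PORT}"
    if ports:
        flt = f"host {host} and (port {SIP_PORT} or portrange {ports[0]}-{ports[-1]})"
    return f"diagnose sniffer packet any '{flt}' 6 0 l"


if __name__ == "__main__":
    print(sniffer_command("203.0.113.5", [INVITE, OK_200]))
```

With NAT or a SIP ALG in the path the SDP ports can differ on each side of the FortiGate, so pass in messages captured on both segments.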
Select the 'Telephony' tab on the menu bar and select VOIP calls:
A new window opens as shown below. Select a packet and then select 'Flow sequence':
The flow sequence of the VoIP packet traffic is shown below:
This is a useful tool that can help in understanding the SIP packet flow process.
FortiGate GUI can also be used to perform the packet capture as below.
However, the CLI packet capture presents an additional advantage - the converter can add labels to the interfaces, for a better view and faster analysis.
On versions 7.2.X and above:
On versions 7.0.x and below (not recommended as the interface can't be set to 'any' and only one side is captured):
Copyright 2024 Fortinet, Inc. All Rights Reserved.