VCAR: VoIP Call Anomaly Reporter (Free Tool)
“vcar” is a simple tool for Linux/Mac/Unix systems that can detect some anomalies in phone calls. It currently detects the anomalies described below. “Anomalies” are not errors or violations of the SIP standard. They are just edge conditions that may confuse some SIP software.
SDP Connection Information Change
This occurs when one of the SIP signaling devices needs to reconnect a media stream that had already been set up. In particular, either the IP address or the RTP port may change. This is completely legal behavior, described in RFC 3264, the SDP Offer-Answer Protocol.
However, some SIP stacks can have problems with this. For example, the Cisco AS5400 with IOS requires a special configuration to support connection info changes.
sdp-connection-info-change : Call-ID BW160440578220310634912045@65.91.52.5 sent from 165.91.52.5 to 65.91.52.76 changed SDP from 65.91.52.78,65.91.52.78:25310 to 65.91.52.78:25310
sdp-connection-info-change : Call-ID SD8t4ve01-5a4d5bbb93c08ed6f0e04c26c1153ca2-v3000i1 sent from 165.91.52.5 to 216.143.61.230 changed SDP from 65.91.52.13:25284 to 65.91.52.76:16936
sdp-connection-info-change : Call-ID BW160440578220310634912045@65.91.52.5 sent from 165.91.52.108 to 66.147.212.138 changed SDP from 165.91.52.108,65.91.52.108:22478 to 65.91.52.108:22478
sdp-connection-info-change : Call-ID 1980608226_127321204@4.55.4.163 sent from 65.91.52.5 to 216.143.61.229 changed SDP from 65.91.52.5:5000 to 65.91.52.45:27656
Failure After Provisional Response
This occurs when a non-100 provisional response is returned for a call, and then later the call fails with a response code other than 487 (Request Cancelled). For example, if a caller gets a 183 Session Progress response, and then later gets a 503 Service Unavailability response, then this type of anomaly would be detected.
Using vcar
- Download vcar here.
- Save vcar to your Linux/Unix/Mac machine, and make it executable. E.g.: “chmod 755 ecg-vcar-0.2”
- Run it, and provide the filename of a libpcap capture file (as generated by tcpdump, wireshark, etc.). Use the “--stats” flag to get some statistics after the file is analyzed.
Examples:
ecg-vcar-0.2 capturefile.pcap
ecg-vcar-0.2 --help
ecg-vcar-0.2 --stats capturefile.pcap
Final Stats
vcar can output some final statistics about what it saw in the file. Use the “--stats” flag to get that output.
$ ./ecg-vcar-0.1 --stats bsprings_2_00056_20101214110341.pcap
failure-after-progress: Call-ID 70066c58-cc347d6d-ef878d32@10.33.14.67 started in frame 25792 failed with 401 at time Dec 14, 2010 11:04:11.291672000 in frame 26294 but had an earlier call-progress indicator
failure-after-progress: Call-ID 70066c58-cc347d6d-ef878d32@10.33.14.67 started in frame 25792 failed with 401 at time Dec 14, 2010 11:04:12.291592000 in frame 27219 but had an earlier call-progress indicator
failure-after-progress: Call-ID BW1104213021412101296948723@165.91.52.5 started in frame 25993 failed with 400 at time Dec 14, 2010 11:04:30.099479000 in frame 43490 but had an earlier call-progress indicator
sdp-connection-info-change : Call-ID 70066c58-cc347d6d-ef878d32@10.33.14.67 sent from 165.91.52.108 to 164.208.90.230 changed SDP from 10.33.2.61:2252 to 65.91.52.108:22398
sdp-connection-info-change : Call-ID 70066c58-cc347d6d-ef878d32@10.33.14.67 sent from 165.91.52.108 to 164.208.90.230 changed SDP from 65.91.52.108:22398 to 10.33.2.69:2222
failure-after-progress: Call-ID aecc1a9-9d77c8e-af84f94b@10.0.90.144 started in frame 105188 failed with 408 at time Dec 14, 2010 11:05:46.814755000 in frame 105821 but had an earlier call-progress indicator
sdp-connection-info-change : Call-ID BW110556457141210979106786@165.91.52.5 sent from 164.208.90.230 to 65.91.52.108 changed SDP from 0.0.0.0:2234 to 10.0.90.144:2234
sdp-connection-info-change : Call-ID BW110556457141210979106786@165.91.52.5 sent from 164.208.90.230 to 65.91.52.108 changed SDP from 10.0.90.144:2234 to 0.0.0.0:2234
failure-after-progress: Call-ID 621713ef-fde05aa4-624514b1@10.0.90.144 started in frame 124474 failed with 408 at time Dec 14, 2010 11:06:22.138389000 in frame 124852 but had an earlier call-progress indicator
failure-after-progress: Call-ID BW110710548141210909643780@165.91.52.5 started in frame 143009 failed with 400 at time Dec 14, 2010 11:07:23.721251000 in frame 158752 but had an earlier call-progress indicator
sdp-connection-info-change : Call-ID BW110730539141210360082158@165.91.52.5 sent from 164.208.90.230 to 65.91.52.108 changed SDP from 0.0.0.0:2264 to 10.0.90.157:2264
failure-after-progress: Call-ID BW1108017171412101619436374@165.91.52.5 started in frame 178095 failed with 400 at time Dec 14, 2010 11:08:07.627004000 in frame 187435 but had an earlier call-progress indicator
Stats:
411 distinct call-legs observed (as counted by unique Call-ID plus From header combinations)
303.863 seconds between earliest call start and latest call start
3 call-legs have SDP connection info change; 0.00729927%
6 call-legs have Failure after progress; 0.0145985%
Capture File Must be Sorted!
vcar assumes that capture files are sorted chronologically. If it detects frame timestamps that are moving back in time, it will report a “file-not-sorted-exception”.
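The stateful pass behind both anomaly types, and the reason it needs chronologically sorted input, shown as an added example in shell and awk; this is not vcar's own code. The function names, the tab-separated column layout, the sample records, the choice to treat any 4xx-6xx response as a failure, and the keying of SDP state by Call-ID plus sender IP are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not vcar's own code. Input columns (tab-separated, an assumed
# layout): frame, epoch time, Call-ID, src IP, dst IP, SIP status (empty for
# requests), SDP connection address, SDP media port (both empty without SDP).

sample_records() {  # constructed records, sorted by time
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1 100.0 call-a@example 192.0.2.10    198.51.100.20 ''  192.0.2.10    20000 \
    2 100.1 call-a@example 198.51.100.20 192.0.2.10    100 ''            ''    \
    3 100.5 call-a@example 198.51.100.20 192.0.2.10    183 198.51.100.20 30000 \
    4 101.0 call-a@example 192.0.2.10    198.51.100.20 ''  192.0.2.99    20002 \
    5 102.0 call-a@example 198.51.100.20 192.0.2.10    503 ''            ''    \
    6 103.0 call-b@example 192.0.2.10    198.51.100.20 ''  192.0.2.10    20004 \
    7 103.2 call-b@example 198.51.100.20 192.0.2.10    180 ''            ''    \
    8 104.0 call-b@example 198.51.100.20 192.0.2.10    487 ''            ''    \
    9 105.0 call-c@example 198.51.100.20 192.0.2.10    100 ''            ''    \
    10 105.1 call-c@example 198.51.100.20 192.0.2.10   486 ''            ''
}

detect_anomalies() {  # reads records on stdin, prints one line per anomaly
  awk -F '\t' '
    $2 + 0 < last_time { print "file-not-sorted-exception at frame " $1; exit 2 }
    { last_time = $2 + 0; cid = $3; status = $6 + 0 }
    # A 1xx response other than 100 is a call-progress indicator.
    status > 100 && status < 200 { progress[cid] = 1 }
    # Assumption: "fails" means a 4xx-6xx final response; 487 is excluded.
    status >= 400 && status != 487 && progress[cid] {
      printf "failure-after-progress: Call-ID %s failed with %d in frame %s\n",
             cid, status, $1
    }
    $7 != "" {
      key = cid SUBSEP $4; now = $7 ":" $8
      if ((key in sdp) && sdp[key] != now)
        printf "sdp-connection-info-change: Call-ID %s sent from %s to %s changed SDP from %s to %s\n",
               cid, $4, $5, sdp[key], now
      sdp[key] = now
    }'
}

sample_records | detect_anomalies
```

Because the per-call state is built in a single forward pass, a failure that appears before its provisional response in the file would go unreported, which is why out-of-order timestamps stop the run.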
Memory Requirements
vcar uses “tshark” and “awk” to analyze the state of calls through the capture. Both can consume a substantial amount of RAM. For example, a 239 MB capture file made up exclusively of SIP capture data required around 100 MB of RAM to process on a Mac OS X 10.6 machine using tshark 1.4.1 (64 bit) and the stock Mac OS X “awk” (version 20070501).
vcar Revision History
- 0.2 — Minor updates.
- 0.1 — Initial release, detecting failure-after-progress and sdp-connection-info-change.
Open Source
vcar is an open source script. Use it as the basis for your own exciting stateful call analyzers, or send us ideas for other VoIP call anomalies you’d like to detect.
