[c-nsp] Question on mystery VOIP traffic

Jay Hennigan jay at west.net
Thu Jul 10 09:58:08 EDT 2008


Steven Pfister wrote:
> I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it.
> 
> In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. 

A single RTP stream (one phone call) using a G.711 codec is roughly 80 
kbits per second, which if left off-hook all day would wind up at about 
7 gigabits per day of RTP traffic.  SIP, SCCP, MGCP or other signaling 
would add a small amount for call setup/teardown, message lights, and 
overhead.

A site with several users making and receiving phone calls during 
business hours adding up to about 20 to 24 call-hours a day would 
generate the same traffic.

If the PBX is streaming music-on-hold or other constant RTP of some sort 
24/7 this would do it as well, as would rogue RTP streams from a call 
that didn't tear down correctly.

The curious thing in your case is that the traffic is unidirectional 
from the site.  RTP is generally symmetrical.

Ethereal/Wireshark has the ability to capture and decode RTP and play it 
back as audio (in stereo) if you need to dig into it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
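
Added example, not part of the original message: a sketch of how the two checks discussed in this thread could be run over a day's flow export, flagging voice-range UDP flows whose reverse direction is nearly empty and expressing their volume as equivalent G.711 call-hours. The flow tuples, addresses, the 10% asymmetry threshold and the function names are assumptions made for illustration; the 80 kbit/s rate and the 15k to 20k port range come from the thread.

```python
from collections import defaultdict

G711_BPS = 80_000            # per-direction rate quoted in the reply (approximate)
PORT_RANGE = (15000, 20000)  # UDP port range reported in the question

# Constructed one-day flow export: (src, dst, sport, dport, proto, bytes).
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 16384, 16390, "udp", 700_000_000),  # remote -> central
    ("198.51.100.5", "192.0.2.10", 16390, 16384, "udp", 2_000_000),    # thin reverse path
    ("192.0.2.11", "198.51.100.5", 17000, 17002, "udp", 36_000_000),   # ordinary call
    ("198.51.100.5", "192.0.2.11", 17002, 17000, "udp", 35_500_000),
    ("192.0.2.12", "198.51.100.5", 18000, 18004, "udp", 90_000_000),   # no reverse at all
    ("192.0.2.10", "198.51.100.5", 51000, 443, "tcp", 5_000_000),      # not voice
]

def call_hours(byte_count, bps=G711_BPS):
    """Hours of one continuous stream at `bps` needed to move byte_count bytes."""
    return byte_count * 8 / bps / 3600

def one_way_streams(flows, ports=PORT_RANGE, max_ratio=0.10):
    """Return UDP flows in the port range whose reverse direction carries
    less than max_ratio of the forward bytes (RTP is normally symmetrical)."""
    totals = defaultdict(int)
    for src, dst, sport, dport, proto, nbytes in flows:
        if proto == "udp":
            totals[(src, dst, sport, dport)] += nbytes
    findings = []
    for (src, dst, sport, dport), fwd in totals.items():
        if not (ports[0] <= sport <= ports[1] and ports[0] <= dport <= ports[1]):
            continue
        rev = totals.get((dst, src, dport, sport), 0)  # matching reverse 4-tuple
        if rev < fwd * max_ratio:
            findings.append({"src": src, "dst": dst, "sport": sport, "dport": dport,
                             "fwd_bytes": fwd, "rev_bytes": rev,
                             "call_hours": round(call_hours(fwd), 1)})
    return sorted(findings, key=lambda f: f["fwd_bytes"], reverse=True)

if __name__ == "__main__":
    for finding in one_way_streams(SAMPLE_FLOWS):
        print(finding)
```

Byte counts from a flow export include IP and UDP headers, so the call-hours figure is only an estimate against the approximate 80 kbit/s rate.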

