[c-nsp] Question on mystery VOIP traffic

[Jay Hennigan]

Steven Pfister wrote:
> I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it.
> 
> In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. 

A single RTP stream (one phone call) using a G.711 codec us roughly 80 
kbits per second, which if left off-hook all day would wind up at about 
7 gigabits per day of RTP traffic.  SIP, SCCP, MGCP or other signaling 
would add a small amount for call setup/teardown, message lights, and 
overhead.

A site with several users making and receiving phone calls during 
business hours adding up to about 20 to 24 call-hours a day would 
generate the same traffic.

If the PBX is streaming music-on-hold or other constant RTP of some sort 
24/7 this would do it as well, as would rogue RTP streams from a call 
that didn't tear down correctly.

The curious thing in your case is that the traffic is unidirectional 
from the site.  RTP is generally symmetrical.

Ethereal/Wireshark has the ability to capture and decode RTP and play it 
back as audio (in stereo) if you need to dig into it.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV