Monitor SIP traffic with Wireshark

I’ve been working on monitoring our SIP traffic on our phone system and have yet to find a comprehensive how-to on monitoring the traffic and filtering it utilizing Wireshark.

First, you must monitor the network traffic to get the needed information. I mirrored the ports that we needed on our switch (as far as I know, all switches can do this). Once I had the mirroring down, I began the capture while our system called our customers for their courtesy calls.

This ended up being a ton of data, but as it was capturing I filtered by typing “SIP” into the filter section on Wireshark to verify the correct packets were being captured. Once the capture had completed, I saved it and sorted by SIP again, which was a ton of data. We double-checked which calls failed on our monitoring system and I was given a few calls (4) that I needed to find in the massive capture.

I started by cross-referencing times to the SIP by using a filter similar to:

(frame.time >= "Aug 23, 2013 16:03:00") && (frame.time <= "Aug 23, 2013 16:04:00") && sip

This gave me what I needed, but it was still quite a bit of data to sort through. Therefore, knowing that Wireshark could actually filter SIP, I entered this filter:

sip contains "xxxxxxxxxx"

With the xxxxxxxxxx containing the phone number. For example, we dial 8 out of our network, so this was similar to: sip contains "815555555555" (making the phone number 8 1 (555) 555-5555), and this gave me all of the packets that contained that phone number, allowing us to troubleshoot further down.

Hopefully this helps someone because it’s taken me the better part of the morning to find out.
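Added example (not part of the original post): the time-window filter and the phone-number filter above combined into one expression and run with tshark, Wireshark's command-line tool. It goes one step beyond the post by then pulling every SIP packet that shares a Call-ID with a match, so each call's final response is visible. The function names, script name and capture file name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: script, function and capture names are hypothetical.

# Print a display filter for SIP packets in [start, end] containing number.
build_sip_filter() {
    local start=$1 end=$2 number=$3
    # Accept digits only so the value cannot alter the filter expression.
    case $number in
        ''|*[!0-9]*) echo "number must be digits only" >&2; return 1 ;;
    esac
    # Timestamps sit inside double quotes: reject quotes and backslashes.
    case "$start$end" in
        *'"'*|*'\'*) echo "bad timestamp" >&2; return 1 ;;
    esac
    printf '(frame.time >= "%s") && (frame.time <= "%s") && sip contains "%s"' \
        "$start" "$end" "$number"
}

# Pass 1 collects the Call-IDs of matching packets. Pass 2 prints every SIP
# packet of each of those calls, including the final status code.
trace_calls() {
    local pcap=$1 filter id
    filter=$(build_sip_filter "$2" "$3" "$4") || return 1
    tshark -r "$pcap" -Y "$filter" -T fields -e sip.Call-ID | sort -u |
    while IFS= read -r id; do
        [ -n "$id" ] || continue
        echo "== Call-ID $id"
        tshark -r "$pcap" -Y "sip.Call-ID == \"$id\"" -T fields \
            -e frame.time -e ip.src -e ip.dst -e sip.Method -e sip.Status-Code
    done
}

# Runs only when called with four arguments, for example:
#   ./trace.sh capture.pcap "Aug 23, 2013 16:03:00" "Aug 23, 2013 16:04:00" 815555555555
if [ "$#" -eq 4 ]; then
    trace_calls "$@"
fi
```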

Multipathing with VNXe3150

I recently had a VNXe 3150 installed and configured. Along with that purchase we had gone ahead and gotten a new Dell PowerConnect 5524 to go with our Dell PowerConnect 5424 so that we could have more redundancy. Recently, I got around to configuring the multipathing in our vSphere 5.1 environment. I thought that I would be able to unplug an ethernet cable from each SP and plug it into the new switch (after it was configured) and then unplug a link on our host and plug it into the new switch. However, this disconnected the datastore, which was not desirable in our environment.

After doing a ton of digging and thinking, I figured the issue was with the configuration of our SAN. While looking into the multipathing on our VMware side, I noticed that the iSCSI adapters were mapped to the same IP addresses.

Target (Before Multipathing)

As you can see, both were pointed to So, when I disconnected the cables indicated below, depending on the cable, it would have disconnected the datastore.

In order to resolve this, I had to work with both Unisphere software and VMware vCenter. First, I noticed in Unisphere that I had 4 iSCSI Servers all pointing to a different IP Address.

Existing iSCSI Servers Configuration

So, I needed to resolve this. I added in two more iSCSI servers, SPA and SPB. In SPA I added in two IP Addresses that would point to the eth interfaces. Below is the SPA setting.

SPA Network Settings

Once I got SPA made, I went ahead and created SPB.

I then had to move over to vSphere and configured the iSCSI port binding. I followed this excellent video:

After getting the port binding set up, I then had to add the new iSCSI targets using the ‘Dynamic Discovery’ on the edit iSCSI Initiator properties. Once those got added, I then had to configure my EMC SAN datastores to point to the new IP Addresses. This required me to create new datastores on the SAN. Since I didn’t have very much extra space and am not licensed to use Storage vMotion, I had to take quite a bit of downtime. I ended up changing one datastore at a time by migrating all VMs off of that datastore, deleting it in Unisphere and then recreating the datastore, making sure to select SPA or SPA iSCSI Server. Once I did that, I presented the LUN to my hosts, which picked up the datastore right away.

Each datastore was upgraded to VMFS 5 and the paths were set up to ‘Round Robin’, making sure that each path was ‘Active’.

I then continued moving around the VMs until I got to vCenter, which was kind of tricky…

Once all of the datastores were re-added and the settings were configured properly, I disconnected the networking cable from my host (that wasn’t running VMs) and connected it to the new switch. It all worked and everything came back to Active/Active!

All three hosts are configured exactly the same and are all working as required.

Moving vCenter without Storage vMotion

Having some issues with our storage, I had to create some new datastores and move virtual machines over to the new datastores. I thought it seemed easy enough, even having Essentials Plus licensing. I just took the server offline, moved it, and turned it back on. This worked for every server…except one…vCenter. I started searching around online and found some blogs pointing to utilizing SSH and the ‘vmware-cmd’ command. I typed that in, and got the error: “-sh: vmware-cmd: not found”

I then started to think, why not use both GUI and command line. I shut down my vCenter server and unregistered it by browsing into my datastore. After that I moved over to my SSH session with my ESXi host.

I used the command mv…

mv /vmfs/volumes/51926e41-5a58b725-cb40-782bcb19c270/vCenter /vmfs/volumes/5203e77b-392d6e9c-61a6-782bcb19c26c/vCenter

I got the 51926e41-5a58b725-cb40-782bcb19c270 from vSphere Client, highlighted below.


After the move (mv) command, I added the vCenter server into the inventory and powered it up.

VCP 5 – My Take

I thought I would take this time to share some of my thoughts and resources for the VCP-DCV exam that I just passed! Overall, I thought it was a very good exam. It took me two tries to pass it, but I think failing the first time wasn’t a bad thing. After the first exam, I learned that the VCP is a legit certification. Having taken multiple Microsoft exams that I had no problem passing, the VCP was a bit more challenging to me. So, what did I use to study?

1. Took the required course.

2. Read ‘Mastering VMware vSphere 5’ by Scott Lowe. Link.

3. Built my home lab using VMware Fusion for my Mac. This was a little bit of a challenge because the resources were limited. I had to run a slow vCenter Server Appliance and usually one VM. I had two hosts, one with limited resources and the other with enough to run a slow vCenter. I wouldn’t recommend this configuration, but I couldn’t justify buying a whole lab.

4. Downloaded the exam blueprint and reviewed that.

5. Took the VMware practice exam. Be careful not to get 100% because you can’t retake it.

6. Practice exam from Simon Long. Link.

7. Ran through practice labs on my “lab”.

One thing that I wish I would have been more knowledgeable about was resource pools and shares.

Having basically only used vSphere 5.1 Essentials Plus, I thought that various portions of the exam were rather difficult. My problem was that I don’t have access to a large environment and do not get some of the higher end licensing (such as Auto Deploy and DRS).

My biggest advice: keep calm and take your time with the exam. The time goes pretty quick, so budget your time accordingly.