Capture VOIP traffic to check for packet loss

edit

Some routers also allow you to capture packets on an interface. We primarily use pfSense and capture from the command line but I know Sonicwall and Cisco ASA routers also have packet capturing built in. We make it a priority that if any of our clients use VoIP lines or hosted phones that we make sure they have a router with packet capturing in it. In pfSense we use the command "tcpdump -i re0 -w trace($Interface).cap portrange 5000-5100" where $Interface is usually either WAN or LAN. That port range is overly broad as it's only 5060-5062 but I never know if they are going to make changes. This only grabs SIP and not RTP. If you want to grab RTP as well, find the portrange being used and add that in as well.

If your router doesn't have that capability (I advise you upgrade if it doesn't) you can use a hub (we have 100mb hubs on hand just for this) or a switch with port mirroring to sit between the router and the modem. You'll need a computer with wireshark running to sniff the packets but it's just as effective. If you don't have a router and just use a modem, put it between the modem and switch.

Also, check your modem. Your router should have a firewall built in so the firewall can be turned off in the modem and all ALG (especially SIP ALG) functions disabled. What we do with Spectrum Arris modems is; if you have a dynamic public IP then set the modem in bridge mode, if you have a static public IP put the modem in RIP w/o NAT, and if there is no router set it in RIP+NAT.

1-way audio and failing to set up a call is normally a NATting issue. In my experience that is normally because you are double-NATted or you have SIP ALG turned on somewhere.

"VoIP" consists of the call control (or signaling), which in your case is SIP, and the media, which in your case is RTP.

To check whether your network is responsible for the issue or not, you need to capture at your uplink or as close to it as possible, and the simplest capture filter is host x.x.x.x where x.x.x.x is the IP address of your SIP provider's server. See the Wireshark capture setup manual to find out what hardware and setup you need to get a copy of the traffic to the capturing machine.

Some router models as well as some IP phone models have embedded capturing capabilities.

You haven't stated whether your SIP phones register with your PBX or directly with your SIP provider, and if there is a PBX, whether it registers with the SIP provider or is statically configured.

If you cannot access external lines at all, packet loss is an unlikely cause; if it happens from time to time but you don't experience audio problems once the call establishes, packet loss is also an unlikely cause. If some calls set up and some don't and for those which do the remote party complains about audio quality, packet loss may be the reason.

Capturing on the uplink should show you whether your phones or PBX send INVITE to the SIP provider or not; if you can see only one INVITE immediately responded with a 100, the packet loss may happen inside your network (between the phone and the uplink), so capturing next to the IP phone should show several INVITEs before a 100 comes back.

Similarly, if you can see several INVITEs before a 100 comes back on the uplink, the INVITEs or the 100s get lost outside your network.