I'm looking for a way to identify as many consumer VoIP users on my ISP network as possible using packet analysis.
My setup is like this:
On my core switch, all traffic going in and out of gigabit1 is SPAN'd to gigabit2, where I have a linux server connected.
Here's what I've been trying:
I ran tshark, filtering for my networks and the standard SIP ports. Something like:
tshark -i eth0 -f "(net 1.2.3.0/24 or net 4.5.6.0/24) and (port 5060 or port 5061)" -w ./outfile
Ran this for over a week, then searched through the output file for a list of unique IPs.
I see a few SIP users this way, but not nearly as many as I should. Is there something wrong with this approach? It was my understanding that most major consumer VoIP products, such as Vonage, used SIP for signalling.
What (I think) I want:
I want to actually classify protocols, looking for SIP, RTP etc. If I install L7 Filter I can use iptables to mark the traffic I am interested in, but I don't know where I would go from there to get a list of unique IPs.
I am open to any suggestions.
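As an added example (not code from the question or any of the answers here), a content-based classifier that recognises SIP and RTP by payload rather than by UDP port, so a subscriber signalling on something other than 5060 is still counted, and then lists the local hosts involved. The packet tuples, the addresses and the 1.2.3.0/24 network are constructed samples; a real run would feed it the decoded UDP payloads from the capture.

```python
import ipaddress

# SIP request methods (RFC 3261) used to recognise a request start line.
SIP_METHODS = (b"INVITE", b"REGISTER", b"ACK", b"BYE", b"CANCEL", b"OPTIONS",
               b"SUBSCRIBE", b"NOTIFY", b"PUBLISH", b"MESSAGE", b"REFER", b"INFO")

def classify_udp_payload(payload: bytes) -> str:
    """Return "sip", "rtp", "rtcp" or "other" based on payload content, not port."""
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(b"SIP/2.0 "):            # response, e.g. "SIP/2.0 200 OK"
        return "sip"
    if first_line.endswith(b" SIP/2.0") and first_line.split(b" ")[0] in SIP_METHODS:
        return "sip"                                   # request, e.g. "REGISTER sip:... SIP/2.0"
    # RFC 3550: 12-byte fixed header, version (top two bits of byte 0) == 2.
    if len(payload) >= 12 and payload[0] >> 6 == 2:
        if 200 <= payload[1] <= 204:                   # RTCP packet types SR/RR/SDES/BYE/APP
            return "rtcp"
        pt = payload[1] & 0x7F                         # RTP payload type
        if pt < 35 or 96 <= pt <= 127:                 # static audio/video PTs or dynamic range
            return "rtp"
    return "other"

def voip_hosts(packets, local_nets):
    """Map each local IP to the set of VoIP protocols it was seen using.

    packets: iterable of (src_ip, dst_ip, udp_payload) tuples.
    local_nets: CIDR strings for the monitored networks.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    seen = {}
    for src, dst, payload in packets:
        proto = classify_udp_payload(payload)
        if proto == "other":
            continue
        for ip in (src, dst):
            if any(ipaddress.ip_address(ip) in n for n in nets):
                seen.setdefault(ip, set()).add(proto)
    return seen

# Constructed sample traffic: a subscriber registering from a non-standard port,
# a media stream with its RTCP report, and one unrelated UDP packet.
SAMPLE_PACKETS = [
    ("1.2.3.10", "203.0.113.5", b"REGISTER sip:proxy.example SIP/2.0\r\nVia: SIP/2.0/UDP 1.2.3.10:5080\r\n\r\n"),
    ("203.0.113.5", "1.2.3.10", b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 1.2.3.10:5080\r\n\r\n"),
    ("1.2.3.11", "203.0.113.7", bytes([0x80, 0x00, 0x12, 0x34, 0, 0, 0, 1, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 160),
    ("1.2.3.11", "203.0.113.7", bytes([0x80, 0xC8, 0x00, 0x06, 0xDE, 0xAD, 0xBE, 0xEF]) + b"\x00" * 20),
    ("1.2.3.12", "203.0.113.9", b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),  # DNS-like, not VoIP
]

if __name__ == "__main__":
    for ip, protos in sorted(voip_hosts(SAMPLE_PACKETS, ["1.2.3.0/24", "4.5.6.0/24"]).items()):
        print(ip, ",".join(sorted(protos)))
```

Hosts seen only in RTP/RTCP without any SIP are worth a second look: they may be signalling over TCP or TLS (port 5061), which this UDP-only pass does not decode.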
Your best bet for monitoring the traffic is probably going to be sFlow; have a look at your network equipment manufacturers' docs for configuring it on the switches. For aggregators, have a look at something like Argus, or if you simply want to capture sFlow data for processing, see InMon's sFlow toolkit.
There are other protocols in use in the wild; with MGCP mainly being phased out, you may see SCCP or, more likely, some IAX trunks. Also, note that Skype uses an entirely proprietary P2P protocol.
I have used equipment like Packeteer's to analyse and prioritise this traffic in the past, but your description suggests to me that this is likely not to be commercially viable for you.
What makes you think that you have more users using VoIP than what you saw?
So the real question is: what are you trying to track down? If it's a normal phone system, I would second Zypher's suggestion of checking the PBX; if that's not an option, I would suggest confirming that the devices in question are indeed using SIP. I supported an environment with ShoreTel VoIP phones and found that while some conference phones ran SIP, the vast majority of the phones used MGCP.