My customer is doing an Avaya VOIP pilot. I am looking at traces in Wireshark to build my troubleshooting skills. I have found much documentation on VOIP, but little that focuses on protocol analysis and how the various protocols work together.
I can see H.323 in the trace, but some packets contain TPKT, Q.931 and H.225 while others do not.
Wireshark Statistics->RTP->Show All Streams shows 15 streams while Statistics->VOIP Calls shows only 1 call.
Can anyone point me at some good sources of information on how to understand VOIP at this level?
Generally the VOIP traffic can be broken down into 2 parts... Control traffic and Audio Stream traffic.
This may not be how Avaya specifically does it, but in plain vanilla VoIP you should see SIP (Session Initiation Protocol) going back and forth at around port 5060 to exchange information such as Message Waiting Indicator, Phone Registrations, and the like. When you place a call, you should also see SIP traffic setting up the call and exchanging the information for the Audio Streams to begin transmitting. The audio packets won't give you a whole lot to look at in Wireshark since it's just encoded audio data.
Edit: By the way, you shouldn't necessarily have to break out Wireshark to troubleshoot VoIP. Most often the VoIP server or endpoint should give you some troubleshooting information or debug diagnostics as things are happening that are way more valuable (and make a lot more sense) than Wireshark data.
Try "Voice over IP Fundamentals" by Jonathan Davidson, James Peters, Manoj Bhatia, Satish Kalidindi, Sudipto Mukherjee.
You probably also want to learn about Quality of Service (QoS), as this will become important when VoIP-ing over congested lines.