2. Motivation
In this complex and evolving scenario, VoIP traffic monitoring tools are very few, often
integrated into packet sniffers such as ethereal [ethereal] [hollis] and used for finding
issues (e.g. severe packet loss or incompatible codecs) in specific situations, rather than
for permanently monitoring VoIP and non-VoIP traffic. Other tools such as Vomit
[vomit] or RTP-tools [rtp-tools] are suitable for capturing voice communications but not
for providing a comprehensive permanent monitoring tool. This has been the author's
motivation for this work, namely to develop an open source VoIP-aware traffic
monitoring tool able to:
• Provide long-term monitoring, contrary to what available VoIP monitoring tools do.
• Handle standard VoIP protocols as well as, as much as possible, proprietary protocols.
• Decode calls, hence identify peers (who’s calling who) and client applications. This is
useful for VoIP accounting, billing or fraud detection.
• Provide VoIP metrics such as packet loss and latency, as well as voice quality.
• Generate traffic trends in order to identify how VoIP traffic is changing over time.
In order to achieve the above goal, the author decided to use a dual approach:
• Enrich ntop [ntop], a home-grown open-source passive traffic monitoring application,
for making it VoIP traffic aware.
• Develop some metrics suitable for monitoring key VoIP traffic characteristics and
export them via Netflow [netflow] v9/IPFIX [ipfix], by means of nProbe [nprobe], an
open-source netflow probe also developed by the author.
This decision has been made because:
• It allows users to exploit the available traffic analysis facilities provided by ntop,
without having to run any specialized VoIP traffic analysis application. In this way
VoIP traffic is not treated as a first-class citizen but it is at the same level as other traffic
(e.g. http or email).
• It enables VoIP measurements computed by nProbe to be exported using the standard
Netflow/IPFIX protocol, so that they can also be used by ntop and other commercial
netflow applications such as Cisco NetFlow Collector. This is particularly important
when open source solutions are deployed in an enterprise that is using an existing/commercial
management console.
The following sections describe the design and the implementation of the extensions to
ntop and nProbe for monitoring VoIP traffic.
3. VoIP Basics
As stated before there are three main VoIP protocol families, namely those based on:
• standard protocols such as SIP/H.323/RTP [rtp];
• proprietary but well documented protocols such as Cisco skinny [skinny];
• proprietary protocols such as Skype.
Note that the use of standard or known protocols does not always mean that it is
possible to monitor everything as protocols such as RTP, used to carry voice and video,
may transport data encoded with proprietary codecs. This is true for instance for Google
Talk whose voice is encoded with a proprietary codec. In general all the protocols are