nprobe RTP jitter question
We are testing nprobe’s rtp analytics and we are not able to interpret the values we are getting.
We have an RTP trace that we are sending to nprobe and generating in/out jitter metrics but the values are too high and not consistent with what wireshark analysis tool indicates.
I’m attaching the generated netflow and the RTP traffic trace used to feed nprobe. Please help us understand how we can interpret the data we are getting.
Thanks,
From the sip-rtp-l16 pcap we get the following jitter values in wireshark:
"Source IP", "S.Port", "Dest IP", "D.Port", "Max Jitter", "Mean Jitter"
1 "10.0.2.15", 26628, "10.0.2.20", 6000, 0.00835, 0.005456
2 "10.0.2.15", 24082, "10.0.2.20", 6000, 0.00991, 0.0055694
3 "10.0.2.15", 32682, "10.0.2.20", 6000, 8.73074, 8.7034059
4 "10.0.2.15", 31026, "10.0.2.20", 6000, 0.01264, 0.0064565
And in the first flowset generated by nprobe we get:
   In_jitter  out_jitter
1  0.41       4294967
2  0.049      4294967
3  0.075      4294967
4  0.083      4294967
And similar values in the second flowset.
Please indicate how we can interpret these values. I'm attaching the pcap files used, the sip/rtp payload and the nprobe generated flows.
Thanks
I have checked the jitter implementation in nProbe and it is based on https://tools.ietf.org/rfcmarkup?rfc=3550&draft=&url=#page-94
We have found a bug that might explain why the jitter was not computed correctly with dynamic payload. The fix has been committed and it will be available in overnight builds.
Hello Luca,
I have tried to test the nightly build with a trace containing RTP of a skype call. Wireshark identifies the RTP Payload type as DynamicRTP-Type-104 (104). When I use this trace with nprobe there are no flows with RTP information and, in general, there are no flows describing the UDP flow of RTP. It is as if nprobe is ignoring this specific RTP flow.
The command I'm using is: /usr/local/bin/nprobe -E 0:1000 -U 257 -n 10.100.20.100:9996 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %MPLS_LABEL_1 %MPLS_LABEL_2 %SRC_TOS %TCP_FLAGS %DST_TOS %FRAGMENTS %CLIENT_NW_LATENCY_MS %SERVER_NW_LATENCY_MS %APPL_LATENCY_MS %RETRANSMITTED_IN_BYTES %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_BYTES %RETRANSMITTED_OUT_PKTS %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %L7_PROTO %L7_PROTO_NAME %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_LAST_TS %FIRST_SWITCHED %LAST_SWITCHED" -t 60 -w 500000 -i /root/skype_rtp_payload_0517.pcap -b 1
I'm attaching the pcap of the skype rtp trace and the resulting flows
skype_rtp_payload_0517.pcap.zip nprobe_nf_skype_rtp_0517.pcap.zip
thanks, Rodrigo
Hi Luca, one more question: The nprobe documentation indicates that the jitter values are:
[NFv9 57626][IPFIX 35632.154] %RTP_IN_JITTER RTP jitter (ms * 1000)
[NFv9 57627][IPFIX 35632.155] %RTP_OUT_JITTER RTP jitter (ms * 1000)
If the RFC indicates that the interarrival jitter is "An estimate of the statistical variance of the RTP data packet interarrival time, measured in timestamp units and expressed as an unsigned integer", why are the netflow units ms*1000?
thanks, Rodrigo
I have looked at the RTP traffic and while it looks like RTP, it does not follow the standard. See also Wireshark 3.x to confirm this. As for the other question, jitter is computed as in A.8 of http://www.faqs.org/rfcs/rfc3550.html where timestamps are in usec (ms * 1000)
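
The units question above comes down to a clock-rate conversion. The following C implementation of the RFC 3550 A.8 estimator is an added example, not nProbe's code and not part of any reply in this thread; the type and function names, the 8000 Hz clock and the sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>

/* Per-stream state for the RFC 3550 A.8 interarrival jitter estimator. */
typedef struct {
    int32_t transit;  /* previous (arrival - RTP timestamp), timestamp units */
    double  jitter;   /* running estimate J, timestamp units */
    int     primed;   /* 0 until the first packet has been seen */
} rtp_jitter_t;

/* Feed one packet. arrival_us: capture time in microseconds; rtp_ts: RTP
 * header timestamp; clock_hz: payload clock rate. For a dynamic payload
 * type the rate is signalled out of band (e.g. SDP), not by the PT number. */
static void rtp_jitter_update(rtp_jitter_t *s, uint64_t arrival_us,
                              uint32_t rtp_ts, uint32_t clock_hz)
{
    /* Arrival time in RTP timestamp units; split to avoid 64-bit overflow. */
    uint64_t ticks = (arrival_us / 1000000u) * clock_hz
                   + (arrival_us % 1000000u) * clock_hz / 1000000u;
    int32_t transit = (int32_t)((uint32_t)ticks - rtp_ts);

    if (s->primed) {
        int32_t d = transit - s->transit;
        if (d < 0) d = -d;
        s->jitter += ((double)d - s->jitter) / 16.0;  /* J += (|D| - J)/16 */
    }
    s->transit = transit;
    s->primed = 1;
}

/* Timestamp units -> microseconds (ms * 1000); needs the same clock rate. */
static double rtp_jitter_usec(const rtp_jitter_t *s, uint32_t clock_hz)
{
    return s->jitter * 1000000.0 / clock_hz;
}

/* Constructed sample: 20 ms packets (160 ticks at 8000 Hz), every other
 * packet arriving 4 ms late, so |D| is 32 ticks on every update. */
static double sample_jitter_usec(int npackets)
{
    rtp_jitter_t s = {0, 0.0, 0};
    for (int i = 0; i < npackets; i++) {
        uint64_t arrival = 1000000u + (uint64_t)i * 20000u + ((i & 1) ? 4000u : 0u);
        rtp_jitter_update(&s, arrival, 160u * (uint32_t)i, 8000u);
    }
    return rtp_jitter_usec(&s, 8000u);
}
```

With the 1/16 gain the estimate converges slowly toward the steady-state deviation (4000 usec in this sample), so short flows report values well below what a per-packet delta view shows.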