How are the alerts sent?

These alerts are sent to us via email from the address root@wireshark.evolveip.net

Example Email Alert

In the email body we see the message INVITE sip:+1441, and the capture reference Sw1.cap5815:19, etc. Do not worry about the capture file portion: Tier 1 Support does not have access to Sw1 and cannot pull the capture files. So, in order to troubleshoot, we turn to OCOM/Palladion and try to find the call examples that contain an INVITE message going to +1441.

Notes and Tips Before Troubleshooting

ALERTS WILL NOT BE AN HOUR OR A DAY BEFORE THE EMAIL NOTIFICATION, KEEP THAT IN MIND WHEN TRYING TO FIND THE CALLS. You will need to look in both the Caller and Callee fields to try and find the calls, and here are some filtering options:

  • ^ : Matches anything that begins with the digit string that follows it (for example ^441).

  • \ : Lets you put the special character + into the filter field, as long as you put the backslash in front of the + (for example ^\+1441).

Also, keep in mind that at times you may have to filter the fields without the country code +1 as well.

Step 1: Filtering the Calls in OCOM/Palladion, using our Example

  • Filter Callee field for beginning +1441:

  • Filter Callee field for beginning 441:

  • Filter Caller field for beginning +1441:

  • Filter Caller field for beginning 441:

Step 2: Investigate the List

Trying these 4 filtering options should help you find the corresponding calls, which should look like:

Now that you have the numbers in question, you can investigate why the calls are failing, and if they are not failing, why so many are being placed. One of the most common occurrences is an outbound call on the ECS platform to a number that is unroutable: the system will continuously try to place the call through multiple carriers, and while on the phone the user hears nothing but silence. If you see the calls failing to a number, search the phone number in the LRN lookup tool provided by AiTech (https://tools.aitech.net/lrn/) and see whether there is any carrier associated with the number.

If you cannot locate the set of calls that are causing the alert, engage Tier 2 and ask them to pull the capture file for you from Sw1. You will need to provide them the capture file details, for example Sw1.cap5815:19. When you get the capture file, open it in Wireshark and filter it to find the examples you are looking for: sip.Request-Line contains "INVITE sip:[DIGIT STRING IN ALERT]"
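The two searches above (the four "begins with" filters in Step 1 and the Wireshark Request-Line check) are both a prefix match on the digit string from the alert. The script below is an added illustration, not part of this runbook or of OCOM/Palladion, that runs both matches over a constructed set of call records and SIP request lines, and tallies attempts and failures per matched number so the "unroutable number, many retries" pattern stands out. The record layout (caller, callee, result) and all phone numbers are made up for the example.

```python
import re

# Constructed OCOM/Palladion-style call records (sample data, not real calls).
# Each record carries the Caller and Callee fields the runbook says to filter.
CALL_RECORDS = [
    {"caller": "+12155550100", "callee": "+14415550123", "result": "failed"},
    {"caller": "+12155550100", "callee": "441555099",    "result": "failed"},
    {"caller": "+14415550177", "callee": "+12155550101", "result": "ok"},
    {"caller": "4415550188",   "callee": "+12155550102", "result": "ok"},
    {"caller": "+12155550103", "callee": "+12155550104", "result": "ok"},
    {"caller": "+12155550105", "callee": "+14415550199", "result": "ok"},
]

# Constructed SIP request lines, the kind Wireshark shows as sip.Request-Line.
SIP_REQUEST_LINES = [
    "INVITE sip:+14415550123@sip.example.net SIP/2.0",
    "REGISTER sip:sip.example.net SIP/2.0",
    "INVITE sip:+12155550104@sip.example.net SIP/2.0",
    "INVITE sip:+14415550199@sip.example.net SIP/2.0",
]


def palladion_filters(digits):
    """Build the four 'begins with' patterns from Step 1 for an alert digit
    string such as '+1441': with and without the +1 country code, for both
    the Caller and Callee fields. The '+' is escaped with a backslash, as
    the filter field requires, and '^' anchors the match to the start."""
    plain = digits.lstrip("+")                       # "1441"
    national = plain[1:] if plain.startswith("1") else plain  # "441"
    with_cc = "^\\+" + plain                         # ^\+1441
    without_cc = "^" + national                      # ^441
    return {
        "callee_cc": ("callee", with_cc),
        "callee_no_cc": ("callee", without_cc),
        "caller_cc": ("caller", with_cc),
        "caller_no_cc": ("caller", without_cc),
    }


def find_calls(records, digits):
    """Apply each of the four filters and return the matching records per filter.
    A number stored without '+' is only caught by the no-country-code variant,
    which is why the runbook says to try all four."""
    matches = {}
    for name, (field, pattern) in palladion_filters(digits).items():
        rx = re.compile(pattern)
        matches[name] = [r for r in records if rx.search(r[field])]
    return matches


def tally(matches):
    """Count attempts and failures per matched number across all four filters,
    so repeated failed attempts to one number are easy to spot."""
    counts = {}
    for name, recs in matches.items():
        field = name.split("_")[0]               # "callee" or "caller"
        for r in recs:
            entry = counts.setdefault(r[field], {"attempts": 0, "failed": 0})
            entry["attempts"] += 1
            if r["result"] == "failed":
                entry["failed"] += 1
    return counts


def request_line_contains(lines, digits):
    """Equivalent of the Wireshark display filter
    sip.Request-Line contains "INVITE sip:<digits>"."""
    needle = "INVITE sip:" + digits
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    hits = find_calls(CALL_RECORDS, "+1441")
    for name, recs in hits.items():
        print(name, palladion_filters("+1441")[name][1], len(recs), "match(es)")
    for number, c in tally(hits).items():
        print(number, c)
    print(request_line_contains(SIP_REQUEST_LINES, "+1441"))
```

Run it with the alert's digit string as the argument to find_calls; in real use the records would come from the OCOM/Palladion export and the request lines from the capture Tier 2 pulled from Sw1.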

Step 3: Providing Your Findings

When finished, find the original email in which the alert came in and reply all. Be sure to reply from your personal email, as some people may have filtering enabled for emails that come from Support@evolveip.net. Also be sure to include the ticket number in the subject line so it can be tracked and logged in the ticket. Include any PCAPs or screenshots of what you have found as evidence, or if you need some assistance understanding them. IF you think the alert is fraudulent, INTERCEPT THE USER SEAT OR LOCATION, RESET THE SIP AUTHENTICATION, RESET THE VOICEMAIL PIN, AND RESET THE APPLICATION PASSWORD, and engage Voice Engineering to confirm your findings; meaning if the alert is after hours you are to call the Voice Engineering on-call. We need to act speedily on real fraudulent behavior, as the longer it goes on the more money is being lost.

An example of how a reply should look. Please keep in mind all fraud is different and your investigation into the matter may not be as simple:
