Troubleshooting Lync Calls: Custom Parsers for Network Monitor

Lync Network Monitor Parsers: A Complete Guide for Troubleshooting

What they are

Lync Network Monitor parsers are protocol dissectors used by Microsoft Network Monitor (NetMon) or Message Analyzer to interpret and display Lync (now Skype for Business) signaling and media protocols—SIP (Session Initiation Protocol), SDP, RTP, RTCP, MS-SIP, MS-SIPUA, and proprietary Skype/Lync extensions. Parsers translate raw packet bytes into human-readable fields (messages, headers, call IDs, codecs, timestamps), making call signaling, registration, and media flows analyzable.

Why they matter for troubleshooting

  • Visibility: Show SIP messages, responses, and headers that reveal call setup/teardown failures.
  • Root cause: Expose mismatched codecs, SDP offer/answer problems, NAT traversal issues, or failed authentication.
  • Timing: Reveal delays, retransmissions, or jitter by showing timestamps and sequence numbers.
  • Media verification: Let you confirm RTP streams, SSRCs, payload types, and codec negotiation.
  • Custom fields: Vendor-specific extensions (MS-SIP, presence) are decoded so you can troubleshoot Lync-specific features.

Typical parser types and what to look for

  • SIP / MS-SIP: Call flow messages (INVITE, 200 OK, BYE), Contact/Via/From/To, Call-IDs, tags. Look for mismatched tags, missing headers, or unexpected 4xx–5xx responses.
  • SDP: Media descriptions (m= lines), codecs, ports, and connection addresses. Check offer/answer mismatches and incorrect IPs/ports (NAT).
  • RTP / RTCP: Payload types, SSRC, sequence numbers, timestamps, jitter, packet loss. Check for silence, out-of-order packets, or sequence gaps.
  • TLS / DTLS: If signaling/media are encrypted, confirm that the handshake succeeded and check for certificate validation errors (note: parsers won’t decrypt without keys).
  • Proprietary Lync/Skype fields: Presence, conferencing, and media optimization fields that affect behavior.

How to get and install parsers

  1. Use Microsoft-provided parsers shipped with Network Monitor or Message Analyzer (older versions).
  2. Download updated parser packs from Microsoft or community sources (ensure version compatibility with your Lync/Skype for Business release).
  3. Drop .parser files into NetMon’s parser directory or import into Message Analyzer. Restart the tool to load new parsers.

Practical troubleshooting workflow

  1. Capture setup: Capture on appropriate interface(s) near client, server, or edge depending on issue scope. Include both signaling and media paths.
  2. Apply parsers: Enable Lync/SIP/SDP/RTP parsers so frames are decoded into protocol trees.
  3. Filter by call: Use SIP Call-ID, From/To URIs, or conversation filters to isolate a single call.
  4. Follow dialog: Trace the SIP dialog: INVITE → 100/180/200 → ACK → RTP → BYE. Note errors or retransmits.
  5. Inspect SDP: Verify negotiated codecs, IP:port pairs, and whether media was actually established.
  6. Analyze RTP: Check sequence numbers, jitter, loss, SSRC changes, and RTCP reports to quantify media quality.
  7. Cross-check endpoints: Correlate client logs (Snooper, UCCAPI logs) and server-side logs with parsed packets for full context.
  8. Document findings: Record timestamps, packet numbers, and key fields for escalation.
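
Step 6 as an added example (not code from Network Monitor or any Lync parser pack): it decodes the fixed RTP header and derives the counters the workflow asks for, using the RFC 3550 interarrival jitter formula. The function names, the SSRC value and the sample packets are constructed for illustration; arrival times are capture timestamps in milliseconds.

```python
import struct

def parse_rtp(payload: bytes) -> dict:
    """Decode the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(payload) < 12:
        raise ValueError("truncated RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": b1 >> 7, "seq": seq, "ts": ts, "ssrc": ssrc}

def stream_stats(frames, clock_rate=8000):
    """frames: (arrival_ms, udp_payload) pairs for one SSRC, in capture order.
    Returns loss and reorder counts plus RFC 3550 interarrival jitter in ms."""
    lost = reordered = 0
    jitter = 0.0          # running estimate, in RTP timestamp units
    prev = None           # (seq, transit) of the newest in-order packet
    for arrival_ms, payload in frames:
        hdr = parse_rtp(payload)
        transit = arrival_ms * clock_rate / 1000 - hdr["ts"]
        if prev is not None:
            delta = (hdr["seq"] - prev[0]) & 0xFFFF   # survives 16-bit wraparound
            if delta == 0:
                continue                              # duplicate, ignore
            if delta >= 0x8000:                       # late (out-of-order) packet
                reordered += 1
                lost = max(lost - 1, 0)               # it was counted as a gap earlier
                continue
            lost += delta - 1
            jitter += (abs(transit - prev[1]) - jitter) / 16
        prev = (hdr["seq"], transit)
    return {"lost": lost, "reordered": reordered,
            "jitter_ms": jitter * 1000 / clock_rate}

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Build a constructed RTP packet (header plus 160 bytes of dummy audio)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + bytes(160)

# Constructed sample: 20 ms G.711 packets, one lost (seq 1), one arriving 8 ms late.
SAMPLE = [(0, make_rtp(65534, 1000)), (20, make_rtp(65535, 1160)),
          (40, make_rtp(0, 1320)), (88, make_rtp(2, 1640)),
          (100, make_rtp(3, 1800))]

if __name__ == "__main__":
    print(stream_stats(SAMPLE))
```

SRTP encrypts only the payload and leaves the RTP header in the clear, so these counters can still be computed on encrypted media.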

Common issues and parser-based indicators

  • One-way audio: RTP received only by one side; SDP contains private IP instead of public (NAT issue).
  • Calls fail to establish: Missing or malformed 200 OK/ACK; 4xx/5xx responses; authentication failures.
  • Codec mismatch: SDP shows unsupported codec or no common payload types.
  • High jitter/packet loss: RTP sequence gaps, high jitter values, frequent RTCP reports indicating loss.
  • Re-INVITEs and mid-call changes causing drops: Multiple SDP renegotiations with conflicting ports.
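
The SDP indicators in this list (private address in the connection line, no common codec, rejected media) can be checked mechanically once the offer and answer bodies are exported from a capture. The following is an added example, not part of any parser pack; the function names and the abbreviated SDP bodies are constructed, and it assumes the c= line carries an IP literal.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STATIC_PT = {"0": "pcmu/8000", "8": "pcma/8000", "9": "g722/8000", "18": "g729/8000"}  # RFC 3551

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                                  # FQDN or garbage in the c= line
        return False
    return any(ip in net for net in RFC1918)

def parse_sdp(text):
    """Return one dict per m= section: kind, port, connection address, codecs."""
    session, media = {"addr": None}, []
    for line in text.strip().splitlines():
        key, _, value = line.strip().partition("=")
        if key == "c":                                  # c=IN IP4 <address>
            target = media[-1] if media else session    # media-level overrides session-level
            target["addr"] = value.split()[2].split("/")[0]
        elif key == "m":                                # m=<kind> <port> <proto> <fmt ...>
            kind, port, _proto, *fmts = value.split()
            media.append({"kind": kind, "port": int(port.split("/")[0]), "addr": session["addr"],
                          "codecs": {pt: STATIC_PT.get(pt, "pt" + pt) for pt in fmts}})
        elif key == "a" and value.startswith("rtpmap:") and media:
            pt, name = value[len("rtpmap:"):].split(None, 1)
            if pt in media[-1]["codecs"]:
                media[-1]["codecs"][pt] = name.strip().lower()
    return media

def check_negotiation(offer, answer):
    """Flag the SDP indicators listed above; returns a list of findings."""
    findings, off, ans = [], parse_sdp(offer), parse_sdp(answer)
    for side, sections in (("offer", off), ("answer", ans)):
        for m in sections:
            if m["addr"] and is_rfc1918(m["addr"]):
                findings.append(f"{side} {m['kind']}: private address {m['addr']}:{m['port']}")
    for o, a in zip(off, ans):                          # answer m= lines mirror the offer's order
        if a["port"] == 0:
            findings.append(f"{a['kind']}: rejected by answerer (port 0)")
        elif not set(o["codecs"].values()) & set(a["codecs"].values()):
            findings.append(f"{a['kind']}: no common codec")
    return findings

# Constructed, abbreviated SDP bodies (only the c=, m= and a= lines are shown).
OFFER = "c=IN IP4 192.168.1.50\nm=audio 50000 RTP/AVP 0 8\nm=video 50002 RTP/AVP 96\na=rtpmap:96 H264/90000"
ANSWER = "c=IN IP4 203.0.113.10\nm=audio 52000 RTP/AVP 9\nm=video 0 RTP/AVP 96"
```

A private address is only a finding when the two endpoints sit on different sides of a NAT; for calls that stay inside one network it is expected.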

Tips and gotchas

  • Time sync: Ensure capture devices and endpoints are time-synced to correlate events.
  • Capture both legs: For edge/NAT issues, capture on internal and external interfaces.
  • Encrypted traffic: Parsers can parse TLS headers but not decrypt payloads without private keys. Use server-side logs or keying material when available.
  • Message Analyzer deprecated: Microsoft retired Message Analyzer; for newer environments, Wireshark with SIP/SDP/RTP dissectors and Lync-specific plugins is often used.
  • Parser versions: Use parsers matching your product version to ensure correct decoding of proprietary fields.

Quick reference filters (Network Monitor / Wireshark equivalents)

  • SIP calls: sip or tcp.port==5061 (TLS) / udp.port==5060 (non-TLS)
  • RTP streams: rtp or udp.port==
  • SDP offers: sdp
  • Filter by Call-ID: sip.Call-ID == "…"

Next steps

  • Capture a problematic call following the workflow above and review SIP/SDP/RTP fields highlighted. If you share anonymized packet details or specific error messages, I can help interpret them step‑by‑step.
