cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
775
Views
40
Helpful
9
Replies

Embedded PCAP

We are in need of Pulling PCAP's for the purposes of determining if an issue with QOS is related to our internal network or our SIP provider.  The topology is   SIP PHONE<--------->RTP<------------>((GE0/0/1)CUBE Gateway(GE0/0/0)<----SIP Provider.

 

Since we have no other means, we are setting up an embedded PCAP via the CUBE Gateway, trying to capture from/to the SIP phone and the Gateway.  All of the captures that we have gotten have no RTP or voice component captured.  We are following the basic commands but none of the the captures have any RTP or VOICE in them.   We've tried using the Web interface and the IOS commands:

 

Here is an example of what we are using:

we are putting the IP address of the SIP phone  in the "match ipv4" portion of the command in hope to only get data from this phone.

 

montior capture GigabitEthernet 0/0/1 both
monitor capture Pen1004 match ipv4 X.X.X.X/32 any
monitor capture Pen1004 start

 

Thanks for any help.

 

 

 

9 Replies 9

I have my students do this in class, but using a different mechanism. Here is what they do:

1. Declare an access list to define the traffic to be captured. This is 'all traffic' ACL, but you can write the ACL to be more specific.

config t
access-list 101 permit ip any any

2. Configure the capture:

ip traffic-export profile CUBE_Debug mode capture
 bidirectional
 incoming access-list 101
 outgoing access-list 101
!
interface GigabitEthernet0/1
 ip traffic-export apply CUBE_Debug size 10000000
end

3. Start the capture:

traffic-export interface g0/1 start

4. Place some calls.

5. Stop the capture:

traffic-export interface g0/1 stop

6. Copy the traffic off to a TFTP or FTP server:

traffic-export interface gi0/1 copy tftp://<ip.of.tftp.server>/sip.pcap

Others here may have better suggestions, but I know this works for us. Good luck!

Maren

 

 

Steven L
Spotlight
Spotlight

in addition to @Maren Mahoney 's response, if you are capturing signalling (SIP Messages) but not RTP, you may be setup for flow around media.

 

Also, i am not sure what you are troubleshooting from a QoS perspective, but most issues can be troubleshot without capturing packets.

Thanks for the reply.....
FYI we can see RTP traffic and SIP calls when we do ANY ANY captures, but since we only have the ability to do embedded captures within the CUBE gateway-this approach fills up our buffer within just a few seconds. What we need is to pull captures only from the user's phone that is currently having an issue as seen by the command snippet I provided..

Can you include the phone's IP address in the ACL rather than an 'any any'?

access list 101 permit ip any host <ip.of.phone>
access list 101 permit ip host <ip.of.phone> any

Maren

Maren,
I'll give this a try and give feedback.... Thanks

I followed the commands per your response and included the IP address of the phone.  The router is not liking the following portion Screenshot 2021-10-06 082521.jpg

What router model and what IOS/IOS-XE is it running? Might be a version thing and you need a slightly different command.

Maren

ISR4431
IOS-XE
isr4400-universalk9.16.09.02
I tried expanding the command using the help "?" but not seeing anything.

Crap. My bad. I forgot that the traffic-export command is IOS and not IOS-XE. You were doing it mostly right in the first place.

Try this:

access list 101 permit ip any host <ip.of.phone>
access list 101 permit ip host <ip.of.phone> any

monitor capture Pen1004 interface GigabitEthernet 0/0/1 both
monitor capture Pen1004 access-list 101
monitor capture point Pen1004 file location flash:Pen1004.pcap
monitor capture Pen1004 start

That will save the capture directly to the flash (not filling up your buffer) and will also limit it to the one phone's IP address.

Maren