10-04-2021 08:34 AM
We are in need of pulling PCAPs for the purposes of determining if an issue with QoS is related to our internal network or our SIP provider. The topology is SIP PHONE<--------->RTP<------------>(GE0/0/1)CUBE Gateway(GE0/0/0)<----SIP Provider.
Since we have no other means, we are setting up an embedded PCAP via the CUBE Gateway, trying to capture from/to the SIP phone and the Gateway. All of the captures that we have gotten have no RTP or voice component captured. We are following the basic commands but none of the captures have any RTP or voice in them. We've tried using the web interface and the IOS commands:
Here is an example of what we are using:
We are putting the IP address of the SIP phone in the "match ipv4" portion of the command in the hope of only getting data from this phone.
monitor capture GigabitEthernet 0/0/1 both
monitor capture Pen1004 match ipv4 X.X.X.X/32 any
monitor capture Pen1004 start
Thanks for any help.
10-04-2021 12:24 PM - edited 10-04-2021 12:25 PM
I have my students do this in class, but using a different mechanism. Here is what they do:
1. Declare an access list to define the traffic to be captured. This is an 'all traffic' ACL, but you can write the ACL to be more specific.
config t
access-list 101 permit ip any any
2. Configure the capture:
ip traffic-export profile CUBE_Debug mode capture
 bidirectional
 incoming access-list 101
 outgoing access-list 101
!
interface GigabitEthernet0/1
 ip traffic-export apply CUBE_Debug size 10000000
end
3. Start the capture:
traffic-export interface g0/1 start
4. Place some calls.
5. Stop the capture:
traffic-export interface g0/1 stop
6. Copy the traffic off to a TFTP or FTP server:
traffic-export interface gi0/1 copy tftp://<ip.of.tftp.server>/sip.pcap
Others here may have better suggestions, but I know this works for us. Good luck!
Maren
10-04-2021 12:45 PM - edited 10-04-2021 12:45 PM
In addition to @Maren Mahoney's response, if you are capturing signalling (SIP messages) but not RTP, you may be set up for flow-around media.
Also, I am not sure what you are troubleshooting from a QoS perspective, but most issues can be troubleshot without capturing packets.
10-04-2021 01:15 PM
10-04-2021 03:39 PM
Can you include the phone's IP address in the ACL rather than an 'any any'?
access-list 101 permit ip any host <ip.of.phone>
access-list 101 permit ip host <ip.of.phone> any
Maren
10-05-2021 08:40 AM
10-06-2021 07:27 AM
I followed the commands per your response and included the IP address of the phone. The router is not liking the following portion
10-06-2021 07:58 AM
What router model and what IOS/IOS-XE is it running? Might be a version thing and you need a slightly different command.
Maren
10-06-2021 08:46 AM
10-06-2021 10:32 AM
Crap. My bad. I forgot that the traffic-export command is IOS and not IOS-XE. You were doing it mostly right in the first place.
Try this:
access-list 101 permit ip any host <ip.of.phone>
access-list 101 permit ip host <ip.of.phone> any
monitor capture Pen1004 interface GigabitEthernet 0/0/1 both
monitor capture Pen1004 access-list 101
monitor capture point Pen1004 file location flash:Pen1004.pcap
monitor capture Pen1004 start
That will save the capture directly to the flash (not filling up your buffer) and will also limit it to the one phone's IP address.
Maren
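Once the capture file is off the router, a quick check of whether it contains any RTP to or from the phone, and whether the sequence numbers have gaps, answers the original question directly. This is an added example, not part of the thread or of Cisco's tooling: the function names, addresses and sample packets are constructed, it reads classic pcap (not pcapng) with Ethernet framing, and RTP detection is a heuristic (UDP payload with RTP version 2).

```python
import socket
import struct

def rtp_streams(pcap_bytes, phone_ip):
    """Return {ssrc: (packets, lost)} for RTP-looking UDP to or from phone_ip."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if end is None or struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    phone, streams, off = socket.inet_aton(phone_ip), {}, 24
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])[0]
        frame, off = pcap_bytes[off + 16:off + 16 + incl], off + 16 + incl
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip an 802.1Q tag
        ip = frame[l3:]
        if frame[l3 - 2:l3] != b"\x08\x00" or len(ip) < 20 or ip[9] != 17:
            continue  # not IPv4 carrying UDP
        if phone not in (ip[12:16], ip[16:20]):
            continue  # neither source nor destination is the phone
        rtp = ip[(ip[0] & 0x0F) * 4 + 8:]  # skip IP header and 8-byte UDP header
        # Heuristic: RTP version 2, and not an RTCP packet type (200-204).
        if len(rtp) < 12 or rtp[0] >> 6 != 2 or 200 <= rtp[1] <= 204:
            continue
        seq, _ts, ssrc = struct.unpack("!HII", rtp[2:12])
        count, lost, last = streams.get(ssrc, (0, 0, None))
        gap = 1 if last is None else (seq - last) & 0xFFFF
        if 0 < gap < 0x8000:  # ignore duplicates and late (reordered) packets
            lost, last = lost + gap - 1, seq
        streams[ssrc] = (count + 1, lost, last)
    return {ssrc: (c, l) for ssrc, (c, l, _) in streams.items()}

def sample_pcap(phone="10.1.1.50", gw="10.1.1.1"):
    """Constructed sample: one SIP datagram, then 4 RTP packets with seq 102 missing."""
    def frame(src, dst, payload, port):
        udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 20 + len(udp), 0, 0, 64, 17,
                         0, socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + udp
    frames = [frame(phone, gw, b"OPTIONS sip:gw SIP/2.0\r\n\r\n", 5060)]
    for seq in (100, 101, 103, 104):
        hdr = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x1234ABCD)
        frames.append(frame(phone, gw, hdr + b"\xff" * 160, 16384))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(rtp_streams(sample_pcap(), "10.1.1.50"))
```

An empty result for the phone's address means the file holds signalling only, which matches the symptom described at the top of the thread.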
08-09-2024 08:33 AM
Hi
I'm doing the same thing here, and capturing a lovely amount of data, but for some reason (I'm using IOS-XE as well) I'm unable to export this to my tftp server.
I'm following the Cisco docs from https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
But when I get to the bit where I do :-
monitor capture CAP export tftp://10.0.0.1/CAP.pcap
I get an error - Failed to Export : Failed to create export file.
I tried ip tftp source-interface g0/0/1 but this didn't help. Now I'm out of ideas.
08-12-2024 05:16 AM - edited 08-12-2024 05:16 AM
Did you use the exact command you wrote or was that a typo? The correct command is
monitor capture PCAP export tftp://x.x.x.x/PCAP.pcap
-or-
monitor capture PCAP export ftp://x.x.x.x/PCAP.pcap
Have you verified that the file transfer to the tftp/ftp server is working by transferring a different file?
Maren
08-12-2024 06:43 AM
Yes, I did use that exact command, as that was the exact command provided in the Cisco docs I linked to. (And I think that word in caps is just a word used to identify the name of the capture, so it can be pretty much anything, I think?).
Anyway, I got to the bottom of the problem, and it was simply that our TFTP server had been set up to prevent new files being created, as a security measure. So I simply created an empty file on the TFTP server, and the command then worked perfectly, as it was overwriting a file that was already there (allowed) rather than creating a new file (not allowed).