
Embedded PCAP

We are in need of pulling PCAPs for the purposes of determining if an issue with QoS is related to our internal network or our SIP provider. The topology is SIP PHONE<--------->RTP<------------>((GE0/0/1)CUBE Gateway(GE0/0/0)<----SIP Provider.

 

Since we have no other means, we are setting up an embedded PCAP via the CUBE Gateway, trying to capture from/to the SIP phone and the Gateway. All of the captures that we have gotten have no RTP or voice component captured. We are following the basic commands but none of the captures have any RTP or VOICE in them. We've tried using the Web interface and the IOS commands:

 

Here is an example of what we are using:

We are putting the IP address of the SIP phone in the "match ipv4" portion of the command in the hope of only getting data from this phone.

 

monitor capture GigabitEthernet 0/0/1 both
monitor capture Pen1004 match ipv4 X.X.X.X/32 any
monitor capture Pen1004 start

 

Thanks for any help.

 

 

 


I have my students do this in class, but using a different mechanism. Here is what they do:

1. Declare an access list to define the traffic to be captured. This is 'all traffic' ACL, but you can write the ACL to be more specific.

config t
access-list 101 permit ip any any

2. Configure the capture:

ip traffic-export profile CUBE_Debug mode capture
 bidirectional
 incoming access-list 101
 outgoing access-list 101
!
interface GigabitEthernet0/1
 ip traffic-export apply CUBE_Debug size 10000000
end

3. Start the capture:

traffic-export interface g0/1 start

4. Place some calls.

5. Stop the capture:

traffic-export interface g0/1 stop

6. Copy the traffic off to a TFTP or FTP server:

traffic-export interface gi0/1 copy tftp://<ip.of.tftp.server>/sip.pcap

Others here may have better suggestions, but I know this works for us. Good luck!

Maren

 

 

Steven L

In addition to @Maren Mahoney's response, if you are capturing signalling (SIP messages) but not RTP, you may be set up for flow-around media.

 

Also, I am not sure what you are troubleshooting from a QoS perspective, but most issues can be troubleshot without capturing packets.

Thanks for the reply.....
FYI we can see RTP traffic and SIP calls when we do ANY ANY captures, but since we only have the ability to do embedded captures within the CUBE gateway, this approach fills up our buffer within just a few seconds. What we need is to pull captures only from the user's phone that is currently having an issue, as seen by the command snippet I provided.

Can you include the phone's IP address in the ACL rather than an 'any any'?

access-list 101 permit ip any host <ip.of.phone>
access-list 101 permit ip host <ip.of.phone> any

Maren

Maren,
I'll give this a try and give feedback.... Thanks

I followed the commands per your response and included the IP address of the phone. The router is not liking the following portion: [Screenshot 2021-10-06 082521.jpg]

What router model and what IOS/IOS-XE is it running? Might be a version thing and you need a slightly different command.

Maren

ISR4431
IOS-XE
isr4400-universalk9.16.09.02
I tried expanding the command using the help "?" but not seeing anything.

Crap. My bad. I forgot that the traffic-export command is IOS and not IOS-XE. You were doing it mostly right in the first place.

Try this:

access-list 101 permit ip any host <ip.of.phone>
access-list 101 permit ip host <ip.of.phone> any

monitor capture Pen1004 interface GigabitEthernet 0/0/1 both
monitor capture Pen1004 access-list 101
monitor capture point Pen1004 file location flash:Pen1004.pcap
monitor capture Pen1004 start

That will save the capture directly to the flash (not filling up your buffer) and will also limit it to the one phone's IP address.

Maren
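
Once a capture limited to the phone's address has been exported, it can be checked offline for RTP, missing sequence numbers and DSCP marking per stream. This is an added example, not code from the thread or from Cisco; it assumes the export is a classic pcap file with Ethernet framing, and the function names, addresses and ports are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

def rtp_streams(pcap, phone_ip):
    """Per RTP stream to/from phone_ip: (packets seen, packets missing, last DSCP)."""
    phone = ip_address(phone_ip).packed
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    streams, off = defaultdict(lambda: {"packets": 0, "lost": 0, "last": None}), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip an 802.1Q (voice VLAN) tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                                      # not IPv4
        src, dst = frame[l3 + 12:l3 + 16], frame[l3 + 16:l3 + 20]
        if frame[l3 + 9] != 17 or phone not in (src, dst):
            continue                                      # not UDP, or not this phone
        udp = l3 + (frame[l3] & 0x0F) * 4
        rtp = frame[udp + 8:]
        if len(rtp) < 12 or rtp[0] >> 6 != 2 or 72 <= (rtp[1] & 0x7F) <= 76:
            continue                                      # not RTP version 2, or RTCP
        sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
        seq, _ts, ssrc = struct.unpack("!HII", rtp[2:12])
        s = streams[(str(ip_address(src)), sport, str(ip_address(dst)), dport, ssrc)]
        gap = 1 if s["last"] is None else (seq - s["last"]) & 0xFFFF
        if gap < 0x8000:                                  # late/reordered packets are not loss
            s["lost"] += max(gap - 1, 0)
            s["last"] = seq
        s["packets"] += 1
        s["dscp"] = frame[l3 + 1] >> 2
    return {k: (v["packets"], v["lost"], v["dscp"]) for k, v in streams.items()}

def sample_pcap(packets):  # constructed input: (src, dst, sport, dport, seq) per RTP packet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport, seq in packets:
        rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, 0x1234) + bytes(160)
        udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 20 + len(udp), 0, 0, 64, 17, 0,
                         ip_address(src).packed, ip_address(dst).packed) + udp
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":   # constructed call: phone 192.0.2.10, sequence 3 and 4 missing
    pkts = [("192.0.2.10", "192.0.2.1", 16384, 16400, s) for s in (1, 2, 5)]
    print(rtp_streams(sample_pcap(pkts), "192.0.2.10"))
```

An empty result for the phone's address means the capture holds no RTP for it; a non-zero missing count on the stream arriving from the provider side versus the phone side indicates on which leg packets are being dropped.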

 

Simon Edwards

Hi 

I'm doing the same thing here, and capturing a lovely amount of data, but for some reason (I'm using IOS-XE as well) I'm unable to export this to my tftp server.

I'm following the Cisco docs from https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

But when I get to the bit where I do :-

monitor capture CAP export tftp://10.0.0.1/CAP.pcap

I get an error -   Failed to Export : Failed to create export file.

I tried  ip tftp source-interface g0/0/1 but this didn't help.  Now I'm out of ideas.

Did you use the exact command you wrote or was that a typo? The correct command is

monitor capture PCAP export tftp://x.x.x.x/PCAP.pcap
-or-
monitor capture PCAP export ftp://x.x.x.x/PCAP.pcap

Have you verified that the file transfer to the tftp/ftp server is working by transferring a different file?

Maren

Yes, I did use that exact command, as that was the exact command provided in the Cisco docs I linked to. (And I think that word in caps is just a word used to identify the name of the capture, so it can be pretty much anything, I think?).

Anyway, I got to the bottom of the problem, and it was simply that our TFTP server had been set up to prevent new files being created, as a security measure. So I simply created an empty file on the TFTP server, and the command then worked perfectly, as it was overwriting a file that was already there (allowed) rather than creating a new file (not allowed).