Community.cisco.com



To perform a packet capture (TCPdump) on a VCS

If TLS is on, we will need to capture the VCS debugs at the same time. (Ensure the call is not encrypted by turning TLS mode “off” unless otherwise requested.)

This can be done via the web page of your VCS. Navigate to: VCS > VCS Configuration > Protocols > SIP > Configuration: TLS Mode – Off

Please provide the Source IP (Endpoint & s/w), the VCS IP and the Destination IP (Endpoint & s/w).

Port Span/Mirroring

For devices that can't run packet captures natively or locally (for instance an MCU), you will need to perform a port span of the switch port the device is connected to. For a Cisco switch, you can run the following as an example to take all traffic to and from a device (MCU) connected to Fa2/0/10 and also send (mirror) it to Fa2/0/5 (PC). You would then want a network analyzer or a PC running Wireshark connected to Fa2/0/5 to capture the mirrored traffic being sent to the device on Fa2/0/10. “Both” in the 1st command below specifies to capture transmit and receive packets. Please see the following link for more details on configuring SPAN.

(must be in “config t” mode)

    My_Switch(config)# monitor session 1 source interface Fa2/0/10 both
    My_Switch(config)# monitor session 1 destination interface Fa2/0/5

Note: The PC that is connected to the destination port will have limited access, as the switch is not listening to inbound requests on that port until monitoring is turned off.

Remember to turn off the port span once done:

    My_Switch(config)# no monitor session 1 source interface Fa2/0/10 both
    My_Switch(config)# no monitor session 1 destination interface Fa2/0/5

On the Destination PC, if using Wireshark to capture the traffic, you can use the following filter to exclude media on UDP ports 50000 to 59999. Change the media port range to reflect your capture.

    not (udp.port >= 50000 and udp.port <= 59999)

TCPdump on VCS

Log into the VCS using any SSH client on port 22, i.e.
PuTTY.

For Mac, you can use Terminal with the following command, where “x” is the IP of the VCS:

    ssh root@xxx.xxx.xxx.xxx

Note: In the example below, we used PuTTY.exe, a publicly free downloadable application for Windows.

When prompted for a user name, use root and provide the current root password.

Once you are logged in, please issue the following commands. This will make a directory named traces in a safe location to store larger files. Note: If you do not do this, creating large files in the default login location may cause performance problems, a crash or reboot.

    cd /mnt/harddisk
    mkdir traces
    cd traces

To perform the packet capture, issue the following command:

    tcpdump -w <filename>.pcap -s 0 -i any

    -w  = Writes raw packets to the named file
    -s  = Captures complete packets regardless of packet length
    0   = the packet size limit for the “-s” switch; zero means no limit
    -i  = Specifies an interface (eth1, eth2 or any)
    any = all interfaces

Note: You can rename “tcpdump1.pcap” to something more recognizable, i.e. “vcsc01.pcap” or “vcse01.pcap” to indicate if VCS Control or Expressway.

Recreate your issue and press Ctrl+C to stop the capture.

For TCPdump without media: (To decrease file size if only signaling is needed)

    tcpdump not portrange 50000-59999 and not portrange 2776-2777 -w <filename>.pcap -s 0 -i any

Note: To verify the correct media ports to filter in the above command, log into the VCS and go to (VCS > Maintenance > Tools > Port Usage > Local inbound ports).

Use the SCP protocol to retrieve the files from the VCS. Log in using the root username and password.

For Mac, use Terminal, as the SCP protocol is installed by default. Below is an example of how to use it:

    scp root@vcsc.:/mnt/harddisk/traces/tcpdump1.pcap /Users/mlimbric/Documents/traces

Note: After you type the command part below, add a space after pcap and use Finder to find the folder where you want the pcap trace to transfer to. Next, drag the folder to the terminal window. It will automatically type the folder path for you, i.e.
/Users/mlimbric/Documents/traces (a folder named traces under the Documents folder for the user mlimbric).

The file location /mnt/harddisk/traces/ is limited to 2.9Gb of space. If the limit is reached, the VCS might go into maintenance mode, reboot or crash.

On the VCS, you can run “df -h” to see how much space is available. As you will see, /mnt/base/ has the most free space:

    ~ # df -h
    Filesystem      Size  Used  Avail  Use%  Mounted on
    /dev/sda6       955M  442M  465M   49%   /
    devtmpfs        3.0G  256K  3.0G   1%    /dev
    /dev/ram0       190M  23M   158M   13%   /var
    /dev/ram1       1.5G  4.9M  1.4G   1%    /tmp
    /dev/sda8       955M  587M  320M   65%   /tandberg
    /dev/sdb2       11G   7.2G  2.9G   72%   /mnt/harddisk
    /dev/tmp        1.5G  4.9M  1.4G   1%    /tmp
    /dev/tmpstore   180K  14K   157K   9%    /var/tmpstore

Once you can validate the file has been copied to your local computer, you can delete the capture off the VCS with the following command while logged in as root during an SSH session.

    rm /mnt/harddisk/traces/tcpdump1.pcap

or

    rm /mnt/harddisk/traces/*.*

From WinSCP, you can right-click the .pcap file in the right window pane and select delete.

Note: Remember to change the file name tcpdump1.pcap if you named it something else.

In the example below, we used WinSCP, a publicly free downloadable application for Windows.

After you are logged in, select the root folder.

In the top right drop-down, select “/ <root>”.

In the right window pane, from the root folder, navigate to /mnt/harddisk/traces. You should see the new “tcpdump1.pcap” file (or whatever you named it).

In the left window pane, navigate to a location on your PC where you would like to store the file (i.e. Desktop).

In the right window pane, select the “tcpdump1.pcap” file, drag it to the left window pane and release it in the location on your PC where you would like to copy the file to.

Once the file is on your PC, you can delete it off the VCS. Then please email it to me and be sure to cc "attach@" with the case number XXXXXXX in the subject line.
If the file is larger than 20Mb, you will need to log into the case online and upload it directly.

***Please also be sure to provide the IP address of the VCS you took the packet capture from, and the source & destination IP addresses of the devices we are monitoring.

TCPdump on TC7.1 and higher series Endpoints

Note: Tandberg MXP and Classic endpoints cannot run packet captures. For these systems, you will need to port span.

Starting on TC7.1, the “root” account has been locked and can only be accessed with assistance from TAC. As an added feature, you can now perform packet captures from the Web interface of the codec.

Note: If longer captures are needed, you will need to enable the “remotesupport” user account and run the “tcpdump” commands with “sudo”:

    sudo tcpdump -w <filename>.pcap -s 0

For TCPdump without media: (To decrease file size if only signaling is needed)

    sudo tcpdump not portrange 2366-2486 -w <filename>.pcap -s 0 -i any

Note: To verify the correct media ports to filter in the above command, log into the endpoint and go to (Configuration > System Configuration > RTP Port Range).

Navigate to Diagnostics > Log Files.

From the “Extended logging” section, select “Include a full packet capture” for most issues (includes RTP media) and “Include a limited packet capture” for signaling-only issues. By default, full captures will run for 3 minutes and limited will run for 10 minutes. This is to prevent the captures from filling up too much space in memory. Any captures that need to run for a longer period will need to be performed from the “remotesupport” user account with assistance from TAC or via a port span.

Once the capture is running, you will need to click on “Stop extended logging” when finished.

You should then have a file named “extendedlogging.pcap” available on the same page that contains the capture just taken.
Click the link to download the file.

TCPdump on TC7.1 and below series Endpoints

Pre TC4.x software, the root account by default is usually disabled and you will need to SSH into the unit with the admin account to enable it with the following command:

    systemtools rootsettings on <password>

For <password>, add any password you want to assign for the root account (i.e. password1). You may need to provide the current admin or root password if prompted.

Log out of the SSH session and log back in with the root account. Navigate to /mnt/base and create a new directory called traces with the following:

    cd /mnt/base
    mkdir traces
    cd traces

To perform the packet capture, issue the following command:

    tcpdump -w <filename>.pcap -s 0

    -w  = Writes raw packets to the named file
    -s  = Captures complete packets regardless of packet length
    0   = (zero) the packet size limit for the “-s” switch; zero means no limit

For TCPdump without media: (To decrease file size if only signaling is needed)

    tcpdump not portrange 2366-2486 -w <filename>.pcap -s 0 -i any

Note: To verify the correct media ports to filter in the above command, log into the endpoint and go to (Configuration > System Configuration > RTP Port Range).

Note: You can rename the file tcpdump1.pcap to something more recognizable, i.e. “EX90.pcap” or “C40.pcap”.

Recreate your issue and press Ctrl+C to stop the capture.

Use the SCP protocol to retrieve the files from the VCS (WinSCP for Windows). Log in using the root username and password. Once you have verified that a copy of the .pcap file is on your local PC, delete it from the endpoint.

The file location /mnt/base/traces/ is limited to 1.5Gb of space. If the limit is reached, the endpoint might go into maintenance mode and reboot/crash. You can run “df -h” to see how much space is available.
As you will see, /mnt/base/ has the most free space:

    [test-endpoint:]$ df -h
    Filesystem       Size  Used  Avail  Use%  Mounted on
    none             250M  1.0M  249M   1%    /dev/shm
    none             250M  136K  250M   1%    /tmp
    none             250M  5.8M  244M   3%    /var
    /dev/mtdblock1   2.0G  599M  1.5G   30%   /mnt/base
    /dev/loop0       7.5M  7.5M  0      100%  /devel
    /dev/loop1       28M   28M   0      100%  /extra
    /dev/loop2       43M   43M   0      100%  /apps
    /dev/loop3       6.5M  6.5M  0      100%  /sounds
    /dev/loop4       16M   1.2M  14M    9%    /config
    /dev/loop5       16M   146K  15M    1%    /user
    /dev/loop6       2.0M  21K   1.9M   2%    /armuser
    /dev/loop7       7.8M  558K  6.9M   8%    /uifs
    /dev/loop8       1.5M  1.5M  0      100%  /web

Remember to log back into the CLI as admin and disable the root account:

    systemtools rootsettings off
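
The 2.9Gb limit on /mnt/harddisk/traces and the 1.5Gb limit on /mnt/base/traces both mean that an unbounded capture can fill the volume and take the device down. The following is an added example, not part of the original page and not Cisco tooling: it reads `df -Pk` output and prints a tcpdump command with a size-capped ring buffer. The helper name `plan_capture`, the 50% budget, the sample df values, and the assumptions that the device's df accepts -Pk and its tcpdump accepts the standard -C and -W options are all hypothetical.

```shell
#!/bin/sh
# Added example, not Cisco tooling. Plans a size-capped tcpdump ring buffer
# from `df -Pk` output so the capture volume cannot fill up.
# Assumption: the device's tcpdump accepts the standard -C and -W options.

# Constructed sample of `df -Pk` output (values are illustrative only).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda6 977920 452608 476160 49% /
/dev/sdb2 11534336 7549747 3040870 72% /mnt/harddisk'

# plan_capture MOUNT FILE [PERCENT] [FILES] [FILTER]
# Reads `df -Pk` on stdin; prints a tcpdump command whose ring buffer
# (FILES files of equal size) uses at most PERCENT of the free space on MOUNT.
plan_capture() {
    mount=$1; file=$2; pct=${3:-50}; files=${4:-4}; filter=${5:-}
    free_kb=$(awk -v m="$mount" 'NR > 1 && $6 == m { print $4 }')
    if [ -z "$free_kb" ]; then
        echo "mount point $mount not found in df output" >&2
        return 1
    fi
    # -C counts units of 1,000,000 bytes. 1 KB is 1024 bytes, so KB/1000
    # slightly underestimates the free space, which errs on the safe side.
    budget=$(( free_kb / 1000 * pct / 100 ))
    per_file=$(( budget / files ))
    if [ "$per_file" -lt 1 ]; then
        echo "not enough free space on $mount for a capture" >&2
        return 2
    fi
    cmd="tcpdump -i any -s 0 -C $per_file -W $files -w $mount/traces/$file"
    # Optional filter expression, e.g. the page's media-port exclusion.
    if [ -n "$filter" ]; then
        cmd="$cmd '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# Demo on the constructed sample: cap the capture at half of the free space.
printf '%s\n' "$SAMPLE_DF" | plan_capture /mnt/harddisk vcsc01.pcap 50 4 \
    'not portrange 50000-59999 and not portrange 2776-2777'
```

With -W the oldest file is overwritten once the ring is full, so stop the capture soon after recreating the issue. tcpdump appends a numeric suffix to each file name in the ring.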
