There are multiple ways to capture packets on a network, but since not all networks are created equal, this post will focus on the two most common elements of any Cisco UC deployment: an IP Phone and CUCM.
Collecting a packet capture from a Cisco IP Phone.
1- Connect the phone to the switch and the computer doing the capture as normal.
2- Enable Span to PC port.
On Call Manager Administration go to Device > Phone > Select the appropriate phone.
Set Span to PC Port to Enabled.
Save and Apply Config so the phone can retrieve the new configuration file.
3- Start collecting files using Wireshark.
For more information check this video. In future posts we will dissect a packet capture step by step.
4- Disable Span to PC port.
For security reasons, disable this feature once troubleshooting and/or packet capture is completed.
Collecting a packet capture from a CUCM
Due to the huge number of packets this could collect, it is recommended to limit the capture with the correct filter.
1- Log in to the CUCM command line interface (CLI).
There is only one command here, utils network capture, but endless filter options.
2- Set the correct filters.
The examples below are not an exhaustive list of all the possible options but rather a guideline on how to use this command. Please refer to the documentation for all the options.
- file fname : sends output to a file, saved as platform/cli/fname.cap.
- port num : limits capture to a specific port number (either source or destination port).
- host prot addr : limits capture to traffic to and from a specific host. Options for prot are [ip | arp | rarp | all], and addr should be in IPv4 or hostname format. If host is used, src or dest should not be provided.
utils network capture eth0 – captures IP packets on the specified Ethernet interface.
utils network capture eth0 file MYCAPTURE – captures on eth0 and saves the capture as MYCAPTURE.cap.
utils network capture eth0 file MYCAPTURE port 5060 – MYCAPTURE.cap will only contain packets with port 5060 (SIP).
utils network capture eth0 file MYCAPTURE port 5060 host all 10.2.3.4 – MYCAPTURE.cap will only contain packets from and to 10.2.3.4 with port 5060 (SIP).
NOTE: Press Control-C to stop capturing packets.
3- Download the file.
To transfer the file to an SFTP server from the CLI use the command: file get activelog platform/cli/MYCAPTURE.cap
To download using RTMT go to Trace & Log Central > Collect Files > Packet Capture Logs.
NOTE: Using RTMT will download all the files available on the specific server(s) during the defined time window.
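An added example, not from the original post: a Python check to run on a downloaded capture before sharing it, listing any TCP/UDP packet that falls outside the port 5060 / host 10.2.3.4 filter used above. The function names and the sample packets are constructed for illustration, and the reader assumes a classic pcap file with Ethernet framing.

```python
import socket
import struct

def flows(pcap):
    """Yield (src, dst, sport, dport) for each IPv4 TCP/UDP packet in a classic pcap."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    order = "<" if magic == 0xA1B2C3D4 else ">"      # byte order of the writer
    if struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24                                          # end of the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, off + 8)[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
        if len(frame) < l3 + 20 or frame[l3 - 2:l3] != b"\x08\x00":
            continue                                  # not IPv4, or truncated
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] not in (6, 17) or len(frame) < l3 + ihl + 4:
            continue                                  # not TCP/UDP
        sport, dport = struct.unpack_from("!HH", frame, l3 + ihl)
        yield (socket.inet_ntoa(frame[l3 + 12:l3 + 16]),
               socket.inet_ntoa(frame[l3 + 16:l3 + 20]), sport, dport)

def outside_filter(pcap, port, host):
    """Return flows that a 'port <port> host all <host>' capture should not contain."""
    return [f for f in flows(pcap) if port not in f[2:] or host not in f[:2]]

def build_sample(packets):
    """Constructed test data: Ethernet/IPv4/UDP frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport in packets:
        udp = struct.pack("!HHHH", sport, dport, 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = build_sample([("10.2.3.4", "10.2.3.10", 5060, 5060),    # SIP, wanted
                       ("10.2.3.10", "10.2.3.4", 5060, 49152),   # SIP, wanted
                       ("10.2.3.99", "10.2.3.10", 5060, 5060),   # wrong host
                       ("10.2.3.4", "10.2.3.10", 16384, 16384)]) # wrong port
```

An empty list from outside_filter means every TCP/UDP packet in the file matched the filter; non-IP frames such as ARP are skipped rather than reported.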