Howto:Pcap

From innovaphone wiki

With remote PCAP, network traffic can be captured directly from another network device instead of from your own device.

Remote PCAP

Requirements

You may also use newer builds, but make sure they are supported by our plugin DLL. See Versions below for a list of supported versions.
  • To view the standard debug output of ISDN LAPD/Q.931 packets, you have to install the innovaphone plugin (innovaphone_win32.dll or innovaphone_win64.dll, depending on your installed wireshark version, 32 bit or 64 bit). To convert text log output (from the Maintenance/Tracing page) you can use log2pcap.exe.
To download both items, open the V6 application page, select the 6000055 folder and download the tools.zip.
Again, if you use newer builds, make sure you download the DLLs from the appropriate apps package (see Versions below).
To install a DLL version 1059 or earlier, just copy it to your wireshark plugin directory and pay attention to your currently used version (e.g.: c:\programme\wireshark\plugins\1.12.0\). Note that you need to re-install the DLL each time you update wireshark.
To install a DLL version 1060 or later, just copy it to your wireshark plugin epan directory and pay attention to your currently used version (e.g.: c:\programme\wireshark\plugins\2.6\epan\). Note that you need to re-install the DLL each time you update wireshark.
PCAP ISDN example

Using Wireshark Legacy

Starting with version 2, wireshark has a new user interface. Unfortunately, we found this to be sluggish and buggy. For that reason, we strongly recommend using wireshark's legacy version. It is available as an option (Wireshark 1, The classic user interface) in the installer's item selection. You may also want to associate the trace file extensions (.pcap, .pcapng etc.) with Wireshark Legacy instead of the standard version (also available in the setup dialogue).

Setting up the rpcap server

  • The rpcap server can be any innovaphone device.
  • The remote pcap server is disabled by default. To enable it, just go to Diagnostics->Tracing and check the "Enable" flag in the "Remote PCAP" group. If you are experiencing problems, also enable the trace flag with "config add PCAP /trace".
  • To capture all IP traffic (UDP and TCP), enable the "IP (all tcp/udp traffic)" flag in the group "IP". Otherwise just enable all the trace flags on the modules you want to capture.

Capturing with wireshark

1.x.x - 1.7.x

Open your wireshark and the capture options dialogue. Choose "remote" from the dropdown list and type "<IP-ADDRESS>/TRACE" into the host field.

It should look like this: (Screenshot from older Wireshark, v.1.2.2)

[Screenshot: Wireshark capture options]

Then just click on "Start" to start capturing.

>= 1.8.x

Open your wireshark and go to "Capture Options"->"Manage Interfaces"->"Remote Interfaces". Add the IP address of your device.
The remote interface will now be listed among your interfaces and you can select it for capturing data.

[Screenshot: Wireshark capture options]


>= 2.0.0

[Screenshot: Wireshark capture options]

>= 3.0.0

With the latest innovaphone Firmware (e.g. 13r1 SR11), Wireshark is supported again if you use the latest wireshark DLL.

If you're running older firmware versions:

The innovaphone.dll is currently not supported with this Wireshark version. Please do not upgrade to Wireshark 3.0 or later.


RPCAP does not currently work with innovaphone devices in newer Wireshark versions. If you only want to pull general remote PCAPs with it, you can also try the Wireshark Pipe feature. For this you have to create a new pipe interface in Wireshark in the following format.

rpcap://[ip-address]/trace

During our tests we experienced some problems with it. Alternatively, you can add the pipe interface via the command line. First change to the Wireshark directory, then run the following command, replacing [ip-address] with the innovaphone IP address.

C:\Program Files\Wireshark>wireshark -ni rpcap://[ip-address]/trace

>= 4.0.7

Wireshark doesn't support 32bit Windows builds anymore, so there is just a 64bit version of the DLL now.

Supported protocols

  • ISDN: LAPD L2/L3 with dissector innovaphone.dll (enable Diagnostics->Tracing TELX/PRIX/PPP)
  • AC DSP: dsp with dissector Ac49xPacketRecording.dll (enable Diagnostics->Tracing->VOIP DSP)
  • PPPoE: flag "/pcap" on module(s) PPPOE0/PPPOE1 enables pcap tracing
  • All TCP/UDP protocols which are supported by native wireshark dissectors or by other dissectors which can be found by searching the internet.

e.g. SIP, H.323, H.245

Enable the corresponding flags under Diagnostics->Tracing, if you only want to see specific UDP/TCP protocols. To see all, enable the "All TCP/UDP Traffic" flag under Diagnostics->Tracing.

PCAP Log

Another possibility to get a pcap log file is to open http://IP/log.pcap. This file has a limited size, just like the normal log file.

log2pcap

If you have a log.txt file which contains pcap packets and you want to view them in wireshark, you need the tool log2pcap. You can find the tool in the apps tools package (see above).

Usage:

  1. log2pcap.exe input1 input2 ... inputX
  2. drag&drop one or more files on the log2pcap.exe
  3. use an asterisk like "log2pcap c:\*.txt" to convert all txt files into pcap files. Things like c:\test*.txt are not supported.
  • The resulting file name is always inputx.pcap (e.g. log.txt is converted into log.txt.pcap).

Note: if you have a trace of a little endian box (e.g. IP3000, IP21) with V6 SR1 or SR2, you have to use the "-srlefix" switch (available since 08-1007):

log2pcap.exe input1 -srlefix

General Information

Reading PCAP Traces

Non-IP Pcap packets

Non-IP packets will nevertheless show source and destination IP addresses. 127.0.0.1 stands in for the traced device. So if, for example, a Q.931 SETUP message is sent from 127.0.0.0 to 127.0.0.1, then it is an incoming setup.

MAC: 00:90:33:00:00:00

Sometimes people wonder why 00:90:33:00:00:00 appears as source or destination MAC address in a pcap. The direction of the packets can be analyzed based on the MAC address:

  • The device's MAC address is used as source only if a packet is sent.
  • The device's MAC address is used as destination only if a packet is received.

The other field is filled with 00:90:33:00:00:00.

Disabling PCAP traces

You can disable the whole pcap tracing. Just configure a /disable-pcap to the CMD0 module. This can be useful if you do not want to see pcap traces in your log file.

Used ports

  • The debug traces are encapsulated in UDP packets with port 4.
  • The ISDN traces are encapsulated in UDP packets with port 4.
  • The AC DSP traces are encapsulated in UDP packets with port 50001.
  • Wireshark uses port 2002 to connect to the running rpcap server.
  • rpcap packets are transferred over a dynamically assigned port between server and client.
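The three sections above (Non-IP Pcap packets, MAC: 00:90:33:00:00:00 and Used ports) together describe how to read an innovaphone trace: the direction follows from which side carries the device's MAC, the trace type from the UDP port, and the IP header carries the dummy values listed under Known Problems. The following is an added example, not innovaphone code: a small pure-Python classifier that applies those rules to frames read from a classic pcap file (for instance http://IP/log.pcap or the output of log2pcap). The device MAC 00:90:33:aa:bb:cc and the two embedded frames are constructed sample data.

```python
import struct

PLACEHOLDER_MAC = bytes.fromhex("009033000000")   # stands in for "the other side"
TRACE_PORTS = {4: "debug/isdn", 50001: "ac-dsp"}   # UDP ports the trace encapsulation uses

def classify_frame(frame, device_mac):
    """Return (direction, trace_type, synthetic_ip_header) for one Ethernet frame."""
    dst, src, ethertype = frame[:6], frame[6:12], frame[12:14]
    if src == device_mac and dst == PLACEHOLDER_MAC:
        direction = "sent"        # device MAC is the source only for packets the device sent
    elif dst == device_mac and src == PLACEHOLDER_MAC:
        direction = "received"    # device MAC is the destination only for packets it received
    else:
        direction = "unknown"
    if ethertype != b"\x08\x00":
        return direction, "non-ip", False
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    tos, ident, frag, ttl, proto = ip[1], *struct.unpack("!HH", ip[4:8]), ip[8], ip[9]
    # Dummy values the device puts in its custom IP header: TOS 0, id 0, offset 0, TTL 128
    synthetic = (tos, ident, frag & 0x1FFF, ttl) == (0, 0, 0, 128)
    if proto != 17:
        return direction, "other-ip", synthetic
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    trace = TRACE_PORTS.get(dport) or TRACE_PORTS.get(sport) or "tcp/udp traffic"
    return direction, trace, synthetic

def read_pcap(data):
    """Yield raw frames from a classic pcap (not pcapng) byte string."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def build_frame(src_mac, dst_mac, port, src_ip, dst_ip, payload=b"\x00\x01"):
    """Constructed sample frame (not a real capture) following the conventions above."""
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp

DEVICE_MAC = bytes.fromhex("009033aabbcc")          # constructed device MAC
DEVICE_IP, OTHER_IP = bytes([127, 0, 0, 1]), bytes([127, 0, 0, 0])  # 127.0.0.1 = traced device
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
for _f in (build_frame(PLACEHOLDER_MAC, DEVICE_MAC, 4, OTHER_IP, DEVICE_IP),      # incoming ISDN trace
           build_frame(DEVICE_MAC, PLACEHOLDER_MAC, 50001, DEVICE_IP, OTHER_IP)): # outgoing AC DSP trace
    SAMPLE_PCAP += struct.pack("<IIII", 0, 0, len(_f), len(_f)) + _f
```

Running `[classify_frame(f, DEVICE_MAC) for f in read_pcap(SAMPLE_PCAP)]` yields one "received" debug/isdn frame and one "sent" ac-dsp frame, both flagged as carrying the synthetic IP header.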

Additional Remote PCAP trace

If you are experiencing connection issues, you can trace the remote pcap protocol itself by adding the trace flag with "config add PCAP /trace".

Timestamps

Since V7 Hotfix 26 and V8 Hotfix 13, the NTP timestamp is used instead of the uptime in rpcap packets. In log files converted with log2pcap, the uptime is still used.

Decode TURN Traffic as RTP

RTP traffic encapsulated in TURN is decoded as STUN by default. You can change this behaviour as a global setting in your Wireshark.
To activate the RTP heuristic for TURN traffic, go to "Analyze::Enabled Protocols" and enable the "rtp_stun" dissector.

Versions

Older versions can be downloaded from the respective tools package:

  • Wireshark 1.6.8: DLL Version 1043 - V6 6000043 Application Packet
  • Wireshark 1.11.1: DLL Version 1049
  • Wireshark 1.12.2: DLL Version 1055 - V6 6000054 Application Packet
  • Wireshark 2.0.x: DLL Version 1057 - V6 6000055 Application Packet
  • Wireshark 2.2.x: DLL Version 1058 - V6 6000056 Application Packet
  • Wireshark 2.4.x: DLL Version 1059 - V6 6000059 Application Packet
  • Wireshark 2.6.1: DLL Version 1060 - V6 6000061 Application Packet

Newer versions can be downloaded from the store (look for Wireshark DLLs in the Software tab):

  • Wireshark 3.2.x: DLL Version 1061
  • Wireshark 3.4.x: DLL Version 1066
  • Wireshark 4.0.x: DLL Version 1068
  • Wireshark 4.2.x: DLL Version 1069

Offline generation of PCAP Files

In version v12r1 and up, you can capture and store PCAP files without running Wireshark. This is done by setting the Write PCAP to URL property in Maintenance/Diagnostics/Tracing to a URL which points to a writeable WebDAV folder.

This is useful if you need to trace a device for a long time or if you cannot run Wireshark to capture the trace. However, it is not useful if the traced device restarts, as the last trace file will be incomplete then (due to buffered IO when writing the file).

When you remove the URL, the current trace file will be flushed and no further one will be created.

Using V13 File App

  • create a folder in the File App
  • share this folder with username and password
  • copy the URL from this folder
  • go to services/http/client on the innovaphone device for which you need a pcap and store the URL and access data here
  • store the same URL as "Write PCAP to URL" at maintenance/diagnostic/tracing

Attention: As soon as the URL was successfully deposited and "OK" was pressed, the trace is written into the folder. To end the trace, the URL can simply be removed and confirmed again with "OK".

Known Problems

  • Converting a log from a little endian box (like IP3000 and IP21) with firmware V6 SR1 or SR2 with the tool log2pcap will only work with log2pcap 08-1007 or higher and the switch "-srlefix", see log2pcap.
  • Ac49xPacketRecording.dll works only with 0.99.7. Higher versions of wireshark won't start, if this dll was copied to the dll folder!
  • Also some other dlls, contained in the tools package, won't work with each wireshark version. Just innovaphone.dll is always working.
  • Even though All TCP/UDP Traffic is turned on, packets sent to the box acting as rpcap provider to a port that is not handled by the box (that is, where no listening socket is active) will currently not be shown
  • If you use a 64-bit Windows PC then you will need another innovaphone.dll, which is also contained in the latest tools package.
  • The custom IP header of captured innovaphone packets contains dummy values for TOS (0), id (0), fragment offset (0) and TTL (128).
  • After version 1.8.6 of wireshark the H.225 packets are listed as malformed. So higher versions of wireshark could cause trouble when debugging H.323 calls.
  • Couldn't set the capture buffer size!: if you're experiencing this error message, please start wireshark with the option "-B 1" to set the buffer size to 1 MB
  • Wrong time stamp when using PCAP-to-URL:
    • open the first frame of the trace and expand the 'innovaphone: DEBUG'-section
    • last line shows the correct time: 'Debug: YYYY-MM-DD HH:MM:SS' in this case
    • Click on 'Edit -> Time Shift...' in the menu or use the shortcut Ctrl+Shift+T
    • Tick 'Set the time for packet 1 to ...' and fill in the time found in the first frame
    • Click 'Apply'

Missing msvcr120.dll or "module not found"/"Das angegebene Modul wurde nicht gefunden"

You have to install the Visual C++ Redistributable Packages for Visual Studio 2013: http://www.microsoft.com/de-de/download/details.aspx?id=40784

Inconsistent timestamps with Write PCAP to URL

There are sporadically inconsistent timestamps where a newer packet might have an older timestamp than the previous packet (a fraction of a second).
This issue just happens with Write PCAP to URL and the default configuration. This issue has been fixed in the 14r1 release, so the workaround below is no longer needed.

If you use Wireshark for jitter analysis and consistent timestamps are important, you may do a configuration change:

  • disable the epoch-ts option on the PCAP module:
    • !config add PCAP /epoch-ts false
    • !config write
    • !reset
  • now the PCAP trace just contains the uptime beginning from 1970-01-01 but without any wrong timestamps
  • Wireshark offers an option to set the time on the first packet, so the time can be manually set to the file creation time (right click first packet -> move time -> second option and enter e.g. "2023-01-03 13:30:00")

Related Articles