Howto:Pcap: Difference between revisions

From innovaphone wiki

Revision as of 10:57, 26 July 2017

With remote PCAP, network traffic can be captured directly from another network device instead of from the machine running Wireshark.

Remote PCAP

Requirements

  • You may also use newer builds, but make sure they are supported by our plugin DLL. See Versions below for a list of supported versions.
  • To view the standard debug output or ISDN LAPD/Q.931 packets, you have to install the innovaphone plugin (innovaphone_win32.dll or innovaphone_win64.dll, depending on whether your installed Wireshark is 32-bit or 64-bit). To convert text log output (from the Maintenance/Tracing page) you can use log2pcap.exe.
  • To download both items, open the V6 application page, select the 6000055 folder and download tools.zip. Again, if you use newer builds, make sure you download the DLLs from the appropriate apps package (see Versions below).
  • To install the DLL, just copy it to your Wireshark plugin directory, paying attention to the currently used version (e.g. c:\programme\wireshark\plugins\1.12.0\). Note that you need to re-install the DLL each time you update Wireshark.
PCAP ISDN example

Using Wireshark Legacy

Starting with version 2, Wireshark has a new user interface. Unfortunately, we found this to be sluggish and buggy. For that reason, we strongly recommend using Wireshark's legacy version. It is available as an option (Wireshark 1, The classic user interface) in the installer's item selection. You may also want to associate the trace file extensions (.pcap, .pcapng etc.) with Wireshark Legacy instead of the standard version (also available in the setup dialogue).

Setting up the rpcap server

  • The rpcap server can be any innovaphone device.
  • The remote pcap server is disabled by default. To enable it, go to Diagnostics->Tracing and check the "Enable" flag in the "Remote PCAP" group. If you are experiencing problems, also enable the trace flag with "config add PCAP /trace".
  • To capture all IP traffic (UDP and TCP), enable the "IP (all tcp/udp traffic)" flag in the group "IP". Otherwise, enable only the trace flags of the modules you want to capture.

Capturing with wireshark

1.x.x - 1.7.x

Open Wireshark and the capture options dialogue. Choose "remote" from the dropdown list and type "<IP-ADDRESS>/TRACE" into the host field.

It should look like this: (Screenshot from older Wireshark, v.1.2.2)

Wireshark capture options

Then just click on "Start" to start capturing.

>= 1.8.x

Open Wireshark and go to "Capture Options"->"Manage Interfaces"->"Remote Interfaces". Add the IP address of your device.
The remote interface will now be listed among your interfaces and you can select it for capturing data.

Wireshark capture options


>= 2.0.0

Like 1.8.x

Wireshark capture options

Supported protocols

  • ISDN: LAPD L2/L3 with dissector innovaphone.dll (enable Diagnostics->Tracing TELX/PRIX/PPP)
  • AC DSP: dsp with dissector Ac49xPacketRecording.dll (enable Diagnostics->Tracing->VOIP DSP)
  • PPPoE: flag "/pcap" on module(s) PPPOE0/PPPOE1 enables pcap tracing
  • All TCP/UDP protocols which are supported by native Wireshark dissectors, or by other dissectors that can be found on the internet.

e.g.: SIP H.323 H.245

If you only want to see specific UDP/TCP protocols, enable the corresponding flags under Diagnostics->Tracing. To see all, enable the "All TCP/UDP Traffic" flag under Diagnostics->Tracing.

PCAP Log

Another way to get a pcap log file is to open http://IP/log.pcap. This file has a limited size, just like the normal log file.

log2pcap

If you have a log.txt file which contains pcap packets and want to view them in Wireshark, you need the tool log2pcap from the tools package. You can find the tool in the apps tool package (see above).

Usage:

  1. log2pcap.exe input1 input2 ... inputX
  2. drag&drop one or more files on the log2pcap.exe
  3. use an asterisk like "log2pcap c:\*.txt" to convert all txt files into pcap files. Things like c:\test*.txt are not supported.
  • The resulting file name is always inputx.pcap (e.g. log.txt is converted into log.txt.pcap).

Note: if you have a trace of a little endian box (e.g. IP3000, IP21) with V6 SR1 or SR2, you have to use the "-srlefix" switch (available since 08-1007):

log2pcap.exe input1 -srlefix

General Information

Reading PCAP Traces

Non-IP pcap packets will nevertheless show source and destination IP addresses; 127.0.0.1 stands in for the traced device. So if, for example, a Q.931 SETUP message is sent from 127.0.0.0 to 127.0.0.1, it is an incoming SETUP.

Disabling PCAP traces

You can disable pcap tracing entirely by adding the /disable-pcap flag to the CMD0 module. This can be useful if you do not want to see pcap traces in your log file.

Used ports

  • The debug traces are encapsulated in UDP packets with port 4.
  • The ISDN traces are encapsulated in UDP packets with port 4.
  • The AC DSP traces are encapsulated in UDP packets with port 50001.
  • Wireshark uses port 2002 to connect to the running rpcap server.
  • rpcap packets are transferred over a dynamically assigned port between server and client.
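As an added example (not code from the innovaphone wiki or its tools), the following Python script walks a pcap file and applies the conventions from Reading PCAP Traces and Used ports: it classifies UDP packets by the trace ports 4 and 50001, derives the direction from the 127.0.0.1 placeholder address, and flags IP headers that carry the dummy values listed under Known Problems (TOS 0, id 0, fragment offset 0, TTL 128). It assumes a classic pcap container (not pcapng) with a raw-IPv4 or Ethernet link type; the sample trace is constructed inline.

```python
import struct
TRACE_PORTS = {4: "debug/ISDN", 50001: "AC DSP"}  # UDP ports from "Used ports"
BOX = "127.0.0.1"  # stands in for the traced device in non-IP pcap packets

def ipv4_udp(src, dst, sport, dport, payload, ttl=128):
    # Constructed IPv4+UDP packet with the dummy header values the page lists:
    # TOS 0, id 0, fragment offset 0, TTL 128 (checksums left at 0).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp

def pcap_file(packets, linktype=101):
    # Classic little-endian pcap container (linktype 101 = raw IPv4, 1 = Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def classify_trace(data):
    # Walk the pcap and tag each UDP packet with trace kind, direction and
    # whether its IP header carries the synthetic dummy values.
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off, results = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == 1:  # Ethernet: drop the 14-byte frame header, IPv4 only
            pkt = pkt[14:] if pkt[12:14] == b"\x08\x00" else b""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue
        tos, _, ident, frag, ttl, proto = struct.unpack("!BHHHBB", pkt[1:10])
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        if proto != 17 or len(pkt) < ihl + 8:
            continue
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        results.append({
            "src": src, "dst": dst, "dport": dport,
            "kind": TRACE_PORTS.get(dport) or TRACE_PORTS.get(sport) or "other UDP",
            "direction": "incoming" if dst == BOX else "outgoing" if src == BOX else "n/a",
            "synthetic_ip_header": (tos, ident, frag & 0x1FFF, ttl) == (0, 0, 0, 128)})
    return results

# Constructed sample: incoming debug packet, outgoing AC DSP packet, plain SIP.
SAMPLE = pcap_file([ipv4_udp("127.0.0.0", BOX, 4, 4, b"Q.931 SETUP"),
                    ipv4_udp(BOX, "127.0.0.0", 50001, 50001, b"dsp frame"),
                    ipv4_udp("10.0.0.5", "10.0.0.9", 5060, 5060, b"INVITE", ttl=64)])
```

To run it on a real capture, pass the file contents (`open("log.pcap", "rb").read()`) to `classify_trace` instead of `SAMPLE`.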

Additional Remote PCAP trace

If you are experiencing connection issues, you can trace the remote pcap protocol itself by adding the trace flag with "config add PCAP /trace".

Timestamps

Since V7 Hotfix 26 and V8 Hotfix 13, the NTP timestamp is used instead of the uptime in rpcap packets. In log files converted with log2pcap, the uptime is still used.

Versions

  • Wireshark 1.6.8: DLL Version 1043 - V6 6000043 Application Packet
  • Wireshark 1.11.1: DLL Version 1049
  • Wireshark 1.12.2: DLL Version 1055 - V6 6000054 Application Packet
  • Wireshark 2.0.x: DLL Version 1057 - V6 6000055 Application Packet
  • Wireshark 2.2.x: DLL Version 1058 - V6 6000056 Application Packet
  • Wireshark >=2.4.0: NOT SUPPORTED

Known Problems

  • Converting a log from a little endian box (like IP3000 and IP21) with firmware V6 SR1 or SR2 with the tool log2pcap will only work with log2pcap 08-1007 or higher and the switch "-srlefix", see log2pcap.
  • Ac49xPacketRecording.dll works only with 0.99.7. Higher versions of Wireshark won't start if this DLL was copied to the DLL folder!
  • Some other DLLs contained in the tools package also won't work with every Wireshark version. Only innovaphone.dll always works.
  • Even though All TCP/UDP Traffic is turned on, packets sent to the box acting as rpcap provider on a port that is not handled by the box (that is, where no listening socket is active) will currently not be shown.
  • If you use a 64-bit Windows PC, you will need a different innovaphone.dll, which is also contained in the latest tool package.
  • The custom IP header from captured innovaphone packets contains dummy values for TOS (0), id (0), fragment offset (0) and TTL (128)
  • After version 1.8.6 of Wireshark, h225 packets are listed as malformed, so higher versions of Wireshark may cause trouble when debugging H.323 calls.
  • "Couldn't set the capture buffer size!": if you see this error message, start Wireshark with the option "-B 1" to set the buffer size to 1 MB.

Missing msvcr120.dll or "module not found"/"Das angegebene Modul wurde nicht gefunden"

You have to install the Visual C++ Redistributable Packages for Visual Studio 2013: http://www.microsoft.com/de-de/download/details.aspx?id=40784
