Howto:Pcap

From innovaphone-wiki

Revision as of 10:27, 16 August 2019 by Slu (Talk | contribs)

With remote PCAP (rpcap), Wireshark captures network traffic directly on an innovaphone device instead of on the PC it is running on.

Remote PCAP

Requirements

  • You should have the latest Wireshark stable release of the 1.12.x line installed - Wireshark Download
You may also use newer builds, but make sure they are supported by our plugin DLL. See Versions below for a list of supported versions.
  • To view the standard debug output or ISDN LAPD/Q.931 packets, you have to install the innovaphone plugin (innovaphone_win32.dll or innovaphone_win64.dll, depending on whether your installed Wireshark is 32 bit or 64 bit). To convert text log output (from the Maintenance/Tracing page) you can use log2pcap.exe.
To download both items, open the V6 application page, select the 6000055 folder and download tools.zip.
Again, if you use newer builds, make sure you download the DLLs from the matching apps package (see Versions below).
To install a DLL of version 1059 or earlier, copy it into the Wireshark plugin directory that matches your installed version (e.g. c:\programme\wireshark\plugins\1.12.0\). Note that you need to re-install the DLL each time you update Wireshark.
To install a DLL of version 1060 or later, copy it into the epan subdirectory of the plugin directory that matches your installed version (e.g. c:\programme\wireshark\plugins\2.6\epan\). Again, the DLL must be re-installed after each Wireshark update.
(Screenshot: PCAP ISDN example)

Using Wireshark Legacy

Starting with version 2, Wireshark has a new user interface. We found it sluggish and buggy, so we strongly recommend using the legacy interface instead. It is available as an option ("Wireshark 1, the classic user interface") in the installer's component selection. You may also want to associate the trace file extensions (.pcap, .pcapng etc.) with Wireshark Legacy instead of the standard version (also offered in the setup dialogue).

Setting up the rpcap server

  • The rpcap server can be any innovaphone device.
  • The remote PCAP server is disabled by default. To enable it, go to Diagnostics->Tracing and check the "Enable" flag in the "Remote PCAP" group. If you are experiencing problems, also enable the trace flag with "config add PCAP /trace". Disable the flag again when you have finished tracing.
  • To capture all IP traffic (UDP and TCP), enable the "IP (all tcp/udp traffic)" flag in the "IP" group. Otherwise enable only the trace flags of the modules you want to capture.

Capturing with wireshark

1.x.x - 1.7.x

Open Wireshark and the capture options dialogue. Choose "Remote" from the interface dropdown list and type "<IP-ADDRESS>/TRACE" into the host field.

It should look like this (screenshot from an older Wireshark, v1.2.2):

(Screenshot: Wireshark capture options)

Then just click on "Start" to start capturing.

>= 1.8.x

Open Wireshark and go to "Capture Options" -> "Manage Interfaces" -> "Remote Interfaces". Add the IP address of your device.
The remote interface is now listed among your interfaces and you can select it for capturing.

(Screenshot: Wireshark capture options)


>= 2.0.0

(Screenshot: Wireshark capture options)

>= 3.0.0

The innovaphone.dll is currently not supported with this Wireshark version. Please do not upgrade to Wireshark 3.0 or later.

Supported protocols

  • ISDN: LAPD L2/L3 with the dissector innovaphone.dll (enable Diagnostics->Tracing TELX/PRIX/PPP)
  • AC DSP: DSP traces with the dissector Ac49xPacketRecording.dll (enable Diagnostics->Tracing->VOIP DSP)
  • PPPoE: the flag "/pcap" on the module(s) PPPOE0/PPPOE1 enables pcap tracing
  • All TCP/UDP protocols supported by Wireshark's native dissectors, or by third-party dissectors that can be found on the internet.

e.g. SIP, H.323, H.245

Enable the corresponding flags under Diagnostics->Tracing if you only want to see specific UDP/TCP protocols. To see all of them, enable the "All TCP/UDP Traffic" flag under Diagnostics->Tracing.

PCAP Log

Another way to get a pcap log file is to open http://IP/log.pcap in a browser. This file has a limited size, just like the normal log file.

log2pcap

You need the tool log2pcap from the tools package if you have a log.txt file that contains pcap packets and want to view them in Wireshark. You can find the tool in the apps tools package (see above).

Usage:

  1. log2pcap.exe input1 input2 ... inputX
  2. drag & drop one or more files onto log2pcap.exe
  3. use an asterisk, e.g. "log2pcap c:\*.txt", to convert all txt files into pcap files. Patterns like c:\test*.txt are not supported.
  • The resulting file name is always inputX.pcap (e.g. log.txt is converted into log.txt.pcap).

Note: if you have a trace from a little-endian box (e.g. IP3000, IP21) running V6 SR1 or SR2, you have to use the "-srlefix" switch (available since log2pcap 08-1007):

log2pcap.exe input1 -srlefix

General Information

Reading PCAP Traces

Non-IP Pcap packets

Wireshark will nevertheless show source and destination IP addresses for packets that are not IP (ISDN, for example). 127.0.0.1 stands in for the traced device. So if, for example, a Q.931 SETUP message is shown as sent from 127.0.0.0 to 127.0.0.1, it is an incoming SETUP.

MAC: 00:90:33:00:00:00

Sometimes people wonder why 00:90:33:00:00:00 appears as source or destination MAC address in a pcap. The direction of a packet can be determined from the MAC addresses:

The device's MAC address is used as source only if the packet was sent.
The device's MAC address is used as destination only if the packet was received.

The other field is filled with 00:90:33:00:00:00.

Disabling PCAP traces

You can disable pcap tracing completely by configuring the /disable-pcap flag on the CMD0 module. This is useful if you do not want to see pcap traces in your log file.

Used ports

  • Debug traces are encapsulated in UDP packets with port 4.
  • ISDN traces are encapsulated in UDP packets with port 4.
  • AC DSP traces are encapsulated in UDP packets with port 50001.
  • Wireshark uses TCP port 2002 to connect to the running rpcap server.
  • rpcap packets are transferred over a dynamically assigned port between server and client.
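The three sections above (Non-IP Pcap packets, MAC 00:90:33:00:00:00 and Used ports) together let you tell, for every frame in a trace, whether the device sent or received it and which trace channel it belongs to. The following script is an added example, not innovaphone's own code or tooling: it builds a small constructed capture (the device MAC 00:90:33:aa:bb:cc, the addresses, the SIP and Q.931 payloads and the timestamps are all made up for the demonstration), parses it as a classic libpcap file and applies the page's rules: device MAC as source means sent, as destination means received, 127.0.0.1 as destination of a non-IP pseudo header means incoming, UDP port 4 means debug/ISDN trace and UDP port 50001 means AC DSP trace. The same parser can be run on a saved remote capture or on the log.pcap download described further up.

```python
"""Classify frames of an innovaphone remote-PCAP trace (added example, not innovaphone code).

Conventions from this page: the device MAC is the source only on sent frames and the
destination only on received frames, the other field being 00:90:33:00:00:00; in non-IP
traces 127.0.0.1 stands in for the device, so a packet to 127.0.0.1 is incoming; UDP port 4
carries debug/ISDN traces, UDP port 50001 AC DSP traces.
"""
import struct

PLACEHOLDER_MAC = "00:90:33:00:00:00"
DEVICE_MAC = "00:90:33:aa:bb:cc"      # constructed for the sample, not a real device
TRACE_PORTS = {4: "debug/ISDN trace", 50001: "AC DSP trace"}
LINKTYPE_ETHERNET = 1


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with the dummy header values listed under Known
    Problems (TOS 0, id 0, fragment offset 0, TTL 128); checksums are left at 0."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp


def build_pcap(frames):
    """Classic little-endian libpcap file; timestamps are constructed."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1565951220 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield frame


def classify(frame, device_mac=DEVICE_MAC):
    """Return direction and trace kind of one frame using the page's conventions."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    if src == device_mac and dst == PLACEHOLDER_MAC:
        direction = "sent"
    elif dst == device_mac and src == PLACEHOLDER_MAC:
        direction = "received"
    else:
        direction = "unknown"        # not a frame the device traced itself
    info = {"direction": direction, "kind": "other"}
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    if info["src_ip"].startswith("127.") and info["dst_ip"].startswith("127."):
        # pseudo IP header of a non-IP trace: 127.0.0.1 is the traced device
        info["kind"] = "non-IP pseudo header"
        if direction == "unknown":
            info["direction"] = "received" if info["dst_ip"] == "127.0.0.1" else "sent"
    if ip[9] == 17 and len(ip) >= ihl + 8:       # UDP: check for the trace ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        info["udp"] = (sport, dport)
        for port in (sport, dport):
            if port in TRACE_PORTS:
                info["kind"] = TRACE_PORTS[port]
                break
    return info


# Constructed sample capture: a sent SIP INVITE, an incoming Q.931 SETUP (minimal
# header: discriminator 0x08, call reference 00 01, message type 0x05) and a DSP trace.
SAMPLE_PCAP = build_pcap([
    build_frame(PLACEHOLDER_MAC, DEVICE_MAC, "192.168.1.10", "192.168.1.20", 5060, 5060,
                b"INVITE sip:200@192.168.1.20 SIP/2.0\r\n"),
    build_frame(DEVICE_MAC, PLACEHOLDER_MAC, "127.0.0.0", "127.0.0.1", 4, 4,
                b"\x08\x02\x00\x01\x05"),
    build_frame(PLACEHOLDER_MAC, DEVICE_MAC, "127.0.0.1", "127.0.0.0", 50001, 50001,
                b"\x00" * 16),
])


def summarize(pcap_bytes, device_mac=DEVICE_MAC):
    """(direction, kind, udp ports) for every frame of a capture."""
    return [(i["direction"], i["kind"], i.get("udp"))
            for i in (classify(f, device_mac) for f in parse_pcap(pcap_bytes))]


if __name__ == "__main__":
    for row in summarize(SAMPLE_PCAP):
        print(row)
```

The parser only understands the classic libpcap format; if a file starts with the pcapng magic, convert it first (for example with "editcap -F pcap in.pcapng out.pcap"). Inside Wireshark the same split is available as display filters: "eth.src == 00:90:33:00:00:00" shows only received frames, "eth.dst == 00:90:33:00:00:00" only sent frames, and "udp.port == 4" or "udp.port == 50001" isolates the debug/ISDN and AC DSP trace channels.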

Additional Remote PCAP trace

You can trace the remote pcap protocol itself by adding the trace flag with "config add PCAP /trace" if you are experiencing connection issues.

Timestamps

Since V7 Hotfix 26 and V8 Hotfix 13, rpcap packets carry the NTP (wall-clock) timestamp instead of the device uptime. Log files converted with log2pcap still use the uptime.

Decode TURN Traffic as RTP

RTP traffic encapsulated in TURN is decoded as STUN by default. You can change this behaviour through a global setting in Wireshark:
to activate the RTP heuristic for TURN traffic, go to "Analyze -> Enabled Protocols" and enable the "rtp_stun" dissector.

Versions

  • Wireshark 1.6.8: DLL Version 1043 - V6 6000043 Application Packet
  • Wireshark 1.11.1: DLL Version 1049
  • Wireshark 1.12.2: DLL Version 1055 - V6 6000054 Application Packet
  • Wireshark 2.0.x: DLL Version 1057 - V6 6000055 Application Packet
  • Wireshark 2.2.x: DLL Version 1058 - V6 6000056 Application Packet
  • Wireshark 2.4.x: DLL Version 1059 - V6 6000059 Application Packet
  • Wireshark 2.6.1: DLL Version 1060 - V6 6000061 Application Packet
  • Wireshark 3.0.0: not supported

Download the tools package

Known Problems

  • Converting a log from a little-endian box (like IP3000 and IP21) with firmware V6 SR1 or SR2 with the tool log2pcap only works with log2pcap 08-1007 or higher and the switch "-srlefix", see log2pcap.
  • Ac49xPacketRecording.dll works only with Wireshark 0.99.7. Higher versions of Wireshark won't start if this DLL was copied into the plugin folder!
  • Some other DLLs contained in the tools package also won't work with every Wireshark version. Only innovaphone.dll always works.
  • Even though "All TCP/UDP Traffic" is turned on, packets sent to the box acting as rpcap provider on a port that the box does not handle (that is, where no listening socket is active) will currently not be shown, so probes to closed ports do not appear in the trace.
  • If you use a 64-bit Windows PC you need a different innovaphone.dll, which is also contained in the latest tools package.
  • The custom IP header of captured innovaphone packets contains dummy values for TOS (0), id (0), fragment offset (0) and TTL (128).
  • After version 1.8.6 of Wireshark the H.225 packets are listed as malformed, so higher versions of Wireshark may give trouble when debugging H.323 calls.
  • "Couldn't set the capture buffer size!": if you get this error message, start Wireshark with the option "-B 1" to set the buffer size to 1 MB.

Missing msvcr120.dll or "module not found" ("Das angegebene Modul wurde nicht gefunden" on German systems)

You have to install the Visual C++ Redistributable Packages for Visual Studio 2013: http://www.microsoft.com/de-de/download/details.aspx?id=40784

Offline Generation of PCAP Files

In version v12r1 and up, you can capture and store PCAP files without running Wireshark. To do so, set the "Write PCAP to URL" property in Maintenance/Diagnostics/Tracing to a URL that points to a writeable WebDAV folder.

This is useful if you need to trace a device for a long time or cannot run Wireshark to capture the trace. It is not useful if the traced device restarts, though, as the last trace file will then be incomplete (the file is written with buffered IO). Since the trace files contain the device's traffic, the WebDAV folder should be restricted to the people who need the traces.

When you remove the URL, the current trace file is flushed and no further one is created.
