Mike's PBX Cookbook

PCAP Tools for Linux

PCAP Tools for Linux is a packet capture utility (sniffer) which can be useful to network engineers or snoopers. It is pre-installed on CS1K Rel.6/7.5 linux-base systems, and can be used to view SIP (and UNISTIM) messages, or to diagnose network problems.

Get Wireshark (freeware), if you haven't already, from: http://www.wireshark.org/download.html
Once installed, goto Preferences > Protocols > UNISTIM and set the UNISTIM UDP port to 5000.
This will help you interpret Nortel/Avaya phone messages.

UNIStim (Unified Networks IP Stimulus) is a proprietary Nortel (now Avaya) VOIP protocol. Further information: here, or here.

Login to a CS1K Linux base element (the UCM) with either admin or admin2.

Use pcap config to set options such as ELAN or TLAN (default) monitoring, and the capture file size.

Unharden nettools, and start packet capture:

[admin@ss0 ~]$ harden nettools on
You are trying to set Hardening policy 'network tools' in less secure state.
Do you want to proceed? (Y/N) [Y]? y
Network tools are enabled.
[admin@ss0 ~]$ pcap start
Starting PCAP: 
       PCAP is stopped 
       Configuration file validated                        [PASSED]
       PCAP is starting 
PCAP successfully started                                  [  OK  ]
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1

While running, all network traffic will be stored in a capture file.
When ready, stop the capture, and harden nettools again:

[admin@ss0 ~]$ pcap stop
Stopping PCAP: 
       pcap is stopping                                    [  OK  ]
58 packets captured
PCAP successfully stopped                                  [  OK  ]
[admin@ss0 ~]$ harden nettools off
Network tools are disabled. 

Download the capture file from: /var/opt/nortel/dfoTools/pcap (via SFTP), and open it in Wireshark. I use Transmit, a popular Mac OS X FTP/SFTP client, or WinSCP on Windows to do this. Note that capture files cannot be retrieved while PCAP is running.
To display only the telephony traffic, enter unistim in the filter box, and hit apply.

Wireshark on OSX

Home » Voip » Wirepcap