Capture packets on an EdgeMarc / EdgeProtect for off-line analysis. Capture raw packets in a manner that a third-party tool, such as Ethereal / Wireshark, can decode and display as a protocol trace.
Step 1 - Create a ramdisk
- Log in to CLI (root access)
- Type: mkdir /var/ramdisk
- Type: mount -t tmpfs tmpfs /var/ramdisk -o size=16000k
- Type: cd /var/ramdisk
NOTE:
Failure to mount the ramdisk may cause phone registration issues or instability issues with the EdgeMarc. Without the ramdisk you would be writing the capture files to the file system itself and filling the available disk space on the router. As a result, you may lose access to the EdgeMarc.
Step 2 - Initiate tcpdump commands
See: Using the tcpdump command for details on using the tcpdump command.
[The commands below apply to ALL platforms except the EdgeProtect / EdgeMarc 4750 and 7000 Series running version 14.1.0 or higher.]
[Instructions for running the tcpdump commands on the 4750 and 7000 series can be found in Capture tcpdump to a ramdisk (for 4750 and 7000 series only).]
Running tcpdump commands and capturing to a file
To capture (only) SIP signaling on a single interface (assuming that the SIP signaling is on port 5060), without closing the CLI (ssh) session, as an example, type:
# tcpdump -ni eth0 -s0 port 5060 -w /var/ramdisk/eth0.pcap
OR
To run the same command in the background, type:
# tcpdump -ni eth0 -s0 port 5060 -w /var/ramdisk/eth0.pcap &
To end the capture(s), type:
# killall tcpdump
Other examples:
(A) To capture SIP signaling (only) on both interfaces simultaneously to two separate files (from one SSH window), as an example, type:
# tcpdump -i eth0 -s0 port 5060 -w /var/ramdisk/eth0.pcap & tcpdump -i eth1 -s0 port 5060 -w /var/ramdisk/eth1.pcap &
- eth1 is the WAN interface
- eth0 is the LAN interface (if you are using VLANs, substitute eth0 with the VLAN that the ALG is listening on, for example eth0.100)
(B) To capture RTP traffic (UDP) on both interfaces simultaneously to two separate files (from one SSH window), as an example, type:
# tcpdump -i eth0 -s0 udp -w /var/ramdisk/eth0.pcap & tcpdump -i eth1 -s0 udp -w /var/ramdisk/eth1.pcap &
- This command captures all UDP traffic on the interface, including audio (RTP) traffic and H323 traffic. Used when capturing on the EdgeProtect.
(C) To capture SIP signaling (only) on both interfaces simultaneously to a single file (from one SSH window), as an example, type:
# tcpdump -i any port 5060 -s 0 -w /var/ramdisk/any.pcap &
- This command is used to capture SIP signaling when the SIP-UA (FXS), SIP-GW (FXO) or PRI port on the EdgeMarc is involved in the call.
(D) To capture RTP traffic (UDP) on all interfaces (including FXS, FXO and PRI) simultaneously to a single file, type:
# tcpdump -i any udp -s 0 -w /var/ramdisk/any.pcap &
(E) To capture H323 registration (port 1719) signaling on any interface, simultaneously to a single file (from one SSH window), as an example, type:
# tcpdump -ni any -s0 port 1719 -w /var/ramdisk/h323_reg_any.pcap
(F) To capture H323 registration signaling on both interfaces simultaneously to two separate files (from one SSH window), as an example, type:
# tcpdump -ni eth0 -s0 port 1719 -w /var/ramdisk/H323_reg_eth0.pcap & tcpdump -ni eth1 -s0 port 1719 -w /var/ramdisk/H323_reg_eth1.pcap &
- eth1 is the WAN interface
- eth0 is the LAN interface (if you are using VLANs, substitute eth0 with the VLAN that the ALG is listening on, for example eth0.100)
(G) To capture H323 registration and setup signaling on any interface, simultaneously to a single file (from one SSH window), as an example, type:
# tcpdump -ni any -s0 port 1719 or port 1720 -w /var/ramdisk/H323_setup_any.pcap &
(H) To capture H323 registration and setup signaling on both interfaces simultaneously to two separate files (from one SSH window), as an example, type:
# tcpdump -ni eth0 -s0 port 1719 or port 1720 -w /var/ramdisk/H323_eth0.pcap & tcpdump -ni eth1 -s0 port 1719 or port 1720 -w /var/ramdisk/H323_eth1.pcap &
(J) To capture all H323 traffic and RTP traffic on both interfaces simultaneously to two separate files (from one SSH window), as an example, type:
# tcpdump -i eth0 -s0 udp -w /var/ramdisk/eth0.pcap & tcpdump -i eth1 -s0 udp -w /var/ramdisk/eth1.pcap &
(K) To capture the TLS handshake and protocol traffic (typically TCP port 5061) on any interface to a single file, type:
# tcpdump -i any port 5061 -w /var/ramdisk/tls.pcap &
- The "&" characters will background the capture tasks.
- To end the capture, type: killall tcpdump
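The following wrapper is an added example (not part of the original article or the EdgeMarc software) that ties Step 1 and Step 2 together: it refuses to start tcpdump unless /var/ramdisk is actually a mounted tmpfs, which is the failure mode the NOTE in Step 1 warns about. The function names are assumptions; the tcpdump options are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: guarded capture helper for the EdgeMarc ramdisk procedure.
# The CAPTURE_DIR path matches Step 1; the function names are assumptions.

CAPTURE_DIR=/var/ramdisk

# ramdisk_mounted MOUNTS_TEXT DIR
# Succeeds only if DIR appears in MOUNTS_TEXT as a tmpfs mount point.
# MOUNTS_TEXT is normally the contents of /proc/mounts; passing it as an
# argument keeps the check testable away from a real EdgeMarc.
ramdisk_mounted() {
    printf '%s\n' "$1" |
        awk -v dir="$2" '$2 == dir && $3 == "tmpfs" { found = 1 } END { exit !found }'
}

# capture_cmd IFACE FILTER OUTFILE
# Prints the tcpdump command line the article uses: -n (no name lookups),
# -s0 (full packets), -w (write pcap to the ramdisk).
capture_cmd() {
    printf 'tcpdump -ni %s -s0 %s -w %s/%s\n' "$1" "$2" "$CAPTURE_DIR" "$3"
}

# start_capture IFACE FILTER OUTFILE
# Aborts if the ramdisk is missing (so the capture cannot fill the router's
# own file system), otherwise backgrounds tcpdump like the "&" examples.
start_capture() {
    if ! ramdisk_mounted "$(cat /proc/mounts)" "$CAPTURE_DIR"; then
        echo "refusing to capture: $CAPTURE_DIR is not a tmpfs mount (see Step 1)" >&2
        return 1
    fi
    echo "starting: $(capture_cmd "$1" "$2" "$3")"
    # $2 is intentionally unquoted so a filter such as "port 1719 or port 1720"
    # is split into separate tcpdump arguments.
    # shellcheck disable=SC2086
    tcpdump -ni "$1" -s0 $2 -w "$CAPTURE_DIR/$3" &
}

# stop_capture: same as the article's "killall tcpdump".
stop_capture() {
    killall tcpdump
}

# Usage on the EdgeMarc (run after Step 1):
#   start_capture eth0 "port 5060" eth0.pcap
#   start_capture eth1 "port 1719 or port 1720" H323_eth1.pcap
#   stop_capture
```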
Step 3 - Upload file to a PC for analysis
Use either WinSCP, FTP or inband Z-modem to download the capture(s) from the ramdisk.
ftp
- Type: ftp public_ftp_server
- Type: lcd /var/ramdisk
- Type: mput *.pcap
Winscp
You can use SCP / WinSCP to transfer the file from the EdgeMarc to your desktop. Set the File Protocol to SCP.
z-modem
See: EdgeMarc: lsz Command Support for details on inband z-modem transfer.
- SSH/Telnet to the CLI using a zmodem-capable application, such as Windows HyperTerminal
- Type: cd /var/ramdisk
- Type: lsz *.pcap