Friday, April 30, 2010

CTS System - Packet capture

Cisco CTS version 1.6 introduces the utils network capture command; this came out of a feature request to make tcpdump accessible to users without root access (available in 1.6.6).

If root access is available, capture traffic from the CTS as follows:


1. Create remote account

admin:utils remote_account enable
Remote Support is now enabled
admin:
admin:utils remote_account create ciscotac 1

2. Log in via SSH using the remote account credentials

Log in via SSH to the primary codec

3. Move to the following path

CTS:>pwd
/nv/log/

4. Create a new directory to store our capture

CTS:>mkdir packet

* Creating the packet folder under /nv/log may cause problems if we collect logs from the GUI afterwards; either delete the folder after the packet capture or create it in a different path.

5. Start capture

CTS:>tcpdump -s 0 -i eth0 host 172.16.154.8 -w mycapture.pcap



* Filtering is recommended. If you plan to capture calls or other traffic that may generate large files, it is recommended to SPAN the switch port the CTS is connected to instead.

6. Reproduce the problem

7. Stop the capture

Press Control+C, or add a packet count limit to the tcpdump command (-c argument).

8. Transfer the files via SFTP to an SFTP server (Minicore SFTP or FreeFTPd)

CTS:>sftp user@171.69.87.217
Connecting to 171.69.87.217...
The authenticity of host '171.69.87.217 (171.69.87.217)' can't be established.
RSA key fingerprint is 7c:3b:30:ff:6c:16:7b:03:c6:8c:95:9a:16:82:79:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '171.69.87.217' (RSA) to the list of known hosts.
gogasca@171.69.87.217's password:
Hello, I'm freeFTPd 1.0
sftp>

sftp:> put mycapture.pcap
Uploading mycapture.pcap to /mycapture.pcap
mycapture.pcap 100% 772 0.8KB/s 00:00
sftp:>bye

9. If you are planning to collect files afterwards, make sure you delete the capture first, since the capture file is normally large.

10. If no SFTP server is available, collect the capture file by renaming it to the name of a log file already on the system (e.g. nv/log/sysop/sysop00002.log in the sysop folder). Be careful which file you select, since overwriting the wrong file can cause serious problems.

Useful captures:


tcpdump -n -s 0 -i eth0 'udp and port 5060 and (host ip addr)' -vvvvvvv
tcpdump -s 0 -i eth0 host '( 172.16.154.8 and 172.16.181.39 )' -w mycapture.pcap -c 15000
tcpdump -s 0 -i eth0 'not port ssh and host 172.16.154.15' -w mycapture.pcap

* You may see packets 'dropped by kernel' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0). 
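The following is an added example and not part of the original post or of Cisco's CTS software. It wraps the capture steps above in a few sh functions: it validates the host address, builds a filter that also leaves out the SSH session running the capture (as the last "useful capture" does with 'not port ssh'), writes the capture to a directory outside /nv/log so GUI log collection is not disturbed, and reads the 'dropped by kernel' count from tcpdump's summary so an incomplete capture is noticed. The default CAPTURE_DIR (/tmp/packet), the interface name eth0 and the presence of tcpdump on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco CTS.
# Assumptions (hypothetical): tcpdump is on PATH on the codec, the
# interface is eth0, and CAPTURE_DIR is writable and not under /nv/log.

CAPTURE_DIR="${CAPTURE_DIR:-/tmp/packet}"   # hypothetical default path
IFACE="${IFACE:-eth0}"

# validate_ip A.B.C.D -> 0 for a dotted-quad IPv4 address, 1 otherwise
validate_ip() {
    ip="$1"
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"
    IFS=.
    set -- $ip              # split into the four octets
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_filter host1 [host2 ...] -> prints a BPF filter for traffic involving
# every listed host, excluding SSH so the capture session itself is not recorded
build_filter() {
    filter=""
    for h in "$@"; do
        validate_ip "$h" || { echo "bad host address: $h" >&2; return 1; }
        if [ -z "$filter" ]; then
            filter="host $h"
        else
            filter="$filter and host $h"
        fi
    done
    [ -n "$filter" ] || { echo "at least one host is required" >&2; return 1; }
    echo "not port ssh and $filter"
}

# parse_dropped < tcpdump-summary -> prints the 'dropped by kernel' count
# (0 when the line is absent); a non-zero value means the capture is incomplete
parse_dropped() {
    awk '/dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# run_capture outfile count host... -> runs a full-packet (-s 0), count-limited
# capture and prints the number of packets the kernel dropped
run_capture() {
    outfile="$1"; count="$2"; shift 2
    filter=$(build_filter "$@") || return 1
    mkdir -p "$CAPTURE_DIR"
    # tcpdump writes its packet summary to stderr; keep it beside the capture
    tcpdump -s 0 -i "$IFACE" -c "$count" \
        -w "$CAPTURE_DIR/$outfile" "$filter" 2>"$CAPTURE_DIR/$outfile.summary"
    parse_dropped < "$CAPTURE_DIR/$outfile.summary"
}

# Usage on the codec (not executed here):
#   dropped=$(run_capture mycapture.pcap 15000 172.16.154.8 172.16.181.39)
#   transfer "$CAPTURE_DIR/mycapture.pcap" via sftp, then delete it
```

Keeping the capture outside /nv/log and deleting it after transfer addresses the two caveats in the steps above; checking the dropped count tells you whether a capture that looks complete actually missed packets because the kernel buffer filled up.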
