2018-08-16

For All Mediatrix Units

v. 43.0.1125


1 Packet Captures

Packet captures are data packets intercepted when passing through a specific computer network.

Captured packets can be sent to a specific location where they can be analysed. The content of the capture can therefore be used to diagnose and troubleshoot network problems and determine if network security policies are being followed.

There are two different ways to perform a packet capture:

  • With the pcapture CLI command (not a Cli service command), available only via the CLI. This method displays the captured packets directly in the CLI or streams them through an SSH tunnel to a remote Wireshark client.
  • With the PCaptureStart Nlm service command. This is a muse command; it can be executed via SNMP, a script, and the CLI. This is also the command used when performing packet captures via the Web page. This method sends the captured file to the service FILE or to an HTTP server via a standard HTTP upload.


1.1 Starting a Network Capture

Context

This method is performed with the PCaptureStart command of the Nlm service.

If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.

Steps

  1. Go to System/Packet Capture.
  2. In the Packet Capture Configuration section, complete the fields as follows:
    1. Max Number of Frames: Specifies the maximum number of frames after which the packet capture is automatically stopped. 0 means no limit.
    2. Max number of seconds: Specifies the maximum number of seconds after which the packet capture is automatically stopped. 0 means no limit.
    3. Filter: For more details on filters, refer to Filter Examples.
    4. Link Name: Select the name of the link interface to capture.
    5. URL: The URL format must follow this syntax: protocol://[user[:password]@]hostname[:port]/[path/]filename

    Note

    The Link Name can be, for example, ETH1.

    Note

    If the protocol is FILE, the captured trace is saved locally to the unit. For example, the URL "file://my_trace.pcap" saves a capture file named "my_trace.pcap" in the Mediatrix unit, which can be downloaded under Management/File.

  3. Click Apply.
  4. Click Apply & Start Capture.

    Note

    Remember to click Apply & Stop Capture when you have enough packets captured.

Result

Packets going through the specified filter will be captured and sent to the specified URL.
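
A pre-flight check for the URL field when PCaptureStart is driven from a script, as an added example (not Media5 code): it splits a capture URL according to the syntax given in the steps above and reports whether a password is embedded, without echoing it. The function name and output format are assumptions; the file:// branch follows the page's own example, where the filename directly follows the scheme.

```shell
# Added example, not Media5 code. parse_capture_url and its output format
# are assumptions. Syntax checked, as given on this page:
#   protocol://[user[:password]@]hostname[:port]/[path/]filename
# Hostnames and IPv4 addresses only; the password itself is never printed.
parse_capture_url() {
    url=$1
    case $url in
        *://*) ;;
        *) echo "error: missing protocol://" >&2; return 1 ;;
    esac
    proto=$(printf '%s' "${url%%://*}" | tr 'A-Z' 'a-z')
    if [ -z "$proto" ]; then echo "error: empty protocol" >&2; return 1; fi
    rest=${url#*://}
    user='' has_pw=no host='' port='' file=''
    if [ "$proto" = file ]; then
        # Page example: file://my_trace.pcap (filename right after the scheme)
        file=$rest
    else
        case $rest in
            */*) ;;
            *) echo "error: missing /filename" >&2; return 1 ;;
        esac
        authority=${rest%%/*}
        file=${rest#*/}
        hostport=${authority##*@}
        case $authority in
            *@*) userinfo=${authority%@*}
                 user=${userinfo%%:*}
                 case $userinfo in *:*) has_pw=yes ;; esac ;;
        esac
        host=${hostport%%:*}
        case $hostport in *:*) port=${hostport##*:} ;; esac
        if [ -z "$host" ]; then echo "error: empty hostname" >&2; return 1; fi
    fi
    if [ -z "$file" ]; then echo "error: empty filename" >&2; return 1; fi
    # Credentials in an http:// URL cross the network unencrypted.
    exposed=no
    if [ "$proto" = http ] && [ "$has_pw" = yes ]; then exposed=yes; fi
    printf 'proto=%s user=%s password=%s cleartext_password=%s host=%s port=%s file=%s\n' \
        "$proto" "$user" "$has_pw" "$exposed" "$host" "$port" "$file"
}
```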

1.1.1 Exporting a Capture File Locally to the Mediatrix Unit

Steps

  1. Go to Management/File.
  2. In the Internal files table, click the name of the file you have given to your capture.
  3. Save your capture file.

Result

The capture will be saved at the chosen location.

1.1.2 Filter Examples

  • Filter: port 5060
    • Captures all traffic on (either source or destination) port 5060 (SIP)
  • Filter: port 5060 and host 192.168.0.99
    • Captures all traffic on port 5060 and source or destination IP 192.168.0.99
  • Filter: port 5060 and dst host 192.168.0.99
    • We can enter “dst” or “src” before “host” (or “port”) to specify the destination or source host (or port).
  • Filter: not broadcast and not multicast
    • Filter out the broadcast and multicast traffic

1.2 Starting a Network Capture on a Specific VLAN

Before You Start

The Vlan must first be created. Refer to Creating a VLAN.

Context

This method is performed with the PCaptureStart command of the Nlm service.

Steps

  1. Go to System/Packet Capture.
  2. In the Packet Capture Configuration section, in the Link Name field, enter the name of the VLAN for which you want to capture packets. This corresponds to the chosen Ethernet port followed by the name given in the VlanId field of the VLAN Configuration table (Network/VLAN) when the VLAN was created (for example, eth1.100).

    Note

    For the URL, if you choose the FILE transport protocol, it means that the file will be accessible under Management/File.

  3. Click Apply.
  4. Click Apply & Start Capture.

    Note

    Remember to click Apply & Stop Capture when you have enough packets captured.

Result

A capture will be started, and only the traffic going through the specified VLAN will be captured.

1.2.1 Creating a VLAN

Steps

  1. Go to Network/VLAN.
  2. In the VLAN Configuration table, from the Link selection list, select the Ethernet link the VLAN will use.
  3. Complete the VlanId and the Default User Priority fields as required.
  4. Click located at the end of the newly created Vlan.
  5. Click Apply.

    Note

    Do not forget to enable the VLAN under Network/Interfaces.


1.3 Starting a Network Capture Remotely On Windows

Context

This method is performed using the pcapture command of the CLI.

Before You Start

  • You must know the IP address of the unit running the DGW software.
  • The Mediatrix unit must be running a DGW v2.0.39.689 firmware or higher.
  • You must have a PC running Wireshark.

Steps

  1. From the PC, download the plink utility.
  2. Save the plink utility in the folder where the Wireshark executable is located.
  3. Open a command line interface (e.g. cmd.exe).
  4. Go to the Wireshark folder where the utility was saved.
  5. Enter the following command, replacing the password, username, and IP address according to your setup:
    plink.exe -pw "PASSWORD" USERNAME@IP_ADDRESS "pcapture -raw -i any" | wireshark -k -i -

    Note

    any captures on all ETH ports, including VLANs (for example ETH1.10 where ). It is also possible to choose a specific port: ETH1, ETH2, ETH5, ETH1-4, ETH2-5, WAN, or LAN, depending on the type of unit.

Result

The pcapture command will be executed in the CLI and the result will be sent to a new Wireshark window on the PC running Wireshark.

1.3.1 Examples of pcapture Commands for Windows

Capture from the uplink interface of the Mediatrix unit, and filtering out the broadcast and multicast traffic.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1 not broadcast and not multicast" | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets of the VLan for which the VlanId is 100 only.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1.100" | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using RTP only.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1 -t rtp " | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 only (either source or destination).
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1 port 5060 " | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 as the source only.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1 src port 5060 " | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 as the destination only.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -raw -i eth1 dst port 5060 " | wireshark -k -i -
Capture the packets going through the Ethernet port eth1, for traffic for which the source or the destination is the unit with the 00:90:F8:07:5A:6D MAC address.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -i eth1 ether host 00:90:F8:07:5A:6D " | wireshark -k -i -
Capture the packets going through the Ethernet port eth1, for traffic for which the source or the destination is one of the units with the 10.5.128.11 or 10.5.128.4 IP addresses.
plink.exe -pw "1234" public@192.168.0.100 "pcapture -i eth1 host 10.5.128.11 or host 10.5.128.4  " | wireshark -k -i -

1.4 Starting a Network Capture Remotely On macOS or Linux

Context

This method is performed using the pcapture command of the CLI.

Before You Start

  • The Mediatrix unit must be running a DGW v2.0.17.285 firmware or higher.
  • You must know the IP address of the unit running the DGW software.
  • You must have a PC running Wireshark.

Steps

  1. Open a command line interface.
  2. Enter the following command, replacing the password, username, and IP address according to your setup:
    ssh USERNAME@IP_ADDRESS "pcapture -raw -i any" | wireshark -k -i -

    Note

    any captures on all ETH ports. It is also possible to choose a specific port: ETH1, ETH2, ETH5, ETH1-4, ETH2-5, WAN, or LAN, depending on the type of unit.

Result

The pcapture command will be executed in the CLI and the result will be sent to a new Wireshark window on the PC running Wireshark.

1.4.1 Examples of pcapture Commands on macOS and Linux

Capture from the uplink interface of the Mediatrix unit, and filtering out the broadcast and multicast traffic.
ssh public@192.168.0.100 "pcapture -raw -i eth1 not broadcast and not multicast" | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets of the VLan for which the VlanId is 100 only.
ssh public@192.168.0.100 "pcapture -raw -i eth1.100" | wireshark -k -i -

Force the capture to interpret all packets as RTP packets. Typically, this is used with a filter that only keeps RTP packets.

ssh public@192.168.0.100 "pcapture -raw -i eth1 -T rtp " | wireshark -k -i -

Capture only RTP packets going through the Ethernet port eth1, using port 5006 only (either source or destination).

pcapture -raw -i eth1 -T rtp port 5006
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 only (either source or destination).
ssh public@192.168.0.100 "pcapture -raw -i eth1 port 5060 " | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 as the source only.
ssh public@192.168.0.100 "pcapture -raw -i eth1 src port 5060 " | wireshark -k -i -
Capture from the uplink interface of the Mediatrix unit, the packets going through the Ethernet port eth1, but using port 5060 as the destination only.
ssh public@192.168.0.100 "pcapture -raw -i eth1 dst port 5060 " | wireshark -k -i -
Capture the packets going through the Ethernet port eth1, for traffic for which the source or the destination is the unit with the 00:90:F8:07:5A:6D MAC address.
ssh public@192.168.0.100 "pcapture -i eth1 ether host 00:90:F8:07:5A:6D " | wireshark -k -i -
Capture the packets going through the Ethernet port eth1, for traffic for which the source or the destination is one of the units with the 10.5.128.11 or 10.5.128.4 IP addresses.
ssh public@192.168.0.100 "pcapture -i eth1 host 10.5.128.11 or host 10.5.128.4  " | wireshark -k -i -
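
When the remote command is assembled by a script rather than typed, the interface and filter end up inside a string that the unit's CLI parses, so they are worth validating first. The following added example (not Media5 code) does that for the commands above and writes the stream to a private file instead of a live Wireshark window; the function names and character allow-lists are assumptions, and only the `-raw -i` form shown on this page is built.

```shell
# Added example, not Media5 code. Function names, the character
# allow-lists and the output handling are assumptions of this sketch.

# Succeeds only if $1 consists solely of characters from the tr set $2.
# The trailing "x" sentinel keeps a stray newline from being stripped by
# command substitution and slipping through the check.
only_chars() {
    left=$(printf '%s' "$1" | LC_ALL=C tr -d "$2"; printf x)
    [ "$left" = x ]
}

# Interface names as used on this page: any, eth1, ETH1-4, eth1.100, WAN.
valid_iface() {
    case $1 in ''|-*) return 1 ;; esac   # empty, or would parse as an option
    only_chars "$1" 'A-Za-z0-9.-'
}

# The filters on this page need only letters, digits, spaces, dots, colons.
valid_filter() {
    only_chars "$1" 'A-Za-z0-9 .:'
}

# Print the remote command for IFACE and an optional FILTER.
build_pcapture_cmd() {
    valid_iface "$1" || { echo "rejected interface" >&2; return 1; }
    valid_filter "${2-}" || { echo "rejected filter" >&2; return 1; }
    printf 'pcapture -raw -i %s' "$1"
    if [ -n "${2-}" ]; then printf ' %s' "$2"; fi
    printf '\n'
}

# Save the capture to OUTFILE, created readable by the current user only.
# usage: capture_to_file USER@HOST OUTFILE IFACE [FILTER]
capture_to_file() {
    cmd=$(build_pcapture_cmd "$3" "${4-}") || return 1
    ( umask 077 && ssh "$1" "$cmd" > "$2" )
}
```

The saved file can be opened in Wireshark afterwards; stop the capture with Ctrl+C once enough packets have been collected.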

2 Available Documentation

For more details, refer to the Mediatrix Documentation.

3 Copyright Notice

Copyright © 2018 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.