There are situations where having the ability to do packet captures in various places is required to troubleshoot an issue properly. This article is meant to provide essential guidance on properly taking a packet capture.

Basic definition

A Packet Capture (pcap) contains raw networking data and is typically used for troubleshooting. When you take a packet capture, you are storing the real-time Network traffic to a file so it can be analyzed later or by someone that doesn't have access to that Network.

When is a packet capture needed?

Packet captures on the customer's Network are typically required when we believe there is an issue on the customer's end. SkySwitch only has visibility on packets as they enter and leave our Network, but we do not have visibility into the Customer's Network.

When the issue is on the customer premise, packet captures are useful to determine who is at fault for the problem (Phone, Firewall, Modem, ISP, etc.).

What tool do you recommend to take and analyze packet captures?

We recommend using Wireshark regardless of your platform. Don't worry, you don't need to be able to read this information. Our Support team can help!

https://www.wireshark.org/

Understanding where and how to take a packet capture

Wireshark is only useful for taking packet captures if the traffic you are wanting to see is passing through the device where you are doing your capture, or your device and Endpoint have the ability to do a Remote packet capture.

If Wireshark is running on your computer, you will only see traffic that is sent to and from your computer. This includes traffic meant for your computer, as well as Broadcast and Multicast traffic. In a typical network environment, you will not be able to see phone traffic by default because the data does not pass through to your computer.

So without any additional set up, using your computer to take packet captures will only be useful for

  • Trying to capture SIP/Voice data that is generated on your computer like a Softphone.
  • Analyzing Multicast traffic

Port Mirroring

If you are using a Smart Switch, you likely have the ability to do Port Mirroring. Port mirroring takes all (or part) of the traffic from one port and sends it to another port. This allows you to replicate phone traffic and send a copy to the Computer.

Switch set up will vary by manufacturer, so please see your switches documentation for how to set up Port Mirroring.

Port mirroring can also be useful to see traffic as it comes into the Network by putting a smart switch in between the Firewall and Modem.

Taking the Wireshark Capture

When you open Wireshark, select the Network interface that you want to capture and press the shark fin button to start the capture.

To stop simply press the red stop button, you can save these packets using the File menu > Save options.

Where else can I take packet captures?

You don't necessarily need Wireshark to take a packet capture, many Networking devices (including VoIP phones) have the ability to take packet captures directly from their Web UI. Phones might also have the ability to replicate their traffic to the PC Port.

Yealink

Yealink gives you the ability to create a packet capture from the WebUI or by using Span to PC.

Web UI

You can take a packet capture from your Yealink phone by logging into the WebUI and navigating to Settings > Configuration. Select Standard or Enhanced, start the packet capture, replicate the issue and stop the packet capture.

Standard: Captures Traffic and stores it in the phone's local memory until the capture is done.

Enhanced: Streams packets to the browser until the capture is done. This option allows for longer packet captures.

Span to PC

This option takes all traffic from the Internet port on the Yealink and duplicates to the PC Port. In this case, you could plug a computer into the PC port and use Wireshark to capture traffic on the appropriate interface.

Toggling SPan to PC can also be achieved using the following NDP override.

network.span_to_pc_port="1"

Polycom

Polycom does not have the ability to create packet captures from the Web UI but is capable of doing Remote packet captures if you have a Windows Computer.  

See this article for more information.

Snom/Vtech

Web UI

You can take a packet capture from your Snom or Vtech (D-Series Phone) by logging into the WebUI and navigating to Settings > PCAP Trace. Press 'Start' to start the packet capture, replicate the issue and stop the packet capture.


Grandstream GXP

Web UI

You can take a packet capture from your on your Grandstream GXP Phone by logging into the WebUI and navigating to 'Maintenance' > 'Packet Capture'. 

You can write packets to internal storage (to be downloaded when finished) or to a USB Flash Drive if there is a USB port on your model phone.

Select 'Yes' to 'With RTP Packets' if you are trying to capture audio.

Press 'Start' to start the packet capture, replicate the issue and stop the packet capture then download.