Acquire a Packet Capture

Last modified by michaely on 2021/09/10 22:40

When troubleshooting issues related to the communication between iSymphony and Asterisk, we may need to get a packet capture to verify the exact information iSymphony is sending to and receiving from Asterisk. This will help us determine whether iSymphony or Asterisk is misbehaving, how it is misbehaving, and what an appropriate solution should be. 

Quickstart

The command below will use the most common options. See the Step-by-step guide for full details:

 tcpdump -i lo -s 0 -C 50 -W 5 -w isymphony.pcap tcp port 5038

This will create pcap files that we will need to examine. 

When running the command above, you may get a "Permission Denied" message even though you are running as the root user. This happens because tcpdump drops root privileges before it opens the output files. To resolve this, add the -Z root parameter after tcpdump.

Step-by-step guide

We will use a command called tcpdump to perform the packet capture. If you're already familiar with tcpdump, you can skip to the end of the guide to see the recommended set of flags, and reference the steps below to clarify any unknown flags. 

  1. Interface: First, determine which interface you'll need to monitor:
    1. If iSymphony is installed on the same server as Asterisk, this will be the lo interface. 
    2. If iSymphony is running on a separate server, this will be the interface over which iSymphony connects to Asterisk. In most situations, this will be the eth0 interface. 
    3. If you're not sure, the following command will tell you which interface is currently being used. Be sure to replace the <asterisk_hostname> tag with the actual hostname of your Asterisk server.

      ip route get $(getent ahosts <asterisk_hostname> | head -1 | awk '{print $1}') | grep -Po '(?<=(dev )).*(?= src)'
  2. Port: Next, determine what port to monitor:
    1. If we ask for a packet capture between iSymphony and Asterisk, use port 5038.
    2. If we ask for a packet capture between an iSymphony server and an iSymphony remote agent, use port 51000.
  3. Size Constraints: Next, determine an appropriate size limit. This will be dependent on how busy your phone system is, how quickly you can stop the capture after the problem occurs, and how much available disk space you have. We will provide two separate parameters to the packet capture command to control the size limit. First, the -C flag will limit the size of one file created by the packet capture. Second, the -W flag will limit how many total files (each with the size defined with -C) are retained. Using these two parameters, the tcpdump command will automatically rotate capture files up to the limit. Here are some general guidelines to pick an appropriate size:
    1. As a starting point, we typically recommend a 5 file limit, with up to 50MB per file. Thus, -C should be 50, and -W should be 5.
    2. If the problem is easily reproducible, and you can stop the packet capture quickly after the issue occurs, you can probably set the limits lower. Keep in mind, though, that the limits are limits, and if you stop the capture before reaching the limits, it won't use the full size of the limits anyway.
    3. If the phone system is low-traffic, the packet capture will grow more slowly, and the limits can be set lower.
    4. If the phone system is high-traffic but you can stop the capture quickly after the issue happens, the capture size can be smaller than otherwise necessary on a high-traffic system.
    5. If the phone system is high-traffic and it may take some time before you can stop the capture after the issue occurs (for example, if it crashes overnight), the limits may need to be set higher, provided sufficient disk space is available. 
  4. Run the command: With that information collected, you're ready to run the command below to perform the packet capture. Note that tcpdump will run in the foreground, so you'll need to either run the command in a separate terminal/ssh session, or use a terminal multiplexer like screen to disconnect and reconnect to it as needed. 

    tcpdump -i <interface> -C <filesize_limit> -W <files_limit> -w isymphony.pcap tcp port <port>

    Be sure to replace the <interface>, <filesize_limit>, <files_limit>, and <port> placeholders with their appropriate values as determined above.

  5. Stop the command: Once the issue has occurred, press Ctrl+C to stop the capture. 
  6. Upload the files: You will now have several new files in the current directory, named isymphony.pcap, isymphony.pcap1, etc. We will need a copy of those files. If they are too large to attach to an email, please upload them to a file host for us to access. 
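
As an added example (not part of the original guide or of iSymphony's own tooling), the shell helper below walks steps 1 to 4: it pulls the interface out of `ip route get` output, checks that the worst-case capture size (-C times -W) fits in free disk space, and prints the tcpdump command. The function names, the sample route line, and the restriction to the guide's two ports are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): pre-flight checks for the capture steps.

# Step 1: read `ip route get` output on stdin and print the interface after "dev".
iface_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Step 3: worst-case disk use in MB; tcpdump retains at most -W files of -C MB each.
capture_budget_mb() {
    echo $(( $1 * $2 ))
}

# Free space in MB on the filesystem that holds directory $1.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Step 4: validate the inputs, then print the tcpdump command from the guide.
# Args: interface port filesize_limit files_limit [free_mb, default: current dir]
build_capture_cmd() {
    local iface="$1" port="$2" size="$3" files="$4" free="${5:-$(free_mb .)}" n need
    case "$iface" in
        ''|*[!A-Za-z0-9._:-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case "$port" in
        5038|51000) ;;  # the two ports this guide names (Asterisk, remote agent)
        *) echo "unexpected port: $port" >&2; return 1 ;;
    esac
    for n in "$size" "$files"; do
        case "$n" in
            ''|0*|*[!0-9]*) echo "limits must be positive integers" >&2; return 1 ;;
        esac
    done
    case "$free" in
        ''|*[!0-9]*) echo "cannot determine free disk space" >&2; return 1 ;;
    esac
    need=$(capture_budget_mb "$size" "$files")
    if [ "$need" -ge "$free" ]; then
        echo "capture may need ${need} MB, only ${free} MB free" >&2; return 1
    fi
    echo "tcpdump -i $iface -C $size -W $files -w isymphony.pcap tcp port $port"
}

# Constructed sample of `ip route get` output for a separate Asterisk server.
sample_route='192.0.2.10 via 192.0.2.1 dev eth0 src 192.0.2.20 uid 0'
iface=$(printf '%s\n' "$sample_route" | iface_from_route)
build_capture_cmd "$iface" 5038 50 5 || true
```

On a live system, feed step 1 with the guide's own lookup, for example `ip route get <address> | iface_from_route`, and run the printed command from the directory where the capture files should be written.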
