Packet Capture Guide


Introduction

Setting up a packet capture may be necessary when troubleshooting IP phone connectivity or call quality issues. This guide describes how to set up a packet capture, remotely or locally, using the commonly known Wireshark tool or its subcomponent, Dumpcap.

Please note, due to encrypted RTP present in webRTC traffic, this guide is NOT applicable to Sharpen Q phone if we’re looking to capture and interpret audio quality. For call quality concerns related to Sharpen Q phone, please refer to the webRTC-internals guide. Signaling and general RTP availability concerns through Sharpen Q Phone can still benefit from this guide.

What is Wireshark?

Wireshark is a commonly used tool to capture inbound and outbound traffic from a designated network interface. The captured data is then used to provide historical troubleshooting material for the SharpenCare team. The tool is distributed in an open source model, free of charge.

Wireshark comes with a visual interface meant to capture and analyze the data in real time. The capture can be viewed live or saved for archival. Data will only be captured while the application is running, and after capturing has been manually initiated on the defined capture interface. Data can be filtered at the time of capture, so data shared with the SharpenCare team contains only necessary data. Wireshark capture filters are clearly documented here.

This method is best used for events which are reproducible on demand.

What is Dumpcap?

Dumpcap is a CLI sub-component of Wireshark, which can be run without launching the full Wireshark user interface. It captures traffic specified by predefined capture filters on a user-defined network interface. We use Dumpcap for its minimal resource utilization and automation capabilities. Using a simple batch script, a Windows scheduled task is configured to initiate dumpcap.exe with our specified capture filter. Once set up, users can continue without disruption while the capture gathers the information we need. You’ll see the application running as “dumpcap.exe” in Windows Task Manager following successful setup.

Once the necessary data has been captured, the process can be removed via the uninstall script. Logs can then be gathered and sent to the SharpenCare team. Like Wireshark, capture filters are configurable. By default, our dumpcap script captures only traffic sent or received to/from the Sharpen network and Google STUN resources.

This method is best used for incidents which are not easy to predict. You can set up the logging, wait for the issue to happen, and then gather the logs. Log files are stored with date/time references to allow for historical use. The script is configured to retain the last 50 files of ~90 MB each. Once the 50th file is written, the 1st is replaced with what would be the 51st. This allows for a reasonable history of events without exhausting storage.

Prerequisites

Windows Desktop

A Windows desktop with administrator privileges is necessary for the setup and install of Wireshark. In addition, the Dumpcap script, which leverages Windows Task Scheduler, requires administrator privileges to execute.

Wireshark

Wireshark provides the mechanism for capturing pcap data.

Dumpcap Script

Capture script configured to gather Sharpen traffic from the client workstation.

Sharpen Q phone

Included as part of Sharpen Q, the webRTC-based soft-phone client built into Sharpen Q will be necessary if we’re tracking down audio issues within Sharpen Q.

SIP soft-phone

SIP soft-phone is necessary if you’re looking to troubleshoot audio quality issues. This allows for RTP to be captured in an unencrypted manner, giving us clear insight into the performance of the call from the client perspective.

Polycom Phone

Supported phone for live capturing via steps provided. Yealink phones have an alternate capture method referenced here.

Setup

Sharpen Q Phone - Rolling Capture

This method is useful for most capture scenarios. It involves setting up Wireshark, setting up the dumpcap script, and capturing the issue.

Please note, due to encrypted RTP present in webRTC traffic, the information gathered will not allow us to interpret the audio signal while diagnosing audio quality issues with Sharpen Q phone. For additional granularity in troubleshooting call quality concerns related to Sharpen Q phone, please refer to the webRTC-internals guide. Signaling and general RTP availability troubleshooting efforts for Sharpen Q Phone can still benefit from gathering this information.

Setup Wireshark - Download

  1. Download the appropriate installer for the Operating System in use

  2. Run the installer

  3. Leave defaults for Selected Components

  4. Leave defaults for Additional Tasks

  5. Install to C:\Program Files\Wireshark

  6. Check the box to validate “Install Npcap…” is selected

  7. Skip USB Capture and Click Install

Dumpcap script

  1. Download the DumpcapSetup here

  2. Extract the contents

  3. Double click the “Install.bat” script

    1. You will likely be prompted by Windows Defender indicating “Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.” – This is expected since the batch file was not created local to the machine in use.

    2. Click the “More info” link, then choose “Run anyway”

  4. User Account Control will prompt for elevated permissions. Continue or enter Administrator credentials to continue

  5. Observe the text at the top of the command prompt window. It will display all the observed network interfaces available to dumpcap, and will launch the Windows Network Connections control panel

  6. Input the corresponding numeric entry associated with the active network interface handling Sharpen traffic.

    1. Tip: In most cases, multiple network adapters will show. Choose the one which has the name matching the “Connected” status. Unless the machine is connected to multiple networks simultaneously, this will be the active adapter.

    2. Please also note that dumpcap’s identification of network adapters by ID can change upon reboot. The initial setup of this script sets the ID statically. So, if the ID changes, the capture will not work. If possible, it is best to disable all but the necessary (“Connected”) network interface for the duration of the data gathering.

    3. Here’s an example from a machine with a few virtual adapters, a VPN, and a bridged WiFi connection. In this case, the bridge is the active connection, so option “1” would be chosen in the command prompt.

  7. Press Enter

  8. Setup is now complete

  9. Validate logs are capturing

    1. Navigate to Desktop\DumpCap\Captures

    2. Observe whether file(s) such as the following exist

      1. file_00001_20181101115841.pcap

      2. File size is only expected to increase once audio traffic to/from Sharpen commences
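
An added example (not the DumpcapSetup script, whose contents are not shown on this page) of a rolling capture that avoids the changing interface ID noted in step 6 by passing dumpcap the adapter's Npcap device name instead of its list number. The adapter name `Wi-Fi` and the capture filter are placeholders; the ring-buffer values follow the 50 files of ~90 MB described above.

```powershell
# Added example, not the DumpcapSetup Install.bat. Run from an elevated PowerShell prompt.
param(
    [string]$AdapterName   = 'Wi-Fi',             # hypothetical; use the adapter shown as "Connected"
    [string]$CaptureFilter = 'net 192.0.2.0/24'   # PLACEHOLDER range; use the filter SharpenCare provides
)

$dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'   # install path used in this guide
$outDir  = Join-Path $env:USERPROFILE 'Desktop\DumpCap\Captures'

# Resolve the adapter by name and require that it is actually up.
$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$AdapterName' is $($adapter.Status), not Up."
}

# Npcap exposes each adapter as \Device\NPF_{GUID}. The GUID belongs to the
# adapter itself, so it does not depend on dumpcap's list order.
$device = '\Device\NPF_' + $adapter.InterfaceGuid

# Confirm dumpcap can see that device before starting the capture.
$listed = (& $dumpcap -D 2>&1 | ForEach-Object { "$_" }) -join "`n"
if ($listed.IndexOf($device, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
    throw "dumpcap does not list $device. Check that Npcap is installed."
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$dcArgs = @(
    '-i', $device,              # device name instead of a numeric ID
    '-f', $CaptureFilter,       # capture only the traffic of interest
    '-b', 'filesize:90000',     # rotate at ~90 MB (value is in kB)
    '-b', 'files:50',           # keep 50 files; the oldest is overwritten
    '-w', (Join-Path $outDir 'file.pcap')
)

# Produces names such as file_00001_20181101115841.pcap in $outDir.
& $dumpcap @dcArgs
```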

SIP Soft Phone - Rolling Capture

This method is useful for scenarios where we’re trying to assess call quality concerns. It involves setting up Wireshark, installing and configuring a soft-phone, setting up the dumpcap script, and capturing the issue.

Setup Wireshark - Download

  1. Download the appropriate installer for the Operating System in use

  2. Run the installer

  3. Leave defaults for Selected Components

  4. Leave defaults for Additional Tasks

  5. Install to C:\Program Files\Wireshark

  6. Check the box to validate “Install Npcap…” is selected

  7. Skip USB Capture and Click Install

SIP Soft-phone

  1. Download your preferred soft-phone (MicroSIP or Zoiper recommended)

  2. Install soft-phone

  3. Navigate to https://app.sharpencx.com/admin/configuration/extensions/

  4. Locate your extension and choose the edit button

  5. Take note of your “username”, “password”, and “Server Address” fields. Leave this page up to copy paste from.

  6. Register soft-phone with the noted information

    1. Zoiper setup

    2. MicroSIP setup

Dumpcap script

  1. Download the DumpcapSetup here

  2. Extract the contents

  3. Double click the “Install.bat” script

    1. You will likely be prompted by Windows Defender indicating “Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.” – This is expected since the batch file was not created local to the machine in use.

    2. Click the “More info” link, then choose “Run anyway”

  4. User Account Control will prompt for elevated permissions. Continue or enter Administrator credentials to continue

  5. Observe the text at the top of the command prompt window. It will display all the observed network interfaces available to dumpcap, and will launch the Windows Network Connections control panel

  6. Input the corresponding numeric entry associated with the active network interface handling Sharpen traffic.

    1. Tip: In most cases, multiple network adapters will show. Choose the one which has the name matching the “Connected” status. Unless the machine is connected to multiple networks simultaneously, this will be the active adapter.

    2. Please also note that dumpcap’s identification of network adapters by ID can change upon reboot. The initial setup of this script sets the ID statically. So, if the ID changes, the capture will not work. If possible, it is best to disable all but the necessary (“Connected”) network interface for the duration of the data gathering.

    3. Here’s an example from a machine with a few virtual adapters, a VPN, and a bridged WiFi connection. In this case, the bridge is the active connection, so option “1” would be chosen in the command prompt.

  7. Press Enter

  8. Setup is now complete

  9. Validate logs are capturing

    1. Navigate to Desktop\DumpCap\Captures

    2. Observe whether file(s) such as the following exist

      1. file_00001_20181101115841.pcap

      2. File size is only expected to increase once audio traffic to/from Sharpen commences

Retrieval, Analysis, and Removal

Once an event has been captured, the logs from the capture must be retrieved and sent to SharpenCare for analysis. Follow the steps below to gather and send the logs to Sharpen.

  1. Navigate to the original extraction point of the DumpcapSetup.zip

  2. Locate the “Uninstall.bat” file and double-click

  3. User Account Control will prompt for elevated permissions. Continue or enter Administrator credentials to continue

  4. Navigate to Desktop\DumpCap\Captures

  5. Identify the proper capture associated with the incident

    1. Date and time can be interpreted by observing the file name

      1. file_00001_20181101115841.pcap

        1. Year, Month, Day, Hour, Minute, Second in the file name indicate the start time of the file. The Date Modified column in File Explorer indicates the end time of the file.

  6. Copy the identified packet capture file

  7. Upload the file to a cloud storage solution such as Google Drive, OneDrive, Dropbox, etc.

  8. Provide public link to Sharpen in SharpenCare case

  9. Sharpen will analyze the capture in conjunction with server-side captures to help reach root cause understanding.
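
Step 5 above, as an added example that is not part of DumpcapSetup: it reads the start time from each file name, uses the last-write time as the end time, and returns the capture that spans a given incident time along with its SHA-256 hash. The function name and the incident time are constructed for illustration, and the incident time is assumed to be in the workstation's local time.

```powershell
# Added example, not part of DumpcapSetup. Run after Uninstall.bat so the files are closed.
function Find-CaptureForIncident {
    param(
        [Parameter(Mandatory)][datetime]$Incident,   # incident time, workstation local time
        [string]$Dir = (Join-Path $env:USERPROFILE 'Desktop\DumpCap\Captures')
    )

    foreach ($f in Get-ChildItem -Path $Dir -Filter 'file_*.pcap' -File) {
        # Ring-buffer names look like file_00001_20181101115841.pcap
        if ($f.Name -notmatch '^file_\d+_(\d{14})\.pcap$') { continue }

        # Start time comes from the name, end time from Date Modified.
        $start = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss',
                                        [cultureinfo]::InvariantCulture)
        $end   = $f.LastWriteTime

        if ($Incident -ge $start -and $Incident -le $end) {
            [pscustomobject]@{
                File   = $f.FullName
                Start  = $start
                End    = $end
                SizeMB = [math]::Round($f.Length / 1MB, 1)
                SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Constructed incident time for illustration.
Find-CaptureForIncident -Incident '2018-11-01 12:05:00' | Format-List
```

Including the SHA-256 value in the SharpenCare case lets the recipient confirm that the file downloaded from cloud storage is the one taken from the workstation.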

Polycom Live Capture

This method is useful if you’re able to reproduce an issue on demand and are using a Polycom phone. It involves enabling an optional setting on the phone and capturing the phone’s stream remotely via Wireshark.

Setup Polycom phone

  1. Identify the IP address of your Polycom phone (Settings>Status>Network>TCP/IP Parameters)

  2. In a web browser, enter https://x.x.x.x (e.g. https://10.0.5.68) to navigate to your web configuration for the phone

  3. Depending on your browser, you will see a variation of a security warning. Choose to proceed to the web page

  4. Authenticate using Admin as the user, and 6311 as the password

  5. Navigate to Utilities > Import & Export Configuration

  6. Import the pcap_on.cfg file from here (To disable capturing after work is complete, import the pcap_off.cfg file)

  7. Reboot phone

Setup Wireshark - Download

  1. Download the appropriate installer for the Operating System in use

  2. Run the installer

  3. Leave defaults for Selected Components

  4. Leave defaults for Additional Tasks

  5. Install to C:\Program Files\Wireshark

  6. Check the box to validate “Install WinPcap…” is selected

  7. Skip USB Capture and Click Install

Capture

  1. Launch Wireshark

  2. Navigate to Capture>Options

  3. Choose “Manage Interfaces”

  4. Select the “Remote Interfaces” tab

  5. Click the “+” button

  6. Enter the IP address of your Polycom phone

  7. Enter 2002 in the Port: field

  8. Choose the Password authentication radio button

  9. Enter Polycom for the Username:

  10. Enter the MAC address of the phone (without colons or spaces, all lowercase) for the Password:

  11. Press OK

  12. You may see 2 new interfaces. If this is the case, choose the one which has a collapsed sub-item which identifies as the phone’s IP address

  13. Press Start

  14. Reproduce issue

  15. Press the Stop button at the top left of the interface

  16. Choose File>Save As… to save the packet capture.

  17. Send capture to SharpenCare
