Automating PCAP captures on Cisco VOS applications

Jeremy Worden
Published in automate builders · 4 min read · Oct 22, 2022

Back around version 11.x, Cisco introduced an enhanced packet capture tool for its VOS (Voice Operating System). You might know it better as the OS that powers:

  • CUCM
  • UCCX
  • CUC
  • IM&P

The new packet capture tool would rotate a set of files continuously on the server until you asked it to stop. This made it much easier to troubleshoot an intermittent issue. Once you were able to reproduce the issue and capture via the tool, you could download the files via RTMT and analyze via Wireshark.

Today we’re going to automate this process and introduce a new way to analyze the packet captures via Cloudshark.

To start off we will need NodeJS. You’ll want to download version 16.18.0 or higher. We will be using the fetch module that was first introduced in 16.18.0.

Next you need to clone the following repository from GitHub (alternatively, you can download the code here):

gh repo clone sieteunoseis/cisco-vos-cloudshark

You’ll need to have the GitHub CLI installed for the above command to work. You may also need to log into GitHub via:

gh auth login

Once you’ve cloned the repository, navigate to the folder to install the necessary node modules using:

npm install

This will create a node_modules folder for you with all the necessary modules installed.

Next we will need an environment variable file. On macOS and Linux you can create one via:

touch .env 

You’ll need to add the following environment variables (replace with your own values):

PUBLISHER="10.10.20.1"
USERNAME="administrator"
PASSWORD="ciscopsdt"
VERSION="14.0"
COMMANDTIMEOUT="150000"
FILENAME="testcapture"
CLOUDSHARKAPI=""

By default the script will capture for 5 minutes. To change this value update the COMMANDTIMEOUT variable. This is in milliseconds and has a max value of 2147483647, which is just over 24 days.
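As an added example (not the cisco-vos-cloudshark repository's own code), here is how the .env values above can be parsed and checked before they are used: FILENAME ends up inside the `utils network capture-rotate file` command sent over SSH, and COMMANDTIMEOUT has the timer limit just mentioned. The function and variable names, the character set allowed in FILENAME and the 1 second minimum are assumptions.

```javascript
// Added example (not the repository's code); names and limits are assumptions.
const MAX_TIMEOUT_MS = 2147483647; // largest timer value, as noted above

// Parse KEY="value" lines; quotes are optional and '#' starts a comment.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|'([^']*)'|(.*))$/);
    if (m) env[m[1]] = m[2] ?? m[3] ?? m[4].trim();
  }
  return env;
}

// Return a validated capture plan, or throw on the first problem found.
function buildCapturePlan(env) {
  for (const k of ['PUBLISHER', 'USERNAME', 'PASSWORD', 'VERSION', 'COMMANDTIMEOUT', 'FILENAME']) {
    if (!env[k]) throw new Error(`missing ${k}`);
  }
  if (!/^[A-Za-z0-9.-]+$/.test(env.PUBLISHER)) throw new Error('PUBLISHER must be an IP or hostname');
  // FILENAME is spliced into a CLI command sent over SSH, so only accept a
  // conservative character set instead of trusting the file contents.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(env.FILENAME)) {
    throw new Error('FILENAME may only contain letters, digits, "_" and "-"');
  }
  if (!/^\d+$/.test(env.COMMANDTIMEOUT)) throw new Error('COMMANDTIMEOUT must be an integer (ms)');
  const timeoutMs = Number(env.COMMANDTIMEOUT);
  if (timeoutMs < 1000 || timeoutMs > MAX_TIMEOUT_MS) {
    throw new Error(`COMMANDTIMEOUT must be between 1000 and ${MAX_TIMEOUT_MS} ms`);
  }
  return {
    host: env.PUBLISHER,
    command: `utils network capture-rotate file ${env.FILENAME}`,
    timeoutMs,
    durationSeconds: Math.round(timeoutMs / 1000),
    uploadToCloudshark: Boolean(env.CLOUDSHARKAPI), // empty token means skip the upload
  };
}

// Constructed sample in the same layout as the .env file above.
const SAMPLE_ENV = `PUBLISHER="10.10.20.1"
USERNAME="administrator"
PASSWORD="ciscopsdt"
VERSION="14.0"
COMMANDTIMEOUT="150000"
FILENAME="testcapture"
CLOUDSHARKAPI=""
`;
```

Calling `buildCapturePlan(parseEnv(SAMPLE_ENV))` yields the command and a 150 second duration, while a FILENAME containing shell metacharacters or a COMMANDTIMEOUT above the limit is rejected before anything is sent to the server.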

You’ll also need a Cloudshark account and API token. You can sign up for a free 30 day trial on the Cloudshark webpage.

After filling in all of the environment variables you’ll then be able to run the script via:

npm run start

Script output should resemble this once completed (note that the start script sets NODE_TLS_REJECT_UNAUTHORIZED=0, so the AXL and DIME HTTPS calls do not validate the server certificate):

npm run start

> cisco-vos-cloudshark@1.0.1 start
> NODE_OPTIONS=--experimental-vm-modules NODE_NO_WARNINGS=1 NODE_TLS_REJECT_UNAUTHORIZED=0 node main.js
Script brought to you by:
____ ____ ____ ____ ____ ____ ____ ____
||A |||u |||t |||o |||m |||a |||t |||e ||
||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
____ ____ ____ ____ ____ ____ ____ ____
||B |||u |||i |||l |||d |||e |||r |||s ||
||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|


Retrieving servers via AXL API.
Starting packet captures on 1 servers via ssh.
SSH: Connected to 10.10.20.1.
SSH: Ready. Running command for 150 seconds. Press Ctrl-c to force connection closed.
SSH: Command `utils network capture-rotate file testcapture` finished after 150 seconds. Closing connection and exiting.
SSH: Connection ended.
SSH: Connection to 10.10.20.1 closed.
Packet capture completed. Retrieving a list of files from server(s) via DIME API
Successfully found 1 files on servers. Attempting to retrieve via DimeGetFileService.
Successfully downloaded files via DIME. Attempting to upload to Cloudshark.
Successfully uploaded files to Cloudshark. View online via url:
https://www.cloudshark.org/captures/472e67eb0862

You’ll then be able to open the Cloudshark link printed at the bottom of the script output in your favorite browser.

Cloudshark Analysis tools

Cloudshark has a bunch of analytical tools built in, including Zeek logs. You can also add per-packet annotations for any notes that you may want to share with colleagues. They also let you tag the packets. In the script we tag packets with the following: cisco, cucm.

Tags can be edited at the top of the main.js file.

Cloudshark tags

If you would like to support my work, you can always buy me a coffee. I would really appreciate it (but it is not required).

Thanks and enjoy!
