Automating PCAP captures on Cisco VOS applications

Jeremy Worden
automate builders
Published in
4 min readOct 22, 2022


Back around version 11.x, Cisco introduced an enhanced packet capture tool for its VOS (Voice Operating System). You might know it better as the OS that powers:

  • CUCM
  • UCCX
  • CUC
  • IM&P

The new packet capture tool would rotate a set of files continuously on the server until you asked it to stop. This made it much easier to troubleshoot an intermittent issue. Once you were able to reproduce the issue and capture via the tool, you could download the files via RTMT and analyze via Wireshark.

Today we’re going to automate this process and introduce a new way to analyze the packet captures via Cloudshark.

To start off we will need NodeJS. You’ll want to download version 16.18.0 or higher. We will be using the fetch module that was first introduced in 16.18.0.

Next you need to clone the following repository from Github, (alternatively you can download the code here):

gh repo clone sieteunoseis/cisco-vos-cloudshark

You’ll need to have Github CLI installed for the above command to work. You may also need to log into Github as well via:

gh auth login

Once you’ve cloned the repository, navigate to the folder to install the necessary node modules using:

npm install

This will create a node_modules folder for you will all the necessary modules installed.

Next we will need an environmental variable file. On MacOS and Linux you can create one via:

touch .env 

You’ll need to add the following environmental variables (replace with your own values):


By default the script will capture for 5 minutes. To change this value update the COMMANDTIMEOUT variable. This is in milliseconds and has a max value of 2147483647, which is just over 24 days.

You’ll also need a Cloudshark account and API token. You can sign up for a free 30 day trial on the Cloudshark webpage.

After filling in all of the environmental variables you’ll then be about to run the script via:

npm run start

Script output should resemble this once completed:

npm run start> cisco-vos-cloudshark@1.0.1 start
> NODE_OPTIONS= — experimental-vm-modules NODE_NO_WARNINGS=1 NODE_TLS_REJECT_UNAUTHORIZED=0 node main.js
Script brought to you by:
____ ____ ____ ____ ____ ____ ____ ____
||A |||u |||t |||o |||m |||a |||t |||e ||
____ ____ ____ ____ ____ ____ ____ ____
||B |||u |||i |||l |||d |||e |||r |||s ||

Retrieving servers via AXL API.
Starting packet captures on 1 servers via ssh.
SSH: Connected to
SSH: Ready. Running command for 150 seconds. Press Ctrl-c to force connection closed.
SSH: Command `utils network capture-rotate file testcapture` finished after 150 seconds. Closing connection and exiting.
SSH: Connection ended.
SSH: Connection to closed.
Packet capture completed. Retrieving a list of files from server(s) via DIME API
Successfully found 1 files on servers. Attempting to retrieve via DimeGetFileService.
Successfully downloaded files via DIME. Attempting to upload to Cloudshark.
Successfully uploaded files to Cloudshark. View online via url:

You’ll then be able to open the Cloudshark link in your favorite browser using the link at the bottom of the script.

Cloudshark Analysis tools

Cloudshark has a bunch of analytical tools built in, including Zeek logs. You can also add per-packet annotations for any notes that you may want to share with colleagues. They also let you tag the packets. In the script we tag packets with the following: cisco, cucm.

Tag can be edited in the main.js file at the top.

Cloudshark tags

If you would like to support my work, you can always buy me a coffee. I would really appreciate it (but is not required).

Thanks and enjoy!