Mike's PBX Cookbook

PCAP Tools for Linux

PCAP Tools for Linux is a packet capture utility (sniffer) which can be useful to network engineers or snoopers. It is pre-installed on CS1K Rel.6/7.5 linux-base systems, and can be used to view SIP (and UNISTIM) messages, or to diagnose network problems.

Get Wireshark (freeware), if you haven't already, from: http://www.wireshark.org/download.html
Once installed, go to Preferences ➤ Protocols ➤ UNISTIM and set the UNISTIM UDP port to 5000.
This lets Wireshark decode the Nortel/Avaya phone messages instead of showing them as plain UDP.

UNIStim (Unified Networks IP Stimulus) is a proprietary Nortel (now Avaya) VoIP protocol. Further information: here, or here.

Log in to a CS1K Linux base element (UCM/Signaling Server) as either admin or admin2.

Use pcap config to set options such as ELAN or TLAN (default) monitoring, and the capture file size.

Unharden nettools, and start packet capture:

[admin@ss0 ~]$ harden nettools on
You are trying to set Hardening policy 'network tools' in less secure state.
Do you want to proceed? (Y/N) [Y]? y
Network tools are enabled.
[admin@ss0 ~]$ pcap start
Starting PCAP: 
       PCAP is stopped 
       Configuration file validated                        [PASSED]
       PCAP is starting 
PCAP successfully started                                  [  OK  ]
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1

While PCAP is running, all traffic on the monitored interface is written to the capture file.
When you have captured what you need, stop the capture, and harden nettools again:

[admin@ss0 ~]$ pcap stop
Stopping PCAP: 
       pcap is stopping                                    [  OK  ]
58 packets captured
PCAP successfully stopped                                  [  OK  ]
[admin@ss0 ~]$ harden nettools off
Network tools are disabled. 

Download the capture file from /var/opt/nortel/dfoTools/pcap via SFTP (e.g. with Transmit on macOS, or WinSCP on Windows), and open it in Wireshark. Note that capture files cannot be retrieved while PCAP is running.

To display only the telephony traffic, enter unistim in the filter box, and click Apply.
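As an added example (not part of the original page), a small Python parser that reads a libpcap file such as the one downloaded above and counts UNIStim frames (UDP port 5000, as configured in Wireshark) and SIP frames (port 5060, an assumption, not stated on the page), so a downloaded capture can be sanity-checked without Wireshark. The sample capture is constructed inside the block; the MAC and IP addresses are placeholders.

```python
import struct
UNISTIM_PORT = 5000  # the UNISTIM UDP port the page says to set in Wireshark
SIP_PORT = 5060      # standard SIP signalling port (assumed; not stated on the page)

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame (constructed test data, not real phone traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType 0x0800 = IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

def build_pcap(frames):
    """Wrap frames in a libpcap file: magic 0xa1b2c3d4, version 2.4, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def iter_udp(pcap_bytes):
    """Yield (src, dst, sport, dport, payload) for each IPv4/UDP frame in a libpcap file."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    fmt = "<IIII" if magic == 0xa1b2c3d4 else ">IIII"  # record headers use the writer's byte order
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(fmt, pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # keep only IPv4 (EtherType 0x0800) carrying protocol 17 (UDP) with a full Eth+IP+UDP header
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        yield src, dst, sport, dport, udp[8:ulen]

def telephony_summary(pcap_bytes):
    """Count frames per signalling protocol: the offline equivalent of Wireshark's 'unistim' filter."""
    counts = {"unistim": 0, "sip": 0, "other": 0}
    for _, _, sport, dport, _ in iter_udp(pcap_bytes):
        ports = (sport, dport)
        counts["unistim" if UNISTIM_PORT in ports else "sip" if SIP_PORT in ports else "other"] += 1
    return counts

# Constructed sample capture: two UNIStim frames, one SIP INVITE, one unrelated DNS query.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.10", "10.0.0.1", 5000, 5000, b"\x00\x00\x00\x00"),
    build_packet("10.0.0.1", "10.0.0.10", 5000, 5000, b"\x00\x00\x00\x00"),
    build_packet("10.0.0.11", "10.0.0.2", 5060, 5060, b"INVITE sip:2001@10.0.0.2 SIP/2.0\r\n"),
    build_packet("10.0.0.11", "10.0.0.53", 40000, 53, b"\x00"),
])
```

The classification is by UDP port only; decoding the UNIStim messages themselves is still Wireshark's job.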