Blast from the past! I have tried to follow something very similar to this (didn't use an access-list) on some Adtrans I have in the field. Some are 908Es, some Netvantas 6300. When I do this, I can certainly see tons of data, can convert it with text2pcap but not much I could identify as SIP when I know there is SIP running through the box. Am using the Adtrans SIP proxy - not sure if this has anything to do with it? Anyone seen anything similar? From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Brad Anouar Sent: Thursday, September 22, 2011 6:54 PM To: 'Zak Rupas'; voiceops at voiceops.org Subject: Re: [VoiceOps] TCPDump on an Adtran TA908E Hi Zak, The following is the whole procedure on how to obtain and convert a packet capture to a pcap file.

From the command line, we have the ability to look at every packet coming in and out of the router, along with the ability to limit that debug with an access-list. This is best done from a telnet or SSH session, as the console can drop some of the output due to a limited buffer size.

It is preferable to not have any other messages pop up that may interfere with the capture text. The events and any other debugs should be turned off before performing this debug. This can be done with the following commands: Router# no events Router# undebug all The general command is: <> = optional Router# debug ip packet <access-list name> <detail / dump> NOTE: It is not recommended to run this command without referencing an access-list. --------------------------------------------------- To limit the traffic to and from a particular peer: ip access-list extended test permit ip any host <IP in question> permit ip host <IP in question> any For example: ip access-list extended test permit udp host 192.168.40.22 any eq 5060 debug ip packet test detail debug ip packet test dump --------------------------------------------------- If you desire to see more than what 'detail' provides, choosing 'dump' will output the entire packet in text form. This can be copied to a text document and converted to an actual packet capture. The program Wireshark (www.wireshark.org) comes with a utility known as Text2Pcap. Copy (text2pcap.exe) from the Wireshark folder to a root drive, as well as the text file. Run the following command from a DOS prompt: text2pcap.exe -e 0x800 <Text Filename> <Capture Filename to Create (extension .pcap)> The capture file can then be opened in Wireshark. If the unit is running a firewall, you will probably see every packet twice (once entering the firewall & once leaving, depending on the ACL you are using); the second may be after a NAT process if NAT is enabled. If the traffic is across a VPN, the second packet will not be seen since it enters/leaves the router encapsulated in VPN. Brad Anouar | Anywhere (310) 360-2028 | Corporate (800) 942-4700 | <http://www.broadcore.com/> www.broadcore.com From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Zak Rupas Sent: Thursday, September 22, 2011 3:24 PM To: voiceops at voiceops.org Subject: [VoiceOps] TCPDump on an Adtran TA908E Does anyone know the TCP Dump commands for the Adtran TA908e CLI? Thanks- Zak Rupas Tier 3 Engineer Support: 303-242-8606 option 1 Like SimpleSignal on <http://www.facebook.com/SimpleSignal> Facebook ! SimpleSignal Inc. 3600 S. Yosemite Street Suite 150 Denver, CO 80237 Description: Description: Description: cid:image001.png at 01CBDE2D.5E1CC730

Yes I can.I just ran them in parallel - 'debug sip stack message' on one vty session and 'debug ip packet dump' on another and messages gathered on the sip debug are missing from the IP debug. Even tried to look at the raw text file for call-ids and such and they are not there. *scratches head* Not sure whats up here. Only thing I could think was that the Adtran proxy was doing something funky. Christian Pena | Engineering EarthLink Business www.earthlinkbusiness.com <http://www.earthlinkbusiness.com/> E: christian.pena at corp.earthlink.com O: 786-363-0460 | F: 786-363-0206 From: Zak Rupas [mailto:zak at simplesignal.com] Sent: Friday, November 09, 2012 4:30 PM To: Pena, Christian; Brad Anouar; voiceops at voiceops.org Subject: RE: [VoiceOps] TCPDump on an Adtran TA908E Christian Sorry I have not seen something similar. I personally was able to use the below steps and get a working pcap for wirewhark. Can you see SIP messaging when you run a normal debug on the Adtran in the CLI? Thanks- Zak Rupas | Tier 3 Engineer Support Line 303-242-8616 Option 1 www.simplesignal.com <http://www.simplesignal.com/> From: Christian Pena [mailto:christian.pena at corp.earthlink.com] Sent: Friday, November 09, 2012 2:06 PM To: 'Brad Anouar'; 'Zak Rupas'; voiceops at voiceops.org Subject: RE: [VoiceOps] TCPDump on an Adtran TA908E Blast from the past! I have tried to follow something very similar to this (didn't use an access-list) on some Adtrans I have in the field. Some are 908Es, some Netvantas 6300. When I do this, I can certainly see tons of data, can convert it with text2pcap but not much I could identify as SIP when I know there is SIP running through the box. Am using the Adtrans SIP proxy - not sure if this has anything to do with it? Anyone seen anything similar? From: voiceops-bounces at voiceops.org [ mailto:voiceops-bounces at voiceops.org] On Behalf Of Brad Anouar Sent: Thursday, September 22, 2011 6:54 PM To: 'Zak Rupas'; voiceops at voiceops.org Subject: Re: [VoiceOps] TCPDump on an Adtran TA908E Hi Zak, The following is the whole procedure on how to obtain and convert a packet capture to a pcap file.

From the command line, we have the ability to look at every packet coming in and out of the router, along with the ability to limit that debug with an access-list. This is best done from a telnet or SSH session, as the console can drop some of the output due to a limited buffer size.

It is preferable to not have any other messages pop up that may interfere with the capture text. The events and any other debugs should be turned off before performing this debug. This can be done with the following commands: Router# no events Router# undebug all The general command is: <> = optional Router# debug ip packet <access-list name> <detail / dump> NOTE: It is not recommended to run this command without referencing an access-list. --------------------------------------------------- To limit the traffic to and from a particular peer: ip access-list extended test permit ip any host <IP in question> permit ip host <IP in question> any For example: ip access-list extended test permit udp host 192.168.40.22 any eq 5060 debug ip packet test detail debug ip packet test dump --------------------------------------------------- If you desire to see more than what 'detail' provides, choosing 'dump' will output the entire packet in text form. This can be copied to a text document and converted to an actual packet capture. The program Wireshark (www.wireshark.org) comes with a utility known as Text2Pcap. Copy (text2pcap.exe) from the Wireshark folder to a root drive, as well as the text file. Run the following command from a DOS prompt: text2pcap.exe -e 0x800 <Text Filename> <Capture Filename to Create (extension .pcap)> The capture file can then be opened in Wireshark. If the unit is running a firewall, you will probably see every packet twice (once entering the firewall & once leaving, depending on the ACL you are using); the second may be after a NAT process if NAT is enabled. If the traffic is across a VPN, the second packet will not be seen since it enters/leaves the router encapsulated in VPN. Brad Anouar | Anywhere (310) 360-2028 | Corporate (800) 942-4700 | www.broadcore.com <http://www.broadcore.com/> From: voiceops-bounces at voiceops.org [ mailto:voiceops-bounces at voiceops.org] On Behalf Of Zak Rupas Sent: Thursday, September 22, 2011 3:24 PM To: voiceops at voiceops.org Subject: [VoiceOps] TCPDump on an Adtran TA908E Does anyone know the TCP Dump commands for the Adtran TA908e CLI? Thanks- Zak Rupas Tier 3 Engineer Support: 303-242-8606 option 1 Like SimpleSignal on Facebook <http://www.facebook.com/SimpleSignal> ! SimpleSignal Inc. 3600 S. Yosemite Street Suite 150 Denver, CO 80237