Cisco Support Community● Home Collecting a packet capture from a Cisco IP Phone Document Feb 23, 2015 7:13 PM Robert Thomas Jun 21st, 2010 Table of Contents ● ● ● ● Introduction. 1. Connect the Cisco IP Phone 2. Enable the Span to PC port feature. 3. Capture the packets with wireshark. 3a. Starting the capture 3b. Reproduce the issue to be captured 3c. Stop the capture. 3d. Save the packet capture as a .pcap file. ❍ ❍ ❍ ❍ Introduction. For troubleshooting purposes one may need to gather a packet (sniffer) capture from an IP Phone. There are many ways this can be accomplished. This article describes how to collect the capture using the IP Phone's built in PC ports. It can be enabled to copy all traffic entering into the SWITCH port, and send it to the PC port. From there, the data can be captured using a packet capture utility. These instructions are relevant for Cisco IP Phone Models, 7941, 7942, 7961, 7962, 7965, 7970, 7975, 99xx, 89xx, and 699xx. For models 7940 and 7960, skip Step 2 since "Span to PC Port setting" is not required. 1. Connect the Cisco IP Phone There should be a PC connected to the back of the IP phone in the PC port, and the phone connected to the Switch. 2. Enable the Span to PC port feature. From the IP phone configuration page, scroll down to the Protocol Specific Configuration section, and enable the "Span to PC Port" configuration option. This will trigger a change to the phone's TFTP configuration file. Save and reset the phone so it can retrieve the new configuration file. Note 7940 and 7960 Cisco IP Phones do not support the span to PC port feature, all data is automatically sent to the PC port. 3. Capture the packets with wireshark. 3a. Starting the capture Open Wireshark and click on the first NIC to the left. This will open the capture interfaces dialog, were you can select the NIC connected to the back of the IP phone we will capture. Click on start to initiate the capture 3b. Reproduce the issue to be captured Traffic should start to scroll down on the window. Depending on the current PC activity it could be a lot of traffic. To filter down use the eth.addr filter with the MAC Address of the IP phone. The resulting traffic should show only traffic comming to and from the IP phone. 3c. Stop the capture. 3d. Save the packet capture as a .pcap file. Rating 1 2 3 4 5 Overall Rating: 5 (8 ratings) Comments ● ● Collapse all Recent replies last Dennis Bigelow Tue, 01/27/2015 - 08:11 This will work on the DX70/DX80's. Once you enable Span to PC port. Click save. Then click apply config. When you start the capture you should see the RTP and the H.264 during the call. See More Adam Frankel Mon, 09/23/2013 - 06:42 Agreed with Robert. That is not an exploit, it's just enabling the feature as it was intended. Administrator's could easily prevent this by locking settings access and/or enabling sRTP via CTL. See More dazza_johnson Mon, 09/23/2013 - 13:22 Hi guys. Robert, I wasn't aware of ITL signed config files that you said is standard on CUCM 8.x and higher - this, if properly implemented, would prevent the attack. In my document I talk about disabling user settings, so I was aware of that and it is covered in my doc. Adam, I agree this is NOT a zero day vulnerability. It does however exploit weak default settings (in some versions of CUCM), meaning that is a security risk. Agreed about blocking default settings (see above) but using sRTP (encrypted RTP right) would also prevent the playback - I wasn't aware sRTP was supported so that is a cool preventative measure :-) Thanks guys, I will update the doc to include your comments. Darren See More frank3333 Fri, 10/03/2014 - 09:30 hi, I tried this method with cp-7942 but it only capture some skinny keepalive msg. telephony ----> voip calls does't show any call flow with my captured packets. Any idea how to resolve this? Thanks. See More UM ICTO-IUS-IS Mon, 02/23/2015 - 19:13 I encountered the same problem with CP-7962 with latest firmware. Any idea to resolve it? I'm able to capture the packet for CP-6901 model. I have tried both the switch spanning and PC port spanning on CP-7962. See More dazza_johnson Fri, 09/20/2013 - 20:16 Really good article. I wrote a tutorial on how this feature could be exploited to record phone calls that could be later be played back. This tutorial was sent to Cisco PSIRT prior to be released publically: http://www.og150.com/tutorials.php Download "Podo Attack" to see the end to end compromise. Thanks Darren See More Robert Thomas Sun, 09/22/2013 - 11:03 Darren, I look through your article. This feature is recomended to be enabled for troubleshooting purposes. Also some forms or call recording on our UCCX suite use this feature. To protect from the type of Attack you are describing, we have ITL signed config files that are now standard on CUCM 8.X and higher versions. Also you could block the settings to prevent the user from deleting the CM ITL file on the phone. See More Adam Frankel Wed, 07/28/2010 - 05:49 Thanks for the article. I hope you don't mind, I've gone through and made a few changes. I think I will add a troubleshooting or "Common Problems" section soon. See More https://supportforums.cisco.com/document/44741/collecting-packet-capture-cisco-ip-phone
Report "collecting a packet capture from a cisco ip phone"