Introducing FreePBX Packet Capture

pbxact
commercialmodules
sysadmin
freepbx
freepbx-15

(Greg Blumenthal) #1

We have just rolled out a new feature in SysAdmin Pro, a way to collect and download a system packet capture from the FreePBX GUI.

Availability:

Packet capture is available in System Admin version 15.0.21 which is already available from the Edge repository. SysAdmin Pro is a commercial module available a-la carte from the Sangoma Store or as part of the Starter and Everything bundles. All PBXact systems also include SysAdmin Pro, so it will be available in PBXact 15 as soon as SysAdmin 15.0.21 is pinned for PBXact.

Usage:

Go to “System Admin” from the Admin menu and choose “Packet Capture” from the right-hand-side list:

Actions has two buttons to start a packet capture, and stop a running packet capture

Packet Capture Status reports information about the running or previous packet capture. If it’s running you’ll see an animated icon along with the file name and number of packets captured (continuously updated)

Available Packet Captures shows all the existing packet captures, and has buttons to download the packet capture directly, download a zipped version of the packet capture, or delete the file

Notes:

Packet captures are set to run on all interfaces and capture all packets. They also don’t stop when you change to a different page. The resulting files can get kind of big, so remember to stop the packet capture once you have what you need!

Each packet capture is limited to 500 MB as a backstop in case you forget to stop it. If the packet capture exceeds this size, the current capture will continue to run, using the same file from zero length (discarding the packets captured earlier). If you don’t want to lose the first packets captured, make sure you stop the packet capture before the size reaches 500 MB (refresh the page to see the size of the current capture in the file list)

Remember that packet captures are taken before (i.e. outside) the OS-level firewall so:

  1. If you see an incoming packet you are hoping to see (like a SIP REGISTER from a company phone), that doesn’t mean that Asterisk is seeing that packet; it may still be blocked by the firewall
  2. If you see lots of suspicious packets that you think should be filtered out by the firewall, don’t panic. If your firewall is configured to block the suspicious packets you’ll still see them in the packet capture, but they won’t make it to Asterisk. If you see Asterisk responding in the packet capture, then panic

Suggestions?

We’d love to hear what related features you would like to see in the next version, so please leave a comment if you’d like to see something more. Here are a few we have thought about:

  1. Ability to apply capture filters for SIP-only or SIP and RTP only
  2. PBX banner to remind you that a packet capture is running
  3. Ability to automatically stop after a specified time
  4. Ability to capture on a specific network interface
  5. Interface to Asterisk’s new PJSIP packet capture feature (https://www.asterisk.org/new-pjsip-logging-functionality/) which has the advantage of capturing decoded SIP if you’re using TLS
  6. Setting for rollover to multiple PCAP files in case you need to capture a lot of data
  7. Ability to automatically delete old packet captures

#2

Suggest adding filters for IP addresses and extensions.


#3

@chrisduncansb great idea.


(Greg Blumenthal) #4

Thanks for the suggestion. Filtering for a specific IP address should be straightforward enough (maps to “host w.x.y.z” capture filter). Not sure how a filter for extension would work, though; I think that would need to be handled after the fact in Wireshark where you have much more flexible filtering capabilities
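Two points in this thread lend themselves to a worked example: the note in the announcement that a capture is taken outside the firewall, so the real question is whether Asterisk answered a packet, not whether the packet arrived; and the reply above that filtering by extension is best done after the fact on the saved capture. The Python below is an added example and not part of the thread, SysAdmin Pro or FreePBX. It reads a pcap file (little-endian microsecond format, Ethernet link type, IPv4/UDP only, which is what a plain capture of SIP over UDP produces), extracts SIP requests and responses, filters them by the user part of the From/To headers, and reports for each request sent to the PBX whether the PBX replied on the same Call-ID. The sample capture is constructed inline with documentation addresses; the PBX address, extension numbers and Call-ID values are all made up.

```python
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
_USER_RE = re.compile(r"sip:([^@>;]+)@")  # user part of a SIP URI in From:/To:


def udp_packets(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src_ip, sport, dst_ip, dport, udp_payload) for every IPv4/UDP frame in a pcap."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    (linktype,) = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24  # end of the 24-byte global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, offset)  # per-record header
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
        if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
        yield src, sport, dst, dport, ip[ihl + 8:ihl + ulen]


def _header(lines: List[str], name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive), or None."""
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_sip_payload(src: str, dst: str, payload: bytes) -> Optional[Dict[str, str]]:
    """Decode one UDP payload as SIP; RTP and other binary traffic is skipped (returns None)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    first = lines[0]
    if first.startswith("SIP/2.0 "):
        kind, token = "response", first.split(" ", 2)[1]   # token = status code
    elif first.endswith(" SIP/2.0"):
        kind, token = "request", first.split(" ", 1)[0]    # token = method
    else:
        return None

    def user(header: str) -> str:
        match = _USER_RE.search(_header(lines, header) or "")
        return match.group(1) if match else ""

    return {"src": src, "dst": dst, "kind": kind, "method": token,
            "call_id": _header(lines, "Call-ID") or "",
            "from_user": user("From"), "to_user": user("To")}


def sip_messages(pcap: bytes) -> List[Dict[str, str]]:
    msgs = [parse_sip_payload(s, d, p) for s, _, d, _, p in udp_packets(pcap)]
    return [m for m in msgs if m is not None]


def filter_by_extension(msgs: List[Dict[str, str]], extension: str) -> List[Dict[str, str]]:
    """After-the-fact equivalent of an 'extension' filter: match From or To user part."""
    return [m for m in msgs if extension in (m["from_user"], m["to_user"])]


def answered_requests(msgs: List[Dict[str, str]], pbx_ip: str) -> List[Tuple[str, str, bool]]:
    """For each request addressed to the PBX: (method, sender, did the PBX answer on that Call-ID).
    A request the PBX never answered most likely never reached Asterisk (e.g. dropped by the firewall);
    an answered request from an unexpected sender is the case worth looking at."""
    answered = {m["call_id"] for m in msgs if m["kind"] == "response" and m["src"] == pbx_ip}
    return [(m["method"], m["src"], m["call_id"] in answered)
            for m in msgs if m["kind"] == "request" and m["dst"] == pbx_ip]


# ---- constructed sample capture (assumed addresses, not from any real system) ----
PBX, PHONE, SCAN_A, SCAN_B = "198.51.100.5", "192.0.2.10", "203.0.113.77", "203.0.113.78"


def _sip(first: str, call_id: str, frm: str, to: str) -> bytes:
    return (f"{first}\r\nCall-ID: {call_id}\r\nFrom: <sip:{frm}>\r\nTo: <sip:{to}>\r\n"
            f"Content-Length: 0\r\n\r\n").encode("ascii")


def _record(src: str, dst: str, sport: int, dport: int, payload: bytes, ts: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))) + udp
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth


def build_sample_pcap() -> bytes:
    return b"".join([
        struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1),  # global header, Ethernet
        _record(PHONE, PBX, 5060, 5060, _sip("REGISTER sip:pbx.example SIP/2.0", "phone-1", "1001@pbx.example", "1001@pbx.example"), 1),
        _record(PBX, PHONE, 5060, 5060, _sip("SIP/2.0 200 OK", "phone-1", "1001@pbx.example", "1001@pbx.example"), 2),
        _record(SCAN_A, PBX, 5060, 5060, _sip("INVITE sip:9999@pbx.example SIP/2.0", "scan-1", "100@203.0.113.77", "9999@pbx.example"), 3),
        _record(SCAN_B, PBX, 5062, 5060, _sip("OPTIONS sip:pbx.example SIP/2.0", "scan-2", "100@203.0.113.78", "100@pbx.example"), 4),
        _record(PBX, SCAN_B, 5060, 5062, _sip("SIP/2.0 200 OK", "scan-2", "100@203.0.113.78", "100@pbx.example"), 5),
        _record(PHONE, PBX, 10000, 10000, bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 8, 6),  # RTP-like, skipped
    ])


if __name__ == "__main__":
    messages = sip_messages(build_sample_pcap())
    for method, sender, replied in answered_requests(messages, PBX):
        print(f"{method:<9} from {sender:<15} answered by PBX: {replied}")
```

Run against a real file with `sip_messages(open("capture.pcap", "rb").read())`; in the sample, the REGISTER from the phone and the OPTIONS from the second outside host are both answered by the PBX, while the INVITE from the first outside host gets no reply, which is the "blocked before Asterisk" case the announcement describes. The parser deliberately stops at IPv4 over UDP and at the long forms of the From, To and Call-ID headers; compact header names, TCP/TLS transports and fragmented packets are left to Wireshark.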