Cisco Support Community
Collecting a packet capture from a Cisco IP Phone


Document
Feb 23, 2015 7:13 PM

Robert Thomas Jun 21st, 2010


Table of Contents

Introduction.
1. Connect the Cisco IP Phone
2. Enable the Span to PC port feature.
3. Capture the packets with wireshark.
3a. Starting the capture
3b. Reproduce the issue to be captured
3c. Stop the capture.
3d. Save the packet capture as a .pcap file.

Introduction.
For troubleshooting purposes one may need to gather a packet (sniffer) capture from an IP
Phone. There are many ways this can be accomplished. This article describes how to collect
the capture using the IP Phone's built-in PC port. The phone can be configured to copy all
traffic entering the SWITCH port and send it to the PC port. From there, the data can be
captured using a packet capture utility.
These instructions are relevant for Cisco IP Phone models 7941, 7942, 7961, 7962, 7965,
7970, 7975, 99xx, 89xx, and 699xx.
For models 7940 and 7960, skip Step 2, since the "Span to PC Port" setting is not required.
1. Connect the Cisco IP Phone

There should be a PC connected to the back of the IP phone in the PC port, and the phone
connected to the Switch.
2. Enable the Span to PC port feature.
From the IP phone configuration page, scroll down to the Protocol Specific Configuration
section, and enable the "Span to PC Port" configuration option. This will trigger a change to
the phone's TFTP configuration file. Save and reset the phone so it can retrieve the new
configuration file.

Note
7940 and 7960 Cisco IP Phones do not support the Span to PC Port feature; on these models all
data is automatically sent to the PC port.

3. Capture the packets with wireshark.


3a. Starting the capture

Open Wireshark and click on the first NIC icon to the left.

This will open the Capture Interfaces dialog, where you can select the NIC connected to the PC
port on the back of the IP phone. Click on Start to initiate the capture.

3b. Reproduce the issue to be captured


Traffic should start to scroll down the window. Depending on the current PC activity, this could
be a lot of traffic. To narrow it down, use the eth.addr display filter with the MAC address of
the IP phone. The resulting view should show only traffic coming to and from the IP phone.

3c. Stop the capture.

3d. Save the packet capture as a .pcap file.
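As an added illustration of what the eth.addr filter in step 3b does to the saved capture (this is example code written for this page, not part of the original article or any Cisco tool), the script below builds a small constructed .pcap in memory, keeps only frames whose source or destination MAC is the phone's, tags each kept frame as to or from the phone, and writes the result back out as a .pcap. The phone and host MAC addresses are constructed placeholders, not values from the page.

```python
import struct

# Constructed placeholder MACs (not from the page): the phone, the PC's own peer, and the switch side.
PHONE_MAC = "00:1a:a1:01:02:03"
OTHER_MAC = "00:50:56:aa:bb:cc"
SWITCH_MAC = "00:0c:29:11:22:33"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def make_frame(dst, src, payload=b"\x00" * 46):
    # Minimal Ethernet II frame: dst(6) src(6) ethertype(2, IPv4) payload.
    return mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + payload

def write_pcap(frames):
    # pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl_len, orig_len
    return out

def read_pcap(data):
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    pos, frames = 24, []
    while pos < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return frames

def eth_addr_filter(frames, mac):
    # Same semantics as Wireshark's "eth.addr == <mac>": keep frames where the MAC is src OR dst.
    target = mac_bytes(mac)
    return [f for f in frames if f[0:6] == target or f[6:12] == target]

def direction(frame, mac):
    target = mac_bytes(mac)
    if frame[6:12] == target:
        return "from_phone"
    return "to_phone" if frame[0:6] == target else "other"

def demo():
    capture = write_pcap([
        make_frame(SWITCH_MAC, PHONE_MAC),   # phone -> switch (e.g. a keepalive)
        make_frame(OTHER_MAC, SWITCH_MAC),   # the PC's own traffic, not the phone's
        make_frame(PHONE_MAC, SWITCH_MAC),   # switch -> phone
    ])
    phone_only = eth_addr_filter(read_pcap(capture), PHONE_MAC)
    saved = write_pcap(phone_only)           # this is what step 3d would write to disk
    return len(read_pcap(saved)), [direction(f, PHONE_MAC) for f in phone_only]
```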


Comments


Dennis Bigelow Tue, 01/27/2015 - 08:11


This will work on the DX70/DX80s. Once you enable Span to PC Port, click Save, then click
Apply Config. When you start the capture you should see the RTP and the H.264 during the
call.

Adam Frankel Mon, 09/23/2013 - 06:42


Agreed with Robert. That is not an exploit, it's just enabling the feature as it was intended.
Administrators could easily prevent this by locking settings access and/or enabling sRTP via
CTL.

dazza_johnson Mon, 09/23/2013 - 13:22


Hi guys. Robert, I wasn't aware of ITL signed config files that you said are standard on CUCM 8.x
and higher - this, if properly implemented, would prevent the attack. In my document I talk
about disabling user settings, so I was aware of that and it is covered in my doc. Adam, I
agree this is NOT a zero day vulnerability. It does however exploit weak default settings (in
some versions of CUCM), meaning that it is a security risk. Agreed about blocking default
settings (see above), but using sRTP (encrypted RTP, right?) would also prevent the playback - I
wasn't aware sRTP was supported, so that is a cool preventative measure :-)
Thanks guys, I will update the doc to include your comments.
Darren

frank3333 Fri, 10/03/2014 - 09:30


hi,

I tried this method with a CP-7942 but it only captures some skinny keepalive messages.
Telephony ----> VoIP Calls doesn't show any call flow with my captured packets.

Any idea how to resolve this?

Thanks.

UM ICTO-IUS-IS Mon, 02/23/2015 - 19:13


I encountered the same problem with CP-7962 with latest firmware. Any idea to resolve it? I'm
able to capture the packet for CP-6901 model. I have tried both the switch spanning and PC
port spanning on CP-7962.


dazza_johnson Fri, 09/20/2013 - 20:16


Really good article. I wrote a tutorial on how this feature could be exploited to record phone
calls that could later be played back. This tutorial was sent to Cisco PSIRT prior to being
released publicly:
http://www.og150.com/tutorials.php Download "Podo Attack" to see the end to end compromise.
Thanks
Darren

Robert Thomas Sun, 09/22/2013 - 11:03


Darren,
I looked through your article. This feature is recommended to be enabled for troubleshooting
purposes. Also some forms of call recording on our UCCX suite use this feature. To protect
from the type of attack you are describing, we have ITL signed config files that are now
standard on CUCM 8.X and higher versions. Also you could block the settings to prevent the
user from deleting the CM ITL file on the phone.

Adam Frankel Wed, 07/28/2010 - 05:49


Thanks for the article. I hope you don't mind, I've gone through and made a few changes. I
think I will add a troubleshooting or "Common Problems" section soon.


https://supportforums.cisco.com/document/44741/collecting-packet-capture-cisco-ip-phone
