Live PCAP with Wireshark¶

For better debugging, a modified version of dahdi_pcap can be used to capture the D-channel/signalling directly into Wireshark via network/UDP:

Requirements¶

The modified utility is called "dahdi_gsmtap" and is currently present in the laforge/dahdi_gsmtap branch of dahdi-tools:
https://gitea.osmocom.org/retronetworking/dahdi-tools/src/branch/laforge/dahdi_gsmtap

The dahdi_gsmtap utility will encapsulate the LAPD data into GSM TAP (with channel info and direction flags) UDP packets, which Wireshark can then decode as LAPD & Q.931.

The support in Wireshark itself was added in September 2022, Version 4.1.0 , so you might have to build Wireshark from source for now.

Running dahdi_gsmtap:¶

./dahdi_gsmtap -p lapd -c 16 -r user -i 10.23.2.1

will capture all info on DAHDI channel 16 (aka the first E1 signalling channel) and send it as UDP packets to the IPv4 address 10.23.2.1 on port 4729.
Change this IP to the machine you're running Wireshark on.

You can capture multiple channels at once.

-c 16,47

will capture the signalling on both the first and second E1 line in the system.

In order to reduce the amount of packets captured, "udp port 4729" can be input as a eBPF capture filter in the Capture Options:

Be sure to input this in the capture options and not the display filter, otherwise you'll still capture all the packets on your NIC, hogging your RAM and CPU resources.

By default, Wireshark will try to decode the packets as GSM RSL instead of ISDN Q.931. You can change this behaviour by disabling "Use GSM SAPI values" in the LAPD protocol preferences: