Live PCAP with Wireshark

For better debugging, a modified version of dahdi_pcap can be used to capture the D-channel/signalling directly into Wireshark via network/UDP:
Wireshark screenshot


The modified utility is called "dahdi_gsmtap" and is currently present in the laforge/dahdi_gsmtap branch of dahdi-tools:

The dahdi_gsmtap utility will encapsulate the LAPD data into GSM TAP (with channel info and direction flags) UDP packets, which Wireshark can then decode as LAPD & Q.931.

Support in Wireshark itself was added in September 2022 (version 4.1.0), so you might have to build Wireshark from source for now.

Running dahdi_gsmtap:

./dahdi_gsmtap -p lapd -c 16 -r user -i

will capture all info on DAHDI channel 16 (aka the first E1 signalling channel) and send it as UDP packets to the IPv4 address on port 4729.
Change this IP to the machine you're running Wireshark on.
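
To check that the datagrams actually reach the receiving machine before involving Wireshark, the following added example (not part of dahdi-tools or of the original page) listens on UDP port 4729 and parses the 16-byte GSMTAP version 2 header. The type and sub-type values in the constructed sample, the use of the timeslot field for the DAHDI channel, and the use of the uplink bit for direction are assumptions about what dahdi_gsmtap emits.

```python
import socket
import struct

GSMTAP_PORT = 4729                     # UDP port named on this page
GSMTAP_VERSION = 2
ARFCN_F_UPLINK = 0x4000                # direction bit inside the 16-bit ARFCN field
HDR = struct.Struct("!BBBBHbbIBBBB")   # 16-byte GSMTAP v2 header, network byte order

def parse_gsmtap(datagram: bytes) -> dict:
    """Split one UDP payload into GSMTAP header fields and the carried frame."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_words, ptype, timeslot, arfcn, _dbm, _snr,
     _fn, sub_type, _antenna, _sub_slot, _res) = HDR.unpack_from(datagram)
    hdr_len = hdr_words * 4            # header length is counted in 32-bit words
    if version != GSMTAP_VERSION:
        raise ValueError(f"unexpected GSMTAP version {version}")
    if hdr_len < HDR.size or hdr_len > len(datagram):
        raise ValueError(f"bad header length {hdr_len}")
    return {
        "type": ptype, "sub_type": sub_type, "timeslot": timeslot,
        "uplink": bool(arfcn & ARFCN_F_UPLINK),
        "payload": datagram[hdr_len:],
    }

def listen(bind_addr="0.0.0.0", count=5):
    """Print a one-line summary of the next `count` datagrams on port 4729."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, GSMTAP_PORT))
        for _ in range(count):
            data, peer = s.recvfrom(65535)
            try:
                f = parse_gsmtap(data)
            except ValueError as e:    # unauthenticated UDP: reject, don't crash
                print(f"{peer[0]}: rejected ({e})")
                continue
            print(peer[0], f["type"], f["sub_type"], f["timeslot"],
                  "uplink" if f["uplink"] else "downlink", f["payload"].hex())

# Constructed sample, not a real capture. Assumed values: type 0x13 (E1/T1),
# sub-type 0x01 (LAPD), timeslot 16, uplink bit set, 3-byte LAPD frame.
SAMPLE = (HDR.pack(2, 4, 0x13, 16, ARFCN_F_UPLINK, 0, 0, 0, 0x01, 0, 0, 0)
          + bytes.fromhex("00017f"))

if __name__ == "__main__":
    print(parse_gsmtap(SAMPLE))
```

Call listen() with the address of the interface that faces the DAHDI host instead of 0.0.0.0 so the socket does not accept datagrams from other networks.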

You can capture multiple channels at once.

-c 16,47

will capture the signalling on both the first and second E1 line in the system.

To reduce the number of packets captured, enter "udp port 4729" as an eBPF capture filter in the Capture Options:
eBPF capture filter
Be sure to input this in the capture options and not the display filter, otherwise you'll still capture all the packets on your NIC, hogging your RAM and CPU resources.

By default, Wireshark will try to decode the packets as GSM RSL instead of ISDN Q.931. You can change this behaviour by disabling "Use GSM SAPI values" in the LAPD protocol preferences:
GSM SAPI protocol preferences


Updated by manawyrm over 1 year ago · 1 revisions
