Packet Captures in Pexip Infinity v18

Version 18 of Pexip Infinity includes the ability to perform a packet capture directly from the web interface of the Management Node. You can take a capture to and from Conferencing/Proxy Nodes in one or more locations, and also from the Management Node itself.

Packet Capture Permissions

There are two new permissions associated with captures:

  • May create/delete packet capture
  • May download packet capture

These permissions must be assigned to the account role to enable the administrator to run and download a packet capture; they are configured under Users > Administrator Roles.

Taking a Packet Capture

Packet captures can be taken by navigating to Utilities > Packet Capture.

On this page you have the following options to choose from before you start a capture:

  • System Locations – The system locations in which to run this packet capture.
  • Capture IPsec traffic – Tick this box to capture backplane IPsec traffic in addition to regular user-facing traffic.
  • Log encryption keys – Tick this box to capture encryption keys for SIP and H.323, as well as IPsec traffic (if selected).
  • Duration – Duration for which to run the packet capture. Range: 10 to 600 (in seconds).

Start a capture by clicking the ‘Start packet capture’ button; a countdown timer will appear.
Starting a new capture will remove any existing captures for the included locations.

Once this timer completes, the page will refresh and the new capture(s) appear in the list below, where you have the option to download or delete each capture (if any of your Pexip nodes have dual network interfaces, both interfaces will be captured).

Capturing IPsec Traffic

All communication links between the Management Node and Conferencing/Proxy Nodes, and between Conferencing/Proxy Nodes, use an IPsec transport. You can choose to omit this traffic from the captures, or include it if you are diagnosing an issue between nodes.

Logging Encryption Keys & Decrypting in Wireshark

If you need to troubleshoot issues with encrypted calls or inter-node traffic, you have the option of logging the encryption keys (your Pexip support representative may request these). The keys are logged outside of the packet capture and can be retrieved by taking a snapshot once the packet capture has completed.

Navigate to Utilities > Diagnostic Snapshot and download a 1/2 hour limited-duration snapshot.

Decrypting IPsec Traffic

Locating the keys

Extract the snapshot you downloaded and run the following command in either Terminal (Mac) or PowerShell

This will output the keys you need to enter into Wireshark.

Open the packet capture, select Wireshark > Preferences, navigate to Protocols > ESP and click Edit…

Click the ‘Create new entry’ (+) icon and enter the encryption key details from the unified_osstatus.log output above.

and the other direction

This will decrypt the ESP traffic from

to
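As an added example (not code from the original post, from Pexip or from Wireshark), the small Python helper below turns the SPI and keys recovered from unified_osstatus.log into ready-made esp_sa entries for both directions of a node-to-node link, so they can be appended to the esp_sa file in your Wireshark profile instead of being typed into the ESP preferences dialog one field at a time. The esp_sa line layout and the algorithm labels are assumptions about Wireshark's ESP preferences, as are the sample SPI and key values, so confirm them against your own Wireshark version and snapshot.

```python
"""Hypothetical helper (not Pexip's or Wireshark's code): build Wireshark
esp_sa entries for both directions of a Pexip backplane IPsec link.
Assumed esp_sa layout (Wireshark's profile file behind Preferences >
Protocols > ESP), one quoted CSV line per SA: protocol, src, dst, SPI,
enc algorithm, enc key, auth algorithm, auth key.
"""

# Algorithm labels assumed to match the ESP preferences dialog; verify
# against your Wireshark version before relying on them.
AES_CBC = "AES-CBC [RFC3602]"
HMAC_SHA1_96 = "HMAC-SHA-1-96 [RFC2404]"


def _hex_key(key: str, allowed_bits: tuple) -> str:
    """Normalise a copied key to 0x-prefixed lowercase hex and check its size."""
    k = key.strip().lower()
    k = k[2:] if k.startswith("0x") else k
    int(k, 16)  # ValueError on anything that is not hex (a mis-copied key)
    if len(k) * 4 not in allowed_bits:
        raise ValueError(f"{len(k) * 4}-bit key, expected {allowed_bits}")
    return "0x" + k


def esp_sa_entry(src: str, dst: str, spi: int, enc_key: str, auth_key: str) -> str:
    """One esp_sa line for the SA carrying ESP from src to dst."""
    fields = ["IPv4", src, dst, f"0x{spi:08x}",
              AES_CBC, _hex_key(enc_key, (128, 192, 256)),
              HMAC_SHA1_96, _hex_key(auth_key, (160,))]
    return ",".join(f'"{f}"' for f in fields)


def esp_sa_pair(node_a: str, node_b: str, sa_ab: tuple, sa_ba: tuple) -> list:
    """Both directions of a node-to-node link; each sa_* is (spi, enc, auth)."""
    return [esp_sa_entry(node_a, node_b, *sa_ab),
            esp_sa_entry(node_b, node_a, *sa_ba)]


def append_esp_sa(path: str, entries: list) -> None:
    """Append entries to an esp_sa file; close Wireshark first so it reloads."""
    with open(path, "a", encoding="utf-8") as f:
        f.write("\n".join(entries) + "\n")


if __name__ == "__main__":
    # Constructed sample values; real SPI/keys come from unified_osstatus.log.
    lines = esp_sa_pair("10.0.0.10", "10.0.0.20",
                        (0xC0DE, "11" * 32, "22" * 20),
                        (0xBEEF, "33" * 32, "44" * 20))
    print("\n".join(lines))
```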

Decrypting H.323 & SIP Traffic

Open a support case with support@pexip.com 🙂