Packet Capture for network analysis


Chronicall 3.6 communicates with Avaya IP Office over a UDP network socket. One of the downsides of UDP traffic is that it provides no acknowledgement that a packet was received.

Once the Call Info stream is established, the IP Office mitigates possible packet loss by including a simple incrementing number at the beginning of each data payload. Chronicall, and the Monitor application it is based on, track this number and output an error if the next packet received does not carry the next expected value. Chronicall then enters a brief "cleanup" state in which it queries the IP Office for a list of active calls and generates a drop packet for any call not in that list.

Another situation where the lack of receipt verification becomes a problem is when the Call Info stream is being created: Chronicall sends a small batch of packets (about 12) and the IP Office responds with a single packet regardless of how many arrive.

In both cases, the underlying cause is that a network device dropped a UDP packet.


Identifying which network device is responsible for dropping a packet is a difficult proposition.

Xima Support recommends starting the identification process by capturing packets as close to the end devices as possible, to prove that the loss occurs in the network hardware and not in the IP Office or Chronicall software. For Chronicall and IP Office Server Edition, the capture can be done directly on the OS using Wireshark or tcpdump. For IP 500 v2 units the capture must be done externally.



Most managed switches include a port Mirror or Monitor feature. Otherwise a sniffer of some kind must be used, such as a computer with two network interfaces bridged.

Cisco switches can use commands similar to the following to set up the mirror:

monitor session 1 source interface Gi0/3
monitor session 1 destination interface Gi0/21

Then either Wireshark or tcpdump can be used on the computer attached to the destination interface. In my example below I used a laptop.


Wireshark is a popular open source network packet capture and analysis tool. To keep the resulting file size low I recommend using the Capture Options with a Capture Filter. NOTE: Capture filters are not the same as Display filters and use a different syntax.

Capture filter: udp port 50794 and host <IP address>

Display filter: udp.port==50794 && ip.addr==<IP address>

Useful display filter: ip.addr==<Chronicall server IP> && ip.addr==<IP Office IP> && udp.port==50794


Most Linux distributions, including the CentOS used by IP Office Server Edition, include tcpdump. Its capture filters are similar, if not identical, to Wireshark's.

tcpdump -i eth0 -s 65535 -w /root/tcpdump/capture.pcap udp port 50794


This example assumes three devices from which packets will be gathered.

Device 1: Chronicall server running Windows 8.1 (windows colored purple)

Device 2: IP 500 v2 mirrored to a laptop running Windows 8.1 (windows colored green)

Device 3: IP Office Server Edition running CentOS 5


For Device 1 and 2, the following was done:

  • Launch Wireshark
  • Click Capture Options
  • In the upper Capture section, place a checkmark next to the physical interface to capture
  • In the Capture Filter field type "udp port 50794"
  • Click Start
  • To restart the capture, click on the green restart button


For Device 3, the following commands were executed:

  • Optional: screen
  • tcpdump -i eth0 -s 65535 -w /root/tcpdump/capture.pcap udp port 50794
  • To restart the capture, press CTRL+C to terminate it, then execute the command again.
  • If the SSH session times out and you used the optional screen command, then once logged back in type screen -RR to re-attach to the existing screen session.



  • Optional: for Call Info establishment issues, stop the Chronicall service, watch Wireshark, and verify that no new packets arrive.
  • Otherwise, for issues after the Call Info stream is established, continue.
  • Restart the capture on all devices.
  • Optional: start the Chronicall service.
  • Make a test call.
  • Optional: stop the Chronicall service.
  • Save the captures on all devices. Name them using the following format (the filenames themselves do not matter; this is an example):
  • chronicall201502101235.pcap
  • ip500201502101235.pcap
  • ipse201502101235.pcap


  • Pick a computer with Wireshark installed, such as the Chronicall server.
  • Open Wireshark.
  • Load one file, chronicall*.pcap
  • Merge another file using Append: ip500*.pcap
  • Merge the third file using Append: ipse*.pcap
  • Click Statistics, Compare
  • Enter this filter, replacing the IP addresses of the Server and IP Office as needed.
  • ip.addr==<Chronicall server IP> && ip.addr==<IP Office IP> && udp.port==50794
  • Click Create Stat


If the optional service start and stop was used then there should not be any "lost packets".

If the captures were not started at the same time, there may be "lost packets" at the beginning and end.
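As an added example (not Xima's code and not part of this article), the following Python script does offline what the Statistics, Compare step above does in Wireshark: it parses two classic pcap files, keeps only UDP port 50794 traffic, and reports packets present at one capture point but missing at the other, which points at the network segment between them. The sample captures, the 192.0.2.x addresses and the 16-bit counter at the front of each payload are constructed here; the article only says the counter exists, not its size.

```python
import struct
from collections import Counter
CHRONICALL_PORT = 50794  # the Call Info UDP port used throughout this article

def udp_packets(pcap_bytes, port=CHRONICALL_PORT):
    """Yield (src_ip, dst_ip, payload) for each IPv4/UDP packet on `port` in a classic pcap."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap (not pcapng)")
    off = 24  # skip the 24-byte global header; link type assumed to be Ethernet
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from("<I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # keep only Ethernet frames carrying IPv4 (0x0800) with protocol 17 = UDP
        ip = frame[14:]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        udp = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL is in 32-bit words)
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        if port in (sport, dport):
            yield src, dst, bytes(udp[8:ulen])

def missing_from(capture_a, capture_b):
    """Multiset of port-50794 packets seen at capture point A but absent at point B."""
    return Counter(udp_packets(capture_a)) - Counter(udp_packets(capture_b))

# --- constructed sample captures below; none of this is real Chronicall traffic ---
def _frame(src, dst, payload):
    udp = struct.pack("!HHHH", CHRONICALL_PORT, CHRONICALL_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MAC addresses, EtherType 0x0800

def build_pcap(packets):
    """Minimal classic pcap writer (magic, v2.4, snaplen 65535, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, (src, dst, payload) in enumerate(packets):
        f = _frame(src, dst, payload)
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)

IPO, SERVER = "192.0.2.10", "192.0.2.20"  # placeholder addresses, not a real deployment
# Assumed payload shape: a 16-bit counter followed by opaque data (the real format is not documented here).
STREAM = [(IPO, SERVER, struct.pack("!H", n) + b"callinfo") for n in range(1, 6)]
IPO_SIDE_PCAP = build_pcap(STREAM)                      # taken on the mirror port next to the IP 500 v2
SERVER_SIDE_PCAP = build_pcap(STREAM[:2] + STREAM[3:])  # the Chronicall server never received packet 3

if __name__ == "__main__":
    for (src, dst, payload), n in missing_from(IPO_SIDE_PCAP, SERVER_SIDE_PCAP).items():
        print(f"{src} -> {dst} counter {payload[:2].hex()} lost between capture points ({n}x)")
```

Captures taken on different machines start at different moments, so as the article notes, trim both files to the same test-call window before comparing or the first and last packets will show up as false losses.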

