How to install Wireshark on CUCM 7.1 server?

Apr 6th, 2010


I have recently upgraded from Call Manager 4.1 on Windows 2000 Server to a CUCM 7.1.3 Linux-based system. It seems that the only way to communicate with the server is through a web page. Is there a way to access the CUCM 7.1 Linux prompt and install software directly? For example, I would like to install Wireshark.

Thank you,


William Bell Tue, 04/06/2010 - 10:32

There is actually no need to do this. The CUCM server has a packet capturing tool available to you.

You can access the tool using "utils network capture". There are various command line arguments. If you wanted to capture to a file (for example) you could do something like:

admin: utils network capture file mycap count 100000 size all host all

Executing command with options:

size=all count=100000 interface=eth0

src= dest= port=


This would create a file. When done, use "Ctrl-C" to stop the capture. You can then download the file to your workstation as follows:

admin:file get activelog platform/cli/mycap.cap

From there, load it into Wireshark and have a ball.

I wrote up a blog on the procedures here:

Take a look and let me know if you have any questions.




Please remember to rate helpful posts.

William Bell Tue, 04/06/2010 - 10:34

Oh. I guess I should also add that loading software on the CUCM appliance models (like 7.1) is not permitted by Cisco. So, there is no way to load Wireshark. Sorry for the double response. Just thought I would add that extra tidbit in.




jackli123 Tue, 04/06/2010 - 11:48

Thank you so much for your fast response. I followed your instructions on the blog, but "file get activelog/cli/mycap.cap" is not there; the command returns an error that it cannot find the file.

I tried to search or tail the file with "file tail ...." and "file list ....", but I cannot find it.

Is there another way to see what is on the file system, to see where my file is?



William Bell Tue, 04/06/2010 - 12:16


The syntax of your file get command is wrong. It should be:

admin:file get activelog platform/cli/mycap.cap

If you want to check to see if the capture file is there, then you can use the following command:

admin:file list activelog platform/cli/*.cap

Now, keep in mind that you have to create the capture file first by using the "utils network capture". You can specify filters, etc. To see the syntax of the command use:

admin:utils network capture ?




Please remember to rate helpful posts.

jackli123 Tue, 04/06/2010 - 12:29

It works, thank you!

My capture was wrong, it didn't capture anything in the first place.



jackli123 Fri, 04/09/2010 - 07:01

Hi William,

I captured the traffic off the UCM, and all I see is SIP traffic; there are no RTP packets. Where is the voice traffic, and how is it carried from 1 phone to the other?



William Bell Fri, 04/09/2010 - 07:24

With CUCM, the RTP traffic is streamed between the communicating endpoints. A CUCM node is never involved in an RTP stream unless it is being used as a MoH server, software conference bridge, software MTP, or Annunciator for a specific call. Annunciator and MoH would stream in one direction (CUCM to target end point (or mcast address)).

If you want to see the RTP traffic between two phones or between a phone and a gateway then you need to use SPAN or RSPAN. Further, your SPAN source needs to be on a network switch that physically transports at least a portion of the RTP streams (ideally, both sides of the stream).




please rate helpful posts.
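
The SIP messages in a capture taken on the CUCM node still show where the audio goes, because each SDP body advertises the address and port its endpoint receives RTP on. The following Python is an added example, not part of the thread or of any Cisco tool: it reads those endpoints out of a capture, which tells you which hosts a SPAN source has to sit between. It assumes the downloaded .cap is a classic libpcap file with Ethernet framing and unfragmented SIP over UDP port 5060; `sdp_audio_endpoints`, `build_capture` and the sample addresses are constructed for illustration.

```python
import socket
import struct

def sdp_audio_endpoints(pcap: bytes, sip_port: int = 5060):
    """Return the (ip, port) pairs that SDP bodies in SIP-over-UDP packets advertise for audio."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    found, off = set(), 24                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                             # keep only IPv4/UDP over Ethernet
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8 or sip_port not in struct.unpack("!HH", udp[:4]):
            continue
        body = udp[8:].decode("utf-8", "replace").partition("\r\n\r\n")[2]
        session, media = [0, None], []           # [port, addr]; session holds the default c=
        for line in body.splitlines():
            if line.startswith("c=IN IP4 "):     # c= after an m= is media-level, else session-level
                (media[-1] if media else session)[1] = line[9:].split("/")[0].strip()
            elif line.startswith("m="):
                parts = line[2:].split()
                ok = len(parts) > 1 and parts[0] == "audio" and parts[1].split("/")[0].isdigit()
                media.append([int(parts[1].split("/")[0]) if ok else 0, None])
        # Port 0 marks a declined stream, so it is skipped along with non-audio media.
        found.update((a or session[1], p) for p, a in media if p and (a or session[1]))
    return sorted(found)

def build_capture(packets):                      # constructed test data: (src, dst, sip_text)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, text in packets:
        udp = struct.pack("!HHHH", 5060, 5060, 8 + len(text), 0) + text.encode()
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

HDR = "Content-Type: application/sdp\r\n\r\n"
SDP = "v=0\r\ns=-\r\nc=IN IP4 {}\r\nt=0 0\r\nm=audio {} RTP/AVP 0\r\n"
INVITE = "INVITE sip:2001@203.0.113.20 SIP/2.0\r\n" + HDR + SDP.format("198.51.100.10", 16384)
OK_200 = "SIP/2.0 200 OK\r\n" + HDR + SDP.format("203.0.113.20", 16390)
# Constructed sample: 192.0.2.5 plays the CUCM node, the other two addresses are phones.
SAMPLE = build_capture([("192.0.2.5", "203.0.113.20", INVITE), ("203.0.113.20", "192.0.2.5", OK_200)])

if __name__ == "__main__":
    print(sdp_audio_endpoints(SAMPLE))
```

In the constructed sample the signalling passes through 192.0.2.5, but neither advertised audio endpoint is that address, which matches the SIP-only capture described above.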

