Revised 2022-01-31 18:41 EST
SSH into 3CX SBC
Install Tshark
sudo apt-get update
sudo apt-get install tshark
When prompted “Should non-superusers be able to capture packets?”, choose “No”
Create Directories
sudo mkdir /root/Captures/
sudo mkdir /root/Captures/Captures-Old/
Update Permissions
sudo chmod -Rfv 777 /root/Captures*
Startup Script
NOTE: SCRIPT CODE BELOW REQUIRES 20GB FREE SPACE FOR CAPTURES.
The tshark command below will produce 512 files of 20MB each, totaling 10GB.
On reboot, the service will move the existing captures from the “Captures”
directory to the “Captures-Old” directory.
10GB in “Captures-Old” + 10GB in the “Captures” directory = 20GB.
If there is not enough space, reduce the number of files in the “files:512” option.
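A pre-flight check for the space requirement above, as an added example that is not part of the original procedure: it reads the free space on the capture filesystem and reports the largest files: value that fits two generations of 20MB files. The script name and function names are hypothetical, and it assumes a POSIX df.

```shell
#!/bin/sh
# Added example (not from the original page): size the tshark ring buffer
# to the free space on the capture disk. Function names are hypothetical.

FILESIZE_KB=20480   # matches -b filesize:20480 (20MB per file)
MAX_FILES=512       # matches -b files:512
GENERATIONS=2       # Captures + Captures-Old, as described on this page

# required_kb FILES -> kB needed when both directories hold a full ring
required_kb() {
    echo $(( $1 * FILESIZE_KB * GENERATIONS ))
}

# max_ring_files AVAIL_KB -> largest files: value that fits, capped at MAX_FILES
max_ring_files() {
    n=$(( $1 / (FILESIZE_KB * GENERATIONS) ))
    if [ "$n" -gt "$MAX_FILES" ]; then n=$MAX_FILES; fi
    echo "$n"
}

# ring_advice AVAIL_KB -> prints a verdict; returns 0 ok, 1 reduce, 2 too small
ring_advice() {
    need=$(required_kb "$MAX_FILES")
    fit=$(max_ring_files "$1")
    if [ "$1" -ge "$need" ]; then
        echo "OK: $1 kB free, $need kB needed for files:$MAX_FILES"
    elif [ "$fit" -ge 1 ]; then
        echo "LOW: $1 kB free, use -b files:$fit"
        return 1
    else
        echo "FAIL: $1 kB free, not enough for one ${FILESIZE_KB} kB file pair"
        return 2
    fi
}

# preflight DIR -> run the check against the filesystem holding DIR.
# Space that existing captures will free on restart is not counted (conservative).
preflight() {
    avail=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    ring_advice "$avail"
}

# Usage: sudo sh ring-preflight.sh /root/Captures
if [ "$#" -gt 0 ]; then
    preflight "$1"
    exit $?
fi
```

An exit status of 1 means the reported files: value should replace files:512 in the startup script.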
Create Startup Script
sudo nano /usr/local/bin/tshark-capture
Copy and paste code below into nano editor.
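#!/bin/bash
# Jomar Systems
# Revised 2022-01-31 18:05 EST
# Discard the previous generation of old captures.
rm -f /root/Captures/Captures-Old/*
# Move the captures from the last run into Captures-Old.
mv -f /root/Captures/sbc_* /root/Captures/Captures-Old/
chmod -Rf 777 /root/Captures/
# Capture on all interfaces into a ring of 512 files of 20480 kB each.
tshark -q -ni any -b files:512 -b filesize:20480 -w /root/Captures/sbc.pcap
Exit by pressing Ctrl+X.
When prompted “Save modified buffer?”, press “Y”, then press Enter.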
Update Permissions
sudo chmod -fv 755 /usr/local/bin/tshark-capture
Create systemd Service Script
sudo nano /lib/systemd/system/tshark-capture.service
Copy and paste code below into nano editor.
# /lib/systemd/system/tshark-capture.service
[Unit]
Description=Tshark Capture Service
After=multi-user.target

[Service]
Type=idle
ExecStart=/usr/local/bin/tshark-capture

[Install]
WantedBy=multi-user.target
Exit by pressing Ctrl+X.
When prompted “Save modified buffer?”, press “Y”, then press Enter.
Update Permissions
sudo chmod -fv 644 /lib/systemd/system/tshark-capture.service
Enable and Start systemd Script
sudo systemctl daemon-reload
sudo systemctl enable tshark-capture.service
sudo systemctl start tshark-capture.service
Verify Capture is Running
Check Service Status
sudo systemctl status tshark-capture.service
If the tshark capture service is running, you should see “active (running)”.
Verify Capture Files Are Being Created
sudo ls -al /root/Captures
You should see capture files named sbc_XXXXX_YYYYYYYYYYYYYY.pcap, where XXXXX is the sequential file number and YYYYYYYYYYYYYY is the date and time the file was created.