The packet-trace command allows the Acme Packet SBC (Session Director) to capture SIP signaling between two endpoints and send the capture to an external server, such as one running Wireshark. The SBC uses the network interfaces (i.e. media interfaces) to send the capture. The wancom management interface is not supported in this case.

The first step is to configure a capture receiver.  This tells the SBC what interface is used for the mirrored packets and the target IP of the Wireshark server. The network-interface is the SBC’s network-interface and sub-port ID.

The next step is to identify what IP and ports the SBC should listen to in order to send the packets to Wireshark. If no ports are identified then the SBC listens on all ports.



Even though it is not required to specify the local and remote TCP/UDP ports, it's always a good idea to be as specific as possible when defining captures so only the required data is captured. At this point any calls coming into the SBC that involve the IP on TCP or UDP port 5060 are going to trigger the capture and packets will be sent to Wireshark. Sixteen concurrent traces can be running at once.

One thing to note is the capture is sent to Wireshark using RFC 2003 (IP to IP encapsulation) as opposed to relaying SIP on port 5060. This means Wireshark needs to be configured to listen for RFC 2003 packets and then it will decode them. Use the ip.src filter to display only the encapsulated SIP packets.
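What the capture receiver has to unwrap, as an added example that is not part of the original post: the outer IPv4 header carries protocol number 4 (IP-in-IP) and has no TCP/UDP port of its own, and the mirrored SIP packet sits inside it. The function names and the documentation-range addresses are assumptions made for the sample, and only an inner UDP datagram is handled.

```python
import socket
import struct

IPPROTO_IPIP = 4   # outer protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17

def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(buf):
        return None                      # bad header length or truncated packet
    src = socket.inet_ntoa(buf[12:16])
    dst = socket.inet_ntoa(buf[16:20])
    return buf[9], src, dst, buf[ihl:total_len]

def decapsulate(packet):
    """Unwrap one mirrored packet; return the inner UDP datagram as a dict, or None."""
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != IPPROTO_IPIP:
        return None                      # not an IP-in-IP mirror packet
    inner = parse_ipv4(outer[3])
    if inner is None or inner[0] != IPPROTO_UDP or len(inner[3]) < 8:
        return None                      # this example handles inner UDP only
    sport, dport, udp_len = struct.unpack("!HHH", inner[3][:6])
    if udp_len < 8 or udp_len > len(inner[3]):
        return None
    return {"sender": outer[1], "receiver": outer[2],   # SBC interface -> capture box
            "src": inner[1], "dst": inner[2], "sport": sport, "dport": dport,
            "data": inner[3][8:udp_len]}

def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header (checksum left at 0) for the constructed sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: documentation addresses, not values from the page.
SIP = b"OPTIONS sip:192.0.2.10 SIP/2.0\r\n\r\n"
UDP = struct.pack("!HHHH", 5060, 5060, 8 + len(SIP), 0) + SIP
INNER = build_ipv4(IPPROTO_UDP, "192.0.2.10", "192.0.2.20", UDP)
MIRRORED = build_ipv4(IPPROTO_IPIP, "198.51.100.1", "198.51.100.50", INNER)

if __name__ == "__main__":
    print(decapsulate(MIRRORED))
```

The outer pair (`sender`, `receiver`) is the SBC interface and the capture box, while the inner pair is the traced SIP conversation.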

  1. Nicholas says:


    Great one, as I was searching through Google about this. What port do you think it will use if I'm sending this across an MPLS network where there are firewalls in between on the path to the capture receiver? Apparently, I can ping the capture receiver IP via the media interface:vlan and the source IP.


  2. Engineer719 says:

    Be careful when turning on the packet capture; we had a FW in front of the SBC for some reason and the capture receiver was behind that same FW. We basically overloaded the FW with packets destined for the cap box. It wasn't good. So make sure you nail down the specific IP/PORTs that you want monitored.


  3. stephen says:

    Hi Mark…..1st great site and super information.

    Question about the ports in both entries above. In the Capture-Receiver config statements, is the port the SBC media interface where the PC (Wireshark) is? And then the command “packet-trace” port would be the SBC port the target packets for tracing traverse? So in theory I could trace the public side (SBC config would have M00) and my “packet trace” CLI statement would use port M10 (private side port) where my Wireshark PC is located. THANKS

  4. Julian Stucch Kairuz says:

    Take care with leaving the capture receiver enabled; from experience, if you have a lot of customers on the SBC the processor overloads, causing 503 errors. Just enable it… use it… and disable it again.

  5. Mark R says:

    Mark, thank you for this blog, it is very helpful. I have a question on the packet trace – how would I accomplish this with a Red Hat Linux server capturing the packets from the Acme SBC?

    Basically, how do I set up a Wireshark server on the Red Hat server to listen to the Acme packets?


  6. Mark says:

    You’re better off using SIP Monitor and Trace than packet-trace. SM&T is the newer incarnation of packet capture directly on the SBC and it will generate the ladder diagrams which are viewable directly on the SBC’s web interface. Packet-trace is limited to 16 concurrent captures.

  7. Mike Beckham says:

    Hi Mark
    I’m just starting out on the Oracle SBC. This is a great site. My question is how do I run diagnostics on an Acme Packet 3820 ECZ7.2.0 Patch 5 (Build 215)? The instructions from Oracle/Acme are not that clear. Any help would be greatly appreciated.

    Mike Beckham
    UC Engineer
    The Coca-Cola Company

  8. Bruce says:

    Does the Packet Trace capture RTP traffic as well?

  9. Mark says:

    Yes it is possible to capture signaling and RTP for up to 15 concurrent calls.