Description:
This document describes how to use the LANCOM application LCOSCAP to capture packets in a format that can be read with Wireshark.
LCOSCAP captures packets transmitted via any interface on a LANCOM router, and stores them in a Wireshark-compatible *.pcap file.

Running LCOSCAP from the command line is more efficient than capturing in WEBconfig, so the chance that packets are not recorded is lower.

LCOSCAP requires significantly fewer resources than a trace using the LCOS internal 'trace' command, because the packets are not analyzed any further, but simply written to the *.pcap file.




Requirement:

As of LCOS 10.40, LCOSCAP version 10.40 or later must be used, because as of LCOS 10.40 administrator passwords are encrypted and saved as a hash.



Procedure:
1) WEBconfig:
1.1) Open the configuration for the LANCOM router in WEBconfig and switch to the menu item Extras → Packet-Capture.
1.2) Select the logical interface on which you want to capture packets.
  • Logical Network interfaces: LAN-x
  • Logical DSL interfaces: DSL-x
  • Integrated VDSL modem
    • 17xx: LL-VDSL
    • 19x6: LL-XDSL-1 and LL-XDSL-2
  • LACP: BUNDLE-x

The interfaces LL-VDSL-CTRL or LL-XDSL-x-CTRL must not be used as they only record management frames of the DSL modem.

1.3) Click on Go to start the packet capture.

1.4) The Stop button halts the packet capture.


2. Command prompt:

2.1 Open an SSH session on your LANCOM router and enter the following command to activate packet capture on the device:

set /Setup/Packet-Capture/LCOSCap-Operating yes

As of LCOS 10.50 the Main device password is saved only as a hash instead of cleartext when performing an initial configuration or resetting the device to factory state (Setup/Config/Passwords/Keep-Cleartext No). Existing configurations are not affected.

Currently, the LCOSCap tool does not work without a cleartext password. As a workaround, the LCOSCap algorithm Simple can be removed. To do this, execute the following CLI command:

 set Setup/Packet-Capture/LCOSCap-Algorithms 12


2.2 Open the command prompt in Windows.
2.3 You can display the command syntax and additional options by entering the command lcoscap.
The command syntax is always: lcoscap [option(s)] <IP address>
The following options are available:
-o File in which the captured packets are stored.
-p Password of the LANCOM device on which traffic is to be captured.
-i Interface of the LANCOM device for which data is to be captured. If you omit this parameter, LCOSCAP outputs a list of device interfaces.
-b Switch to include the beacons in the data traffic (WLAN only).
-h Switch to capture only the 802.11 headers, without payload (WLAN only). Without this switch, WLAN packets are captured in full (802.11 header and payload).
-l Specifies the maximum size of the capture file. When the specified size is reached, LCOSCAP creates a new file. The files are sequentially numbered.
-n Specifies the number of files produced by LCOSCAP. If the maximum number of files is reached, LCOSCAP overwrites the first file.
2.4 First, find out which interfaces on the current device (here a LANCOM 1781AW) permit packet capture. To do this, enter the following command:
lcoscap -p PASSWORD 192.168.50.1
(PASSWORD is a placeholder for the main password of the LANCOM router.)
2.5 For example, if you wish to capture data traffic on the first WLAN interface, enter the following command:
lcoscap -o output.pcap -i WLAN-1 -p PASSWORD 192.168.50.1
2.6 Data capture can be stopped using the key combination CTRL + C. The generated file with the extension *.pcap is stored in the LCOSCAP installation directory and can be opened with the software Wireshark.
2.7 After capturing the traces please deactivate the LCOSCap service via the following CLI command:
set /Setup/Packet-Capture/LCOSCap-Operating no
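
Steps 2.1 to 2.7 as one script, so that the capture service is switched off again even if the capture is interrupted. This is an added example, not LANCOM code. It assumes an OpenSSH client and lcoscap in the PATH, an administrator account named root, and that the device executes a CLI command passed on the ssh command line; the function names are hypothetical.

```python
import getpass
import ipaddress
import subprocess
import sys

SERVICE = "/Setup/Packet-Capture/LCOSCap-Operating"  # path from step 2.1

def build_lcoscap_argv(router_ip, interface, password, outfile="output.pcap",
                       max_size=None, max_files=None):
    """Return the lcoscap argument list, using only options listed in 2.3."""
    ipaddress.ip_address(router_ip)           # raises ValueError if not an IP
    if interface.upper().endswith("-CTRL"):
        # LL-VDSL-CTRL / LL-XDSL-x-CTRL carry only DSL modem management frames
        raise ValueError(f"{interface} must not be used for packet capture")
    if not outfile.lower().endswith(".pcap"):
        raise ValueError("output file should have the .pcap extension")
    argv = ["lcoscap", "-o", outfile, "-i", interface]
    if max_size is not None:                  # passed through unchanged to -l
        argv += ["-l", str(max_size)]
    if max_files is not None:                 # first file is overwritten at limit
        argv += ["-n", str(max_files)]
    return argv + ["-p", password, router_ip]

def set_service(router_ip, state, admin="root"):
    """Toggle the capture service over SSH (assumption: the device runs a
    single CLI command given on the ssh command line)."""
    subprocess.run(["ssh", f"{admin}@{router_ip}", f"set {SERVICE} {state}"],
                   check=True)

def capture(router_ip, interface, **options):
    # Prompt for the password instead of typing it into the shell history.
    password = getpass.getpass("Main device password: ")
    argv = build_lcoscap_argv(router_ip, interface, password, **options)
    set_service(router_ip, "yes")             # step 2.1
    try:
        subprocess.run(argv, check=False)     # list form: no shell parsing
    except KeyboardInterrupt:
        pass                                  # CTRL + C ends the capture (2.6)
    finally:
        set_service(router_ip, "no")          # step 2.7 always runs

if __name__ == "__main__":
    capture(sys.argv[1], sys.argv[2])         # e.g. 192.168.50.1 WLAN-1
```

lcoscap still receives the password through -p, so it remains visible in the process arguments while the capture runs.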