[VoiceOps] Splitting SIP+RTP PCAP files

Nicholas Sten nicksten at gmail.com
Wed Jun 23 14:56:55 EDT 2010


If you find yourself in that gray area where COTS hardware can't save the
day anymore, but you're not looking to spend Empirix money, Endace makes
some really good cards on which to develop your own very robust systems:

http://www.endace.com/

-N


On Wed, Jun 23, 2010 at 11:49 AM, Justin Randall <jrandall at comwave.net> wrote:

>  Hello,
>
>
>
> With an understanding of Wireshark and/or PCAP file structure and a little
> Perl magic you can whip up a simple script in less than 100 lines which will
> pull the exact information you’re looking for from existing PCAP files.
>
>
>
> As for real-time capturing, I can’t speak with any familiarity for Alex’s
> product; however, I can say that scalability of any solutions for real-time
> capturing/analysis without any type of ASICs or custom hardware have limited
> scalability, especially if you’re capturing all signalling and media for all
> call legs for several thousands of simultaneous calls at once in a
> multi-protocol VoIP environment.  We have had to rely on a commercial
> hardware/software vendor solution in order to capture larger volumes of
> traffic without loss.  You can still pull a decent solution together without
> a full commercial solution using a special NIC, carefully tuned PCAP
> filters, and a sufficiently distributed L2 switching network.
>
>
>
> Regards,
>
>
>
> Justin Randall
>
> Team Leader - VoIP Engineering
>
> Comwave Telecom Inc.
>
> *From:* voiceops-bounces at voiceops.org [mailto:
> voiceops-bounces at voiceops.org] *On Behalf Of *Brooks Bridges
> *Sent:* June-23-10 2:23 PM
> *To:* 'Lee Riemer'; voiceops at voiceops.org
>
> *Subject:* Re: [VoiceOps] Splitting SIP+RTP PCAP files
>
>
>
> It does not.  We didn’t see a need for that, as we use it as a real-time
> “backlog” of calls for troubleshooting.
>
>
>
> *Brooks R. Bridges*
>
> *Telecommunications Manager*
>
> *Ifbyphone, Inc.*
>
> *Phone: (847) 983-3000*
>
> *Fax: (847) 676-6553*
>
> *bbridges at ifbyphone.com*
>
> *http://www.ifbyphone.com*
>
>
>
> *From:* voiceops-bounces at voiceops.org [mailto:
> voiceops-bounces at voiceops.org] *On Behalf Of *Lee Riemer
> *Sent:* Wednesday, June 23, 2010 12:18 PM
> *To:* voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] Splitting SIP+RTP PCAP files
>
>
>
> Will it work on data already captured in .pcap files?
>
> On 6/23/2010 12:07 PM, Brooks Bridges wrote:
>
> The utility was written by Alex as a replacement for pcapsipdump.
> pcapsipdump suffers from severe performance and stability problems with any
> appreciable traffic.
>
>
>
> I can vouch that Alex’s utility is very stable and efficient, but I do have
> to take exception to the “inexpensive (read: basically free!)” statement, as
> the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone,
> Inc.
>
>
>
> Please contact me off-list if you would like to discuss using the utility.
> I do not believe there is an issue with us releasing the utility “free as in
> beer”, however I am not the one that can authorize such a release.  I will
> have to confirm this with our upper management.
>
>
>
> Thanks
>
>
>
> *Brooks R. Bridges*
>
> *Telecommunications Manager*
>
> *Ifbyphone, Inc.*
>
> *Phone: (847) 983-3000*
>
> *Fax: (847) 676-6553*
>
> *bbridges at ifbyphone.com*
>
> *http://www.ifbyphone.com*
>
>
>
> *From:* voiceops-bounces at voiceops.org [mailto:
> voiceops-bounces at voiceops.org] *On Behalf Of *Darren Schreiber
> *Sent:* Wednesday, June 23, 2010 11:58 AM
> *To:* Nicholas Sten; Kristian Kielhofner
> *Cc:* voiceops at voiceops.org
> *Subject:* Re: [VoiceOps] Splitting SIP+RTP PCAP files
>
>
>
> What's wrong with pcapsipdump? You can pipe input into that I believe... it's an old tool but it still works. :-)
>
>
>
> Nicholas Sten <nicksten at gmail.com> wrote:
>
>
>
>  Kristian,
>
> Alex has an elegant and inexpensive (read: basically free!) solution that
> you might want to check out.  Here's a brief description (I've culled from a
> personal email, so I hope I don't misrepresent it)
>
> *So I wrote a highly parallelised, multithreaded tool that runs on such a
> "capture box" and listens to SIP traffic intelligently.  It automatically
> identifies the media ports involved in a call and records both SIP and RTP
> to distinct capture files in a dated directory hierarchy separated by day
> and hour.  The capture file contains the date, time, ANI, DNIS and Call-ID.*
>
> You should give him a shout: Alex Balashov <abalashov at evaristesys.com>
>
> I can vouch for the quality and effectiveness of his solutions.
>
> -N
>
>  On Wed, Jun 23, 2010 at 9:02 AM, Kristian Kielhofner <
> kristian.kielhofner at gmail.com> wrote:
>
> Hello everyone,
>
>  Does anyone know of a tool to split PCAP files that is SIP+RTP
> aware?  Ideally I'd be able to record a PCAP file with any number of
> calls and then have a utility split that file into each separate call?
>  I'm pretty sure I've seen a utility to do this, I just can't remember
> the name...
>
> Thanks!
>
> --
> Kristian Kielhofner
> http://www.astlinux.org
> http://blog.krisk.org
> http://www.star2star.com
> http://www.submityoursip.com
> http://www.voalte.com
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>
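
The SIP-aware splitting discussed in this thread (learn each call's media ports from the SDP in its SIP messages, then file RTP under the matching Call-ID), as an added example that is not part of the original thread and is not Alex's utility or pcapsipdump. It assumes the capture has already been decoded into UDP datagram tuples; the function names, tuple layout and sample packets are constructed for illustration.

```python
import re
from collections import defaultdict

SIP_START = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} )")
CALL_ID = re.compile(rb"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
SDP_CONN = re.compile(rb"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(rb"^m=audio (\d+) ", re.M)

def split_calls(datagrams):
    """datagrams: list of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Returns {call_id: [packet indexes]}; unattributed packets land under None."""
    calls = defaultdict(list)
    media = {}      # (ip, port) advertised in SDP -> Call-ID
    pending = []    # non-SIP packets, resolved once every SDP body has been seen
    for i, (_, _, _, _, data) in enumerate(datagrams):
        m = CALL_ID.search(data) if SIP_START.match(data) else None
        if m is None:
            pending.append(i)
            continue
        cid = m.group(1).decode()
        calls[cid].append(i)
        conn, audio = SDP_CONN.search(data), SDP_AUDIO.search(data)
        if conn and audio:  # session-level c= line only; media-level c= is not handled
            ip, port = conn.group(1).decode(), int(audio.group(1))
            media[(ip, port)] = cid
            media[(ip, port + 1)] = cid     # conventional RTCP port (RTP port + 1)
    for i in pending:
        src, sport, dst, dport, data = datagrams[i]
        cid = None
        if len(data) >= 8 and data[0] >> 6 == 2:    # RTP/RTCP version field == 2
            cid = media.get((dst, dport)) or media.get((src, sport))
        calls[cid].append(i)
    return {cid: sorted(idxs) for cid, idxs in calls.items()}

def _sip(start_line, cid, sdp_ip=None, port=None):
    body = f"v=0\r\nc=IN IP4 {sdp_ip}\r\nm=audio {port} RTP/AVP 0\r\n" if sdp_ip else ""
    head = f"{start_line}\r\nCall-ID: {cid}\r\nContent-Length: {len(body)}\r\n\r\n"
    return (head + body).encode()

RTP = bytes([0x80, 0x00]) + bytes(10)   # bare 12-byte RTP v2 header, payload type 0
# Constructed sample traffic (documentation addresses): two calls plus unrelated UDP.
SAMPLE = [
    ("192.0.2.10", 5060, "198.51.100.1", 5060, _sip("INVITE sip:x@example.test SIP/2.0", "a@example.test", "192.0.2.10", 40000)),
    ("198.51.100.1", 5060, "192.0.2.10", 5060, _sip("SIP/2.0 200 OK", "a@example.test", "198.51.100.1", 50000)),
    ("192.0.2.10", 40000, "198.51.100.1", 50000, RTP),
    ("192.0.2.11", 5060, "198.51.100.1", 5060, _sip("INVITE sip:y@example.test SIP/2.0", "b@example.test", "192.0.2.11", 40002)),
    ("198.51.100.1", 50002, "192.0.2.11", 40002, RTP),
    ("203.0.113.5", 53, "192.0.2.10", 33000, b"\x12\x34" + bytes(14)),
]
```

Because media packets are resolved in a second pass, the grouping also holds when RTP appears in the file before the SIP message that advertises its port, which matters for captures that were already written to disk.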