[VoiceOps] Splitting SIP+RTP PCAP files

David Hiers hiersd at gmail.com
Thu Jun 24 09:10:12 EDT 2010


A few random thoughts on the topic of capture/analysis/forensics....

1.  We've found enough interesting SIP packets excluded from
wireshark's "voip calls" graph that we only use it as a very rough
guide to what might have happened.  After all, if UC-1 sends a packet
that doesn't match the dialog or transaction identifiers expected by
UC-2, that is the packet that will probably kill the call and that is
also the packet that will NOT appear to be associated with the call in
wireshark's graph.  These tools build a subset of reality, and the one
interesting packet that you need to see might not be included in that
subset.  Moreover, you need to allow for the possibility of a defect
in the tool's filters.

2.  Gulp totally rocks:  http://staff.washington.edu/corey/gulp/

C.  Since when did the USA play soccer?


:)


David



On Wed, Jun 23, 2010 at 10:20 PM, Lee Riemer <lriemer at bestline.net> wrote:
> Awesome.
>
> On 6/23/2010 10:39 PM, Brooks Bridges wrote:
>
> To everyone that has contacted me about this application, I'm happy to share
> with you that I have gotten approval from our CEO to release it as a free
> app, however it will be restricted in some commercial uses (e.g. you can't
> repackage it and sell it as a product, etc).
>
> Once I have it past the lawyers and their standard "if you install this and
> it starts world war 3, it's not our fault" disclaimers that will have to be
> added, I will make a point to get it set up somewhere and post a link on
> this list and a couple others.
>
> Please be patient.  As we all know, lawyers like to take their time so it
> appears that we're paying all that money for a reason. ;-)  Stay tuned!
>
> Brooks R. Bridges
> Telecommunications Manager
> Ifbyphone, Inc.
> Phone: (847) 983-3000
> Fax: (847) 676-6553
> bbridges at ifbyphone.com
> http://www.ifbyphone.com
>
> Brooks Bridges wrote:
>
> The utility was written by Alex as a replacement for pcapsipdump.
> pcapsipdump suffers from severe performance and stability problems with any
> appreciable traffic.
>
>
>
> I can vouch that Alex’s utility is very stable and efficient, but I do have
> to take exception to the “inexpensive (read: basically free!)” statement, as
> the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone,
> Inc.
>
>
>
> Please contact me off-list if you would like to discuss using the utility.
> I do not believe there is an issue with us releasing the utility “free as in
> beer”, however I am not the one that can authorize such a release.  I will
> have to confirm this with our upper management.
>
>
>
> Thanks
>
>
>
> Brooks R. Bridges
>
> Telecommunications Manager
>
> Ifbyphone, Inc.
>
> Phone: (847) 983-3000
>
> Fax: (847) 676-6553
>
> bbridges at ifbyphone.com
>
> http://www.ifbyphone.com
>
>
>
> From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org]
> On Behalf Of Darren Schreiber
> Sent: Wednesday, June 23, 2010 11:58 AM
> To: Nicholas Sten; Kristian Kielhofner
> Cc: voiceops at voiceops.org
> Subject: Re: [VoiceOps] Splitting SIP+RTP PCAP files
>
>
>
> What's wrong with pcapsipdump? You can pipe input into that I believe... it's
> an old tool but it still works. :-)
>
>
>
> Nicholas Sten <nicksten at gmail.com> wrote:
>
>
>
> Kristian,
>
> Alex has an elegant and inexpensive (read: basically free!) solution that
> you might want to check out.  Here's a brief description (I've culled from a
> personal email, so I hope I don't misrepresent it)
>
> So I wrote a highly parallelised, multithreaded tool that runs on such a
> "capture box" and listens to SIP traffic intelligently.  It automatically
> identifies the media ports involved in a call and records both SIP and RTP
> to distinct capture files in a dated directory hierarchy separated by day
> and hour.  The capture file contains the date, time, ANI, DNIS and Call-ID.
>
> You should give him a shout: Alex Balashov <abalashov at evaristesys.com>
>
> I can vouch for the quality and effectiveness of his solutions.
>
> -N
>
> On Wed, Jun 23, 2010 at 9:02 AM, Kristian Kielhofner
> <kristian.kielhofner at gmail.com> wrote:
>
> Hello everyone,
>
>  Does anyone know of a tool to split PCAP files that is SIP+RTP
> aware?  Ideally I'd be able to record a PCAP file with any number of
> calls and then have a utility split that file into each separate call?
>  I'm pretty sure I've seen a utility to do this, I just can't remember
> the name...
>
> Thanks!
>
> --
> Kristian Kielhofner
> http://www.astlinux.org
> http://blog.krisk.org
> http://www.star2star.com
> http://www.submityoursip.com
> http://www.voalte.com
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
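As an added illustration of David's point about packets that match no known dialog, and of the per-call splitting Kristian asked for (example code written for this page, not a tool from this thread or from Ifbyphone): a minimal Python splitter that groups packets by Call-ID, learns RTP endpoints from the SDP c=/m=audio lines, and keeps anything that matches no dialog in an "unmatched" bucket instead of silently leaving it out. All packets, addresses and Call-IDs below are constructed; a real capture would need a pcap reader feeding the same src/dst/payload dicts.

```python
import re
from collections import defaultdict
SIP_PORT = 5060

def parse_sip(payload):
    """Return (is_invite, call_id, media); media is the (ip, port) from SDP c=/m=audio, or None."""
    head, _, body = payload.decode("utf-8", errors="replace").partition("\r\n\r\n")
    cid = re.search(r"^(?:Call-ID|i):\s*(.+?)\s*$", head, re.M | re.I)
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    media = (c.group(1), int(m.group(1))) if c and m else None
    return head.startswith("INVITE "), (cid.group(1) if cid else None), media

def split_by_call(packets):
    """Map Call-ID -> packet indexes. SIP is routed by Call-ID, RTP by media endpoints
    learned from SDP; anything matching no dialog goes to 'unmatched' rather than being dropped."""
    dialogs, media, calls = set(), {}, defaultdict(list)
    for i, p in enumerate(packets):
        if SIP_PORT in (p["src"][1], p["dst"][1]):
            is_invite, call_id, endpoint = parse_sip(p["payload"])
            if is_invite and call_id:
                dialogs.add(call_id)
            if endpoint and call_id in dialogs:
                media[endpoint] = call_id
            key = call_id if call_id in dialogs else "unmatched"
        else:
            key = media.get(p["src"]) or media.get(p["dst"]) or "unmatched"
        calls[key].append(i)
    return dict(calls)

# --- constructed sample capture (not real traffic) ---
def sip(first_line, call_id, sdp_ip=None, sdp_port=None):
    msg = f"{first_line}\r\nCall-ID: {call_id}\r\n"
    if sdp_ip:
        msg += f"Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 {sdp_ip}\r\nm=audio {sdp_port} RTP/AVP 0\r\n"
    else:
        msg += "\r\n"
    return msg.encode()
def pkt(src, sport, dst, dport, payload):
    return {"src": (src, sport), "dst": (dst, dport), "payload": payload}

RTP = b"\x80\x00\x00\x01\x00\x00\x00\xa0\x12\x34\x56\x78"  # minimal RTP header, PT 0
PACKETS = [
    pkt("10.0.0.1", 5060, "10.0.0.2", 5060, sip("INVITE sip:bob@10.0.0.2 SIP/2.0", "abc@10.0.0.1", "10.0.0.1", 20000)),
    pkt("10.0.0.2", 5060, "10.0.0.1", 5060, sip("SIP/2.0 200 OK", "abc@10.0.0.1", "10.0.0.2", 30000)),
    pkt("10.0.0.2", 30000, "10.0.0.1", 20000, RTP),
    pkt("10.0.0.1", 20000, "10.0.0.2", 30000, RTP),
    pkt("10.0.0.3", 5060, "10.0.0.1", 5060, sip("BYE sip:alice@10.0.0.1 SIP/2.0", "zzz@10.0.0.3")),  # Call-ID no INVITE opened
    pkt("10.0.0.5", 41000, "10.0.0.6", 42000, RTP),  # RTP that no SDP announced
]
```

Running `split_by_call(PACKETS)` puts the INVITE, its 200 OK and the two announced RTP packets under the one Call-ID, and leaves the stray BYE and the unannounced RTP in "unmatched" where an analyst can still see them.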
