[VoiceOps] SIP packet capture with index
Peter Beckman
beckman at angryox.com
Tue Mar 24 22:22:39 EDT 2015
We capture 100% of our SIP traffic using tcpdump, logging 14 files at
100MB per file (1.5GB rough usage).
We have at least a few days' worth of SIP packets to review if necessary.
Use tshark to find sets of connected data.
This command line does all the rotation and capture for us:
/usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060
  -q  Quick (quiet?) output. Print less protocol information so
      output lines are shorter.
  -p  Don't put the interface into promiscuous mode.
  -n  Don't convert host addresses to names.
  -i  Interface (eth0 here)
  -s  Snarf snaplen bytes of data from each packet rather than
      the default of 68.
  -C  Magic Sauce. Before writing a raw packet to a savefile,
      check whether the file is currently larger than file_size
      and, if so, close the current savefile and open a new one.
      Savefiles after the first savefile will have the name
      specified with the -w flag, with a number after it,
      starting at 1 and continuing upward. The units of
      file_size are millions of bytes (1,000,000 bytes, not
      1,048,576 bytes).
  -W  Used in conjunction with the -C option, this will
      limit the number of files created to the specified number,
      and begin overwriting files from the beginning, thus
      creating a 'rotating' buffer. In addition, it will name
      the files with enough leading 0s to support the maximum
      number of files, allowing them to sort correctly.
  -Z  Drops privileges (if root) and changes user ID to user and
      the group ID to the primary group of user. This behavior is
      enabled by default (-Z pcap), and can be disabled by -Z
      root.
  -w  Write the raw packets to file rather than parsing and
      printing them out. They can later be printed with the -r
      option. Standard output is used if file is "-".
On Tue, 24 Mar 2015, Nelson Hicks wrote:
> I'm looking for options to capture SIP/RTP traffic, index it by call,
> and make it easy to download the capture for a specific call based on
> calling/called and time. I want the capture to remain ongoing (rotating
> capture) with, say, a 96 hour window of calls available. I'm open to
> hardware and software options.
>
> Right now, I have a server that uses tshark running rotating 1-minute
> captures, but finding and extracting an individual call out of each of
> the packet segments and merging them together is a slower and more
> manual process than I'd like, and I'd like to get our techs direct
> access to these captures as well.
>
> Thanks,
>
> --
> Nelson Hicks
> Network Operations
> SOCKET
> (573) 817-0000 ext. 210
> nelsonh at socket.net
>
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
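The post leaves the "index it by call" half of the question to tshark. The following is an added example, not code from Peter's message or from tcpdump/tshark: a small Python reader that walks the rotated files the command above produces (classic pcap, Ethernet + IPv4 + UDP, no VLAN tags, all assumptions), builds a Call-ID index with From/To and timestamps, and writes a single time-ordered pcap for one call even when its INVITE and BYE landed in different rotation files. The sample captures are constructed inline; the file names, IPs and Call-IDs are made up.

```python
"""Index SIP packets from tcpdump's rotated capture files by Call-ID.

Added example for the VoiceOps thread, not the poster's code. Assumes files
written by: tcpdump -C 100 -W 14 -w /var/log/sip.pcap port 5060
(classic pcap, link type 1, Ethernet + IPv4 + UDP, no VLAN tags).
"""
import glob
import struct

SIP_PORT = 5060
PCAP_GLOBAL_HDR = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len
# RFC 3261 compact header names map onto their long forms.
CANONICAL = {"call-id": "call-id", "i": "call-id", "from": "from", "f": "from", "to": "to", "t": "to"}


def iter_records(blob):
    """Yield (ts_sec, ts_usec, frame) for every record in a classic pcap blob."""
    endian = "<" if struct.unpack("<I", blob[:4])[0] == 0xA1B2C3D4 else ">"
    off = PCAP_GLOBAL_HDR
    while off + PCAP_RECORD_HDR <= len(blob):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", blob[off:off + PCAP_RECORD_HDR])
        off += PCAP_RECORD_HDR
        yield sec, usec, blob[off:off + incl]
        off += incl


def write_pcap(records):
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def sip_payload(frame):
    """Return the UDP payload if the frame is IPv4/UDP to or from port 5060, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                       # not IPv4, or IP protocol != UDP
    udp = 14 + (frame[14] & 0x0F) * 4     # skip Ethernet + IP header (IHL)
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if SIP_PORT not in (sport, dport):
        return None
    return frame[udp + 8:udp + ulen]


def sip_header(payload, name):
    """Case-insensitive SIP header lookup accepting long and compact names."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    want = CANONICAL.get(name.lower(), name.lower())
    for line in head.split("\r\n")[1:]:   # [0] is the request/status line
        key, sep, value = line.partition(":")
        if sep and CANONICAL.get(key.strip().lower(), key.strip().lower()) == want:
            return value.strip()
    return None


def index_captures(captures):
    """Build {call_id: [(file, timestamp, from, to), ...]} from (name, blob) pairs."""
    index = {}
    for name, blob in captures:
        for sec, usec, frame in iter_records(blob):
            payload = sip_payload(frame)
            call_id = sip_header(payload, "Call-ID") if payload else None
            if call_id:
                index.setdefault(call_id, []).append(
                    (name, sec + usec / 1e6, sip_header(payload, "From"), sip_header(payload, "To")))
    for hits in index.values():
        hits.sort(key=lambda h: h[1])     # rotated files are not in time order on disk
    return index


def extract_call(captures, call_id):
    """Return one pcap blob holding only call_id's packets, merged across files and time-ordered."""
    records = [(sec, usec, frame) for _name, blob in captures for sec, usec, frame in iter_records(blob)
               if (p := sip_payload(frame)) is not None and sip_header(p, "Call-ID") == call_id]
    return write_pcap(sorted(records, key=lambda r: (r[0], r[1])))


def load_rotated(pattern="/var/log/sip.pcap*"):
    """Read every file tcpdump -C/-W produced (sip.pcap, sip.pcap01, ...)."""
    return [(path, open(path, "rb").read()) for path in sorted(glob.glob(pattern))]


def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet + IPv4 + UDP frame (checksums left zero; test data only)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def _sip(method, call_id, frm, to):
    return (f"{method} sip:{to} SIP/2.0\r\nCall-ID: {call_id}\r\nFrom: <sip:{frm}>;tag=1\r\n"
            f"To: <sip:{to}>\r\nContent-Length: 0\r\n\r\n").encode()


def build_sample_captures():
    """Two constructed rotation files: call-A's INVITE sits in sip.pcap, its BYE in sip.pcap01."""
    a = _frame("10.0.0.5", "10.0.0.1", 5060, 5060, _sip("INVITE", "call-A@10.0.0.5", "1001@10.0.0.5", "2002@10.0.0.1"))
    b = _frame("10.0.0.7", "10.0.0.1", 5060, 5060, _sip("INVITE", "call-B@10.0.0.7", "1003@10.0.0.7", "2004@10.0.0.1"))
    c = _frame("10.0.0.1", "10.0.0.5", 5060, 5060, _sip("BYE", "call-A@10.0.0.5", "2002@10.0.0.1", "1001@10.0.0.5"))
    noise = _frame("10.0.0.9", "10.0.0.1", 40000, 53, b"not sip")   # must be ignored
    return [("sip.pcap01", write_pcap([(1427250100, 0, c)])),
            ("sip.pcap", write_pcap([(1427250000, 0, a), (1427250010, 0, noise), (1427250020, 0, b)]))]


if __name__ == "__main__":
    caps = build_sample_captures()          # swap in load_rotated() on a real box
    for cid, hits in index_captures(caps).items():
        print(cid, [(f, t) for f, t, _, _ in hits])
    open("call-A.pcap", "wb").write(extract_call(caps, "call-A@10.0.0.5"))
```

The same lookup with the tools the post mentions is `tshark -r sip.pcap01 -Y 'sip.Call-ID == "..."' -w part.pcap` per rotation file followed by `mergecap`, which is the manual step Nelson describes; indexing once per rotation file and keeping the Call-ID map around is what turns that into a single lookup. Anything beyond UDP/IPv4 (SIP over TCP or TLS, VLAN-tagged trunks) is outside what this reader parses.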
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops