[VoiceOps] SIP packet capture with index

Chris Aloi ctaloi at gmail.com
Tue Mar 24 22:52:25 EDT 2015


Thanks for the excellent reply here - I know I will refer to this down the road. Curious, how do you use the raw files?

---
Christopher Aloi
Sent from my iPhone

> On Mar 24, 2015, at 10:22 PM, Peter Beckman <beckman at angryox.com> wrote:
> 
> We capture 100% of our SIP traffic using tcpdump and logging 14 files at
> 100MB per file (1.5GB rough usage).
> 
> We have at least a few days worth of SIP packets to review if necessary.
> Use tshark to find sets of connected data.
> 
> This command line does all the rotation and capture for us:
> 
>    /usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060
> 
>        -q      Quick (quiet?) output.  Print less protocol information so
>                output lines are shorter.
> 
>        -p      Don’t put the interface into promiscuous mode.
> 
>        -n      Don’t convert host addresses to names.
> 
>        -i      Interface (eth0 here)
> 
>        -s      Snarf snaplen bytes of data from each packet rather than
>                the default of 68.
> 
>        -C      Magic Sauce. Before writing a raw packet to a savefile,
>                check whether the file is currently larger than file_size
>                and, if so, close the current savefile and open a new one.
>                Savefiles after the first savefile will have the name
>                specified with the -w flag, with a number after it,
>                starting at 1 and continuing upward.  The units of
>                file_size are millions of bytes (1,000,000 bytes, not
>                1,048,576 bytes).
> 
>        -W      Used  in  conjunction  with  the  -C option, this will
>                limit the number of files created to the specified number,
>                and begin overwriting files from the beginning, thus
>                creating a ’rotating’ buffer.  In addition, it will name
>                the files with enough leading 0s to support the maximum
>                number of files, allowing them to sort correctly.
> 
>        -Z      Drops privileges (if root) and changes user ID to user and
>                the group ID to the primary group of user. This behavior is
>                enabled by default (-Z pcap), and can be disabled by -Z
>                root.
> 
>        -w      Write the raw packets to file rather than parsing and
>                printing them out.  They can later be printed with the -r
>                option.  Standard output is used if file is ‘‘-’’.
> 
>> On Tue, 24 Mar 2015, Nelson Hicks wrote:
>> 
>> I'm looking for options to capture SIP/RTP traffic, index it by call,
>> and make it easy to download the capture for a specific call based on
>> calling/called and time. I want the capture to remain ongoing (rotating
>> capture) with, say, a 96 hour window of calls available. I'm open to
>> hardware and software options.
>> 
>> Right now, I have a server that uses tshark running rotating 1-minute
>> captures, but finding and extracting an individual call out of each of
>> the packet segments and merging them together is a slower and more
>> manual process than I'd like, and I'd like to get our techs direct
>> access to these captures as well.
>> 
>> Thanks,
>> 
>> -- 
>> Nelson Hicks
>> Network Operations
>> SOCKET
>> (573) 817-0000 ext. 210
>> nelsonh at socket.net
> 
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
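As an added example that is not part of the thread (this is the editor's script, not Peter's or Nelson's), the following wraps the ring-buffer capture quoted above with the tshark side Nelson asked about: find a call by calling/called user and time window, then pull its SIP dialog and RTP out of every ring-buffer file and merge them into one pcap. It assumes tcpdump, tshark and mergecap are installed, that a "pcap" user exists for the privilege drop, and that the interface, directory, file sizing and RTP port range shown are placeholders; the tshark field and filter names (sip.Call-ID, sip.from.user, sip.to.user, sdp.media.port, frame.time) are real, everything else is illustrative. Because techs will feed it values from tickets, the inputs are validated before being spliced into a display filter.

```shell
#!/bin/sh
# Added example, not from the original thread. Rotating SIP/RTP ring buffer
# plus per-call lookup and extraction with tshark and mergecap.
# Assumptions: tcpdump, tshark, mergecap installed; a 'pcap' user exists;
# interface, directory, sizes and RTP range below are illustrative.
set -eu

CAP_DIR=${CAP_DIR:-/var/log/sipcap}
CAP_BASE=${CAP_BASE:-$CAP_DIR/sip.pcap}
CAP_USER=${CAP_USER:-pcap}            # unprivileged user tcpdump drops to
IFACE=${IFACE:-eth0}
FILE_MB=${FILE_MB:-100}               # -C: millions of bytes per file
FILE_COUNT=${FILE_COUNT:-14}          # -W: files in the ring (14 x 100MB)
RTP_RANGE=${RTP_RANGE:-10000-20000}   # assumed media port range of the gateway

# Start the ring buffer. Run as root; -Z makes the drop to an unprivileged
# user explicit (tcpdump parses untrusted packets). The directory must be
# writable by that user because the drop happens before the first savefile opens.
start_capture() {
    mkdir -p "$CAP_DIR" && chown "$CAP_USER" "$CAP_DIR"
    exec /usr/sbin/tcpdump -pni "$IFACE" -s 0 -C "$FILE_MB" -W "$FILE_COUNT" \
        -Z "$CAP_USER" -w "$CAP_BASE" "port 5060 or udp portrange $RTP_RANGE"
}

# Ring-buffer files oldest first. Sort by mtime, not by name: after the ring
# wraps around, sip.pcap00 is newer than sip.pcap13.
rotated_files() {
    ls -tr -- "$CAP_BASE"* 2>/dev/null || true
}

# Reject anything that could break out of a quoted display-filter value.
# The allowed character set is an assumption; widen it if your Call-IDs need it.
check_token() {
    case $1 in
        ''|*[!A-Za-z0-9+._@-]*) echo "bad value: $1" >&2; return 1 ;;
    esac
}

# Absolute time in the form tshark's frame.time comparison accepts.
check_time() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Z][a-z]{2} [0-9]{1,2}, [0-9]{4} [0-9]{2}:[0-9]{2}:[0-9]{2}$' ||
        { echo "bad time: $1" >&2; return 1; }
}

# Display filter selecting the INVITEs of one calling/called pair in a window.
invite_filter() {   # $1 from user, $2 to user, $3 start, $4 end
    printf 'sip.Method == "INVITE" && sip.from.user == "%s" && sip.to.user == "%s" && frame.time >= "%s" && frame.time <= "%s"' \
        "$1" "$2" "$3" "$4"
}

# Display filter for a whole call: its SIP dialog plus RTP on the media ports
# negotiated in its SDP (udp.port matches either direction).
call_filter() {   # $1 Call-ID, remaining args: media ports
    callid=$1; shift
    f="sip.Call-ID == \"$callid\""
    for p in "$@"; do f="$f || udp.port == $p"; done
    printf '%s' "$f"
}

# Call-IDs of matching INVITEs across the whole ring buffer.
find_calls() {   # $1 from user, $2 to user, $3 start, $4 end
    check_token "$1"; check_token "$2"; check_time "$3"; check_time "$4"
    filt=$(invite_filter "$1" "$2" "$3" "$4")
    rotated_files | while IFS= read -r f; do
        tshark -r "$f" -Y "$filt" -T fields -e sip.Call-ID 2>/dev/null
    done | sort -u
}

# Media ports from every SDP body carried by the call (offer and answer).
media_ports() {   # $1 Call-ID
    rotated_files | while IFS= read -r f; do
        tshark -r "$f" -Y "sip.Call-ID == \"$1\" && sdp" -T fields -e sdp.media.port 2>/dev/null
    done | tr ',' '\n' | grep -E '^[0-9]+$' | sort -un
}

# Pull one call out of every ring-buffer file and merge the parts in time order.
extract_call() {   # $1 Call-ID, $2 output pcap
    check_token "$1"
    filt=$(call_filter "$1" $(media_ports "$1"))
    tmp=$(mktemp -d); n=0
    rotated_files | while IFS= read -r f; do
        n=$((n + 1))
        tshark -r "$f" -Y "$filt" -w "$tmp/$(printf '%03d' "$n").pcap" 2>/dev/null || true
    done
    mergecap -w "$2" "$tmp"/*.pcap
    rm -rf "$tmp"
}

case "${1:-}" in
    start)   start_capture ;;
    find)    find_calls "$2" "$3" "$4" "$5" ;;
    extract) extract_call "$2" "$3" ;;
    "")      ;;   # no arguments: only define the functions (for sourcing/tests)
    *)       echo "usage: $0 start | find FROM TO START END | extract CALLID OUT.pcap" >&2; exit 1 ;;
esac
```

Usage is `sipcap.sh find 1001 2002 "Mar 24, 2015 22:00:00" "Mar 24, 2015 23:00:00"` to list candidate Call-IDs, then `sipcap.sh extract <Call-ID> call.pcap` to get a single file a tech can open in Wireshark. The RTP filter is built from the SDP media ports, so a call whose SDP rolled out of the ring before its media did will come back SIP-only; and on tshark releases older than 1.10 the `-Y` option does not exist and `-R` (two-pass) has to be used instead.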

