[VoiceOps] SIP packet capture with index
Chris Aloi
ctaloi at gmail.com
Tue Mar 24 22:52:25 EDT 2015
Thanks for the excellent reply here - I know I will refer to this down the road. Curious, how do you use the raw files?
---
Christopher Aloi
Sent from my iPhone
> On Mar 24, 2015, at 10:22 PM, Peter Beckman <beckman at angryox.com> wrote:
>
> We capture 100% of our SIP traffic using tcpdump and logging 14 files at
> 100MB per file (1.5GB rough usage).
>
> We have at least a few days worth of SIP packets to review if necessary.
> Use tshark to find sets of connected data.
>
> This command line does all the rotation and capture for us:
>
> /usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060
>
> -q Quick (quiet?) output. Print less protocol information so
> output lines are shorter.
>
> -p Don’t put the interface into promiscuous mode.
>
> -n Don’t convert host addresses to names.
>
> -i Interface (eth0 here)
>
> -s Snarf snaplen bytes of data from each packet rather than
> the default of 68.
>
> -C Magic Sauce. Before writing a raw packet to a savefile,
> check whether the file is currently larger than file_size
> and, if so, close the current savefile and open a new one.
> Savefiles after the first savefile will have the name
> specified with the -w flag, with a number after it,
> starting at 1 and continuing upward. The units of
> file_size are millions of bytes (1,000,000 bytes, not
> 1,048,576 bytes).
>
> -W Used in conjunction with the -C option, this will
> limit the number of files created to the specified number,
> and begin overwriting files from the beginning, thus
> creating a ’rotating’ buffer. In addition, it will name
> the files with enough leading 0s to support the maximum
> number of files, allowing them to sort correctly.
>
> -Z Drops privileges (if root) and changes user ID to user and
> the group ID to the primary group of user. This behavior is
> enabled by default (-Z pcap), and can be disabled by -Z
> root.
>
> -w Write the raw packets to file rather than parsing and
> printing them out. They can later be printed with the -r
> option. Standard output is used if file is "-".
>
>> On Tue, 24 Mar 2015, Nelson Hicks wrote:
>>
>> I'm looking for options to capture SIP/RTP traffic, index it by call,
>> and make it easy to download the capture for a specific call based on
>> calling/called and time. I want the capture to remain ongoing (rotating
>> capture) with, say, a 96 hour window of calls available. I'm open to
>> hardware and software options.
>>
>> Right now, I have a server that uses tshark running rotating 1-minute
>> captures, but finding and extracting an individual call out of each of
>> the packet segments and merging them together is a slower and more
>> manual process than I'd like, and I'd like to get our techs direct
>> access to these captures as well.
>>
>> Thanks,
>>
>> --
>> Nelson Hicks
>> Network Operations
>> SOCKET
>> (573) 817-0000 ext. 210
>> nelsonh at socket.net
>
> ---------------------------------------------------------------------------
> Peter Beckman Internet Guy
> beckman at angryox.com http://www.angryox.com/
> ---------------------------------------------------------------------------
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
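Chris's question above (how the raw rotating files actually get used) and Nelson's original goal (find one call by number and time window across rotated captures) can both be served by a small per-call index. The following is an added example, not code from Peter's or Nelson's setups: it walks each rotated pcap with only the Python standard library, keys SIP packets by Call-ID together with their file and record offset, and answers a number/time-window query; the file names, addresses and SIP messages are constructed sample data, and Ethernet/IPv4/UDP framing as produced by the tcpdump line above is assumed.

```python
import re, struct
HDR = re.compile(rb"^(Call-ID|From|To):[ \t]*(.*?)\r?$", re.M | re.I)   # long-form header names only
def sip_headers(payload):
    """Return {'call-id', 'from', 'to'} of a SIP message, or None if the payload is not SIP."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    if b"SIP/2.0" not in head.split(b"\r\n", 1)[0]:     # neither a request line nor a status line
        return None
    out = {}
    for name, val in HDR.findall(head):
        out.setdefault(name.decode().lower(), val.decode(errors="replace"))
    return {"from": "", "to": "", **out} if "call-id" in out else None
def build_index(captures):
    """captures: {filename: pcap bytes} -> {call_id: {first, last, from, to, packets: [(file, offset)]}}."""
    idx = {}
    for fname, data in captures.items():
        end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
        off = 24                                          # skip the 24-byte pcap global header
        while off + 16 <= len(data):
            sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
            pkt = data[off + 16:off + 16 + caplen]
            # Assumes Ethernet/IPv4/UDP framing, which is what the tcpdump line above yields on eth0.
            if len(pkt) > 42 and pkt[12:14] == b"\x08\x00" and pkt[23] == 17:
                h = sip_headers(pkt[14 + (pkt[14] & 0x0F) * 4 + 8:])    # past Ethernet, IP, UDP headers
                if h:
                    ts = sec + usec / 1e6
                    e = idx.setdefault(h["call-id"], {"first": ts, "last": ts, "from": h["from"], "to": h["to"], "packets": []})
                    e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
                    e["packets"].append((fname, off))       # enough to pull the record back out later
            off += 16 + caplen
    return idx
def find_calls(idx, number, t0, t1):
    """Call-IDs whose From or To contains `number` and whose packets overlap [t0, t1] (epoch seconds)."""
    return sorted(c for c, e in idx.items()
                  if number in e["from"] + e["to"] and e["first"] <= t1 and e["last"] >= t0)
def make_pcap(packets):
    """Constructed sample input: a little-endian pcap of UDP/5060 frames from [(timestamp, sip_bytes)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, sip in packets:
        udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame = b"\0" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), len(frame), len(frame)) + frame
    return out
# Constructed calls: the INVITE sits in one rotated file and the BYE for the same Call-ID in the next.
INVITE = (b"INVITE sip:5551234@example.invalid SIP/2.0\r\nFrom: <sip:2025550100@example.invalid>;tag=1\r\n"
          b"To: <sip:5551234@example.invalid>\r\nCall-ID: abc123@10.0.0.1\r\n\r\n")
REG = (b"REGISTER sip:example.invalid SIP/2.0\r\nFrom: <sip:3035550199@example.invalid>;tag=7\r\n"
       b"To: <sip:3035550199@example.invalid>\r\nCall-ID: reg9@10.0.0.3\r\n\r\n")
SAMPLE = {"sip.pcap0": make_pcap([(1427250000.0, INVITE), (1427250010.5, REG)]),
          "sip.pcap1": make_pcap([(1427250200.25, INVITE.replace(b"INVITE", b"BYE"))])}
```

In production `captures` would be read from the /var/log/sip.pcap* files, and the stored (file, offset) pairs let a script copy just the matching records into a per-call pcap; the Call-ID also drops straight into a tshark display filter for the same purpose.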