We capture 100% of our SIP traffic using tcpdump and logging 14 files at
100MB per file (1.5GB rough usage).

We have at least a few days worth of SIP packets to review if necessary.
Use tshark to find sets of connected data.

This command line does all the rotation and capture for us:

    /usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060

        -q      Quick (quiet?) output.  Print less protocol information so
                output lines are shorter.

        -p      Don’t put the interface into promiscuous mode.

        -n      Don’t convert host addresses to names.

        -i      Interface (eth0 here)

        -s      Snarf snaplen bytes of data from each packet rather than
                the default of 68.

        -C      Magic Sauce. Before writing a raw packet to a savefile,
                check whether the file is currently larger than file_size
                and, if so, close the current savefile and open a new one.
                Savefiles after the first savefile will have the name
                specified with the -w flag, with a number after it,
                starting at 1 and continuing upward.  The units of
                file_size are millions of bytes (1,000,000 bytes, not
                1,048,576 bytes).

        -W      Used in conjunction with the -C option, this will
                limit the number of files created to the specified number,
                and begin overwriting files from the beginning, thus
                creating a 'rotating' buffer.  In addition, it will name
                the files with enough leading 0s to support the maximum
                number of files, allowing them to sort correctly.

        -Z      Drops privileges (if root) and changes user ID to user and
                the group ID to the primary group of user. This behavior is
                enabled by default (-Z pcap), and can be disabled by -Z
                root.

        -w      Write the raw packets to file rather than parsing and
                printing them out.  They can later be printed with the -r
                option.  Standard output is used if file is "-".

On Tue, 24 Mar 2015, Nelson Hicks wrote:

I'm looking for options to capture SIP/RTP traffic, index it by call,
and make it easy to download the capture for a specific call based on
calling/called and time. I want the capture to remain ongoing (rotating
capture) with, say, a 96 hour window of calls available. I'm open to
hardware and software options.

Right now, I have a server that uses tshark running rotating 1-minute
captures, but finding and extracting an individual call out of each of
the packet segments and merging them together is a slower and more
manual process than I'd like, and I'd like to get our techs direct
access to these captures as well.

Thanks,

--
Nelson Hicks
Network Operations
SOCKET
(573) 817-0000 ext. 210
[email protected]


---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
[email protected]                                 http://www.angryox.com/
---------------------------------------------------------------------------
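As an added example (not part of either mail, and not tcpdump's or Wireshark's own code), here is the two-step lookup the question asks for, run over the rotated files the tcpdump line above writes: find the Call-IDs of INVITEs between two numbers in a time window, then pull one dialog out of every rotated file and merge the pieces. It assumes tshark and mergecap are installed and that the files live under /var/log/sip.pcap*.

```shell
#!/bin/sh
# Added example, not from the original mail: locate a call in the rotating
# tcpdump capture described above and pull the whole SIP dialog into one pcap.
# Assumes tshark and mergecap (Wireshark) are installed and that the capture
# files are the ones the tcpdump line above writes (/var/log/sip.pcap*).
set -eu

CAPTURE_GLOB="${CAPTURE_GLOB:-/var/log/sip.pcap*}"

# Display filter matching every message of one dialog (Call-ID ties them together).
call_id_filter() {
    printf 'sip.Call-ID == "%s"' "$1"
}

# Display filter for INVITEs from $1 to $2 inside a time window; times use
# Wireshark's absolute-time syntax, e.g. "Mar 24, 2015 09:00:00".
invite_filter() {
    printf 'sip.Method == "INVITE" && sip.from.user == "%s" && sip.to.user == "%s" && frame.time >= "%s" && frame.time <= "%s"' \
        "$1" "$2" "$3" "$4"
}

# Rotated files oldest first (by mtime), so -W's wrap-around does not scramble order.
capture_files() {
    ls -tr $CAPTURE_GLOB 2>/dev/null || true
}

# Step 1: list Call-IDs of calls from $1 to $2 between $3 and $4.
find_call_ids() {
    for f in $(capture_files); do
        tshark -r "$f" -Y "$(invite_filter "$1" "$2" "$3" "$4")" -T fields -e sip.Call-ID
    done | sort -u
}

# Step 2: copy every packet of dialog $1 out of each rotated file and merge
# the pieces, in capture order, into $2.
extract_call() {
    tmpdir=$(mktemp -d)
    n=0
    for f in $(capture_files); do
        n=$((n + 1))
        tshark -r "$f" -Y "$(call_id_filter "$1")" -w "$tmpdir/$(printf '%03d' "$n").pcap"
    done
    mergecap -w "$2" "$tmpdir"/*.pcap
    rm -rf "$tmpdir"
}

# Usage: find_call_ids 5731234567 5739876543 "Mar 24, 2015 09:00:00" "Mar 24, 2015 10:00:00"
#        extract_call "<Call-ID from step 1>" /tmp/call.pcap
```

Because the capture filter is `port 5060`, the merged file holds the SIP signalling only; RTP would need the capture widened to the media ports.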
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops