Thanks for the excellent reply here - I know I will refer to this down the road. Curious, how do you use the raw files?
---
Christopher Aloi
Sent from my iPhone

> On Mar 24, 2015, at 10:22 PM, Peter Beckman <[email protected]> wrote:
>
> We capture 100% of our SIP traffic using tcpdump and logging 14 files at
> 100MB per file (1.5GB rough usage).
>
> We have at least a few days worth of SIP packets to review if necessary.
> Use tshark to find sets of connected data.
>
> This command line does all the rotation and capture for us:
>
> /usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060
>
> -q  Quick (quiet?) output. Print less protocol information so
>     output lines are shorter.
>
> -p  Don't put the interface into promiscuous mode.
>
> -n  Don't convert host addresses to names.
>
> -i  Interface (eth0 here)
>
> -s  Snarf snaplen bytes of data from each packet rather than
>     the default of 68.
>
> -C  Magic Sauce. Before writing a raw packet to a savefile,
>     check whether the file is currently larger than file_size
>     and, if so, close the current savefile and open a new one.
>     Savefiles after the first savefile will have the name
>     specified with the -w flag, with a number after it,
>     starting at 1 and continuing upward. The units of
>     file_size are millions of bytes (1,000,000 bytes, not
>     1,048,576 bytes).
>
> -W  Used in conjunction with the -C option, this will
>     limit the number of files created to the specified number,
>     and begin overwriting files from the beginning, thus
>     creating a 'rotating' buffer. In addition, it will name
>     the files with enough leading 0s to support the maximum
>     number of files, allowing them to sort correctly.
>
> -Z  Drops privileges (if root) and changes user ID to user and
>     the group ID to the primary group of user. This behavior is
>     enabled by default (-Z pcap), and can be disabled by -Z
>     root.
>
> -w  Write the raw packets to file rather than parsing and
>     printing them out. They can later be printed with the -r
>     option. Standard output is used if file is "-".
>
>> On Tue, 24 Mar 2015, Nelson Hicks wrote:
>>
>> I'm looking for options to capture SIP/RTP traffic, index it by call,
>> and make it easy to download the capture for a specific call based on
>> calling/called and time. I want the capture to remain ongoing (rotating
>> capture) with, say, a 96 hour window of calls available. I'm open to
>> hardware and software options.
>>
>> Right now, I have a server that uses tshark running rotating 1-minute
>> captures, but finding and extracting an individual call out of each of
>> the packet segments and merging them together is a slower and more
>> manual process than I'd like, and I'd like to get our techs direct
>> access to these captures as well.
>>
>> Thanks,
>>
>> --
>> Nelson Hicks
>> Network Operations
>> SOCKET
>> (573) 817-0000 ext. 210
>> [email protected]
>
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> [email protected]                                 http://www.angryox.com/
> ---------------------------------------------------------------------------
> _______________________________________________
> VoiceOps mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/voiceops
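The quoted message describes the rotating tcpdump ring buffer and says to "use tshark to find sets of connected data", which is also the per-call extraction Nelson asked about. The script below is an added example, not code from anyone in the thread: it builds the same tcpdump command line from parameters, computes the disk budget of the ring (files x size in 1,000,000-byte units, as -C counts them), locates the Call-IDs for a given calling or called user across every rotated file, and merges one call's packets out of all files into a single pcap. It assumes tcpdump, tshark and mergecap are installed; the interface, paths, sizes and the Call-ID in the usage comment are placeholders. The Wireshark field names sip.from.user, sip.to.user and sip.Call-ID and the tshark -Y display-filter option are real, but the wrapper function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes tcpdump, tshark
# and mergecap are installed; interface, paths, sizes and the sample Call-ID
# are placeholders chosen for illustration.

# Build the rotating-capture command line: $1 interface, $2 file size in MB
# (tcpdump -C counts 1,000,000-byte units), $3 number of files, $4 output path.
# Mirrors the thread's filter (port 5060), so only SIP signalling is captured.
sip_capture_cmd() {
  printf '/usr/sbin/tcpdump -qpni %s -s 65535 -C %s -W %s -Z root -w %s port 5060' \
    "$1" "$2" "$3" "$4"
}

# Disk budget of the ring buffer in bytes: $1 files * $2 MB * 1,000,000.
ring_buffer_bytes() {
  echo $(( $1 * $2 * 1000000 ))
}

# List the rotated savefiles for a -w prefix, oldest first. With -W tcpdump
# zero-pads the numeric suffix, so lexical order is capture order.
ring_files() {
  ls "$1"* 2>/dev/null | sort
}

# Find Call-IDs where $2 is the From or To user part, scanning every file in
# the ring under prefix $1. Prints "file<TAB>Call-ID" lines, one per call.
find_call_ids() {
  prefix=$1; user=$2
  for f in $(ring_files "$prefix"); do
    tshark -r "$f" -Y "sip.from.user == \"$user\" || sip.to.user == \"$user\"" \
      -T fields -e sip.Call-ID 2>/dev/null | sort -u |
      while read -r cid; do printf '%s\t%s\n' "$f" "$cid"; done
  done
}

# Pull every packet of Call-ID $2 out of each rotated file under prefix $1
# and merge the pieces, in capture order, into the single pcap $3.
extract_call() {
  prefix=$1; callid=$2; out=$3
  tmpdir=$(mktemp -d) || return 1
  n=0
  for f in $(ring_files "$prefix"); do
    n=$((n + 1))
    # tshark writes an empty (header-only) file when nothing matches; mergecap copes.
    tshark -r "$f" -Y "sip.Call-ID == \"$callid\"" -w "$tmpdir/part$n.pcap" 2>/dev/null
  done
  mergecap -w "$out" "$tmpdir"/part*.pcap
  rc=$?
  rm -rf "$tmpdir"
  return $rc
}

# Usage with the thread's numbers: 14 files of 100 MB on eth0.
sip_capture_cmd eth0 100 14 /var/log/sip.pcap
echo
echo "ring buffer budget: $(ring_buffer_bytes 14 100) bytes"
# find_call_ids /var/log/sip.pcap 5735551212
# extract_call /var/log/sip.pcap '<call-id-from-find_call_ids>' /tmp/call.pcap
```

Two things worth keeping in mind when adapting this: the `port 5060` filter is the thread's and captures signalling only, so the RTP media Nelson mentioned would need the media port range added to the filter and a correspondingly larger ring; and `-Z root` keeps the capture process running as root, whereas tcpdump's default is to drop to the pcap user once the interface is open, which is the safer setting unless the output directory genuinely requires root.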
