Yves Gougeon
Posted March 21, 2018

Hello Group,

I am curious if it is possible to compile pcapsipdump on a Packet Squirrel. We are planning to use a Squirrel to capture SIP calls only, not a full TCPDUMP.

Dave-ee Jones
Posted March 22, 2018

So you're trying to filter the tcpdump file to view only SIP packets?

You can either do this with the command 'tcpdump', or use an external program to read the file and filter for certain traffic (e.g. Wireshark).

SIP traffic is usually over UDP on ports 5060 (unencrypted) and 5061 (encrypted). It can also be over TCP.

I can't remember all the arguments tcpdump takes but you should SSH into the PS and do a "tcpdump ?" to figure out what arguments you need to pass to it (pass port 5060 to it, and UDP as the protocol).

Links: https://wiki.wireshark.org/SIP

Yves Gougeon (Author)
Posted March 23, 2018

The purpose of PCAPSIPDUMP is to fragment each independent SIP call into individual pcap files, including its RTP streams. TCPDUMP does not have this ability.

Additionally, the SIP and RTP packets can come from any ports, so it is not possible for TCPDUMP to capture a specific layer 7.

Dave-ee Jones
Posted March 26, 2018

On 3/24/2018 at 6:20 AM, Yves Gougeon said:
> Additionally, the SIP and RTP packets can come from any ports, so it is not possible for TCPDUMP to capture a specific layer 7.

How many people out there do you think would change the default port, knowing that if you do that you have to reconfigure firewalls and the phone system itself? I think you'll find at least the SIP ports are default, as servers, clients and firewalls need to know it. A lot of phone systems (like 3CX, for example) use specific ports for their audio streams. 3CX uses ports 9000-9500 (UDP) for its audio streams over RTP, for example.

However, it is true TCPDump doesn't support pushing separate calls to separate dump files.

On 3/24/2018 at 6:20 AM, Yves Gougeon said:
> ...so it is not possible for TCPDUMP to capture a specific layer 7.

Of course it's not possible with that attitude.

If you want to use PCAPSIPDUMP so much, just try compiling it on the PS with libpcap and gcc3.
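
Added example, not written by either poster and not pcapsipdump's own code: a sketch of the per-call splitting discussed in this thread, grouping SIP messages by Call-ID and following the RTP endpoint advertised in SDP instead of relying on fixed ports. The tuple layout, the `sip()` helper and all addresses are assumptions; the packets are constructed sample data, and only UDP with IPv4 SDP is handled.

```python
import re
from collections import defaultdict

CALL_ID = re.compile(rb"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", re.I | re.M)
SDP_CONN = re.compile(rb"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(rb"^m=audio (\d+) ", re.M)

def looks_like_sip(payload):
    """True if the first line is a SIP request line or status line."""
    first = payload.split(b"\r\n", 1)[0]
    return first.endswith(b" SIP/2.0") or first.startswith(b"SIP/2.0 ")

def split_calls(packets):
    """Group (src, sport, dst, dport, payload) UDP tuples into per-call lists."""
    calls = defaultdict(list)
    media = {}  # (ip, port) advertised in SDP -> Call-ID
    for pkt in packets:
        src, sport, dst, dport, payload = pkt
        if looks_like_sip(payload):
            m = CALL_ID.search(payload)
            if not m:
                continue
            cid = m.group(1).decode()
            calls[cid].append(pkt)
            conn, audio = SDP_CONN.search(payload), SDP_AUDIO.search(payload)
            if conn and audio:
                media[(conn.group(1).decode(), int(audio.group(1)))] = cid
        else:
            # Not SIP: keep it only if it goes to or from an advertised media endpoint.
            cid = media.get((dst, dport)) or media.get((src, sport))
            if cid:
                calls[cid].append(pkt)
    return dict(calls)

def sip(first_line, call_id, ip=None, port=None):
    """Build a constructed SIP message, optionally with an SDP body (hypothetical helper)."""
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n" if ip else ""
    return f"{first_line}\r\nCall-ID: {call_id}\r\n\r\n{sdp}".encode()

# Constructed sample traffic: signalling on non-default ports, RTP on negotiated ports.
A, B = "192.0.2.10", "198.51.100.5"
SAMPLE = [
    (A, 5082, B, 5090, sip("INVITE sip:bob@example.test SIP/2.0", "call-1@a", A, 40000)),
    (B, 5090, A, 5082, sip("SIP/2.0 200 OK", "call-1@a", B, 17000)),
    (A, 40000, B, 17000, b"\x80\x00\x00\x01rtp-a-to-b"),
    (A, 5082, B, 5090, sip("INVITE sip:carol@example.test SIP/2.0", "call-2@a", A, 40002)),
    (B, 17000, A, 40000, b"\x80\x00\x00\x02rtp-b-to-a"),
    (A, 33000, B, 53, b"\x12\x34not-voip"),
]
```

Calling `split_calls(SAMPLE)` puts both RTP packets with `call-1@a` even though no packet uses port 5060, and drops the unrelated port 53 datagram.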