PacketSquirrel - PCAPSIPDUMP


Yves Gougeon

So you're trying to filter the tcpdump file to view only SIP packets?

You can either do this with the command 'tcpdump', or use an external program to read the file and filter for certain traffic (e.g. Wireshark).
SIP traffic is usually over UDP on ports 5060 (unencrypted) and 5061 (encrypted). It can also be over TCP.

I can't remember all the arguments tcpdump takes but you should SSH into the PS and do a "tcpdump ?" to figure out what arguments you need to pass to it (pass port 5060 to it, and UDP as the protocol).

Links:
https://wiki.wireshark.org/SIP


The purpose of PCAPSIPDUMP is to fragment each independent SIP call into individual pcap files, including its RTP streams. TCPDUMP does not have this ability. Additionally, the SIP and RTP packets can come from any ports, so it is not possible for TCPDUMP to capture a specific layer 7.


On 3/24/2018 at 6:20 AM, Yves Gougeon said:

Additionally, the SIP and RTP packets can come from any ports, so it is not possible for TCPDUMP to capture a specific layer 7.

How many people out there do you think would change the default port - knowing that if you do that you have to reconfigure firewalls and the phone system itself? I think you'll find at least the SIP ports are default, as servers, clients and firewalls need to know it.

A lot of phone systems (like 3CX, for example) use specific ports for their audio streams. 3CX uses ports 9000-9500 (UDP) for its audio streams over RTP, for example.

However, it is true TCPDump doesn't support pushing separate calls to separate dump files.

On 3/24/2018 at 6:20 AM, Yves Gougeon said:

...so it is not possible for TCPDUMP to capture a specific layer 7.

Of course it's not possible with that attitude.

 

If you want to use PCAPSIPDUMP so much, just try compiling it on the PS with libpcap and gcc3.
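
The per-call splitting discussed in this thread, as an added example that is not part of any post and is not pcapsipdump's own code: it recognises SIP by payload rather than by port and writes each Call-ID's packets into its own pcap. It assumes a little-endian Ethernet pcap with unfragmented IPv4/UDP, handles SIP signalling only (no RTP), and the sample capture is constructed.

```python
import struct
from collections import defaultdict
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LE, Ethernet

def records(pcap):
    """Yield each raw record (16-byte record header + frame) of a little-endian pcap."""
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off:off + 16 + incl]
        off += 16 + incl

def sip_call_id(frame):
    """Call-ID of an IPv4/UDP SIP message on any port, else None.
    Requests end their first line with the SIP version, responses start with it."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    lines = frame[14 + (frame[14] & 0x0F) * 4 + 8:].split(b"\r\n")
    if not (lines[0].endswith(b" SIP/2.0") or lines[0].startswith(b"SIP/2.0 ")):
        return None
    for line in lines[1:]:
        if not line:  # blank line: headers are over, body follows
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"call-id", b"i"):  # "i" is the compact form
            return value.strip().decode("ascii", "replace")
    return None

def split_by_call(pcap):
    """Map Call-ID -> standalone pcap bytes holding that call's SIP packets."""
    calls = defaultdict(lambda: bytearray(pcap[:24]))
    for rec in records(pcap):
        if (cid := sip_call_id(rec[16:])):
            calls[cid] += rec
    return {cid: bytes(data) for cid, data in calls.items()}

def sample_pcap():
    """Constructed capture: one call on 5060, one on 15060, plus a non-SIP packet."""
    msgs = [(5060, b"INVITE sip:bob@example.test SIP/2.0\r\nCall-ID: a1@example.test\r\n\r\n"),
            (15060, b"INVITE sip:eve@example.test SIP/2.0\r\ni: b2@example.test\r\n\r\n"),
            (5060, b"SIP/2.0 200 OK\r\nCall-ID: a1@example.test\r\n\r\n"),
            (53, b"\x12\x34 not sip")]
    out = PCAP_HDR
    for port, body in msgs:
        udp = struct.pack("!HHHH", 40000, port, 8 + len(body), 0) + body
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Each value returned by `split_by_call` can be written to disk as-is and opened in Wireshark.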
