#17 Capturing on ports other than 5060

[Mercutio.viz]

Gentlemen,

Thank you for such a great project. I've been working with FreeSWITCH for 10 years and pcapsipdump has been invaluable.

I was very happy to see r127 about capturing on non-standard ports. My issue is that I can't seem to make that work, regardless of the syntax I use. I've tried the following syntaxes:
pcapsipdump -i eth0 -d /var/spool/pcapsipdump
pcapsipdump -i eth0 -d /var/spool/pcapsipdump portrange 5060-5080
pcapsipdump -i eth0 -d /var/spool/pcapsipdump port 5061 or port 5080

In each case I only capture packets for SIP traffic to or from port 5060. Just to make sure I was seeing traffic I ran a tcpdump -nq -s 0 -A -i eth0 portrange 5060-5080 in a separate terminal as a sanity check to make sure I was seeing the traffic on the interface on those ports, which I was.

Any suggestion on how to make sure pcapsipdump handles non-standard ports?

Thanks,
Michael

[Mercutio.viz]

Hi Aex,

That appears to be it - TCP vs. UDP. I do both TCP and UDP because of some
NAT craziness. I will try to use UDP as much as possible.

For the record, from a technical standpoint, how large a project is it to
add TCP to pcapsipdump?

Thanks,
Michael

On Mon, Jun 26, 2017 at 3:05 AM, Aex Aey aexaey@users.sf.net wrote:

• status: open --> pending
• assigned_to: Aex Aey
• Comment:

Hi Michael,

Couple more things sanity-check:
Are you running latest SVN (127)?
Are you capturing SIP/UDP? pcapsipdump doesn't support SIP/TCP or SIP/TLS
yet (but might in near future)

I've did a quick test with:

sipp -sn uac -p 5070 127.0.0.1:5080

./pcapsipdump -f -i lo -d .

and svn127 seem to capture just fine.

• [support-requests:#17]
  https://sourceforge.net/p/pcapsipdump/support-requests/17/ Capturing on
  ports other than 5060*

Status: pending
Group: v1.0_(example)
Created: Sun Jun 25, 2017 10:44 PM UTC by Mercutio.viz
Last Updated: Sun Jun 25, 2017 10:44 PM UTC
Owner: Aex Aey

Gentlemen,

Thank you for such a great project. I've been working with FreeSWITCH for
10 years and pcapsipdump has been invaluable.

I was very happy to see r127 about capturing on non-standard ports. My
issue is that I can't seem to make that work, regardless of the syntax I
use. I've tried the following syntaxes:
pcapsipdump -i eth0 -d /var/spool/pcapsipdump
pcapsipdump -i eth0 -d /var/spool/pcapsipdump portrange 5060-5080
pcapsipdump -i eth0 -d /var/spool/pcapsipdump port 5061 or port 5080

In each case I only capture packets for SIP traffic to or from port 5060.
Just to make sure I was seeing traffic I ran a tcpdump -nq -s 0 -A -i eth0
portrange 5060-5080 in a separate terminal as a sanity check to make sure I
was seeing the traffic on the interface on those ports, which I was.

Any suggestion on how to make sure pcapsipdump handles non-standard ports?

Thanks,
Michael

---

Sent from sourceforge.net because you indicated interest in
https://sourceforge.net/p/pcapsipdump/support-requests/17/

To unsubscribe from further messages, please visit
https://sourceforge.net/auth/subscriptions/

[Aex Aey]

Hi Michael,

Couple more things sanity-check:
Are you running latest SVN (127)?
Are you capturing SIP/UDP? pcapsipdump doesn't support SIP/TCP or SIP/TLS yet (but might in near future)

I've did a quick test with:

sipp -sn uac -p 5070 127.0.0.1:5080

./pcapsipdump -f -i lo -d .

and svn127 seem to capture just fine.

[Aex Aey]

For really crude TCP support, check out [r128]. Known problems:
1. SYN, empty ACK, FIN, RST and keepalive packets are omitted;
2. when SIP (+SDP) are long enough to be split into multiple segments, only first segment is recorded;
3. if ip/port allocation lines of SDP happen to be beyong first TCP segment, RTP defined in that SDP is omitted.

Proper support with fragment reassembly and reordering is going to take a bit more effort. Ping me on aexaey [at] gmail, if you're interested in contributing and/or sponsoring this work.