[OpenSIPS-Users] Using sngrep for visualising encrypted SIP traffic

Giovanni Maruzzelli gmaruzz at gmail.com
Wed Mar 24 14:29:26 EST 2021


Ciao Ovidiu!

We're often in parallel :)

I found that if you create the transaction before creating the dialog (if any), then the ACK is traced even from HEP.

What I would add to the super nice recipe is:

- let's give a portrange to sngrep, so it will not analyze all traffic on all ports, and will not trace the RTP packets too
- let's give a limit on how many dialogs it will keep in memory (default is 2000)
- let's do a rotation of dialogs, FIFO, so it will keep the latest and discard the older ones
- let's try to understand fragmented UDP too
- let's use aliases for having names for our servers
- let's not listen for the HEP trace when we don't want it (so there is no duplicate display)

- let's send both to a local sngrep and a remote homer
- let's trace the 100 reply to INVITE too

=========

let's put in .bashrc:

alias sngrepa='sngrep -l 5000 -R -Ludp:127.0.0.1:9080 -v "OPTIONS\ sip" "portrange 5050-5090 or (ip[6:2] & 0x1fff) != 0"'
alias sngrepw='sngrep -l 5000 -R -v "OPTIONS\ sip" "portrange 9069-9071 or (ip[6:2] & 0x1fff) != 0"'

sngrepa will be used for "normal traffic", sngrepw for the HEP trace.
The negation of OPTIONS would not be useful in sngrepw, but it is there so the
command line understands where the BPF filter begins.

=========

opensips.cfg:

modparam("tm", "auto_100trying", 0)

modparam("proto_hep", "hep_id", "[hep_dst] 127.0.0.1:9070; transport=udp; version=3")
modparam("proto_hep", "hep_id", "[hep_dst2] 168.77.20.250:9060; transport=udp; version=3")
modparam("proto_hep", "homer5_on", 1)
modparam("proto_hep", "homer5_delim", "#")
modparam("proto_hep", "hep_capture_id", 100)

modparam("tracer", "trace_on", 1)
modparam("tracer", "trace_id", "[sngrep]uri=hep:hep_dst")
modparam("tracer", "trace_id", "[homer]uri=hep:hep_dst2")

route {
        t_newtran();

        if (!has_totag()) {
                if(is_method("INVITE") ) {
                        trace("sngrep", "D");
                        trace("homer", "D");
                        send_reply(100, "Trying Hard");
                }
        } else {
                match_dialog();
        }

        if(is_method("MESSAGE|REGISTER|SUBSCRIBE|NOTIFY|PUBLISH") ) {
                trace("sngrep", "T");
                trace("homer", "T");
        }
}

local_route {
        if(is_method("NOTIFY") ) {
                trace("sngrep", "M");
                trace("homer", "M");
        }
}

onreply_route[local] {
        if(is_method("NOTIFY") ) {
                trace("sngrep", "M");
                trace("homer", "M");
        }
}

=========

beginning of the common .sngreprc:

alias 168.77.20.201 FS1
alias 168.77.20.202 FS2
alias 168.77.20.203 FS3
alias 67.153.242.46 LB
alias 168.77.20.200 LB
alias 194.143.78.61 GW1
alias 94.43.18.61 GW2
...
set background default
...
set eep.listen on
set eep.listen.version 3
set eep.listen.address 127.0.0.1
set eep.listen.port 9070
set eep.listen.pass
set eep.listen.uuid off


-giovanni


On Wed, Mar 24, 2021 at 2:43 AM Ovidiu Sas <osas at voipembedded.com> wrote:

> Hello all,
>
> Here's a quick recipe to ease the troubleshooting of encrypted SIP traffic:
>
> https://voipembedded.wordpress.com/2021/03/23/troubleshooting-opensips-encrypted-sip-traffic/
>
> Regards,
> Ovidiu Sas
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>


-- 
Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
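As an added example (my own code, not from Giovanni's mail and not code from the OpenSIPS or sngrep projects), here is the generic HEPv3 chunk framing that proto_hep sends towards a hep_id and that sngrep's eep.listen on 127.0.0.1:9070 consumes. The chunk type ids follow the HEPv3 specification; the IP addresses reuse the FS1 and LB values from the aliases above and the capture id is the 100 from the modparam, while the SIP INVITE payload, the SIP ports and the timestamp are constructed. The decoder validates the length fields and skips unknown chunks, which is what you want when checking what actually arrives on the HEP port while a trace is missing from sngrep or Homer.

```python
import socket
import struct
import time

# Chunk type ids from the HEPv3 specification, generic vendor 0x0000.
HEP_VENDOR_GENERIC = 0x0000
CHUNK_IP_FAMILY, CHUNK_IP_PROTO = 0x0001, 0x0002
CHUNK_SRC_IPV4, CHUNK_DST_IPV4 = 0x0003, 0x0004
CHUNK_SRC_PORT, CHUNK_DST_PORT = 0x0007, 0x0008
CHUNK_TS_SEC, CHUNK_TS_USEC = 0x0009, 0x000A
CHUNK_PROTO_TYPE, CHUNK_CAPTURE_ID = 0x000B, 0x000C
CHUNK_AUTH_KEY, CHUNK_PAYLOAD, CHUNK_CORRELATION_ID = 0x000E, 0x000F, 0x0011
IP_FAMILY_V4, IP_PROTO_UDP, HEP_PROTO_TYPE_SIP = 2, 17, 1


def _chunk(type_id, body):
    """One HEPv3 chunk: vendor(2) type(2) length(2, header included) body."""
    return struct.pack("!HHH", HEP_VENDOR_GENERIC, type_id, 6 + len(body)) + body


def encode_hep3(src_ip, src_port, dst_ip, dst_port, payload, capture_id,
                ts=None, auth_key=b"", correlation_id=b""):
    """Wrap one SIP message carried over UDP/IPv4 in a HEPv3 datagram."""
    if ts is None:
        ts = time.time()
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    chunks = [
        _chunk(CHUNK_IP_FAMILY, struct.pack("!B", IP_FAMILY_V4)),
        _chunk(CHUNK_IP_PROTO, struct.pack("!B", IP_PROTO_UDP)),
        _chunk(CHUNK_SRC_IPV4, socket.inet_aton(src_ip)),
        _chunk(CHUNK_DST_IPV4, socket.inet_aton(dst_ip)),
        _chunk(CHUNK_SRC_PORT, struct.pack("!H", src_port)),
        _chunk(CHUNK_DST_PORT, struct.pack("!H", dst_port)),
        _chunk(CHUNK_TS_SEC, struct.pack("!I", sec)),
        _chunk(CHUNK_TS_USEC, struct.pack("!I", usec)),
        _chunk(CHUNK_PROTO_TYPE, struct.pack("!B", HEP_PROTO_TYPE_SIP)),
        _chunk(CHUNK_CAPTURE_ID, struct.pack("!I", capture_id)),
    ]
    if auth_key:
        chunks.append(_chunk(CHUNK_AUTH_KEY, auth_key))
    if correlation_id:
        chunks.append(_chunk(CHUNK_CORRELATION_ID, correlation_id))
    chunks.append(_chunk(CHUNK_PAYLOAD, payload))
    body = b"".join(chunks)
    # Outer header: "HEP3" + total length (header included), big endian.
    return b"HEP3" + struct.pack("!H", 6 + len(body)) + body


_u16 = lambda b: struct.unpack("!H", b)[0]
_u32 = lambda b: struct.unpack("!I", b)[0]
_DECODERS = {
    CHUNK_IP_FAMILY: ("ip_family", lambda b: b[0]),
    CHUNK_IP_PROTO: ("ip_proto", lambda b: b[0]),
    CHUNK_SRC_IPV4: ("src_ip", socket.inet_ntoa),
    CHUNK_DST_IPV4: ("dst_ip", socket.inet_ntoa),
    CHUNK_SRC_PORT: ("src_port", _u16), CHUNK_DST_PORT: ("dst_port", _u16),
    CHUNK_TS_SEC: ("ts_sec", _u32), CHUNK_TS_USEC: ("ts_usec", _u32),
    CHUNK_PROTO_TYPE: ("proto_type", lambda b: b[0]),
    CHUNK_CAPTURE_ID: ("capture_id", _u32),
    CHUNK_AUTH_KEY: ("auth_key", bytes), CHUNK_PAYLOAD: ("payload", bytes),
    CHUNK_CORRELATION_ID: ("correlation_id", bytes),
}


def decode_hep3(packet):
    """Parse a HEPv3 datagram into a dict; raise ValueError on malformed input."""
    if len(packet) < 6 or packet[:4] != b"HEP3":
        raise ValueError("not a HEPv3 packet")
    total = _u16(packet[4:6])
    if total != len(packet):
        raise ValueError("HEP3 length %d != datagram length %d" % (total, len(packet)))
    fields, off = {}, 6
    while off < total:
        if off + 6 > total:
            raise ValueError("truncated chunk header at offset %d" % off)
        vendor, type_id, length = struct.unpack("!HHH", packet[off:off + 6])
        if length < 6 or off + length > total:
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        body = packet[off + 6:off + length]
        off += length
        if vendor == HEP_VENDOR_GENERIC and type_id in _DECODERS:
            name, fn = _DECODERS[type_id]
            fields[name] = fn(body)
        # Unknown vendor or type: skipped, the length field lets us step over it.
    return fields


def sip_summary(fields):
    """First line and Call-ID of the carried SIP message, as sngrep would list it."""
    lines = fields["payload"].decode("utf-8", "replace").split("\r\n")
    call_id = next((l.split(":", 1)[1].strip() for l in lines
                    if l.lower().startswith("call-id:")), None)
    return lines[0], call_id


# Constructed sample: an INVITE from FS1 towards LB (addresses from the aliases).
SAMPLE_INVITE = (
    b"INVITE sip:alice@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 168.77.20.201:5060;branch=z9hG4bK-constructed\r\n"
    b"From: <sip:bob@example.invalid>;tag=1\r\n"
    b"To: <sip:alice@example.invalid>\r\n"
    b"Call-ID: constructed-call-id-1@168.77.20.201\r\n"
    b"CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    pkt = encode_hep3("168.77.20.201", 5060, "168.77.20.200", 5080,
                      SAMPLE_INVITE, capture_id=100, ts=1616610566.25)
    print(len(pkt), "bytes on the wire;", sip_summary(decode_hep3(pkt)))
```

To look at a live feed instead of the constructed sample, bind a UDP socket on the hep_dst address and port from the modparam and pass each received datagram to decode_hep3; a ValueError there means the sender is not speaking plain HEPv3 (wrong version setting, or a non-HEP source on that port).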