irontec / sngrep

Ncurses SIP Messages flow viewer
GNU General Public License v3.0
1.02k stars 187 forks source link

Capturing SIPS + RTP/SAVP with asterisk #439

Open Yannik opened 1 year ago

Yannik commented 1 year ago

Hi,

thanks for this great project!

To debug an issue, I would like to capture both SIPS & RTP/SAVP traffic. Note: both are encrypted, which is why I am using HEP w/sngrep instead of tcpdump in the first place :-)

I have configured asterisk to send HEP traffic like this:

[general]
enabled = yes
capture_address = 127.0.0.1:6000
capture_id = 1234
uuid_type = call-id

I'm calling sngrep like this: sngrep--eep-listen udp:127.0.0.1:6000 --rtp.

SIP traffic is captured just fine, but for some reason, RTP is not. By tcpdumping the port 6000 traffic I was able to see that asterisk is not sending the rtp traffic along. According to the HEP3 spec, that should be possible (capture protocol type 0x04). However, I could not find any way to enable it.

I was able to capture RTP by adding -d any to the sngrep call, but now capturing to a pcap ( -O trace.pcap) is broken. The file is just not getting creating. Trying to save from the GUI results in an error message.

Is there some general issue with capturing RTP via HEP, or is this just an asterisk problem?

How would you recommend I proceed to capture encrypted SIP&RTP to pcap? Is there any solution for this issue?

Yannik commented 1 year ago

I was also able to capture SIP+RTP using sngrep --device enp1s0 --keyfile <my-tls-key>, but again this results in Saving is not possible when multiple input sources are specified. when trying to save to pcap. (Which doesn't really make sense to me, as I am only specifying one single device!)

Actually, this was still using HEP due to .sngreprc. Unfortunately, sngrep --device enp1s0 --keyfile <my-tls-key> does not work, since the server is using TLS 1.3 which mandates PFS.

Kaian commented 1 year ago

HI @Yannik !!

Is there some general issue with capturing RTP via HEP, or is this just an asterisk problem?

Nope, this is a common problem in sngrep using HEP. You can save HEP and you can save network traffic, but mixing them in the same PCAP is not supported.

The reason behind this limitation is that sngrep always tries to save each pcap exactly how it was captured, including any fragmentation or segmation and datalink layer data (Loopback device, Ethernet 100, ...). This is easy while saving packets from a single capture device, because libpcap input handle can be used to generate output file.

HEP packets are received in a socket, so this datalink info doesn't exists. We create a fake Ethernet 100Mb datalink layer and build each header manually, converting each received data into a Ethernet>IP>UDP packet to store it in a ethernet datalink pcap file.

In order to support saving from network and HEP at the same time, sngrep must use the network capture handle to create the output pcap and convert each HEP packet to the datalink used in that file by creating the appropiate fake datalink layer data (like it does right now for Ethernet).

Regards!

Yannik commented 1 year ago

I see. Would love to see support for this!

Thanks for your reply @Kaian !