sipcapture / captagent

100% Open-Source Packet Capture Agent for HEP
https://sipcapture.org
GNU Affero General Public License v3.0

[ERR] protocol_sip.c:373 bad parsing [ERR] protocol_sip.c:354 SIP PARSE ERROR [-1] while capturing RTCP #192

Closed rs03 closed 4 years ago

rs03 commented 5 years ago

Captagent.xml
<?xml version="1.0"?>

socket_pcap.xml
portrange 5060-5091 or ip[6:2]
tcp port 5061
portrange 3000-50000

transport_hep.xml
protocol_rtcp.xml
database_hash.xml

captureplans

sip_capture_plan.cfg

capture[pcap] {
    # here we can check source/destination IP/port, message size
    if(msg_check("size", "100")) {
        #Do parsing
        if(parse_sip()) {
            #Can be defined many profiles in transport_hep.xml
            if(!send_hep("hepsocket")) {
                clog("ERROR", "Error sending HEP!!!!");
            }
            if(sip_has_sdp()) {
                #Activate it for RTCP checks
                if(!check_rtcp_ipport()) {
                    clog("ERROR", "ALREADY EXIST");
                }
            }
            #Duplicate all INVITEs to JSON transport
            # if(sip_is_method() && sip_check("method","INVITE")) {
            #     #Can be defined many profiles in transport_json.xml
            #     if(!send_json("jsonsocket")) {
            #         clog("ERROR", "Error sending JSON!!!");
            #     }
            # }
        }
    }
    drop;
}

rtcp_capture_plan.cfg

capture[pcap] {
    # here we can check source/destination IP/port, message size
    if(msg_check("size", "100")) {
        if(is_rtcp()) {
            #Only for redis!
            if(is_rtcp_exist()) {
                #Convert to JSON if needed.
                if(parse_rtcp_to_json()) {
                    #Can be defined many profiles in transport_hep.xml
                    if(!send_hep("hepsocket")) {
                        clog("ERROR", "Error sending HEP!!!!");
                    }
                }
                else {
                    clog("ERROR", "couldn't parse RTCP to json");
                }
            }
            else {
                clog("ERROR", "Couldnot find this call");
            }
        }
        else {
            clog("ERROR", "This is not RTCP");
        }
    }
    drop;
}

I am sending rtp/rtcp data from pjsip softphone, I can see rtcp data in wireshark but there is no rtcp data sent to homer server. Please assist here what could be the issue?

![image](https://user-images.githubusercontent.com/37635175/49391366-6f81f680-f751-11e8-87a9-0806fcb0aa15.png)

Followed steps provided in other similar issues but no luck.

rs03 commented 5 years ago

getting below error while starting captagent

[root@localhost ~]# systemctl status captagent
● captagent.service - LSB: captagent - the Open Source Homer Capture Agent
   Loaded: loaded (/etc/rc.d/init.d/captagent; bad; vendor preset: disabled)
   Active: active (running) since Mon 2018-12-03 14:44:24 GMT; 3h 7min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12303 ExecStop=/etc/rc.d/init.d/captagent stop (code=exited, status=0/SUCCESS)
  Process: 12314 ExecStart=/etc/rc.d/init.d/captagent start (code=exited, status=0/SUCCESS)
 Main PID: 12318 (captagent)
   CGroup: /system.slice/captagent.service
           └─12318 /usr/local/captagent/sbin/captagent -f /usr/local/captagent/etc/captagent/captagent.xml -d

Dec 03 17:42:53 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]
Dec 03 17:42:53 localhost.localdomain captagent[12318]: [59B blob data]
Dec 03 17:42:53 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:373 bad parsing
Dec 03 17:42:53 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [414B blob data]
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:373 bad parsing
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [174B blob data]
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:373 bad parsing
Dec 03 17:42:54 localhost.localdomain captagent[12318]: [ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]

rs03 commented 5 years ago

Dec 04 07:54:03 Ecall-Manager captagent[6963]: [ERR] protocol_sip.c:132 This is not RTCP
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [70B blob data]
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] protocol_sip.c:427 bad parsing
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] protocol_sip.c:408 SIP PARSE ERROR [-1]
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [DEBUG] protocol_rtcp.c:128 IS RTCP
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] parser_rtcp.c:38 wrong version
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] protocol_sip.c:132 This is not RTCP
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [DEBUG] protocol_rtcp.c:128 IS RTCP
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] parser_rtcp.c:38 wrong version
Dec 04 07:54:04 Ecall-Manager captagent[6963]: [ERR] protocol_sip.c:132 This is not RTCP

even though rtcp version is 2

image

rs03 commented 5 years ago

This is really a blocking issue. Urgent help would be helpful.

kYroL01 commented 5 years ago

Hi @rs03 I'm trying to reproduce your issue and take a look asap.

kYroL01 commented 5 years ago

@rs03 I tried a pcap with SIP and RT(C)P traffic and I can see RTCP parsing:

[DEBUG] parser_rtcp.c:87 #1 SR (200)
[DEBUG] parser_rtcp.c:135 #2 SDES (202)
[DEBUG] parser_rtcp.c:196 End of RTCP packet
[DEBUG] protocol_rtcp.c:121 JSON RTCP { "sender_information":{"ntp_timestamp_sec":151524,"ntp_timestamp_usec":476741337,"octets":160,"rtp_timestamp":289878434, "packets":1},"ssrc":1492336106,"type":200, "report_blocks":[{"source_ssrc":3535621694,"highest_seq_no":3,"fraction_lost":0,"ia_jitter":0,"packets_lost":0,"lsr":0,"dlsr":0}],"report_count":1,"sdes_ssrc":1492336106,"sdes_report_count":1,"sdes_information":[{"type":1,"text":"ACLTP ChannelHandle 30"}]}

I also see SIP PARSE ERROR [-1] but related to [ERR] protocol_sip.c:432 sipPacket CALLID has 0 len

Can u pass me the pcap u used in your test? Just to test the same traffic. Thank you

rs03 commented 5 years ago

Sure. test.zip: uploaded zipped pcap file. Please do let me know if anything else is required, @kYroL01

rs03 commented 5 years ago

Or else, can you please confirm if I am missing anything in the configuration which needs to be set?

kYroL01 commented 5 years ago

Hi @rs03. The config seems good. The only things I noticed that differ from the default are the filter for rtcp in socket_pcap.xml and len >= 50. I'm investigating now with your pcap.

kYroL01 commented 5 years ago

Can u try this socket_pcap.xml config?

<?xml version="1.0"?>
<document type="captagent_module/xml">
    <module name="socket_pcap" description="HEP Socket" serial="2014010402">
    <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
        <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <param name="tcpdefrag" value="false"/>
        <param name="capture-plan" value="sip_capture_plan.cfg"/>
        <param name="filter">
            <value>portrange 5060-5091</value>
        </param>
        </settings>
    </profile>
    <profile name="socketspcap_tls" description="TLS Socket" enable="false" serial="2014010402">
        <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <param name="tcpdefrag" value="true"/>
        <param name="capture-plan" value="tcp_capture_plan.cfg"/>
        <param name="filter">
            <value>tcp port 5061</value>
        </param>
        </settings>
    </profile>
    <profile name="socketspcap_rtcp" description="RTCP Socket" enable="true" serial="2014010402">
        <settings>
        <param name="dev" value="any"/>
        <param name="promisc" value="true"/>
        <param name="reasm" value="false"/>
        <!-- size in MB -->
        <param name="ring-buffer" value="20"/>
        <!-- for rtp && rtcp < 250 -->
        <param name="snap-len" value="256"/>
        <param name="capture-filter" value="rtcp"/>
        <param name="capture-plan" value="rtcp_capture_plan.cfg"/>
        <param name="filter">
            <value>portrange 10000-50000 and len >= 50</value>
        </param>
        </settings>
    </profile>
    </module>
</document>

and in captagent.xml put the debug level to 10. With this config, if I test your pcap and grep for RTCP, I see your RTCP pkts successfully parsed.

./captagent -n -D ~/test.pcap | grep RTCP

[DEBUG] protocol_rtcp.c:128 IS RTCP
[DEBUG] protocol_rtcp.c:128 IS RTCP
[DEBUG] protocol_rtcp.c:128 IS RTCP
[DEBUG] protocol_rtcp.c:128 IS RTCP
[DEBUG] protocol_rtcp.c:128 IS RTCP
[DEBUG] protocol_rtcp.c:128 IS RTCP

So, everything is fine for me with this.

rs03 commented 5 years ago

Sure...checking now

rs03 commented 5 years ago

Now I am getting..

Dec 05 05:47:51 Ecall-Manager captagent[4838]: From: sip:12345@172.26.26.42;tag=4YnDO6zAuh8Hb0.G3ODOmaXbkQvmYNBr
Dec 05 05:47:51 Ecall-Manager captagent[4838]: To: ;tag=0afdnhmmMmAvlX5zaTFKoN5uLa3YQ79f
Dec 05 05:47:51 Ecall-Manager captagent[4838]: CSeq: 6314 BYE
Dec 05 05:47:51 Ecall-Manager captagent[4838]: Content-Length: 0
Dec 05 05:47:51 Ecall-Manager captagent[4838]: ]
Dec 05 05:47:51 Ecall-Manager captagent[4838]: [DEBUG] protocol_rtcp.c:128 IS RTCP
Dec 05 05:47:51 Ecall-Manager captagent[4838]: [DEBUG] database_hash.c:165 IP PORT: 172.26.26.42:40001
Dec 05 05:47:51 Ecall-Manager captagent[4838]: [DEBUG] database_hash.c:280 IP PORT: [172.26.26.42:40001]
Dec 05 05:47:51 Ecall-Manager captagent[4838]: [DEBUG] database_hash.c:280 IP PORT: [172.26.26.38:40001]
Dec 05 05:47:51 Ecall-Manager captagent[4838]: [ERR] protocol_sip.c:132 Couldnot find this call

rs03 commented 5 years ago

Also, I don't see any RTCP details in HOMER UI...

below are logs for homer console..

Failed to load resource: the server responded with a status of 500 (Internal Server Error)
dialogCtrl.js:580 no rtcp stats
sipcapture.js:110 reloading
quicksearch.js:93 Object
resultCtrl.js:39 AUTH TRUE
2resultCtrl.js:343 modal1 opened from url trans-194781240
dialogCtrl.js:580 no rtcp stats
/api/v1/report/log:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)
2resultCtrl.js:343 modal1 opened from url trans-194781240
/api/v1/report/log:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error)

kYroL01 commented 5 years ago

Ok, so, from captagent side everything is all right. The problem seems to be "up", in the Homer section. IMHO you have to open this issue in the Homer repo :)

rs03 commented 5 years ago

What about the Dec 05 05:47:51 Ecall-Manager captagent[4838]: [ERR] protocol_sip.c:132 Couldnot find this call error?

Also, if I am capturing pcap, I don't see any HEP enabled RTCP packet [image] as I see for SIP packet [image]

According to me, captagent is not capturing RTCP packets yet

kYroL01 commented 5 years ago

Ok, so, you're right that RTCP is not parsed and sent to HEP, because (testing with your pcap) the flow breaks on function is_rtcp_exist() in rtcp_capture_plan.cfg. When this function fails, the status goes to the else branch, else { clog("ERROR", "Couldnot find this call"); }. This function fails because it cannot associate any existing call in the database hash, as u can see here. The function searches for a string ip+port that is the key to look into the hash, but it fails and returns an empty message. So, if you're sure your call is not broken or incomplete, we need to do additional tests.

lmangani commented 5 years ago

RTCP reports can only be paired with SIP Sessions the Agent is aware of - the "could not find call" message should progressively disappear and typically only regard RTCP for SIP sessions established before the Agent was initialized. If that's not the case, then there's some sort of NAT at play and the right options should be enabled.
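
The ip+port pairing described in the two comments above, as an added sketch (not captagent's own code): an SDP body seen in SIP registers the media endpoint, and a later RTCP packet is matched against it. The function names, the fixed-size table and the rule that RTCP uses the RTP port + 1 are assumptions made for the example.

```c
/* Added illustration (not captagent source): pair RTCP with SIP by "ip:port". */
#include <stdio.h>
#include <string.h>

#define MAX_CALLS 16
struct entry { char key[64]; char callid[64]; };
static struct entry table[MAX_CALLS];
static int n_entries;

/* Learn the media endpoint from an SDP body: c= gives the IP, m=audio the RTP port.
 * Assumption: RTCP runs on RTP port + 1 (RFC 3550 convention, no a=rtcp line). */
int learn_from_sdp(const char *sdp, const char *callid)
{
    char ip[46] = "";
    int rtp_port = 0;
    const char *c = strstr(sdp, "c=IN IP4 ");
    const char *m = strstr(sdp, "m=audio ");
    if (!c || !m || n_entries >= MAX_CALLS) return -1;
    if (sscanf(c, "c=IN IP4 %45[0-9.]", ip) != 1) return -1;
    if (sscanf(m, "m=audio %d", &rtp_port) != 1 || rtp_port <= 0 || rtp_port >= 65535)
        return -1;
    struct entry *e = &table[n_entries++];
    snprintf(e->key, sizeof e->key, "%s:%d", ip, rtp_port + 1);
    snprintf(e->callid, sizeof e->callid, "%s", callid);
    return 0;
}

/* Look up a captured RTCP packet by its source or destination "ip:port".
 * Returns the Call-ID, or NULL (the "could not find this call" case). */
const char *find_call(const char *src, const char *dst)
{
    for (int i = 0; i < n_entries; i++)
        if (!strcmp(table[i].key, src) || !strcmp(table[i].key, dst))
            return table[i].callid;
    return NULL;
}

int main(void)
{
    /* Constructed SDP body; the addresses follow the ones in the logs above. */
    const char *sdp = "v=0\r\nc=IN IP4 172.26.26.42\r\nm=audio 40000 RTP/AVP 0\r\n";
    learn_from_sdp(sdp, "constructed-call-id");
    const char *hit = find_call("172.26.26.42:40001", "172.26.26.38:40001");
    const char *nat = find_call("203.0.113.7:40001", "172.26.26.38:40001");
    printf("address as advertised in SDP: %s\n", hit ? hit : "not found");
    printf("address rewritten on the path: %s\n", nat ? nat : "not found");
    return 0;
}
```

The second lookup misses because the packet's address is not the one advertised in SDP, which is the NAT case; a lookup before any SDP has been learned misses for the same reason as a call set up before the agent started.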

rs03 commented 5 years ago

I am on a private network but all our servers are in the same LAN... But still, just to check if NAT is the issue, I have set nat-mode true in database_hash.xml. Still I see the same issue. Is there any other configuration to be set for NAT devices?

lmangani commented 4 years ago

Closing for inactivity. Reopen if needed.