sipcapture / heplify-server

HEP Capture Server for HOMER
https://sipcapture.org
GNU Affero General Public License v3.0

WARN malformed packet which is neither hep nor protobuf encap #126

Closed ghmj2417 closed 6 years ago

ghmj2417 commented 6 years ago

I am attempting to transition from Kamailio to heplify-server, mainly due to this issue: Errors with OpenSIPs 2.3 (agent) to Kamailio 5.1.4 (node) using HEPv3 #320.

We have since reverted our changes and are using HEPv2, which is working correctly between OpenSIPs 2.3 (agent) and Kamailio 5.1.2 (node).

Continuing to use OpenSIPs as the SIP server and agent, when I disable Kamailio and enable heplify-server as the capture node, I am receiving the following errors:

```
2018-08-30T16:09:12Z WARN malformed packet with length 481 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:22Z WARN malformed packet with length 475 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:22Z WARN malformed packet with length 475 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:32Z WARN malformed packet with length 476 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:32Z WARN malformed packet with length 475 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:36Z WARN malformed packet with length 921 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:36Z WARN malformed packet with length 675 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:36Z WARN malformed packet with length 917 which is neither hep nor protobuf encapsulated
2018-08-30T16:09:36Z WARN malformed packet with length 671 which is neither hep nor protobuf encapsulated
```

My heplify-server.toml looks like this:

```toml
HEPAddr = "0.0.0.0:9060"
ESAddr = ""
ESDiscovery = false
MQDriver = ""
MQAddr = ""
MQTopic = ""
PromAddr = ""
PromTargetIP = ""
PromTargetName = ""
HoraclifixStats = false
RTPAgentStats = false
DBShema = "homer5"
DBDriver = "mysql"
DBAddr = "xxxxxxx:3306"
DBUser = "zzzz"
DBPass = "xxxxxxx"
DBDataTable = "homer_data"
DBConfTable = "homer_configuration"
DBTableSpace = ""
DBBulk = 200
DBTimer = 2
DBRotate = false
DBPartLog = "2h"
DBPartSip = "1h"
DBPartQos = "12h"
DBDropDays = 0
DBDropOnStart = false
Dedup = false
DiscardMethod = []
AlegIDs = []
LogDbg = ""
LogLvl = "debug"
LogStd = false
Version = false
```

And I start heplify-server by using this:

```
./heplify-server -config /etc/heplify-server.toml &
```

I can provide any other information that you might need, or if you want a pcap I can provide that.

negbie commented 6 years ago

I removed hepv2 a long time ago and use only hepv3 for heplify-server. That's why you get the warning. Why don't you use a capture client like heplify or captagent?
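
Added example, not part of the thread and not heplify-server's own code: a small triage helper that tells a HEPv3 datagram (ASCII magic `HEP3`, 16-bit total length, then vendor/type/length chunks) from a legacy HEPv1/v2 one (no magic, first byte is the version), which is the distinction behind the warning above. The names `Classify` and `hep3` are hypothetical, the buffer is assumed to hold exactly one UDP datagram, and the legacy check is a heuristic on the first two bytes.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Classify is a hypothetical triage helper (not heplify-server code) that names
// the framing of one UDP datagram received on the HEP port.
func Classify(pkt []byte) string {
	if len(pkt) >= 6 && string(pkt[:4]) == "HEP3" {
		// Bytes 4-5: big-endian total length covering the whole packet.
		if int(binary.BigEndian.Uint16(pkt[4:6])) != len(pkt) {
			return "malformed hepv3"
		}
		// Chunks: vendor(2) type(2) length(2) data; length counts its own 6-byte header.
		for off := 6; off < len(pkt); {
			if len(pkt)-off < 6 {
				return "malformed hepv3"
			}
			clen := int(binary.BigEndian.Uint16(pkt[off+4 : off+6]))
			if clen < 6 || clen > len(pkt)-off {
				return "malformed hepv3"
			}
			off += clen
		}
		return "hepv3"
	}
	// HEPv1/v2 carry no magic: byte 0 is the version, byte 1 the header length.
	if len(pkt) >= 2 && (pkt[0] == 1 || pkt[0] == 2) && pkt[1] > 0 && int(pkt[1]) <= len(pkt) {
		return fmt.Sprintf("legacy hepv%d", pkt[0])
	}
	return "unknown"
}

// hep3 builds a constructed HEPv3 packet holding one payload chunk (type 0x000f).
func hep3(payload []byte) []byte {
	b := []byte("HEP3\x00\x00\x00\x00\x00\x0f\x00\x00")
	binary.BigEndian.PutUint16(b[10:], uint16(6+len(payload)))
	b = append(b, payload...)
	binary.BigEndian.PutUint16(b[4:], uint16(len(b)))
	return b
}

func main() {
	sip := []byte("OPTIONS sip:a@example.invalid SIP/2.0\r\n\r\n") // constructed sample
	fmt.Println(Classify(hep3(sip)))                                  // HEPv3 agent
	fmt.Println(Classify(append([]byte{2, 8, 2, 17, 0, 0, 0, 0}, sip...))) // constructed v2-style header
	fmt.Println(Classify(sip))                                        // raw SIP, no encapsulation
}
```

Run against the first bytes of a captured datagram, a `legacy hepv2` result means the agent still has to be switched to HEPv3 before the server will accept its traffic.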

ghmj2417 commented 6 years ago

Dang. Sorry for wasting your time. I didn't know you removed hepv2.

I don't have any control over the SIP servers and what agent they chose to use. I know since they use OpenSIPs for the SIP service and the proto_hep module is available, they preferred that. They didn't want a different agent since it was built into OpenSIPs 2.3. Their control will need to be loosened if we cannot get hepv3 with tcp working. And if that is the case, I will push for them to use heplify or captagent.

Thank you for getting to my issue so quickly.

lmangani commented 6 years ago

@ghmj2417 OpenSIPS supports HEP3 like no other. All you have to do is configure the Agents.

ghmj2417 commented 6 years ago

@lmangani Yup, I know it does. My next test is to use heplify-server instead of Kamailio for hepv3. If you reference this issue, https://github.com/sipcapture/homer/issues/320, you will see why I am testing heplify-server.

ghmj2417 commented 6 years ago

@negbie Sorry if this is the wrong place to post this but, to me, it doesn't warrant a new issue. More of a question in regards to you mentioning in this thread of only supporting hepv3. Using hepv3 with tcp, is that using TLS? If so, is there a way to disable TLS? I am testing right now and I see the packets coming in using tcpdump, but heplify isn't logging or reporting seeing the packets.

negbie commented 6 years ago

Hi, I removed plain TCP some time ago too because it was kinda useless for me. When the capture client is on the same server as the capture server it's ok to use UDP, and for backwards compatibility I kept it. For all other cases I would always use TLS on top of TCP and never ever send any unencrypted traffic over the network. It does not matter if it's your internal network or not. The golden rule is, never trust the network!

ghmj2417 commented 6 years ago

Thank you for the explanation @negbie. I appreciate you taking the time to respond. With TLS being a requirement for using TCP, that limits what agents we can use. Unless that was your intention. I have no problem with using TLS. The problem is now I can no longer use the OpenSIPs proto_hep module, which might be ok if SIP TLS decryption is an option with heplify. I know with CaptAgent I can decrypt SIP TLS messages.

Does heplify support decrypting SIP TLS (similar to CaptAgent)? Does heplify support SIP/TCP? Does CaptAgent support HEPv3 TCP with TLS?

I'm really interested in using heplify-server. It's simple and easy which is awesome. My main requirement is that I need to use HEPv3 with TCP (along with the SIP TLS stuff) so I need to figure out what agents can connect to heplify-server with TCP.

negbie commented 6 years ago

My intention is and won't be to limit anything but make the defaults as secure as possible. I will think about bringing back TCP (mainly due to compatibility) but I guess the better case would be to add TLS in the other agents.

> Does heplify support decrypting SIP TLS (similar to CaptAgent)?

No and I have no plans to do it.

> Does heplify support SIP/TCP?

Yes.

> Does CaptAgent support HEPv3 TCP with TLS?

I think so but I'm not 100% sure.

> I don't have any control over the SIP servers and what agent they chose to use.

I don't know what you are doing exactly and in which country you are living, but keep in mind that sending such highly sensitive data over plain TCP or UDP could be very expensive, at least in Germany (DSGVO).

negbie commented 6 years ago

@ghmj2417 just want to let you know that the latest version now has an option for a plain tcp input socket. You need to adjust the config file or command line flags. Just have a look at the example config.

vaclavrak commented 5 years ago

Hello, I have a similar problem. Within Kamailio 5.1.8 there should be support for HEP 3, right? But when I enable the sipcapture module I could see only these WARN messages.

any idea why?

update 10min later:

I follow rule RTFM https://www.kamailio.org/docs/modules/stable/modules/siptrace.html#idm1049283388

thank you for great product ;)