sipcapture / heplify

Portable and Lightweight HEP Capture Agent for HOMER
https://sipcapture.org
GNU Affero General Public License v3.0

HEP3 packets are also captured even if the mode is SIP #192

Closed sincejune closed 3 years ago

sincejune commented 3 years ago

I think heplify should exclude HEP3 packets when running in SIP mode but it didn't.

Do we have a workaround for this? :)

lmangani commented 3 years ago

Could you elaborate in more detail on your specific condition and configuration? Generally speaking, HEP packets SHOULD never appear on a SIP-dedicated port, quite simply put. Is this your case?

sincejune commented 3 years ago

I'm using HEPlify (1.56) with these options because I have several components running on the box, and some of my components are sending traces to homer (another host). I suspected the ports my components used to send traces are also in the range 5060-10000, so I also got HEP3 packets in HEPlify (debug output).

heplify -m SIP -pr 5060-10000 -dim ...

negbie commented 3 years ago

@sincejune since this is quite special I won't even think about implementing it, but to help you I suggest the following. Use:

-pr "5060-10000 and not port 9060" -dim ....

You can even be more creative if you look up how the flag is implemented.

negbie commented 3 years ago

Here you go https://github.com/sipcapture/heplify/blob/master/sniffer/sniffer.go#L86

sincejune commented 3 years ago

Thanks @negbie

Actually, I think the port my components used is not 9060. But the solution you provided inspired me. Maybe we can add ( and ) around sniffer.config.PortRange so that we can specify ports like

-pr "5060-5061 or portrange 9999-10000" -dim ...

negbie commented 3 years ago

Be creative, you can use any BPF filter in -pr. Good luck!
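
One way to find which ports to exclude with the "and not port N" workaround from the thread, as an added example that is not part of the discussion or of heplify's code: it flags datagrams that begin with the HEP3 header (the ASCII magic "HEP3" followed by a 2-byte big-endian total length) and builds the matching -pr value. The packet type, function names and sample payloads are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
)

// packet is a hypothetical stand-in for one captured UDP datagram.
type packet struct {
	dstPort int
	payload []byte
}

// isHEP3 checks for the "HEP3" magic and a total length that fits the datagram.
func isHEP3(p []byte) bool {
	if len(p) < 6 || string(p[:4]) != "HEP3" {
		return false
	}
	n := int(binary.BigEndian.Uint16(p[4:6]))
	return n >= 6 && n <= len(p)
}

// portRangeArg returns a -pr value for lo-hi that excludes each in-range
// destination port on which a HEP3 payload was seen.
func portRangeArg(lo, hi int, pkts []packet) string {
	seen := map[int]bool{}
	var ports []int
	for _, pk := range pkts {
		if pk.dstPort < lo || pk.dstPort > hi || seen[pk.dstPort] || !isHEP3(pk.payload) {
			continue
		}
		seen[pk.dstPort] = true
		ports = append(ports, pk.dstPort)
	}
	sort.Ints(ports)
	arg := fmt.Sprintf("%d-%d", lo, hi)
	for _, p := range ports {
		arg += fmt.Sprintf(" and not port %d", p)
	}
	return arg
}

func main() {
	// Constructed sample datagrams; 0x0c is the HEP3 total length (12 bytes).
	pkts := []packet{
		{5060, []byte("INVITE sip:bob@example.com SIP/2.0\r\n")},
		{9061, []byte("HEP3\x00\x0cchunks")},
	}
	fmt.Printf("heplify -m SIP -pr %q -dim ...\n", portRangeArg(5060, 10000, pkts))
}
```

In BPF, "port N" matches source or destination, so an excluded port also drops any SIP traffic that happens to use it.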