search

sipcapture / homer

HOMER - 100% Open-Source SIP, VoIP, RTC Packet Capture & Monitoring
https://sipcapture.org
GNU Affero General Public License v3.0
1.58k stars 239 forks source link

Not all INVITE requests are visible in homer docker #593

Closed perrfect closed 1 year ago

perrfect commented 1 year ago

Hello. I'm using homer in docker-containers and database postgresql and have noticed that not all INVITE requests are visible. It seems that INVITE requests are truncated when MTU is more than 1500 bytes. Maybe some INVITE requests are incorrect write to a DB?

lmangani commented 1 year ago

There's no limits at the receiving end, so you should look at the agent side and make sure the right settings are used to reassemble packets before encapsulation. What's your agent of choice?

perrfect commented 1 year ago

There's no limits at the receiving end, so you should look at the agent side and make sure the right settings are used to reassemble packets before encapsulation. What's your agent of choice?

We are using captagent.

lmangani commented 1 year ago

If you're only using UDP just change the following in your socket_pcap configuration:

<param name="reasm" value="true"/>

If you're using TCP @kYroL01 will assist with the other settings 😉

perrfect commented 1 year ago

If you're only using UDP just change the following in your socket_pcap configuration:

<param name="reasm" value="true"/>

If you're using TCP @kYroL01 will assist with the other settings wink

Ok, thank you, I will try.

perrfect commented 1 year ago

Hello. I changed reasm to true, but now I have the problem with filters:

        <param name="filter">
            <value>portrange 5060-5091 or (ip[6:2] & 0x3fff != 0x0000)</value>
        </param>

: [NOTICE] Loaded socket_pcap
: [ERR] xmlread.c:170 Parse error at line [13]:[not well-formed (invalid token)]
: [ERR] socket_pcap.c:1109 Unable to open configuration file: /usr/local/captagent/etc/captagent//socket_pcap.xml
        <param name="filter">
            <value>portrange 5060-5091 or ip[6:2]</value>
        </param>

67521]: [NOTICE] Using filter: (portrange 5060-5091 or ip[6:2])
67521]: [ERR] socket_pcap.c:885 Failed to compile filter "(portrange 5060-5091 or ip[6:2])": can't parse filter expression: syntax error

        <param name="filter">
            <value>portrange 5060-5091 or ((ip[6:2] & 0x3fff) != 0x0000)</value>
        </param>

[ERR] xmlread.c:170 Parse error at line [13]:[not well-formed (invalid token)]
68512]: [ERR] socket_pcap.c:1109 Unable to open configuration file: /usr/local/captagent/etc/captagent//socket_pcap.xml
        <param name="filter">
            <value>portrange 5060-5091 or (ip[6:2] & 0x3fff != 0)</value>
        </param>

        <param name="filter">
            <value>portrange 5060-5091 or (ip[6:2] and 0x3fff != 0x0000)</value>
        </param>

[NOTICE] Loaded socket_pcap
Started SIP capture agent server daemon.
[NOTICE] Using filter: (portrange 5060-5091 or (ip[6:2] and 0x3fff != 0x0000))
[ERR] socket_pcap.c:885 Failed to compile filter "(portrange 5060-5091 or (ip[6:2] and 0x3fff != 0x0000))": can't parse filter expression: syntax error

Version captagent - 6.3.1

kYroL01 commented 1 year ago

Hi @perrfect This is a bad BPF filter, as the error shows you. What are you trying to filter with ip[6:2] and 0x3fff != ? Identification field for IP header ? When you activate reasm = true we internally already apply a BPF filter, so try to leave it simply portrange 5060-5091. Please try with the default one, thank you