Call Us Today! 877.742.2583




Page tree
Skip to end of metadata
Go to start of metadata

About

Capturing SIP and RTP packets can reveal trouble with the configuration of FreeSWITCH or the endpoints connecting to it. A packet capture might be required by developers to help troubleshoot your installation.

 Click to expand Table of Contents

tcpdump

SRC: http://www.tcpdump.org/

Use tcpdump if you want a pcap to open up in Wireshark later. Else, use tshark if you want a "text only" view of the SIP traffic without all the headers and extra information.

Examples

Basic Logging

Real-time traffic dump (full packets) to stdout:

  tcpdump -nq -s 0 -A -vvv -i eth0 port 5060

Dump to file:

  tcpdump -nq -s 0 -i eth0 -w /tmp/dump.pcap port 5060 

Save a new time-stamped file approximately once per hour on the specified port

  tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5060

Daemonize and log 2 ports, rotate log every hour.

  nohup tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5080 or port 5060 &

Daemonize and log 2 ports, rotate log every hour, and place into hierarchical directory structure.

tcpdump log example
 #!/bin/bash
 TD=`pidof tcpdump`
 if [ -n "$TD" ]; then
   kill "$TD"
 fi

 DIRS="/var/spool/pcap/`/bin/date '+%Y'`/ /var/spool/pcap/`/bin/date '+%Y'`/`/bin/date '+%m'`/ /var/spool/pcap/`/bin/date '+%Y'`/`/bin/date '+%m'`/`/bin/date '+%d'`/"
 for DIR in $DIRS
 do
   if [ ! -d "$DIR" ]; then
     mkdir "$DIR"
   fi
 done

 nohup tcpdump -nq -s 0 -i eth0 -G3600 -w '/var/spool/pcap/%Y/%m/%d/%H%M%S.pcap' port 5060 or port 5080 &> /opt/freeswitch/log/tcpdump.log &

 

This should be run from cron / init services at the first minute of each new day.

Capturing Calls For a Specific User

  sofia status profile $profile user $user_id

to get the remote ip/and port, then use:

  tcpdump -i $INTERFACE -s 1500 -A host $IPADDRESS and port $SIPPORT

 

Using Wireshark to Analyze pcap Files

Wireshark has some nice tools for analyzing your packet captures. See the tutorial linked at the bottom of this page for tips.

ngrep

SRC: http://ngrep.sourceforge.net/

ngrep on the Debian Wheezy repository

ngrep help
USAGE:usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
             <-P char> <-F file> <match expression> <bpf filter>
   -h  is help/usage
   -V  is version information
   -q  is be quiet (don't print packet reception hash marks)
   -e  is show empty packets
   -i  is ignore case
   -v  is invert match
   -R  is don't do privilege revocation logic
   -x  is print in alternate hexdump format
   -X  is interpret match expression as hexadecimal
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched
   -T  is print delta timestamp every time a packet is matched
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -W  is set the dump format (normal, byline, single, none)
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default

EXAMPLES:
 ngrep -qt -W byline port 5060
 ngrep -d any port 5060 -W byline > outfile.txt
 ngrep -q '8005551212' -W byline port 5060 #<swk>:  only shows packets on 5060 with 8005551212 inside the payload

 

For a more in–depth tutorial on using ngrep check out this post by Jonathan Manning. VIM users may be interested in this syntax highlighter.

 

HOMER Sip Capture

SRC: http://www.sipcapture.org
DESC: SIP capturing server with HEP and IP-proto-4 (IPIP) & Monitoring Application with CallFlows, PCAP extraction, powerful search tools, statistics and API. Native HEP capture agent integrated in FreeSWITCH

sipgrep

SRC: https://github.com/sipcapture/sipgrep
DESC: Sipgrep is a powerful pcap-aware tool command line tool to sniff, capture, display and troubleshoot SIP signaling over IP networks, allowing the user to specify extended regular expressions matching against SIP headers.

sipgrep help
usage: sipgrep <-ahNViwgGJpevxlDTRMmqCJjxK> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-c contact user> <-j user agent>
                 <-f from user>  <-t to user> <-H capture url> <-q autostop cond.>
                 <-Q split cond.> <-P portrange> <-F file> <-z duration>
                 <match expression> <bpf filter>
   -h  is help/usage
   -V  is version information
   -e  is show empty packets
   -i  is ignore case
   -x  is disable bad parsing notification
   -v  is invert match
   -R  is don't do privilege revocation logic
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -T  is print delta timestamp every time a packet is matched
   -m  is don't do dialog match
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -C  is no colors in stdout
   -c  is search user in Contact: header
   -f  is search user in From: header
   -t  is search user in To: header
   -F  is read the bpf filter from the specified file
   -H  is homer sipcapture URL (i.e. udp:10.0.0.1:9061)
   -N  is show sub protocol number
   -g  is disabled clean up dialogs during trace
   -G  is print dialog report during clean up
   -J  is kill friendly scanner automatically
   -j  is kill friendly scanner automatically matching user agent string
   -K  is kill friendly scanner providing IP and port/portrange i.e.: 10.0.0.1:5060-5090
   -q  is auto stop condition:
        duration:NUM - stop after NUM seconds
        filesize:NUM - stop this file after NUM KB
   -Q  is pcap_dump split condition:
        duration:NUM - switch to next file after NUM secs
        filesize:NUM - switch to next file after NUM KB
   -a  is disable packet re-assemblation
   -P  is use specified portrange instead of default 5060-5061
   -d  is use specified device instead of the pcap default
   -z  is make statistics count maximum <duration> seconds



Examples:
#Find a dialog there From user contains '2323232'
sipgrep -f 2323232

#Find a dialog there To user contains '1111' and print dialog report
sipgrep -f 1111 -G

#Display only 603 replies without dialog match
sipgrep '^SIP/2.0 603' -m

#Display only OPTIONS and NOTIFY requests
sipgrep '^(OPTIONS|NOTIFY)'

#Display only SUBSCRIBE dialog
sipgrep 'CSeq:\s?\d* (SUBSCRIBE|PUBLISH|NOTIFY)' -M

#Kill friendly-scanner
sipgrep -J

#Kill friendly-scanner with custom UAC
sipgrep -j sipvicious

#Display dialogs and duplicate all traffic to HOMER sipcapture in HEPv3
sipgrep -f 23333 -H udp:10.0.0.1:9061

#collect all Calls/Regisrations dialogs during 120 seconds, print reports and exit.
sipgrep -g -G -q 120

# Find dialogs from user/number 0123456 to user/number 0654321, STDOUT line buffered
sipgrep -f 0123456 -t 0654321 -l

# Find dialogs from user/number 0123456, STDOUT line buffered, packet reassembly enabled
sipgrep -f 0123456 -a -l debug.sip
 


pcapsipdump

SRC: http://sourceforge.net/projects/pcapsipdump/
DESC: pcapsipdump is a tool for dumping SIP sessions (+RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (format is exactly the same), but one file per sip session (even if there are thousands of concurrect SIP sessions). As of SVN r128, there is limited but functional support for SIP over TCP. This functionality is not enabled by default and requires a specific make command:

make CXXFLAGS=-DUSE_TCP=1

The pcapsipdump program will attempt to capture SIP dialogs regardless of port number. Note that older versions of pcapsipdump do only port 5060. The trunk version of pcapsipdump is stable and is good for most production environments.

Example

/* store all SIP sessions on tmp folder */
pcapsipdump -i eth0 -d /tmp/

pcapsipdump version 0.2-trunk
Usage: pcapsipdump [-fpUt] [-i <interface> | -r <file>] [-d <working directory>]
                   [-v level] [-R filter] [-m filter] [-n filter] [-l filter]
                   [-B size] [-T limit] [-t trigger:action:param] [expression]
 -f   Do not fork or detach from controlling terminal.
 -p   Do not put the interface into promiscuous mode.
 -U   Make .pcap files writing 'packet-buffered' - slower method,
      but you can use partitially written file anytime, it will be consistent.
 -i   Specify network interface name (i.e. eth0, em1, ppp0, etc).
 -r   Read from .pcap file instead of network interface.
 -v   Set verbosity level (higher is more verbose).
 -B   Set the operating system capture buffer size, a.k.a. ring buffer size.
      This can be expressed in bytes/KB(*1000)/KiB(*1024)/MB/MiB/GB/GiB. ex.: '-B 64MiB'
      Set this to few MiB or more to avoid packets dropped by kernel.
 -R   RTP filter. Specifies what kind of RTP information to include in capture:
      'rtp+rtcp' (default), 'rtp', 'rtpevent', 't38', or 'none'.
 -m   Method-filter. Default is '^(INVITE|OPTIONS|REGISTER)$'
 -n   Number-filter. Only calls to/from specified number will be recorded
      Argument is a regular expression. See 'man 7 regex' for details.
 -l   Record only each N-th call (i.e. '-l 3' = record only each third call)
 -d   Set directory (or filename template), where captured files will be stored.
      ex.: -d /var/spool/pcapsipdump/%Y%m%d/%H/%Y%m%d-%H%M%S-%f-%t-%i.pcap
 -T   Unconditionally stop recording a call after it was active for this many seconds.
      Might be useful for broken peers that keep sending RTP long after call ended.
 -t   <trigger>:<action>:<parameter>. Parameter is %-expanded (see below)
      Triggers: open = when opening a new .pcap file; close = when closing
      Actions and their parameters:
      mv:<directory> - move .pcap files to <directory> (using /bin/mv)
      exec:"/bin/blah args..." - fork and execute /bin/blah with arguments
      sh:"shell code" - fork and execute /bin/sh -c "shell code"
 *    Following %-codes are expanded in -d and -t: %f (from/caller), %t (to/callee),
      %i (call-id), and call date/time (see 'man 3 strftime' for details)
 *    Trailing argument is pcap filter expression syntax, see 'man 7 pcap-filter'



tshark aka tethereal

SRC: http://www.wireshark.org
DESC: Dump and analyze network traffic.

TShark 0.99.4
Dump and analyze network traffic.
See http://www.wireshark.org for more information.

Copyright 1998-2006 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Usage: tshark [options] ...

Capture interface:
  -i <interface>           name or idx of interface (def: first non-loopback)
  -f <capture filter>      packet filter in libpcap filter syntax
  -s <snaplen>             packet snapshot length (def: 65535)
  -p                       don't capture in promiscuous mode
  -y <link type>           link layer type (def: first appropriate)
  -D                       print list of interfaces and exit
  -L                       print list of link-layer types of iface and exit

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
Input file:
  -r <infile>              set the filename to read from (no pipes or stdin!)

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"
  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http
Output:
  -w <outfile|->           set the output filename (or '-' for stdout)
  -F <output file type>    set the output file type, default is libpcap
                           an empty "-F" option will list the file types
  -V                       add output of packet tree        (Packet Details)
  -x                       add output of hex and ASCII dump (Packet Bytes)
  -T pdml|ps|psml|text     output format of text output (def: text)
  -t ad|a|r|d              output format of time stamps (def: r: rel. to first)
  -l                       flush output after each packet
  -q                       be more quiet on stdout (e.g. when using statistics)
  -X <key>:<value>         eXtension options, see the man page for details
  -z <statistics>          various statistics, see the man page for details

Miscellaneous:
  -h                       display this help and exit
  -v                       display version info and exit
  -o <name>:<value> ...    override preference setting



Filter with tshark then seperate them per call into different pcap files with pcapsipdump:
EXAMPLE:  'sip.uri contains "soemname" or rtp or rtcp' -w -|pcapsipdump -



Capture SIP, RTP, ICMP, DNS, RTCP, and T38 traffic in a ring buffer capturing 100 50MB files continuously:
EXAMPLE: tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -w /tmp/capture.pcap -b filesize:51200 -b files:100 -R 'sip or rtp or icmp or dns or rtcp or t38'



Filter on RTCP packets reporting any packet loss or jitter over 30ms
EXAMPLE: tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -R 'rtcp.ssrc.fraction >= 1 or rtcp.ssrc.jitter >= 240' -V



Filter on SIP and all RTP packets
EXAMPLE: tshark -S -w capture.pcap -f "(udp port sip) or (udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250)"



Capture all SIP on specified port and switch files every hour
tshark -nq -i eth0 -b duration:3600 -w /tmp/trace/sip.pcap port 5080

 

 

sngrep

SRC: irontec on github

DESC: Linux/OSX console-based SIP traffic viewer with filtering capabilities

sngrep is a handy utility for quickly capturing and viewing SIP traffic. It can be run on existing pcap files or it can capture traffic live. It can filter based on many criteria, including source/destination as well as message type. This is particularly useful when you have a lot of SIP traffic on a system and you need to find a specific dialog or message. (Have you ever wanted to see only NOTIFY traffic without being bombarded with REGISTERs, OPTIONS, and INVITEs? Or just INVITEs without all the other SIP traffic? If so, sngrep is the tool for you.) Once you find a dialog you can explicitly export it to a pcap file. The irontec github page has several screen shots that demonstrate its capabilities. Note that sngrep does not capture RTP, only SIP.

An especially useful feature of sngrep is its ability to create SIP "ladder graphs" showing the progression of the SIP dialog. The ladder graph appears on the left and the content of the highlighted SIP message appears on the right. Scroll up and down and you can quickly review the progression of a SIP dialog. Being able to see this right at the Linux/OSX command line can save you the effort of having to export a potentially large pcap file and open in Wireshark. Also, sngrep works well in conjunction with Wireshark. Use sngrep to locate quickly specific SIP traffic and then export a pcap to Wireshark for more detailed analysis.

sngrep help
Usage: sngrep [-hVcivNqrD] [-IO pcap_dump] [-d dev] [-l limit] [<match expression>] [<bpf filter>]
    -h --help            This usage
    -V --version         Version information
    -d --device          Use this capture device instead of default
    -I --input           Read captured data from pcap file
    -O --output          Write captured data to pcap file
    -c --calls           Only display dialogs starting with INVITE
    -r --rtp             Capture RTP packets payload
    -l --limit           Set capture limit to N dialogs
    -i --icase           Make <match expression> case insensitive
    -v --invert          Invert <match expression>
    -N --no-interface    Don't display sngrep interface, just capture
    -q --quiet           Don't print captured dialogs in no interface mode
    -D --dump-config     Print active configuration settings and exit
    -f --config          Read configuration from file
    -F --no-config       Do not read configuration from default config file
    -R --rotate          Rotate calls when capture limit have been reached
 
Examples:
# look at live SIP traffic on default interface:
sngrep
 
# look at live SIP traffic on specified interface:
sngrep -d eth0
 
# look at live SIP traffic, calls only (i.e. INVITEs):
sngrep -c
 
# look at live SIP traffic for with SIP from or two containing a name or number:
sngrep 1000
sngrep someuser
 
# look at live SIP traffic, calls/INVITEs only, for with SIP from or two containing a name or number: 
sngrep -c 1000
sngrep -c someuser

# open an existing pcap file and review all SIP traffic:
sngrep -I filename.pcap
 
# open an existing pcap file and review SIP calls only:
sngrep -c -I filename.pcap


Tips for using sngrep interface

Arrow up and down to move selector and press <enter> to open a specific dialog. This brings up the ladder-graph and all messages within the dialog.

View multiple (perhaps related) dialogs in a single ladder-graph by selecting them with the space bar. Press <enter> when all dialogs have been selected and a multi-endpoint ladder-graph will be displayed. 

Change display filter by pressing F7. You can select To: and From:, source and destination, payload, and SIP message types.

Export selected dialogs by pressing F2.

Search through dialogs by pressing F3.

Truncate a pcap File

With The Wireshark GUI

Open the pcap, then click "Save as". Look at the options - from frame $x to $y, the marked ones, from the first marked one to the last marked one, etc. To mark packets, you can right–click them in the viewer.

editcap

If you have a large pcap from any of the above methods and want to share part of it, you can use the "editcap" command line program that comes with Wireshark. Read the full manual.

In short, if you want just packets $x to $y, use:

editcap -r $source_infile $outfile $x-$y

where -r means "only include x-y" otherwise without -r, this command would cut out x-y

If you want to omit some packets, then skip the -r and list the ones to omit, e.g. to omit packets 1000 to 3000:

editcap $source_infile $outfile 1000-3000

TLS with sharka

after some experimentation with various tools, I come out with a little shell tool that maybe can be useful to you too.
It can only work with non-forward secrecy ciphers, obviously, and only if is started before the client do the initial TLS handshake (eg, just restart the client). Forward secrecy cannot be decrypted after fact, so don't waste effort.

An example of ciphers that can be decrypted are the "AES256-SHA" openssl cipher group. In FreeSWITCH, edit vars.xml and put
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-SHA"/>
You can use ssldump to check what cipher is used by serverhello.
Enjoy, make it better, and share it :)
sharka shell script
#!/bin/bash 
# brought to you by Giovanni Maruzzelli
# 
SERVERIP="192.168.1.150"
SERVERPORT="5061"
PRIVKEY="/etc/certs/privkey.pem"
STDERR2DEVNULL=" 2>/dev/null "
REGEX="notyet"

if [ -z "$1" ]; then
        REGEX="\\\.*"
else
        REGEX="$1"
fi
FILTER="ssl.app_data and sip matches"
FILTER2="$FILTER \"$REGEX\""
FILTER3="'$FILTER2'"
ARGUMENT="-i 1 -Y $FILTER3 -E header=y -T fields -e frame.number -e frame.time -e frame.time_delta_displayed -e ip.src -e ip.dst -e sip.Status-Line -e sip.Request-Line -e sip.msg_hdr -l -d tcp.port\=\=$SERVERPORT,sip  -o \"ssl.keys_list: $SERVERIP,$SERVERPORT,sip,$PRIVKEY\" $STDERR2DEVNULL | sed -u 's/\t/\n/g' | sed -u '/^$/d' | sed -u 's/^[0-9]*$/\n==&==============================/g'"

echo ""
echo "NB: if it do not works, edit script so that STDERR2DEVNULL=\" \" and try again"
echo ""
echo "NB: remember to quote and escape match patterns, using triple slash"
echo "    eg, for matching 1010@pbx.example.com, use \"1010@pbx.example.com\""
echo "    eg, for matching anything, use \"\\\\\\.*\""
echo "    eg, for matching *98, use \"\\\\\\*98\""
echo "USAGE: $0 \"\\\\\\*98@pbx.example.com\""
echo ""


case "$1" in
        -help|--help|?)
        exit 0
        ;;
*)
        echo "THIS TIME WE'RE DOING:"
        echo "tshark $ARGUMENT"
        echo ""
        bash -c "tshark $ARGUMENT"
        ;;
esac

TLS, real time, with sngrep

How to TRACE and visualize TLS and non-TLS SIP traffic in real time (thanks to Homer's Lorenzo Mangani for pointing me toward Frida)
RTP analysis example
#fosdem #voip #tls #sngrep #hep #frida #ssl #sip #homer #sipcapture #freeswitch #asterisk #opensips #kamailio
# gmaruzz at opentelecom.it

apt-get install python-pip
pip install frida
pip install hexdump
wget https://raw.githubusercontent.com/google/ssl_logger/master/ssl_logger.py

#first ssh terminal
# create fifo pipe, then will send the content from fifo pipe to an sngrep without gui, which will be reading pcap from stdin, and sending eep packets to the other sngrep (third terminal)

mkfifo /tmp/pipe
cat /tmp/pipe | sngrep -N -q -H udp:127.0.0.1:5077 -I -

#second ssh terminal
# writes as pcap to fifo pipe what freeswitch writes and reads from ssl lib

python ssl_logger_giova.py -pcap /tmp/pipe freeswitch

#third ssh terminal
# sngrep that receives packets from both the Ethernet device, and the eep packets sent by the other sngrep (eg, the tls packets ssl_logger grabs from freeswitch's ssl lib)

sngrep -L udp:127.0.0.1:5077

(you may want to edit ssl_logger.py and change 228 to be 101 - LINKTYPE_IPV4 to be LINKTYPE_RAW )




Example Analyses

SIP TLS with sharka

Edit the script first few lines with your own values.

Visualize the packets related to "1010@pbx.example.com"

sharka example
sharka "1010@pbx.example.com"

SIP TLS on port 5061

Replace 4.2.2.2 with your own IP address.

Wireshark example
wireshark -o "ssl.desegment_ssl_records: TRUE" \
  -o "ssl.desegment_ssl_application_data: TRUE" \
  -o "ssl.keys_list: 4.2.2.2,5061,sip,/usr/local/freeswitch/conf/ssl/agent.pem" \
  -o "ssl.debug_file: /tmp/wireshark.log" \
  -i eth0 
  -f "tcp port 5061"
tshark example
tshark -o "ssl.desegment_ssl_records: TRUE" \
  -o "ssl.desegment_ssl_application_data: TRUE" \
  -o "ssl.keys_list: 4.2.2.2,5061,sip,/opt/freeswitch/conf/ssl/agent.pem" \
  -o "ssl.debug_file:/tmp/tshark.log" \
  -i eth0 \
  -f "tcp port 5061"

 

RTP events

RTP analysis example
tshark -o "rtp.heuristic_rtp: TRUE" -R rtpevent
or with tethereal:
tethereal -o "rtp.heuristic_rtp: TRUE" -R rtpevent

 

 

Analyze RTP Quality

sudo tshark -q -f 'udp portrange 16384-32768' -o rtp.heuristic_rtp:TRUE -z rtp,streams

If you're doing long-term captures, you may want to get a bit more paranoid about security:

sudo setuid 4755 /usr/bin/dumpcap
dumpcap -f 'udp portrange 16384-32768' -i eth0 -w /tmp/qos.pcap
tshark -qr /tmp/qos.pcap -o rtp.heuristic_rtp:TRUE -z rtp,streams
 

Remote live capture with local wireshark

you can also use tcpdump in conjunction with ssh to bring the packets back to your workstation so you can watch it live in Wireshark. Something to bare in mind with this approach is you must set the filter on the tcpdump or you are going to end up with either echoed data, or to much data.

Windows workstation to remote linux server

with wireshark and putty installed locally and tcpdump installed on the remote server

"C:\Program Files (x86)\PuTTY\plink.exe" -ssh root@{server} "tcpdump -ni {server_interface} -s 0 -w - port 5060 or portrange 16384-32768" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

 

 

See Also

 

"C:\Program Files (x86)\PuTTY\plink.exe" -ssh root@x56 "tcpdump -ni eth0.1020 -s 0 -w - not port 22 and not proto ospf and not arp and not portrange 16384-32768" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

3 Comments

  1. The second presentation is here: http://www.viddler.com/explore/cluecon/videos/33/

    The first presentation got cut short, but it's still good: http://www.viddler.com/explore/cluecon/videos/8/

     
    The page you were looking for doesn't exist.
    You may have mistyped the address or the page may have moved.

     

    1. Even those links have died a miserable, horrible death.

      Thanks.

  2. <param name="sip-capture" value="yes"/>

    <param name="capture-server" value="udp:HOMER_EXTERNAL:5061;hep=3;capture_id=100"/>

     

    root@ts180:/usr/share/freeswitch/scripts# tcpdump -nq -s 0 -A -vvv -i eth0 port 5061
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

     

    Not was be sent capture, not working.

     

    Thanks.