Capturing SIP and RTP packets can reveal trouble with the configuration of FreeSWITCH or the endpoints connecting to it. A packet capture might be required by developers to help troubleshoot your installation.
Use tcpdump if you want a pcap to open in Wireshark later. Otherwise, use tshark if you want a "text only" view of the SIP traffic without all the headers and extra information.
Real-time traffic dump (full packets) to stdout:
tcpdump -nq -s 0 -A -vvv -i eth0 port 5060
Dump to file:
tcpdump -nq -s 0 -i eth0 -w /tmp/dump.pcap port 5060
Save a new time-stamped file approximately once per hour on the specified port:
tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5060
Daemonize and log 2 ports, rotate log every hour:
nohup tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5080 or port 5060 &
Daemonize and log 2 ports, rotate log every hour, and place into hierarchical directory structure.
This should be run from cron / init services at the first minute of each new day.
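One way to do the daily hierarchical capture described above, as an added example rather than the page's own command: it creates a per-day directory that only its owner can read and builds a tcpdump command that rotates hourly and exits after 24 files, which is why a new instance is started at the beginning of each day. The base directory, the interface default and the function names are assumptions.

```shell
#!/bin/sh
# Added example: daily SIP capture into BASE/YYYY/MM/DD, rotated hourly.
# BASE, IFACE and the function names are assumptions, not from the page.
BASE=${BASE:-/tmp/trace}
IFACE=${IFACE:-eth0}

# Print the directory for a given date (YYYY-MM-DD) as BASE/YYYY/MM/DD.
day_dir() {
    echo "$BASE/$(echo "$1" | sed 's|-|/|g')"
}

# Create the day's directory readable by its owner only; SIP captures
# carry authentication digests and call metadata. On builds where
# tcpdump drops root (see -Z), chown the directory to that user so the
# hourly rotation can still open new files.
prepare_dir() (
    umask 077
    mkdir -p "$(day_dir "$1")"
)

# Print the tcpdump command line: -G 3600 starts a new file every hour,
# -W 24 makes tcpdump exit after 24 files, i.e. after one day.
capture_cmd() {
    echo "tcpdump -nq -s 0 -i $IFACE -G 3600 -W 24" \
         "-w $(day_dir "$1")/sip-%H-%M-%S.pcap port 5080 or port 5060"
}

# Cron entry point: "<script> run" at 00:00 creates today's tree and
# starts the capture in the background.
if [ "${1:-}" = "run" ]; then
    today=$(date +%F)
    prepare_dir "$today"
    # Word splitting of the printed command is intended here.
    nohup $(capture_cmd "$today") >/dev/null 2>&1 &
fi
```

In a crontab entry the `%` character is special, so call the script file from cron instead of pasting the tcpdump line there.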
Capturing Calls For a Specific User
sofia status profile $profile user $user_id
to get the remote IP address and port, then use:
tcpdump -i $INTERFACE -s 1500 -A host $IPADDRESS and port $SIPPORT
Using Wireshark to Analyze pcap Files
Wireshark has some nice tools for analyzing your packet captures. See the tutorial linked at the bottom of this page for tips.
ngrep on the Debian Wheezy repository
HOMER Sip Capture
DESC: SIP capturing server with HEP and IP-proto-4 (IPIP) & Monitoring Application with CallFlows, PCAP extraction, powerful search tools, statistics and API. Native HEP capture agent integrated in FreeSWITCH
DESC: Sipgrep is a powerful pcap-aware command line tool to sniff, capture, display and troubleshoot SIP signaling over IP networks, allowing the user to specify extended regular expressions matching against SIP headers.
DESC: pcapsipdump is a tool for dumping SIP sessions (+RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (format is exactly the same), but one file per SIP session (even if there are thousands of concurrent SIP sessions). As of SVN r128, there is limited but functional support for SIP over TCP. This functionality is not enabled by default and requires a specific make command:
The pcapsipdump program will attempt to capture SIP dialogs regardless of port number. Note that older versions of pcapsipdump handle only port 5060. The trunk version of pcapsipdump is stable and is good for most production environments.
tshark aka tethereal
DESC: Dump and analyze network traffic.
SRC: irontec on github
DESC: Linux/OSX console-based SIP traffic viewer with filtering capabilities
sngrep is a handy utility for quickly capturing and viewing SIP traffic. It can be run on existing pcap files or it can capture traffic live. It can filter based on many criteria, including source/destination as well as message type. This is particularly useful when you have a lot of SIP traffic on a system and you need to find a specific dialog or message. (Have you ever wanted to see only NOTIFY traffic without being bombarded with REGISTERs, OPTIONS, and INVITEs? Or just INVITEs without all the other SIP traffic? If so, sngrep is the tool for you.) Once you find a dialog you can explicitly export it to a pcap file. The irontec github page has several screen shots that demonstrate its capabilities. Note that sngrep does not capture RTP, only SIP.
An especially useful feature of sngrep is its ability to create SIP "ladder graphs" showing the progression of the SIP dialog. The ladder graph appears on the left and the content of the highlighted SIP message appears on the right. Scroll up and down and you can quickly review the progression of a SIP dialog. Being able to see this right at the Linux/OSX command line can save you the effort of having to export a potentially large pcap file and open it in Wireshark. Also, sngrep works well in conjunction with Wireshark. Use sngrep to quickly locate specific SIP traffic and then export a pcap to Wireshark for more detailed analysis.
Tips for using sngrep interface
Arrow up and down to move selector and press <enter> to open a specific dialog. This brings up the ladder-graph and all messages within the dialog.
View multiple (perhaps related) dialogs in a single ladder-graph by selecting them with the space bar. Press <enter> when all dialogs have been selected and a multi-endpoint ladder-graph will be displayed.
Change display filter by pressing F7. You can select To: and From:, source and destination, payload, and SIP message types.
Export selected dialogs by pressing F2.
Search through dialogs by pressing F3.
Truncate a pcap File
With The Wireshark GUI
Open the pcap, then click "Save as". Look at the options - from frame $x to $y, the marked ones, from the first marked one to the last marked one, etc. To mark packets, you can right-click them in the viewer.
If you have a large pcap from any of the above methods and want to share part of it, you can use the "editcap" command line program that comes with Wireshark. Read the full manual.
In short, if you want just packets $x to $y, use:
editcap -r $source_infile $outfile $x-$y
where -r means "only include x-y"; without -r, this command would cut out x-y.
If you want to omit some packets, then skip the -r and list the ones to omit, e.g. to omit packets 1000 to 3000:
editcap $source_infile $outfile 1000-3000
TLS with sharka
After some experimentation with various tools, I came up with a little shell tool that may be useful to you too.
It can only work with non-forward-secrecy ciphers, obviously, and only if it is started before the client does the initial TLS handshake (e.g., just restart the client). Forward secrecy cannot be decrypted after the fact, so don't waste effort.
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-SHA"/>
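A check for the trade-off described above, as an added example that is not part of the original page: the setting that makes a capture decryptable also removes forward secrecy, so this script flags sip_tls_ciphers values that still contain such ciphers once debugging is over. The function names are assumptions, and classifying by OpenSSL cipher name prefix is a heuristic that covers the common suites only.

```shell
#!/bin/sh
# Added example: flag entries without forward secrecy in a FreeSWITCH
# sip_tls_ciphers value. Function names are assumptions; the verdict is
# derived from the OpenSSL cipher name prefix (a heuristic).

# Extract the cipher list from vars.xml-style text on stdin.
tls_ciphers() {
    sed -n 's/.*data="sip_tls_ciphers=\([^"]*\)".*/\1/p'
}

# Print "<verdict> <name>" for each entry of a colon-separated list:
#   fs       ephemeral key exchange, recorded sessions stay secret
#   no-fs    no forward secrecy, a long-term key decrypts recordings
#   unknown  alias, operator or anonymous/PSK suite a name cannot judge
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r c; do
        case "$c" in
            '')                            ;;
            '!'*|-*|+*|@*)                 echo "unknown $c" ;;
            ADH-*|AECDH-*|PSK-*|SRP-*)     echo "unknown $c" ;;
            ECDHE-*|DHE-*|EDH-*|TLS_*)     echo "fs $c" ;;
            *-*)                           echo "no-fs $c" ;;
            *)                             echo "unknown $c" ;;
        esac
    done
}

# Succeed only for a non-empty list whose entries are all forward secret.
all_forward_secret() {
    [ -n "$1" ] && ! classify_ciphers "$1" | grep -qv '^fs '
}

# The debug setting shown on this page, used as sample input.
sample='<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-SHA"/>'
classify_ciphers "$(printf '%s\n' "$sample" | tls_ciphers)"
```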
TLS, real time, with sngrep
How to TRACE and visualize TLS and non-TLS SIP traffic in real time (thanks to Homer's Lorenzo Mangani for pointing me toward Frida)
SIP TLS with sharka
Edit the script first few lines with your own values.
Visualize the packets related to "firstname.lastname@example.org"
SIP TLS on port 5061
Replace 18.104.22.168 with your own IP address.
Analyze RTP Quality
sudo tshark -q -f 'udp portrange 16384-32768' -o rtp.heuristic_rtp:TRUE -z rtp,streams
If you're doing long-term captures, you may want to get a bit more paranoid about security:
sudo chmod 4755 /usr/bin/dumpcap
dumpcap -f 'udp portrange 16384-32768' -i eth0 -w /tmp/qos.pcap
tshark -qr /tmp/qos.pcap -o rtp.heuristic_rtp:TRUE -z rtp,streams
Remote live capture with local wireshark
You can also use tcpdump in conjunction with ssh to bring the packets back to your workstation so you can watch them live in Wireshark. Something to bear in mind with this approach is that you must set the filter on the tcpdump, or you are going to end up with either echoed data or too much data.
Windows workstation to remote linux server
With Wireshark and PuTTY installed locally and tcpdump installed on the remote server:
"C:\Program Files (x86)\PuTTY\plink.exe" -ssh root@x56 "tcpdump -ni eth0.1020 -s 0 -w - not port 22 and not proto ospf and not arp and not portrange 16384-32768" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -