
DESC: pcapsipdump is a tool for dumping SIP sessions (plus RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (the file format is exactly the same), but with one file per SIP session (even if there are thousands of concurrent SIP sessions). As of SVN r128, there is limited but functional support for SIP over TCP. This functionality is not enabled by default and requires a specific make command:


The pcapsipdump program will attempt to capture SIP dialogs regardless of port number. Note that older versions of pcapsipdump only handle port 5060. The trunk version of pcapsipdump is stable and is good for most production environments.


Code Block
# store all SIP sessions in the /tmp folder
pcapsipdump -i eth0 -d /tmp/

pcapsipdump version 0.1.42-trunk
Usage: pcapsipdump [-fpUfpUt] [-i <interface>] [| -r <file>] [-d <working directory>]
                   [-v level] [-R filter] [-m filter] [-n filter] [-l filter]
                   [-B size] [-T limit] [-t trigger:action:param] [expression]
 -f   Do not fork or detach from controlling terminal.
 -p   Do not put the interface into promiscuous mode.
 -U   Make .pcap files writing 'packet-buffered' - slower method,
      but you can use partitially written file anytime, it will be consistent.
 -i   Specify network interface name (i.e. eth0, em1, ppp0, etc).
 -r   Read from .pcap file instead of network interface.
 -v   Set verbosity level (higher is more verbose).
 -B   Set the operating system capture buffer size, a.k.a. ring buffer size.
      This can be expressed in bytes/KB(*1000)/KiB(*1024)/MB/MiB/GB/GiB. ex.: '-B 64MiB'
      Set this to few MiB or more to avoid packets dropped by kernel.
 -R   RTP filter. Specifies what kind of RTP information to include in capture:
      'rtp+rtcp' (default), 'rtp', 'rtpevent', 't38', or 'none'.
 -m   Method-filter. Default is '^(INVITE|OPTIONS|REGISTER)$'
 -n   Number-filter. Only calls to/from specified number will be recorded
 -t   T.38-filter. Only calls, containing T.38 payload indicated in SDP will be recorded
      Argument is a regular expression. See 'man 7 regex' for details.
 -l   Record only each N-th call (i.e. '-l 3' = record only each third call)
 -d   Set directory (or filename template), where captured files will be stored.
      ex.: -d /var/spool/pcapsipdump/%Y%m%d/%H/%Y%m%d-%H%M%S-%f-%t-%i.pcap
 -T   Unconditionally stop recording a call after it was active for this many seconds.
      Might be useful for broken peers that keep sending RTP long after call ended.
 -t   <trigger>:<action>:<parameter>. Parameter is %-expanded (see below)
      Triggers: open = when opening a new .pcap file; close = when closing
      Actions and their parameters:
      mv:<directory> - move .pcap files to <directory> (using /bin/mv)
      exec:"/bin/blah args..." - fork and execute /bin/blah with arguments
      sh:"shell code" - fork and execute /bin/sh -c "shell code"
 *    Following %-codes are expanded in -d and -t: %f (from/caller), %t (to/callee),
      %i (call-id), and call date/time (see 'man 3 strftime' for details)
 *    Trailing argument is pcap filter expression syntax, see 'man 7 pcap-filter'
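
Because the per-call files use the same format as "tcpdump -w", they can be triaged without extra tooling. The following is an added example, not part of pcapsipdump or of the original page: it reads a classic pcap file and reports each SIP request method together with whether the default -m regex from the usage text matches it. It assumes Ethernet framing and SIP over UDP/IPv4 only; the function names and the sample packets are constructed for illustration.

```python
import re
import struct

# Default -m method filter, copied from the usage text above.
METHOD_FILTER = re.compile(r"^(INVITE|OPTIONS|REGISTER)$")
REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0$")

def build_sample_pcap(payloads):
    """Constructed test input: little-endian pcap of Ethernet/IPv4/UDP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in enumerate(payloads):
        udp = struct.pack("!HHHH", 5060, 5060, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sip_methods(pcap_bytes):
    """Return [(method, matches_default_filter)] for each SIP request over UDP/IPv4."""
    if len(pcap_bytes) < 24:
        raise ValueError("truncated pcap global header")
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"          # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(order + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    found, off = [], 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack_from(order + "I", pcap_bytes, off + 8)[0]
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < caplen:
            break  # truncated final record, e.g. file still being written
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        first_line = frame[14 + ihl + 8:].split(b"\r\n", 1)[0].decode("ascii", "replace")
        m = REQUEST_LINE.match(first_line)
        if m:  # SIP responses ("SIP/2.0 200 OK") do not match and are skipped
            found.append((m.group(1), bool(METHOD_FILTER.match(m.group(1)))))
    return found

if __name__ == "__main__":
    sample = build_sample_pcap([b"INVITE sip:1001@example.invalid SIP/2.0\r\n\r\n",
                                b"BYE sip:1001@example.invalid SIP/2.0\r\n\r\n"])
    print(sip_methods(sample))
```
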

tshark aka tethereal

DESC: Dump and analyze network traffic.