Packet Capture
From FreeSWITCH Wiki
ngrep
SRC: http://ngrep.sourceforge.net/
USAGE: usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
EXAMPLE: ngrep -qt -W byline port 5060
sipgrep
SRC: http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/utils/sipgrep/sipgrep
DESC: Perl script wrapping ngrep, with phone-number matching in -t or -f 5554443333 style and colored output.
Usage: sipgrep <-h> <-f number> <-t number> <-a> <-l file> <-V> <-p> <-T> <-n|-c>
-h Displays this help message.
-f ARG Search ARG in From field.
-t ARG Search ARG in To field.
-a Search the ARG from '-f' and '-t' parameters in To and From fields.
-l ARG Debug file name.
-V Displays the current version.
-p Port for ngrep.
-T Parameter for ngrep. Indicating the delta between packet matches.
-c Allow colors in debug file.
-n Not allow colors in STDOUT.
Example: sipgrep -f 0123456 -t 0654321 -l debug.sip
or
sipgrep -f 0123456 -a -l debug.sip
pcapsipdump
SRC: http://sourceforge.net/projects/psipdump/
DESC: pcapsipdump is a tool for dumping SIP sessions (plus RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (the file format is exactly the same), but with one file per SIP session (even if there are thousands of concurrent SIP sessions).
tshark
SRC: http://www.wireshark.org
DESC: Dump and analyze network traffic.
TShark 0.99.4
Dump and analyze network traffic.
See http://www.wireshark.org for more information.
Copyright 1998-2006 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: tshark [options] ...
Capture interface:
-i <interface> name or idx of interface (def: first non-loopback)
-f <capture filter> packet filter in libpcap filter syntax
-s <snaplen> packet snapshot length (def: 65535)
-p don't capture in promiscuous mode
-y <link type> link layer type (def: first appropriate)
-D print list of interfaces and exit
-L print list of link-layer types of iface and exit
Capture stop conditions:
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ... duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
Input file:
-r <infile> set the filename to read from (no pipes or stdin!)
Processing:
-R <read filter> packet filter in Wireshark display filter syntax
-n disable all name resolutions (def: all enabled)
-N <name resolve flags> enable specific name resolution(s): "mntC"
-d <layer_type>==<selector>,<decode_as_protocol> ...
"Decode As", see the man page for details
Example: tcp.port==8888,http
Output:
-w <outfile|-> set the output filename (or '-' for stdout)
-F <output file type> set the output file type, default is libpcap
an empty "-F" option will list the file types
-V add output of packet tree (Packet Details)
-x add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|text output format of text output (def: text)
-t ad|a|r|d output format of time stamps (def: r: rel. to first)
-l flush output after each packet
-q be more quiet on stdout (e.g. when using statistics)
-X <key>:<value> eXtension options, see the man page for details
-z <statistics> various statistics, see the man page for details
Miscellaneous:
-h display this help and exit
-v display version info and exit
-o <name>:<value> ... override preference setting
Filter with tshark, then separate the packets per call into different pcap files with pcapsipdump: EXAMPLE: tshark -R 'sip.uri contains "somename" or rtp or rtcp' -w - | pcapsipdump -
Capture SIP, RTP, ICMP, DNS, RTCP, and T38 traffic in a ring buffer of 100 files of 50 MB each, capturing continuously: EXAMPLE: tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -w /tmp/capture.pcap -b filesize:51200 -b files:100 -R 'sip or rtp or icmp or dns or rtcp or t38'
Filter on RTCP packets reporting any packet loss or jitter over 30 ms (240 RTP timestamp units at an 8 kHz clock): EXAMPLE: tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -R 'rtcp.ssrc.fraction >= 1 or rtcp.ssrc.jitter >= 240' -V
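As an added example (not from this wiki page or from the tshark project), the Python below parses the report blocks of an RTCP receiver report and applies the same test as the filter above, converting jitter from RTP timestamp units to milliseconds; the 8 kHz clock and the sample report are assumptions constructed here.

```python
import struct

RTCP_SR, RTCP_RR = 200, 201          # RTCP payload types (RFC 3550)
CLOCK_HZ = 8000                       # assumed RTP clock (8 kHz narrowband audio)
JITTER_LIMIT_MS = 30.0                # the page's threshold: 240 units at 8 kHz

def parse_rtcp_report_blocks(pkt: bytes) -> list:
    """Parse the report blocks of one RTCP SR/RR packet (rtcp.ssrc.* in tshark)."""
    if len(pkt) < 8:
        raise ValueError("RTCP header truncated")
    first, pt, _length = struct.unpack("!BBH", pkt[:4])
    version, count = first >> 6, first & 0x1F
    if version != 2 or pt not in (RTCP_SR, RTCP_RR):
        raise ValueError("not an RTCP sender/receiver report")
    offset = 28 if pt == RTCP_SR else 8   # SR carries 20 bytes of sender info first
    blocks = []
    for _ in range(count):
        ssrc, frac_lost, ext_seq, jitter, lsr, dlsr = struct.unpack(
            "!IIIIII", pkt[offset:offset + 24])
        cumulative = frac_lost & 0x00FFFFFF            # signed 24-bit field
        if cumulative & 0x800000:
            cumulative -= 1 << 24
        blocks.append({"ssrc": ssrc, "fraction_lost": frac_lost >> 24,
                       "cumulative_lost": cumulative, "ext_seq": ext_seq,
                       "jitter_units": jitter, "lsr": lsr, "dlsr": dlsr})
        offset += 24
    return blocks

def jitter_ms(units: int, clock_hz: int = CLOCK_HZ) -> float:
    """Convert interarrival jitter from RTP timestamp units to milliseconds."""
    return units * 1000.0 / clock_hz

def flag_degraded(blocks, limit_ms=JITTER_LIMIT_MS, clock_hz=CLOCK_HZ):
    """Same test as the tshark filter: any loss in the interval, or jitter >= 30 ms."""
    return [b for b in blocks
            if b["fraction_lost"] >= 1 or jitter_ms(b["jitter_units"], clock_hz) >= limit_ms]

def build_rr(sender_ssrc: int, blocks) -> bytes:
    """Build a constructed RTCP RR (sample input for testing, not captured traffic)."""
    body = b"".join(struct.pack("!IIIIII", s, (f << 24) | (c & 0xFFFFFF), seq, j, 0, 0)
                    for s, f, c, seq, j in blocks)
    words = (8 + len(body)) // 4 - 1                  # RTCP length is in 32-bit words minus one
    return struct.pack("!BBHI", (2 << 6) | len(blocks), RTCP_RR, words, sender_ssrc) + body

# Constructed report: one clean stream, one at exactly 240 units (30 ms), one with loss.
SAMPLE_RR = build_rr(0x11111111, [(0xAAAAAAAA, 0, 0, 1000, 40),
                                  (0xBBBBBBBB, 0, 0, 2000, 240),
                                  (0xCCCCCCCC, 3, 12, 3000, 16)])
```

Calling flag_degraded(parse_rtcp_report_blocks(SAMPLE_RR)) returns the two streams the tshark filter would surface, the clean 5 ms stream being left out.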
Analyze a packet capture with SIP TLS on port 5061: EXAMPLE:
wireshark -o "ssl.desegment_ssl_records: TRUE" \
 -o "ssl.desegment_ssl_application_data: TRUE" \
 -o "ssl.keys_list: 4.2.2.2,5061,sip,/usr/local/freeswitch/conf/ssl/agent.pem" \
 -o "ssl.debug_file: /root/wireshark.log" \
 -i eth0 -R "tcp.port == 5061"
Analyze RTP events: EXAMPLE: tethereal -o "rtp.heuristic_rtp: TRUE" -R rtpevent
