Wednesday, January 5, 2011

SIP Capture with TCPDUMP

It is very common to do a SIP capture on our company IP PBX servers or any other VoIP application to debug what is going on. I like to use "tcpdump" to capture SIP packets and then analyze them in Wireshark. Here is a quick "howto" guide, since it really makes debugging a lot easier.

1. Download and install Wireshark on your Windows computer.

2. Use your preferred terminal emulator to log in to your IP PBX Linux / OSX server.

3. Once logged in, use the following command to start the SIP capture:

tcpdump -i eth0 -n -s 0 port 5060 -vvv -w /tmp/capture_file_name.pcap

-i = interface you want to capture on (eth0, eth1, eth2, etc.); most likely you will want to do this on your public interface.

-n = Do not convert IP addresses to names; this prevents DNS look-ups.

-s = How many bytes of data to grab from each packet; zero means use whatever length is needed to capture whole packets.

port = Which port to listen on; 5060 is the default port for SIP.

-vvv = Even more verbose output; this gives you as many details as possible.

-w = Write the raw packets to a file to be parsed later.

4. Now that we are capturing packets, have the end user (EU) reproduce the problem so you can capture the data needed, and then stop the capture with Ctrl+C.

You can also add -c 200 to limit the capture to 200 packets. If you don't set a count limit, stop it with Ctrl+C.

5. Once you have stopped the capture, log in to the server using your preferred emulator and go to the /tmp directory. You will find the capture file there; copy that file to your Windows computer from the Linux SMB share so you will be able to open it with Wireshark.

6. Start Wireshark and open the file you just copied from your Linux server.

7. Now you will be able to look at all the SIP packets and get an idea of what is going on with the server.

8. There is also a great tool in Wireshark to see calls made on the server: in the menu bar click Telephony, then VoIP Calls. This will show all the calls that were captured with tcpdump. You will also be able to see the packets sent between the two endpoints by selecting a call and clicking Graph at the bottom.
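As an added example (not part of the original post), here is a small Python script that reads the file tcpdump writes with -w, decodes the Ethernet/IPv4/UDP headers by hand, and groups the SIP messages by Call-ID the way the VoIP Calls list does, which is handy on a server with no Wireshark. The sample capture is constructed inline; the PBX address 192.168.1.10, extensions 100/200 and the Call-ID are assumptions.

```python
import struct

def build_pcap(frames):
    """Write a classic pcap (little-endian, link type 1 = Ethernet) from (src, dst, sip_text) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, snaplen 65535
    for ts, (src, dst, sip_text) in enumerate(frames):
        payload = sip_text.encode()
        udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload  # checksum left 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        pkt = b"\x00" * 12 + b"\x08\x00" + ip + udp  # Ethernet header: zero MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt  # per-packet record header
    return out
def iter_sip(pcap):
    """Yield (src, dst, start_line, headers) for every UDP packet to or from port 5060."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic number reveals the byte order
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]  # bytes actually captured
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, udp = frame[14:14 + ihl], frame[14 + ihl:]
        if ip[9] != 17 or 5060 not in struct.unpack("!HH", udp[:4]):  # not UDP, or not the SIP port
            continue
        lines = udp[8:].decode("utf-8", "replace").split("\r\n")
        headers = {}
        for line in lines[1:]:
            if not line:  # blank line ends the headers; an SDP body may follow
                break
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), lines[0], headers
def summarise_calls(pcap):
    """Group messages by Call-ID, the grouping Wireshark's Telephony > VoIP Calls list uses."""
    calls = {}
    for src, dst, start, hdr in iter_sip(pcap):
        call = calls.setdefault(hdr.get("call-id", "?"), {"from": hdr.get("from"), "to": hdr.get("to"), "flow": []})
        call["flow"].append(f"{src} -> {dst}: {start}")
    return calls

# Constructed sample capture (assumed addresses): phone 192.168.1.88 calls extension 200 on PBX 192.168.1.10.
SAMPLE = build_pcap([
    ("192.168.1.88", "192.168.1.10", "INVITE sip:200@192.168.1.10 SIP/2.0\r\nFrom: <sip:100@192.168.1.88>\r\n"
     "To: <sip:200@192.168.1.10>\r\nCall-ID: c1@192.168.1.88\r\nCSeq: 1 INVITE\r\n\r\nv=0\r\n"),
    ("192.168.1.10", "192.168.1.88", "SIP/2.0 200 OK\r\nCall-ID: c1@192.168.1.88\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("192.168.1.88", "192.168.1.10", "BYE sip:200@192.168.1.10 SIP/2.0\r\nCall-ID: c1@192.168.1.88\r\nCSeq: 2 BYE\r\n\r\n"),
])
```

To use it on a real capture, replace SAMPLE with open("/tmp/capture_file_name.pcap", "rb").read() and print each call's "flow" list.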

Other examples of tcpdump:

tcpdump -s 0 -w filename.pcap ip host 192.168.1.88
