### Description
We are running a Kamailio on a mirror port for capturing traffic. This works as long as the packets are not fragmented. If they are fragmented, the packet is not seen inside Kamailio.
On the regular SIP servers, those fragmented packets are successfully reassembled and processed.
I guess this is an issue for @adubovikov.
#### Reproduction
Set up a Kamailio with sipcapture in mirror mode. These are the config parameters we use:

```
modparam("sipcapture", "capture_on", 1)
modparam("sipcapture", "raw_moni_capture_on", 1)
modparam("sipcapture", "raw_socket_listen", "10.0.0.1:5060")
modparam("sipcapture", "raw_interface", "eth1")
modparam("sipcapture", "raw_sock_children", 6)
modparam("sipcapture", "promiscious_on", 1)
modparam("sipcapture", "raw_moni_bpf_on", 1)
modparam("sipcapture", "db_url", "mysql://root:XXXXX@127.0.0.1/sipcapture")
```

And this is what our route says:

```
request_route {
    if ($sp == 5060 || $Rp == 5060) {
        xlog("L_INFO", "Request received from $si:$sp to $Ri:$Rp :\n$mb\n");
        exit;
    }
}
```
Now if you craft really big INVITEs (e.g. with a snom phone turning on encryption and long SDP and stuff), the first INVITE without Auth will still show up because it is below 1500 bytes, the second one will exceed 1500 bytes and won't appear in Kamailio.
#### Debugging Data
In tcpdump I can see the missing packet:

```
17:07:33.568718 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: INVITE sip:0163xxxxxxx@sipgate.de;user=phone SIP/2.0
17:07:33.572659 IP 217.10.79.9.5060 > 82.116.x.y.11223: SIP: SIP/2.0 407 Proxy Authentication Required
17:07:33.951787 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: ACK sip:0163xxxxxxx@sipgate.de;user=phone SIP/2.0
17:07:33.980561 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: INVITE sip:0163xxxxxxx@sipgate.de;user=phone SIP/2.0
17:07:33.980566 IP 82.116.x.y > 217.10.79.9: ip-proto-17
17:07:33.995269 IP 217.10.79.9.5060 > 82.116.x.y.11223: SIP: SIP/2.0 100 trying -- your call is important to us
```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.0.0 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 4.9.2
```

* **Operating System**:

```
Linux hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
```
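Why the second INVITE shows up in the tcpdump above as a first fragment plus a bare `ip-proto-17` line, as an added example that is not part of the original report or of Kamailio's code: only the fragment at offset 0 carries the UDP header, so a port 5060 match never sees the rest, and the datagram is complete only after reassembly keyed on source, destination, protocol and IP ID. The addresses, IP ID and SIP body are constructed sample data, and the helper names are hypothetical.

```python
import struct

def ipv4(ident, offset, more, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Build a minimal IPv4 packet carrying UDP (constructed test data, checksum 0)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, 17, 0, src, dst) + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], pkt[9], ident)         # src, dst, proto, IP ID
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total_len]

def udp_ports(pkt):
    """Ports are readable only at fragment offset 0, where the UDP header sits."""
    _, offset, _, data = parse_ipv4(pkt)
    return struct.unpack("!HH", data[:4]) if offset == 0 else None

class Reassembler:
    """No timeout and no overlap merging: just enough to show the mechanism."""
    def __init__(self):
        self.parts, self.total = {}, {}

    def feed(self, pkt):
        """Return the full IP payload once every fragment has arrived, else None."""
        key, offset, more, data = parse_ipv4(pkt)
        self.parts.setdefault(key, {})[offset] = data
        if not more:                                      # last fragment fixes the length
            self.total[key] = offset + len(data)
        buf = bytearray()
        for off in sorted(self.parts[key]):
            if off != len(buf):                           # hole: keep waiting
                return None
            buf += self.parts[key][off]
        if self.total.get(key) != len(buf):               # last fragment not seen yet
            return None
        del self.parts[key], self.total[key]
        return bytes(buf)

def sample_fragments():
    """Constructed 1800-byte SIP message in one UDP datagram, split for a 1500-byte MTU."""
    sip = b"INVITE sip:user@example.invalid SIP/2.0\r\n" + b"x" * 1759
    udp = struct.pack("!HHHH", 11223, 5060, 8 + len(sip), 0) + sip
    return [ipv4(0x1234, 0, True, udp[:1480]), ipv4(0x1234, 1480, False, udp[1480:])]
```
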
The raw socket method in the sipcapture module is deprecated and will be removed in the future. Please use the captagent and HEP communication.
Thank you!
Is there a good reason for that? I could imagine that just passing it to Kamailio directly is more efficient. And it eliminates another piece of software that could possibly go wild.
The most important reason is time, because here it's a lot of work to implement UDP defragmentation, TCP reassembling, also no chance to do RTP/RTCP stats, no chance to do filtering etc., and this is only for a SINGLE node with one mirror port.... So if anybody has time to implement it, go ahead, but for me it looks ridiculous. Running the captagent on the localhost and sending HEP traffic to Kamailio on the SAME host is also efficient enough and costs almost nothing, especially for ONE SINGLE node.
Closed #1049.
Just to add for those not aware of it yet -- instead of captagent, one can also use sngrep to push traffic from network to Kamailio sipcapture/Homer server; it might not be as flexible as captagent, but for SIP traffic is good enough, allowing to do filtering from command line as well.
and the sipgrep as well :-)
indeed, same simple and cool stuff by sipgrep as well!