Hi
Has anyone come up with a scalable method to log the complete SIP trace of ALL calls, i.e. to separate files etc.? Ngrep is great for a few, but I want to be able to track all calls, for various purposes.
Iqbal
Iqbal,
I'm by no means a network expert, but if you're looking for a way to make sure your network monitoring for SIP messages doesn't impact your SIP routers, then I'd take a stab at the problem by using a VLAN switch that can do port mirroring.
Then you can use ngrep on a machine that is connected to a mirrored port on the VLAN switch.
Regards, Paul
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
But ngrepping each account into separate files, by day and time, has anyone scripted this? :-)
The VLAN is okay, once I get this SPAN port business worked out.
Iqbal
Hi Paul,
I think your best shot would either be to write something yourself based on libpcap, or do something with ngrep like:

#!/usr/bin/perl
# One ngrep per subscriber, each appending to its own file.
# -N makes mysql print values only (no column header line).
my @numbers = `mysql -u user -pheslo -N -e "select username from subscriber" ser`;
chomp @numbers;
foreach my $number (@numbers) {
    # -W byline prints the SIP message line by line, -T adds timestamps.
    # Started in the background, otherwise the first ngrep blocks the loop forever.
    system("ngrep -W byline -T '$number' port 5060 >> '$number' &");
}
- Atle
Two other suggestions:
1. The ONsip.org script package contains two scripts that you can use to generate ngrep traces in various log files based on time, as well as a way to search. Maybe not exactly what you want, but I have found this approach to be reasonably efficient (see excerpt from README.ONSIP below).
2. Start a tcpdump with rotatelogs (see start_ngrep) and then use sip_scenario to generate the traces you want to a directory accessible through a web server.
Both approaches require a cron clean-up job to delete old logs dependent on your disk space. And BTW, using a hub instead of a switch in front of your ser server means that you can set up a dedicated listener like Paul suggested without vlan. g-)
What you will find in this package:

start_ngrep
-----------
A small script to start ngrep in a way where all SIP messages are logged to files in /var/log/sip/. Must be started as root. Assumes that ngrep version >1.42 is already installed. The log files will be rotated every 24 hours starting 24 hours from the time you run start_ngrep.

siplogs
-------
Usage: siplogs regex [siplog-filename]

If start_ngrep has been run and ngrep is running as a process, siplogs can be called with one parameter like this:
    siplogs 1237890
This will filter out all SIP messages with 1237890 found somewhere in the message. Only messages found in the last logfile will be searched (i.e. < 24 hours ago, dependent on when you started start_ngrep).

siplogs can also take a second parameter:
    siplogs 1237890 sip.1114992000
and thus specify the log file (in /var/log/sip/) that you want to search through. The first parameter is a regular expression (awk), so you can for example run
    siplogs "^INVITE|^ACK"
to filter out all INVITE and ACK messages.
----- Original Message -----
From: "Iqbal" iqbal@gigo.co.uk
To: serusers@lists.iptel.org
Sent: Monday, October 03, 2005 04:59 PM
Subject: [Serusers] logging of SIP dialog

Hi
Has anyone come up with a scalable method to log the complete SIP trace of ALL calls, i.e. to separate files etc.? Ngrep is great for a few, but I want to be able to track all calls, for various purposes.
Iqbal
We use the low-level approach:

crontab -l
# purge SIP packet sniffs older than 60 days
35 5 * * * find /export/sipsniff -name 'pack*' -mtime +60 -exec rm {} \;

cat /usr/local/bin/sipsniff
#!/bin/sh
FILES=/export/sipsniff/packets
while true; do
    # one capture file per run, named by start time; tethereal stops at 256 KB
    # (-a filesize:256) and the loop immediately starts the next file
    FILESUFFIX=`date +%Y%m%d-%H%M%S`
    /usr/bin/tethereal -i any -a filesize:256 -n -w $FILES.$FILESUFFIX port 5060 or port 5061
done

This is not very convenient for daily debugging, but sufficient if you debug once a month.
regards klaus
Hi
Is there any easy way of matching all messages belonging to a call in ngrep, aside from pulling out the Call-ID and then grepping for all those which match that Call-ID... I am guessing not...
iqbal
I messed around with libpcap and libosipparser some time ago, and the result was a small prototype of a sniffer which collects SIP and RTP packets and assigns them to SIP dialogs.
It's far from being really usable, but it may give you an idea on how to do that (and hey, it compiles, runs and gives you at least some output ;o).
I'm currently not able to continue development because of lack of time, but maybe someone is interested in taking over the code.
You can find it here: http://linguin.org/voisniff-0.1a.tar.gz
Andy
Cheers, will take a look, but C and me aren't the best of friends :-)
Also, did you use the Call-ID as the identifier? Cause it seems as if that is generated by the device itself, and not unique per call.
iqbal
Currently it only takes the call-id, but there's a TODO-comment somewhere in sip_handler.c to also use the from-tag for better matching. And for RFC-compliance the to-tag should be used for matching subsequent messages too.
As I said, it's quite far away from being really useful, but for someone familiar with libosip, this shouldn't be very difficult to implement.
Andy
I just grabbed the source as well. As I've been hacking around trying to get something similar setup (using libpcap but parsing things myself) I'll see if this might be a better starting point. If anything comes of it, I'll post it up for grabs.
-Evan
Great! And btw, I have completely forgotten that I already use from/to tag matching ;o)
It's just not... well... optimized ;o) because it uses the Call-ID string as hash value, which is compared again for collisions.
However, this is going quite off-topic here, so please PM for further information.
Andy
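As an added example (not code from this thread and not part of voisniff), here is a small Python script that does the matching Andy describes: it parses "ngrep -W byline" output and groups messages into dialogs keyed by Call-ID plus the caller's tag plus the callee's tag. With that key a forked INVITE (one Call-ID, two To-tags) comes out as two dialogs, and a BYE sent by the callee, whose From/To tags are swapped relative to the INVITE, still lands in the right one. The trace is constructed for the example; parse_trace, group_dialogs and the field names are my own, not voisniff's.

```python
import re
from collections import defaultdict

# Compact header names allowed by RFC 3261 that a trace may contain.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "m": "contact"}
TAG_RE = re.compile(r";tag=([^;\s>]+)")
# 'ngrep -W byline' starts every packet with a line such as
# 'U 2005/10/03 17:47:01.000001 10.0.0.10:5060 -> 10.0.0.1:5060'
PACKET_RE = re.compile(r"^(?=[UT] \d{4}/\d{2}/\d{2} )", re.MULTILINE)


def _tag(header_value):
    m = TAG_RE.search(header_value)
    return m.group(1) if m else None


def parse_trace(text):
    """Parse 'ngrep -W byline' output into a list of SIP message dicts."""
    messages = []
    for chunk in PACKET_RE.split(text):
        lines = chunk.strip("\n").splitlines()
        if len(lines) < 2 or not re.match(r"[UT] \d{4}/", lines[0]):
            continue
        start = lines[1].strip()
        headers = {}
        for line in lines[2:]:
            if not line.strip():
                break            # headers end at the first blank line; an SDP body may follow
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers[COMPACT.get(name, name)] = value.strip()
        # responses start with 'SIP/2.0 <code> <reason>', requests with '<METHOD> <URI> SIP/2.0'
        kind = start.split()[1] if start.startswith("SIP/2.0 ") else start.split()[0]
        messages.append({
            "kind": kind,
            "call_id": headers.get("call-id", ""),
            "from_tag": _tag(headers.get("from", "")),
            "to_tag": _tag(headers.get("to", "")),
            "cseq": headers.get("cseq", ""),
        })
    return messages


def group_dialogs(messages):
    """Group messages into dialogs keyed by (Call-ID, caller tag, callee tag).

    Call-ID alone is not enough: a forked INVITE produces several dialogs that
    share Call-ID and From-tag and differ only in To-tag, and in-dialog requests
    sent by the callee (e.g. BYE) carry the two tags swapped. Messages without a
    callee tag yet (initial INVITE, 100 Trying) are copied into every dialog the
    same Call-ID/caller-tag pair spawns.
    """
    callers = defaultdict(set)   # Call-ID -> tags seen on the originating side
    dialogs = {}                 # (call_id, caller_tag, callee_tag) -> [messages]
    early = defaultdict(list)    # (call_id, caller_tag) -> messages without a callee tag
    for msg in messages:
        cid, ftag, ttag = msg["call_id"], msg["from_tag"], msg["to_tag"]
        if ftag in callers[cid]:
            caller, callee = ftag, ttag
        elif ttag in callers[cid]:
            caller, callee = ttag, ftag     # sent by the callee: tags are swapped
        else:
            callers[cid].add(ftag)          # first message of a new call
            caller, callee = ftag, ttag
        if callee is None:
            early[(cid, caller)].append(msg)
            for key, msgs in dialogs.items():
                if key[:2] == (cid, caller):
                    msgs.append(msg)        # e.g. a retransmitted INVITE after the 180
            continue
        key = (cid, caller, callee)
        if key not in dialogs:
            dialogs[key] = list(early[(cid, caller)])
        dialogs[key].append(msg)
    return dialogs


def _pkt(start, frm, to, cid, cseq, body="", compact=False):
    """Format one constructed packet the way 'ngrep -W byline' prints it."""
    f, t, i = ("f", "t", "i") if compact else ("From", "To", "Call-ID")
    head = "U 2005/10/03 17:47:01.000000 10.0.0.10:5060 -> 10.0.0.1:5060"
    return f"{head}\n{start}\n{f}: {frm}\n{t}: {to}\n{i}: {cid}\nCSeq: {cseq}\n{body}\n"


ALICE, BOB = "<sip:alice@example.org>", "<sip:bob@example.org>"
C1, R1 = "c1@10.0.0.10", "r1@10.0.0.10"
# Constructed sample trace: one forked INVITE (To-tags b1 and b2) that is
# answered and later hung up by the callee, plus an unrelated REGISTER.
SAMPLE_TRACE = "".join([
    _pkt("INVITE sip:bob@example.org SIP/2.0", ALICE + ";tag=a1", BOB, C1, "1 INVITE",
         "Content-Type: application/sdp\n\nv=0\no=alice 1 1 IN IP4 10.0.0.10\n"),
    _pkt("SIP/2.0 100 Trying", ALICE + ";tag=a1", BOB, C1, "1 INVITE"),
    _pkt("SIP/2.0 180 Ringing", ALICE + ";tag=a1", BOB + ";tag=b1", C1, "1 INVITE"),
    _pkt("SIP/2.0 200 OK", ALICE + ";tag=a1", BOB + ";tag=b2", C1, "1 INVITE"),
    _pkt("ACK sip:bob@10.0.0.21 SIP/2.0", ALICE + ";tag=a1", BOB + ";tag=b2", C1, "1 ACK"),
    _pkt("BYE sip:alice@10.0.0.10 SIP/2.0", BOB + ";tag=b2", ALICE + ";tag=a1", C1, "2 BYE"),
    _pkt("SIP/2.0 200 OK", BOB + ";tag=b2", ALICE + ";tag=a1", C1, "2 BYE"),
    _pkt("REGISTER sip:example.org SIP/2.0", ALICE + ";tag=reg1", ALICE, R1, "1 REGISTER", compact=True),
    _pkt("SIP/2.0 200 OK", ALICE + ";tag=reg1", ALICE + ";tag=s1", R1, "1 REGISTER", compact=True),
])

if __name__ == "__main__":
    for key, msgs in group_dialogs(parse_trace(SAMPLE_TRACE)).items():
        print(key, [m["kind"] for m in msgs])
```

Run against a real capture, the trace would come from a file written by "ngrep -W byline -T port 5060 > sip.log". The caller tag is learned from the first message seen for a Call-ID, so a capture that starts in the middle of a call with a callee-sent request will have the two sides swapped for that call; that is the limit of what a passive sniffer can know without the INVITE.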
Hi all
I have some questions related to the lcr module:
- As far as I understand, the lcr module does not cache gateway or destination prefix data in RAM but queries the db upon each request, right? If so, I could do changes to the gateway data directly in the database (else than with subscriber data that is cached in ser)?
- In the table "gw" the IP address is stored (in ip_addr) in a numeric format. How is this value calculated from the common IP address format?
- There are 3 tables in the database that are used by the lcr module: gw, gw_grp and lcr?
Thanks a lot for your help.
Regards Frank
Frank Fischer writes:
> - As far as I understand, the lcr module does not cache gateway or destination prefix data in RAM but queries the db upon each request, right? If so, I could do changes to the gateway data directly in the database (else than with subscriber data that is cached in ser)?
lcr module does cache gw information, but not routing information. if you add/delete gws, you have to reload the cache using fifo command.
> - In the table "gw" the IP address is stored (in ip_addr) in a numeric format. How is this value calculated from the common IP address format?
search the archives for code and description.
> - There are 3 tables in the database that are used by the lcr module: gw, gw_grp and lcr?
yes, but gw_grp is not needed for request routing.
-- juha
Hi juha
Thanks a lot for your response.
One additional question regarding "searching the archives": of course that's what I try first before posting a question, but I couldn't find a search functionality for the mailing list archives, only the archives sorted by months (which makes it quite hard to search). Is there any way to search through the whole archive, or do I really have to search posting for posting?
Kind Regards Frank
Try using google.com to search the archives like this...
site:mail.iptel.org my_keyword_or_phrase
- Daryl
try googling with site:mail.iptel.org.
-- juha