3 Oct
2005
3 Oct
'05
10:59 a.m.
Hi
Has anyone come up with a scalable method to log the complete SIP trace
of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
3 Oct
3 Oct
11:40 a.m.
Iqbal,
I'm by no means a network expert, but if you're looking for a way to
make sure your network monitoring for SIP messages doesn't impact your
SIP routers then I'd take a stab at the problem by using a VLAN switch
that can do port mirroring.
Then you can use NGREP on a maching that is connected to a mirrored
port on the VLAN switch.
Regards,
Paul
On 10/3/05, Iqbal <iqbal(a)gigo.co.uk> wrote:
Hi
Has anyone come up with a scalable method to log the complete SIP trace
of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
11:46 a.m.
but ngreeping each account into separate files, but day and time, anyone
scripted this :-)
The vlan is okay, once I get this SPAN port business worked out
Iqbal
Paul Hazlett wrote:
Iqbal,
I'm by no means a network expert, but if you're looking for a way to
make sure your network monitoring for SIP messages doesn't impact your
SIP routers then I'd take a stab at the problem by using a VLAN switch
that can do port mirroring.
Then you can use NGREP on a maching that is connected to a mirrored
port on the VLAN switch.
Regards,
Paul
On 10/3/05, Iqbal <iqbal(a)gigo.co.uk> wrote:
Hi
Has anyone come up with a scalable method to log the complete SIP trace
of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
.
11:55 a.m.
Hi Paul,
I think your best shot would Either be to write something yourself based
on libpcap, or do something with ngrep like :
#!/some/perl/like/lanuage/or/other/scripting/language
$numbers = `mysql -user -pheslo -e"use ser;select username from
subscriber";
$foo=0;
while($foo >count($numbers)){
`ngrep -W byline -T $number[$foo] port 5060>>$number[$foo]`;
$foo++;
};
- Atle
* Iqbal <iqbal(a)gigo.co.uk> [051003 17:47]:
but ngreeping each account into separate files, but
day and time, anyone
scripted this :-)
The vlan is okay, once I get this SPAN port business worked out
Iqbal
Paul Hazlett wrote:
Iqbal,
I'm by no means a network expert, but if you're looking for a way to
make sure your network monitoring for SIP messages doesn't impact your
SIP routers then I'd take a stab at the problem by using a VLAN switch
that can do port mirroring.
Then you can use NGREP on a maching that is connected to a mirrored
port on the VLAN switch.
Regards,
Paul
On 10/3/05, Iqbal <iqbal(a)gigo.co.uk> wrote:
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
Hi
Has anyone come up with a scalable method to log the complete SIP trace
of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
.
4 Oct
4 Oct
2:03 a.m.
Two other suggestions:
1. The ONsip.org script package contains two scripts that you can use to
generate ngrep traces in various log files based on time, as well as a way
to search. Maybe not exactly what you want, but I have found this approach
to be reasonably efficient (see exerpt from README.ONSIP below)
2. Start a tcpdump with rotatelogs (see start_ngrep) and then use
sip_scenario to generate the traces you want to a directory accessible
through a web server
Both approaches require a cron clean-up job to delete old logs dependent on
your disk space.
And BTW, using a hub instead of a switch in front of your ser server means
that you can set up a dedicated listener like Paul suggested without vlan.
g-)
What you will find in this package:
start_ngrep
---------------
A small script to start ngrep in a way where all SIP messages are logged to
files in /var/log/sip/.
Must be started as root. Assumes that ngrep version >1.42 is already
installed. The log files will be
rotated every 24 hours starting 24 hours from the time you run start_ngrep.
siplogs
--------------
Usage: siplogs regex [siplog-filename]
If start_ngrep has been run and ngrep is running as a process, siplogs can
be called with one parameter
like this: 'siplogs 1237890'
This will filter out all SIP messages with 1237890 found somewhere in the
message. Only messages found in
the last logfile will be searched (i.e. < 24 hours ago dependent on when you
started start_ngrep) siplogs
can also take a second parameter: siplogs 1237890 sip.1114992000 and thus
specify the log file (in
/var/log/sip/) that you want to search through.
The first parameter is a regular expression(awk), so you can for example run
'siplogs "^INVITE|^ACK"' to
filter out all INVITE and ACK messages.
----- Original Message -----
From: "Iqbal" <iqbal(a)gigo.co.uk>
To: <serusers(a)lists.iptel.org>
Sent: Monday, October 03, 2005 04:59 PM
Subject: [Serusers] logging of SIP dialog
Hi
Has anyone come up with a scalable method to log the complete SIP trace of
ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
2:57 a.m.
We use the low-level approach:
crontab -l
# purge SIP packet sniffs
35 5 * * * find /export/sipsniff -name pack\* -mtime +60 -exec rm {} \;
cat /usr/local/bin/sipsniff
#!/bin/sh
FILES=/export/sipsniff/packets
while true; do
FILESUFFIX=`date +%Y%m%d-%H%M%S`
/usr/bin/tethereal -i any -a filesize:256 -n -w $FILES.$FILESUFFIX
port 5060 or port 5061
done;
This is not very convenient for daily debugging, but sufficient I you
debug once a month.
regards
klaus
Iqbal wrote:
Hi
Has anyone come up with a scalable method to log the complete SIP trace
of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls, for
various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
11 Oct
11 Oct
1:45 p.m.
Hi
Is there any easy way of matching all messages belonging to a call in
ngrep, aside from pulling out the call-id and the grepping for all those
which match that call-id...I am guessing not...
iqbal
Klaus Darilion wrote:
We use the low-level approach:
crontab -l
# purge SIP packet sniffs
35 5 * * * find /export/sipsniff -name pack\* -mtime +60 -exec rm {} \;
cat /usr/local/bin/sipsniff
#!/bin/sh
FILES=/export/sipsniff/packets
while true; do
FILESUFFIX=`date +%Y%m%d-%H%M%S`
/usr/bin/tethereal -i any -a filesize:256 -n -w $FILES.$FILESUFFIX
port 5060 or port 5061
done;
This is not very convenient for daily debugging, but sufficient I you
debug once a month.
regards
klaus
Iqbal wrote:
Hi
Has anyone come up with a scalable method to log the complete SIP
trace of ALL calls, i.e to separate files etc
Ngrep is greate for a few, but I want to be able to track all calls,
for various purposes
Iqbal
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
.
2:21 p.m.
Iqbal wrote:
Is there any easy way of matching all messages
belonging to a call in
ngrep, aside from pulling out the call-id and the grepping for all those
which match that call-id...I am guessing not...
I messed around with libpcap and libosipparser some time ago, and the
result was a small prototype of a sniffer which collects sip and rtp
packets and assigns them to sip dialogs.
It's far from being really useable, but it may give you an idea on how
to do that (and hey, it compiles, runs and gives you at least some
output ;o).
I'm currently not able to continue development because of lack of time,
but maybe someone is interested in taking over the code.
You can find it here: http://linguin.org/voisniff-0.1a.tar.gz
Andy
2:44 p.m.
cheers will take alook, but C and me aren't the best of friends, :-)
Also did you use callid is the identifier, cause it seems as if that is
generated by the device itself, and not unique per call
iqbal
Andreas Granig wrote:
Iqbal wrote:
Is there any easy way of matching all messages
belonging to a call in
ngrep, aside from pulling out the call-id and the grepping for all
those which match that call-id...I am guessing not...
I messed around with libpcap and libosipparser some time ago, and the
result was a small prototype of a sniffer which collects sip and rtp
packets and assigns them to sip dialogs.
It's far from being really useable, but it may give you an idea on how
to do that (and hey, it compiles, runs and gives you at least some
output ;o).
I'm currently not able to continue development because of lack of
time, but maybe someone is interested in taking over the code.
You can find it here: http://linguin.org/voisniff-0.1a.tar.gz
Andy
.
3:01 p.m.
Iqbal wrote:
cheers will take alook, but C and me aren't the
best of friends, :-)
Also did you use callid is the identifier, cause it seems as if that is
generated by the device itself, and not unique per call
Currently it only takes the call-id, but there's a TODO-comment
somewhere in sip_handler.c to also use the from-tag for better matching.
And for RFC-compliance the to-tag should be used for matching subsequent
messages too.
As I said, it's quite far away from being really useful, but for someone
familiar with libosip, this shouldn't be very difficult to implement.
Andy
3:24 p.m.
I just grabbed the source as well. As I've been hacking around trying
to get something similar setup (using libpcap but parsing things myself)
I'll see if this might be a better starting point. If anything comes of
it, I'll post it up for grabs.
-Evan
Andreas Granig wrote:
Iqbal wrote:
cheers will take alook, but C and me aren't
the best of friends, :-)
Also did you use callid is the identifier, cause it seems as if that
is generated by the device itself, and not unique per call
Currently it only takes the call-id, but there's a TODO-comment
somewhere in sip_handler.c to also use the from-tag for better matching.
And for RFC-compliance the to-tag should be used for matching subsequent
messages too.
As I said, it's quite far away from being really useful, but for someone
familiar with libosip, this shouldn't be very difficult to implement.
Andy
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
3:38 p.m.
Evan Borgstrom wrote:
I just grabbed the source as well. As I've been hacking around
trying to get something similar setup (using libpcap but parsing things
myself) I'll see if this might be a better starting point. If anything
comes of it, I'll post it up for grabs.
Great! And btw, I have completely forgotten that I already use from/to
tag matching ;o)
It's just not... well... optimized ;o) because it uses the callid string
as hash value which is compared again for collisions.
However, this is going quite offtopic here, so please PM for further
information.
Andy
13 Oct
13 Oct
3:26 a.m.
New subject: [Serusers] administration of lcr module
Hi all
I have some questions related to the lcr module:
- As far as i understand, the lcr module does not cache gateway or
destination prefix data in RAM but queries the db upon each request, right?
If so, i could do changes to the gateway data directly in the database (else
than with subscriber data that is cached in ser)?
- In the table "gw" the ip address is stored (in ip_addr) in a numeric
format. How is this value calculated from the common ip address format?
- There are 3 tables in the database that are used by lcr module: gw, gw_grp
and lcr?
Thanks a lot for your help.
Regards
Frank
3:51 p.m.
New subject: [Serusers] administration of lcr module
Frank Fischer writes:
- As far as i understand, the lcr module does not
cache gateway or
destination prefix data in RAM but queries the db upon each request, right?
If so, i could do changes to the gateway data directly in the database (else
than with subscriber data that is cached in ser)?
lcr module does cache gw information, but not routing information. if
you add/delete gws, you have to reload the cache using fifo command.
- In the table "gw" the ip address is stored
(in ip_addr) in a numeric
format. How is this value calculated from the common ip address
format?
search the archives for code and description.
- There are 3 tables in the database that are used by
lcr module: gw, gw_grp
and lcr?
yes, but gw_grp is not needed for request routing.
-- juha
4:18 p.m.
New subject: AW: [Serusers] administration of lcr module
Hi juha
Thanks a lot for your response.
One additional question regading "searching the archives": Of course that's
what i use to try first before posting a question, but i couldn't find a
search functionality for the mailing list archives, only the Archives sorted
by months (which makes it quite hard to search). Is there anyway to search
through the whole archive or do i really have to search posting for posting?
Kind Regards
Frank
- As far as i
understand, the lcr module does not cache
gateway or > destination prefix data
in RAM but queries the
db upon each request, right?
If so, i could do changes to the gateway data
directly in
the database (else > than with subscriber data that is
cached in ser)?
lcr module does cache gw information, but not routing
information. if you add/delete gws, you have to reload the
cache using fifo command.
- In the table "gw" the ip address is
stored (in ip_addr)
in a numeric > format. How is this value calculated from
the
common ip address > format?
search the archives for code and description.
- There are 3 tables in the database that are
used by lcr
module: gw, gw_grp > and lcr?
yes, but gw_grp is not needed for request routing.
-- juha
5:05 p.m.
New subject: [Serusers] administration of lcr module
Try using google.com to search the archives like this...
site:mail.iptel.org my_keyword_or_phrase
- Daryl
On 10/13/05, Frank Fischer <frank.fischer(a)digitalnomads.ch> wrote:
Hi juha
Thanks a lot for your response.
One additional question regading "searching the archives": Of course
that's
what i use to try first before posting a question, but i couldn't find a
search functionality for the mailing list archives, only the Archives sorted
by months (which makes it quite hard to search). Is there anyway to search
through the whole archive or do i really have to search posting for posting?
Kind Regards
Frank
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
- As far
as i understand, the lcr module does not cache
gateway or > destination prefix
data in RAM but queries the
db upon each request, right?
If so, i could do changes to the gateway data
directly in
the database (else > than with subscriber data that is
cached in ser)?
lcr module does cache gw information, but not routing
information. if you add/delete gws, you have to reload the
cache using fifo command.
- In the table "gw" the ip address is
stored (in ip_addr)
in a numeric > format. How is this value calculated from
the
common ip address > format?
search the archives for code and description.
- There are 3 tables in the database that are
used by lcr
module: gw, gw_grp > and lcr?
yes, but gw_grp is not needed for request routing.
-- juha
14 Oct
14 Oct
12:50 a.m.
New subject: AW: [Serusers] administration of lcr module
Frank Fischer writes:
One additional question regading "searching the
archives": Of course that's
what i use to try first before posting a question, but i couldn't find a
search functionality for the mailing list archives, only the Archives sorted
by months (which makes it quite hard to search). Is there anyway to search
through the whole archive or do i really have to search posting for
posting?
try googling with site:mail.iptel.org.
-- juha
6842
days inactive
6853
days old
16 comments
10 participants
participants (10)
-
Andreas Granig -
Atle Samuelsen -
Daryl Sanders -
Evan Borgstrom -
Frank Fischer -
Greger V. Teigre -
Iqbal -
Juha Heinanen -
Klaus Darilion -
Paul Hazlett