[sr-dev] [kamailio/kamailio] sipcapture: Fragmented packets are not captured on mirror port (#1049)

Sebastian Damm notifications at github.com
Thu Mar 30 17:16:08 CEST 2017


### Description

We are running a Kamailio on a mirror port for capturing traffic. This works as long as the packets are not fragmented. If they are fragmented, the packet is not seen inside Kamailio.

On the regular SIP servers, those fragmented packets are successfully reassembled and processed.

I guess this is an issue for @adubovikov.

#### Reproduction

Setup a Kamailio with sipcapture in mirror mode. These are the config parameters we use:
```
modparam("sipcapture", "capture_on", 1)
modparam("sipcapture", "raw_moni_capture_on", 1)
modparam("sipcapture", "raw_socket_listen", "10.0.0.1:5060")
modparam("sipcapture", "raw_interface", "eth1")
modparam("sipcapture", "raw_sock_children", 6)
modparam("sipcapture", "promiscious_on", 1)
modparam("sipcapture", "raw_moni_bpf_on", 1)
modparam("sipcapture", "db_url", "mysql://root:XXXXX@127.0.0.1/sipcapture")
```
And this is what our route says:
```
request_route {

        if ($sp == 5060 || $Rp == 5060) {
                xlog("L_INFO", "Request received from $si:$sp to $Ri:$Rp :\n$mb\n");
                exit;
        }
}
```

Now if you craft really big INVITEs (e.g. with a snom phone turning on encryption and long SDP and stuff), the first INVITE without Auth will still show up because it is below 1500 bytes, the second one will exceed 1500 bytes and won't appear in Kamailio.

#### Debugging Data

In tcpdump I can see the the missing packet:

```
17:07:33.568718 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: INVITE sip:0163xxxxxxx at sipgate.de;user=phone SIP/2.0
17:07:33.572659 IP 217.10.79.9.5060 > 82.116.x.y.11223: SIP: SIP/2.0 407 Proxy Authentication Required
17:07:33.951787 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: ACK sip:0163xxxxxxx at sipgate.de;user=phone SIP/2.0
17:07:33.980561 IP 82.116.x.y.11223 > 217.10.79.9.5060: SIP: INVITE sip:0163xxxxxxx at sipgate.de;user=phone SIP/2.0
17:07:33.980566 IP 82.116.x.y > 217.10.79.9: ip-proto-17
17:07:33.995269 IP 217.10.79.9.5060 > 82.116.x.y.11223: SIP: SIP/2.0 100 trying -- your call is important to us
```

### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.0.0 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 4.9.2
```

* **Operating System**:

```
Linux hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
```


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1049
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20170330/6f0756f6/attachment-0001.html>


More information about the sr-dev mailing list