[SR-Users] Kamailio to capture mirrored traffic

Igor Olhovskiy igorolhovskiy at gmail.com
Mon Oct 28 09:27:19 CET 2019


Hello!

Thanks everyone
Actually setting
listen=udp:127.0.0.1:5060

modparam("sipcapture", "raw_socket_listen", "127.0.0.1:5060")
modparam("sipcapture", "raw_moni_capture_on", 1)
modparam("sipcapture", "raw_interface", "lo")
modparam("sipcapture", "promiscious_on", 1)

And setting one iptables rule
iptables -A PREROUTING -t mangle -i eth0 -p udp --dport 5060 -j TEE --gateway 127.0.0.1
helps to get what I want exactly.
So, Kamailio is just receiving mirrored traffic that I can analyze.

On Oct 28 2019, at 8:20 am, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
>
> Hello,
> network sniffers (such as wireshark, ngrep, tcpdump, sngrep, ...) capture the traffic at network interface layer (well, using some kernel hooks), before getting to application layer (even before the firewall) and I expect it is the same for heplify. They do not "receive" the packets like an application that does "listen", just take a copy of the traffic via those kernel hooks and then the packets are sent to the application layer. In other words, heplify doesn't receive the SIP traffic and then resend it locally, just gets a copy of the traffic.
> Cheers,
> Daniel
>
>
> On 27.10.19 09:16, Igor Olhovskiy wrote:
> > So, at the end it would be like
> > Heplify captures traffic and sends it to localhost, where Kamailio listens.
> > Thanks, will give it a try.
> >
> >
> >
> > Regards, Igor
> > On 26 Oct 2019, 21:21 +0200, Federico Cabiddu <federico.cabiddu at gmail.com>, wrote:
> > > Just use heplify or captagent for this:
> > > https://github.com/sipcapture/heplify
> > > https://github.com/sipcapture/captagent
> > > You can run them on the same machines where you're running your sip services and send the captured traffic to a homer instance.
> > >
> > > Cheers,
> > >
> > > Federico
> > > On Sat, 26 Oct 2019, 20:40 Igor Olhovskiy, <igorolhovskiy at gmail.com> wrote:
> > > > I'm trying to avoid SIP packet touching at all. Plus, I can't move third-party soft to other port/interface or so.
> > > >
> > > > Idea is I don't want for Kamailio to be a proxy, but a sip packet analyzer for mirrored port, but on same machine.
> > > > On Oct 26 2019, at 6:40 pm, David Villasmil <david.villasmil.work at gmail.com> wrote:
> > > > > Why not just receiving with kamailio and transparently proxying to the pbx after capturing? I.e.: kamailio in the middle
> > > > >
> > > > >
> > > > > On Sat, 26 Oct 2019 at 14:46, Igor Olhovskiy <igorolhovskiy at gmail.com> wrote:
> > > > > > Hi!
> > > > > >
> > > > > > I'm trying to get Kamailio working as a traffic capture on a same machine with other PBX software installed.
> > > > > > Actually, traffic is mirrored with
> > > > > > iptables -A PREROUTING -t mangle -i eth0 -p udp --dport 5060 -j TEE --gateway 127.0.0.2
> > > > > > iptables -t nat -A PREROUTING -d 127.0.0.2 -p udp --dport 5060 -j DNAT --to 127.0.0.1:5062
> > > > > >
> > > > > > Kamailio request route is super simple
> > > > > > request_route {
> > > > > >     xlog("L_ALERT", "[SIP-PACKET] Got packet [F=$fu R=$ru D=$du M=$rm IP=($si:$sp $Ri:$Rp) ID=$ci]\n");
> > > > > >     drop;
> > > > > > }
> > > > > >
> > > > > > I was trying to get Kamailio just listen on interface 127.0.0.1:5062, but no luck
> > > > > > listen=udp:127.0.0.1:5062
> > > > > > Next was to use sipcapture module with following parameters
> > > > > > loadmodule "sipcapture.so"
> > > > > > modparam("sipcapture", "db_url", "text:///tmp/")
> > > > > > modparam("sipcapture", "raw_socket_listen", "127.0.0.1:5060-5062")
> > > > > > modparam("sipcapture", "raw_interface", "lo")
> > > > > > modparam("sipcapture", "promiscious_on", 1)
> > > > > >
> > > > > > Also no luck. Means Kamailio can't see packets, but I see em with wireshark on lo interface.
> > > > > > What is best way to get it working? Or I'm missing something?
> > > > > > Thanks!
> > > > > > _______________________________________________
> > > > > > Kamailio (SER) - Users Mailing List
> > > > > > sr-users at lists.kamailio.org
> > > > > > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > >
> > > > > David Villasmil
> > > > > email: david.villasmil.work at gmail.com
> > > > > phone: +34669448337
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat
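
An added example, not part of the thread and not Kamailio or heplify code: as Daniel describes, a capture socket gets a copy of the whole frame rather than a delivered datagram, so the capturing program has to decode the IPv4/UDP headers and apply the port filter itself. The sketch below does that for one constructed Ethernet frame and prints a line modelled on the xlog format from the original post (the D= field is omitted); the function names, addresses and SIP message are assumptions made for illustration, and only SIP requests are decoded.

```python
import re
import struct

COMPACT = {"i": "call-id", "f": "from"}  # SIP compact header names (RFC 3261)

def build_frame(src, dst, sport, dport, payload):
    """Constructed sample input: Ethernet + IPv4 + UDP, checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def decode_sip_request(frame, ports=range(5060, 5061)):
    """Decode one captured frame; None unless it is a SIP request over UDP/IPv4 to a watched port."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length; options are possible
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None                      # malformed header or not UDP
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport not in ports:
        return None                      # same selection as --dport 5060 in the TEE rule
    text = ip[ihl + 8:ihl + ulen].decode("utf-8", "replace")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[2] != "SIP/2.0":
        return None                      # a response, or not SIP at all
    hdr = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            hdr.setdefault(COMPACT.get(key, key), value.strip())
    m = re.search(r"<([^>]+)>", hdr.get("from", ""))
    furi = m.group(1) if m else hdr.get("from", "").split(";")[0]
    addr = lambda raw, port: "%s:%d" % (".".join(map(str, raw)), port)
    return {"M": start[0], "R": start[1], "F": furi, "ID": hdr.get("call-id"),
            "src": addr(ip[12:16], sport), "dst": addr(ip[16:20], dport)}

def log_line(d):
    """Format a decoded request like the xlog line in the thread (without D=)."""
    return "[SIP-PACKET] Got packet [F=%(F)s R=%(R)s M=%(M)s IP=(%(src)s %(dst)s) ID=%(ID)s]" % d

# Constructed sample: an OPTIONS request as it would appear in a mirrored frame.
SAMPLE = build_frame("192.0.2.10", "192.0.2.20", 5070, 5060,
    b"OPTIONS sip:pbx.example.com SIP/2.0\r\nf: \"Alice\" <sip:alice@example.com>;tag=1\r\n"
    b"i: abc123@192.0.2.10\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")
print(log_line(decode_sip_request(SAMPLE)))
```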