Command line SIP dialog matching and searching through offline PCAPs.
$ sudo apt-get install python-libpcap # or yum install..
$ sudo pip install sipzamineA basic example, finding all dialogs that last shorter than 1.5 seconds:
$ sipzamine -m ^BYE -H ^BYE --maxdur 1.5 --pcap 'host 22.22.22.22' stored.pcap
[ [email protected] ]
2011-11-23 22:27:20.746782 22.22.22.22:5060 > 123.123.123.123:5060 102 INVITE
2011-11-23 22:27:20.747508 123.123.123.123:5060 > 22.22.22.22:5060 102 INVITE(100)
2011-11-23 22:27:20.783424 123.123.123.123:5060 > 22.22.22.22:5060 102 INVITE(200)
2011-11-23 22:27:20.783956 22.22.22.22:5060 > 123.123.123.123:5060 102 ACK
2011-11-23 22:27:21.665581 22.22.22.22:5060 > 123.123.123.123:5060 103 BYE <--
2011-11-23 22:27:21.665721 123.123.123.123:5060 > 22.22.22.22:5060 103 BYE(200)Normally you use -m to match a dialog by regular expression. And -p to filter by IP.
To highlight a particular text string in the concise output, use -H.
Basic matching options:
--pcap filter, -p filter
pcap filter expression
--pmatch regex, -m regex
any packet in dialog must match regex (can be used
multiple times), e.g. ^INVITE to match calls
--amatch regex, -M regex
all packets in dialog must match regex (can be used
multiple times), e.g. ^(SIP/2.0|INVITE|BYE) to match
calls without an ACKOutput options:
--contents
show complete packet contents
--dateskew seconds
offset added to all dates, can be negative (use when
pcap clock was off)
--highlight regex, -H regex
highlight first matchgroup in packets (multiple
highlights are identified by letters a..z)Special dialog/packet matching options:
--mindate date
packets must be younger than specified date
--maxdate date
packets must be older than specified date
--mindur seconds
dialogs/transactions must be shorter than duration
--maxdur seconds
dialogs/transactions must be longer than duration
--retransmits count
at least count retransmits must be involved- Add tests: begin with a smallish pcap.
- Add the ability to write pcaps from the filter. Combine capability with sipscrub?
- Compare this to sipgrep (and other tools?). And homer?
How do I get pcap files?
You're encouraged to always write SIP pcaps on your VoIP machine. tcpdump allows you easy rotation of pcaps so you won't run out of disk space. You can use the tcpdump247 init script if you like.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent