
Adding port to be analysed as SIP

Open alaertegv opened this issue 5 years ago • 4 comments

Hi, I would appreciate your comment: is it possible to add a port to be interpreted as SIP in SNGREP?

For example, I currently have SIP messages using port 5090 between two products, and SNGREP does not recognise these packets as SIP.

Best Regards, Alaerte

alaertegv avatar Dec 16 '19 01:12 alaertegv

Hi @alaertegv

sngrep analyzes all packets unless you use a BPF filter. Most probably the problem is not the port but an unsupported protocol header.

Could you provide a pcap, captured with another tool, that doesn't show dialogs in sngrep?

Regards

Kaian avatar Dec 16 '19 07:12 Kaian

Hi Kaian, thanks for looking at it. I exported the two INVITEs from WIRESHARK to text (attached); I needed to remove the real numbers, hope this does not impact the analysis. Doing this exercise I see that the 5081 INVITE (the one not displayed in SNGREP) was fragmented into two packets by the source sending it. The second INVITE, even though it is a big packet, is not fragmented as there is jumbo frame support between the two products. Wondering if for this reason - SIP fragmented - SNGREP could not make it.

INVITE not present in SNGREP.docx

Best Regards

alaertegv avatar Dec 18 '19 19:12 alaertegv

Hi Kaian, I did the following test: first I generated a pcap using tcpdump, then ran SNGREP on the pcap file. This was to see if there was a difference between online and offline mode. There is not. Then I noticed the INVITE not present in SNGREP is a large IPv6 UDP packet which was segmented in two pieces; the next INVITE, which is displayed in SNGREP, is a large IPv6 TCP packet which was also segmented. It seems SNGREP cannot reassemble when it is UDP. Does it make sense, have you seen this behaviour before?

Best Regards

alaertegv avatar Dec 18 '19 22:12 alaertegv

Hi @alaertegv

Sngrep can reassemble IP and TCP (UDP fragments are split at the IP layer). TCP reassembly is very basic and has some limitations (like packets being received in order and without retransmissions), but with UDP (IP) there should be no problem.

Take into account that if you use a port bpf filter (e.g. running sngrep port 5060), some fragments may be filtered by libpcap so sngrep won't know they exist. The same will happen with any other libpcap-based tool using the same filter.

The tests you're doing seem promising. If you can generate a pcap that displays the dialog in tcpdump but not in sngrep, send it to my email. I prefer anonymized data, but if you cannot get it I will delete the file after debugging.

Regards!

Kaian avatar Dec 19 '19 08:12 Kaian
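To illustrate the point about port filters and fragments made above, here is an added example (not sngrep's or the project's own code) that fragments one constructed SIP INVITE at the IP layer, applies a filter that mirrors libpcap's `port N` match versus one that also passes non-first fragments, and then tries to reassemble what survived. It assumes IPv4 and hand-built packets; the reporter's case was IPv6, where the same filtering effect applies.

```python
import socket
import struct

def build_ipv4(src, dst, ident, flags_frag, payload, proto=17):
    # Minimal IPv4 header (checksum left zero) in front of the payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def fragment_udp(src, dst, ident, sport, dport, data, frag_size=32):
    # Split one UDP datagram into IP fragments (frag_size must be a multiple of 8)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    frags = []
    for off in range(0, len(udp), frag_size):
        more = 0x2000 if off + frag_size < len(udp) else 0          # MF flag
        frags.append(build_ipv4(src, dst, ident, more | (off // 8), udp[off:off + frag_size]))
    return frags

def bpf_port(pkt, port):
    # Mirrors libpcap's 'port N': the UDP header exists only in the first fragment
    # (offset 0), so every later fragment fails the match and is dropped by the filter
    first = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    return first and port in struct.unpack("!HH", pkt[20:24])

def bpf_port_or_fragment(pkt, port):
    # Mirrors 'port N or (ip[6:2] & 0x1fff != 0)': non-first fragments pass as well
    return (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) != 0 or bpf_port(pkt, port)

def reassemble(pkts):
    # Reassemble fragments keyed by (src, dst, id); return only complete datagrams
    buckets, done = {}, []
    for pkt in pkts:
        ident, ff = struct.unpack("!HH", pkt[4:8])
        b = buckets.setdefault((pkt[12:16], pkt[16:20], ident), {"parts": {}, "total": None})
        b["parts"][(ff & 0x1FFF) * 8] = pkt[20:]
        if not ff & 0x2000:                       # last fragment fixes the total length
            b["total"] = (ff & 0x1FFF) * 8 + len(pkt) - 20
        data, pos = b"", 0
        for off in sorted(b["parts"]):            # require a gap-free chain of fragments
            if off != pos:
                break
            data, pos = data + b["parts"][off], pos + len(b["parts"][off])
        if b["total"] is not None and pos == b["total"]:
            done.append(data)
    return done

def sip_requests_seen(bpf, port=5090):
    # Constructed capture: one INVITE fragmented into 4 IP packets, filtered, reassembled
    invite = b"INVITE sip:bob@example.test SIP/2.0\r\nX-Pad: " + b"a" * 60 + b"\r\n\r\n"
    capture = fragment_udp("10.0.0.1", "10.0.0.2", 0x1234, port, port, invite)
    return [d[8:].split(b"\r\n", 1)[0] for d in reassemble(p for p in capture if bpf(p, port))]
```

With the plain port filter only the first fragment reaches the reassembler, so the INVITE never completes and no dialog can be shown; with the fragment-aware filter the whole request is recovered.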