
Asterisk PJSIP + HEP

Open tiagoggsouza opened this issue 5 years ago • 11 comments

How can I capture the packets with sngrep in Asterisk using WebRTC in PJSIP?

tiagoggsouza avatar May 22 '20 19:05 tiagoggsouza

Hi @tiagoggsouza

I'm not sure if I'm understanding the question here. With WebRTC you mean you're using SIP over WebSockets (RFC 7118)?

If that's the case, you are probably using a secure connection (WSS) and, depending on the TLS cipher used, the traffic may not be decryptable. If in doubt, check capturing and parsing with other tools.

For asterisk and pjsip, I would recommend using the PJSIP HEP module. Configure it to send your traffic to a local sngrep in HEP listen mode and you'll be able to see asterisk traffic.

Kaian avatar May 25 '20 07:05 Kaian

Hello Kaian,

thanks for answering.

I'm using WebRTC (WSS) + TLS (pem file) + PJSIP in asterisk 1.6, OS CentOS 7

I tried to use the EEP/HOMER configuration in sngrep, but when I activate Listen for eep packets = on, a Segmentation fault (core dumped) always happens. I tried in different environments (hardware) but I always received this segmentation fault error.

Below is an archive from when the segmentation fault happens:

segmentfault.zip

tiagoggsouza avatar May 25 '20 16:05 tiagoggsouza

Hi @tiagoggsouza

I can open the attached file with sngrep 1.4.7 without problem, so this traffic may not be the one generating the crash. The file doesn't seem to contain any HEP packets either, just UDP traffic for 84 different calls. Also, try to avoid publishing RTP data unless it's test data generated by you :-)

I'm using Webrtc(wss) + TLS(pem file) + Pjsip in asterisk 1.6, O.S centos 7

I guess you mean asterisk 16 here. WSS with TLS most probably uses a cipher that no capture tool can decrypt, so the only way to make it work is the HEP path.

Can you provide your hep.conf asterisk configuration and the output of sngrep --dump-config? Also the command line you're using to start sngrep in HEP listen mode.

Regards!

Kaian avatar May 26 '20 07:05 Kaian

I discovered the problem with the segmentation fault; it could be a bug in sngrep. The problem always happens when I activate the option Listen for eep packets = on and try to open sngrep without selecting any device. I put the option -d and it is working correctly now.

1 - config hep.conf

[general]
enabled = yes
capture_address = 192.168.1.241:9061
capture_password = foo
capture_id = 1234
uuid_type = call-id

Now I understand the necessary environment better: I need a HEP server. I thought that asterisk would do it; the IP above is my asterisk server.

tiagoggsouza avatar May 26 '20 14:05 tiagoggsouza

Yes, you need a HEP server to receive the data asterisk sends. sngrep can act as a HEP server if configured properly.

Configure sngrep to listen for HEP packets on that address by adding eep settings to your ~/.sngreprc file:

cat <<EOT >> ~/.sngreprc
set eep.listen on
set eep.listen.address 192.168.1.241
set eep.listen.port 9061
set eep.listen.pass foo
set eep.listen.uuid on
EOT

And just run sngrep selecting any interface without traffic: sngrep -d lo

You will only see the data sent by asterisk to sngrep.

Regards

Kaian avatar May 27 '20 07:05 Kaian

The conf in sngrep is correct, but my asterisk isn't working with hep.conf on, I don't know why. I tried to use tcpdump but nothing is passing through port 9061 on my server. I'm trying to discover the problem.

tiagoggsouza avatar May 27 '20 18:05 tiagoggsouza

Now I'm receiving from hep.conf through asterisk on port 9060 (I changed to the default port).

I tried to configure sngrep to listen for the packets but nothing happens.

I created an archive with tcpdump of the HEP port and UDP ports below; I tried to open it with sngrep but it is empty.

pcap.zip

tiagoggsouza avatar May 28 '20 18:05 tiagoggsouza

What version of sngrep are you using? Can you provide the output of sngrep --version?

sngrep can only receive HEP data by listening on a given port; it can not open it from pcap files. I have tested asterisk HEP PJSIP with sngrep 1.4.7 without problems.

Also, from the pcap, it seems you're not using any HEP password. I've only tested with default asterisk settings (foo as password and uuid on).

Regards

Kaian avatar May 29 '20 09:05 Kaian
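To check what asterisk's res_hep is actually putting on the wire (the listener setup in the earlier reply and the password point above), here is an added HEPv3 decoder that is not part of sngrep or asterisk. It assumes the HEPv3 chunk layout from the HEP specification, and the sample datagram is constructed here.

```python
import struct

# HEPv3 chunk type ids (vendor id 0) from the HEP3 specification; asterisk's res_hep sends
# capture_password as AUTH_KEY, capture_id as CAPTURE_ID and the Call-ID as CORRELATION_ID
SRC_IP4, DST_IP4, SRC_PORT, DST_PORT = 0x0003, 0x0004, 0x0007, 0x0008
CAPTURE_ID, AUTH_KEY, PAYLOAD, CORRELATION_ID = 0x000C, 0x000E, 0x000F, 0x0011


def build_hep3(chunks):
    """Build a HEPv3 datagram from (type_id, bytes) chunks (only used to construct sample input)."""
    body = b"".join(struct.pack("!HHH", 0, tid, 6 + len(v)) + v for tid, v in chunks)
    return b"HEP3" + struct.pack("!H", 6 + len(body)) + body


def parse_hep3(data):
    """Return {type_id: bytes} for every vendor-0 chunk; raise ValueError on a malformed datagram."""
    if len(data) < 6 or data[:4] != b"HEP3":
        raise ValueError("not a HEPv3 datagram (missing HEP3 magic)")
    total = struct.unpack("!H", data[4:6])[0]
    if total != len(data):
        raise ValueError(f"length field {total} != datagram size {len(data)}")
    chunks, pos = {}, 6
    while pos + 6 <= total:
        vendor, tid, length = struct.unpack("!HHH", data[pos:pos + 6])
        if length < 6 or pos + length > total:  # chunk length includes its own 6-byte header
            raise ValueError(f"bad chunk length {length} at offset {pos}")
        if vendor == 0:
            chunks[tid] = data[pos + 6:pos + length]
        pos += length
    return chunks


def check_hep_packet(data, expected_password):
    """Summarise what sngrep's HEP listener needs and whether eep.listen.pass would match."""
    c = parse_hep3(data)
    ip = lambda tid: ".".join(str(b) for b in c.get(tid, b""))
    port = lambda tid: struct.unpack("!H", c[tid])[0] if tid in c else None
    return {
        "src": f"{ip(SRC_IP4)}:{port(SRC_PORT)}",
        "dst": f"{ip(DST_IP4)}:{port(DST_PORT)}",
        "capture_id": struct.unpack("!I", c[CAPTURE_ID])[0] if CAPTURE_ID in c else None,
        "call_id": c.get(CORRELATION_ID, b"").decode(errors="replace"),
        "password_ok": c.get(AUTH_KEY, b"").decode(errors="replace") == expected_password,
        "sip_first_line": c.get(PAYLOAD, b"").split(b"\r\n", 1)[0].decode(errors="replace"),
    }


# Constructed sample: what asterisk would send with capture_password = foo and capture_id = 1234
SAMPLE = build_hep3([
    (SRC_IP4, bytes([192, 168, 1, 241])), (DST_IP4, bytes([192, 168, 1, 50])),
    (SRC_PORT, struct.pack("!H", 5060)), (DST_PORT, struct.pack("!H", 5060)),
    (CAPTURE_ID, struct.pack("!I", 1234)), (AUTH_KEY, b"foo"),
    (CORRELATION_ID, b"abc123@192.168.1.241"),
    (PAYLOAD, b"INVITE sip:100@192.168.1.50 SIP/2.0\r\nCall-ID: abc123@192.168.1.241\r\n\r\n"),
])
```

Feeding the UDP payloads from a tcpdump of the HEP port through check_hep_packet shows whether the password and capture id in hep.conf match what sngrep is configured to expect.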

Kaian, now it is running, thanks a lot for helping me... The problem was that when I put the local IP address of my ethernet interface, it comes from lo (127.0.0.1) and I tried to open sngrep with another interface; also my password was wrong, I put fool with an l at the end in sngrep.

Another subject: when I activate Listen EEP version=on and try to open sngrep without an interface, a segmentation fault always happens and sngrep closes immediately; when I use a specific interface with the option -d it opens normally. The problem is that I use the command sngrep -d lo -d enp4s0 -r with two interfaces, and when I try to save a pcap file I receive a message from sngrep: Saving is not possible when multiple input sources are specified.

When I use just the lo interface to open sngrep I can't see the RTP traffic, and when I open both interfaces it's possible.

tiagoggsouza avatar May 29 '20 13:05 tiagoggsouza

Kaian, now it is running, thanks a lot for helping me...

Good to know!

tried to open sngrep without an interface and a segmentation fault always happens

What device is configured as default in your sngreprc? Usually it's 'any' that is a virtual device that may be the cause of the problem. Change your default interface in configuration or try to get a backtrace of the segfault.

with two interfaces and when I try to save a pcap file I receive a message from sngrep: Saving is not possible when multiple input sources are specified.

That's not an error, it is a known limitation in the current version of sngrep because the pcap format only supports a single link layer. Why are you capturing on the lo interface? Maybe you can remove that interface from the command line and just capture from enp4s0.

when I use just the lo interface to open sngrep I can't see the RTP traffic, and when I open both interfaces it's possible.

That's because RTP traffic is being captured from the enp4s0 interface. HEP doesn't send RTP traffic, but you can combine HEP received data and enp4s0 captured packets to get RTP streams.

Regards

Kaian avatar May 30 '20 07:05 Kaian

What device is configured as default in your sngreprc? Usually it's 'any' that is a virtual device that may be the cause of the problem. Change your default interface in configuration or try to get a backtrace of the segfault.

Yes, default is any in sngreprc; because of it I use the -d interface option.

That's not an error, it is a known limitation in the current version of sngrep because the pcap format only supports a single link layer. Why are you capturing on the lo interface? Maybe you can remove that interface from the command line and just capture from enp4s0.

HEP always sends the packets through the lo interface, because of that I use both.

That's because RTP traffic is being captured from the enp4s0 interface. HEP doesn't send RTP traffic, but you can combine HEP received data and enp4s0 captured packets to get RTP streams.

Yes, I need to understand a way to receive both packets on the same interface (not the lo interface); I don't know if it is possible. I will search about it.

tiagoggsouza avatar May 30 '20 13:05 tiagoggsouza