
We capture 100% of our SIP traffic using tcpdump and logging 14 files at 100MB per file (1.5GB rough usage). We have at least a few days' worth of SIP packets to review if necessary. Use tshark to find sets of connected data.

This command line does all the rotation and capture for us:

    /usr/sbin/tcpdump -qpni eth0 -s 65535 -C 100 -W 14 -Z root -w /var/log/sip.pcap port 5060

-q  Quick (quiet?) output. Print less protocol information so output lines are shorter.
-p  Don't put the interface into promiscuous mode.
-n  Don't convert host addresses to names.
-i  Interface (eth0 here)
-s  Snarf snaplen bytes of data from each packet rather than the default of 68.
-C  Magic Sauce. Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
-W  Used in conjunction with the -C option, this will limit the number of files created to the specified number, and begin overwriting files from the beginning, thus creating a "rotating" buffer. In addition, it will name the files with enough leading 0s to support the maximum number of files, allowing them to sort correctly.
-Z  Drops privileges (if root) and changes user ID to user and the group ID to the primary group of user. This behavior is enabled by default (-Z pcap), and can be disabled by -Z root.
-w  Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is "-".

On Tue, 24 Mar 2015, Nelson Hicks wrote:
I'm looking for options to capture SIP/RTP traffic, index it by call, and make it easy to download the capture for a specific call based on calling/called and time. I want the capture to remain ongoing (rotating capture) with, say, a 96 hour window of calls available. I'm open to hardware and software options.
Right now, I have a server that uses tshark running rotating 1-minute captures, but finding and extracting an individual call out of each of the packet segments and merging them together is a slower and more manual process than I'd like, and I'd like to get our techs direct access to these captures as well.
Thanks,
-- Nelson Hicks Network Operations SOCKET (573) 817-0000 ext. 210 nelsonh at socket.net
--------------------------------------------------------------------------- Peter Beckman Internet Guy beckman at angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
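The part of the question that the tcpdump line above does not answer is the indexing: finding one call across the rotated files by calling/called party and time, and handing a tech a single pcap for it. The following is an added example, not code from either poster, of the "use tshark to find sets of connected data" step done without tshark. It reads the libpcap files that `tcpdump -w /var/log/sip.pcap -C 100 -W 14` produces (usec format, Ethernet link type, IPv4/UDP, one SIP message per datagram), merges them into one index keyed by Call-ID, and writes a per-call pcap. The function names (`build_index`, `find_calls`, `extract_call`), the `pbx.example` addresses and the sample capture are my own inventions; the sample stands in for two rotated files so the merge across a file boundary is exercised.

```python
"""Index SIP datagrams from rotated tcpdump files by Call-ID and extract one call (added
example; assumes libpcap usec format, Ethernet, IPv4/UDP port 5060, one SIP message per datagram)."""
import re
import socket
import struct

PCAP_MAGIC_USEC = 0xa1b2c3d4            # libpcap with microsecond timestamps
GLOBAL_HDR = struct.Struct('<IHHiIII')  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct('<IIII')        # ts_sec, ts_usec, incl_len, orig_len

def iter_records(pcap):
    """Yield (ts_sec, ts_usec, frame) for each record; either byte order of the usec format."""
    order = {PCAP_MAGIC_USEC: '<', 0xd4c3b2a1: '>'}.get(struct.unpack('<I', pcap[:4])[0])
    if order is None or struct.unpack(order + 'I', pcap[20:24])[0] != 1:  # 1 = LINKTYPE_ETHERNET
        raise ValueError('expected a libpcap usec-format Ethernet capture')
    rec, off = struct.Struct(order + 'IIII'), GLOBAL_HDR.size
    while off + rec.size <= len(pcap):
        sec, usec, incl, _orig = rec.unpack_from(pcap, off)
        off += rec.size
        yield sec, usec, pcap[off:off + incl]
        off += incl

def write_pcap(records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) records as a standalone little-endian pcap."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, 1)]
    return b''.join(out + [REC_HDR.pack(s, u, len(f), len(f)) + f for s, u, f in records])

def sip_payload(frame):
    """UDP payload of an Ethernet/IPv4/UDP frame with port 5060 at either end, else None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 17:  # not IPv4 / not UDP
        return None
    udp = 14 + (frame[14] & 0x0f) * 4
    sport, dport, ulen = struct.unpack('!HHH', frame[udp:udp + 6])
    return frame[udp + 8:udp + ulen] if 5060 in (sport, dport) else None

def header(msg, name, compact):
    """First value of a SIP header by long or compact name (RFC 3261: 'i' is Call-ID)."""
    m = re.search(r'^(?:%s|%s)[ \t]*:[ \t]*(.*?)\r?$' % (re.escape(name), compact), msg, re.I | re.M)
    return m.group(1).strip() if m else None

def user_of(addr):
    """User part of a From/To value, e.g. '"A" <sip:1001@pbx.example>;tag=x' -> '1001'."""
    m = re.search(r'sips?:([^@;>]+)', addr or '')
    return m.group(1) if m else None

def build_index(pcaps):
    """Merge all SIP datagrams from the given pcap byte strings (sip.pcap00..13) into one dict
    keyed by Call-ID with caller, callee, first/last timestamp and the raw frames."""
    calls = {}
    for pcap in pcaps:
        for sec, usec, frame in iter_records(pcap):
            payload = sip_payload(frame)
            msg = payload.decode('latin-1') if payload is not None else ''
            cid = header(msg, 'Call-ID', 'i')
            if cid is None:
                continue
            ts = sec + usec / 1e6
            c = calls.setdefault(cid, {'caller': None, 'callee': None, 'start': ts, 'end': ts, 'records': []})
            if msg.startswith('INVITE ') or c['caller'] is None:  # the INVITE's From is the calling party
                c['caller'], c['callee'] = user_of(header(msg, 'From', 'f')), user_of(header(msg, 'To', 't'))
            c['start'], c['end'] = min(c['start'], ts), max(c['end'], ts)
            c['records'].append((sec, usec, frame))
    return calls

def find_calls(calls, caller=None, callee=None, start=None, end=None):
    """Call-IDs whose parties match and whose SIP activity overlaps [start, end] (epoch seconds)."""
    return [cid for cid, c in calls.items()
            if (caller is None or c['caller'] == caller) and (callee is None or c['callee'] == callee)
            and (start is None or c['end'] >= start) and (end is None or c['start'] <= end)]

def extract_call(calls, cid):
    """One call's packets, time-sorted across the rotated files, as a pcap a tech can open directly."""
    return write_pcap(sorted(calls[cid]['records'], key=lambda r: (r[0], r[1])))

def _ip_checksum(hdr):
    s = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xffff)
    return ~(s + (s >> 16)) & 0xffff

def _frame(src, dst, text):
    """Constructed Ethernet/IPv4/UDP frame carrying one SIP message (zero MACs, UDP checksum 0)."""
    payload = text.encode()
    udp = struct.pack('!HHHH', 5060, 5060, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b'\x00' * 12 + b'\x08\x00' + ip[:10] + struct.pack('!H', _ip_checksum(ip)) + ip[12:] + udp

def sample_capture(t0=1427200000):
    """Constructed stand-in for two rotated files: 1001->2002 at t0 and 3003->2002 at t0+300, each
    INVITE / 200 OK / BYE, with the second call's tail spilling over into the next file."""
    def msg(first, method, cid, frm, to):
        return ('%s\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\nFrom: <sip:%s@pbx.example>;tag=a\r\nTo: <sip:%s@pbx.example>'
                '\r\nCall-ID: %s\r\nCSeq: 1 %s\r\nContent-Length: 0\r\n\r\n' % (first, frm, to, cid, method))
    recs = []
    for t, a, b, cid in ((t0, '1001', '2002', 'call-a@10.0.0.1'), (t0 + 300, '3003', '2002', 'call-b@10.0.0.3')):
        recs += [(t, 0, _frame('10.0.0.1', '10.0.0.2', msg('INVITE sip:%s@pbx.example SIP/2.0' % b, 'INVITE', cid, a, b))),
                 (t, 250000, _frame('10.0.0.2', '10.0.0.1', msg('SIP/2.0 200 OK', 'INVITE', cid, a, b))),
                 (t + 60, 0, _frame('10.0.0.2', '10.0.0.1', msg('BYE sip:%s@10.0.0.1 SIP/2.0' % a, 'BYE', cid, b, a)))]
    return [write_pcap(recs[:4]), write_pcap(recs[4:])]
```

Against the real rotation you would feed `build_index` the files in rotation order, e.g. `build_index(open(p, 'rb').read() for p in sorted(glob.glob('/var/log/sip.pcap*')))`, then `find_calls(calls, caller='1001', start=..., end=...)` and `extract_call` for the Call-ID a tech asks about. Two caveats that follow from the capture line itself: the `port 5060` filter keeps only SIP, so the RTP the original question also wants is not in these files (RTP lands on the media ports negotiated in the SDP and needs its own filter or a full capture), and this parser handles SIP over UDP in single IPv4 datagrams only, so SIP over TCP/TLS or fragmented messages would need reassembly, which tshark does and this does not.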