
What's wrong with pcapsipdump? You can pipe input into that I believe... it's an old tool but it still works. :-)
Nicholas Sten <nicksten at gmail.com> wrote:
Kristian,
Alex has an elegant and inexpensive (read: basically free!) solution that you might want to check out. Here's a brief description (I've culled from a personal email, so I hope I don't misrepresent it)
So I wrote a highly parallelised, multithreaded tool that runs on such a "capture box" and listens to SIP traffic intelligently. It automatically identifies the media ports involved in a call and records both SIP and RTP to distinct capture files in a dated directory hierarchy separated by day and hour. The capture file contains the date, time, ANI, DNIS and Call-ID.
You should give him a shout: Alex Balashov <abalashov at evaristesys.com>
I can vouch for the quality and effectiveness of his solutions.
-N
On Wed, Jun 23, 2010 at 9:02 AM, Kristian Kielhofner <kristian.kielhofner at gmail.com> wrote:
Hello everyone,
Does anyone know of a tool to split PCAP files that is SIP+RTP aware? Ideally I'd be able to record a PCAP file with any number of calls and then have a utility split that file into each separate call? I'm pretty sure I've seen a utility to do this, I just can't remember the name...
Thanks!
-- Kristian Kielhofner http://www.astlinux.org http://blog.krisk.org http://www.star2star.com http://www.submityoursip.com http://www.voalte.com
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

The utility was written by Alex as a replacement for pcapsipdump. pcapsipdump suffers from severe performance and stability problems with any appreciable traffic.
I can vouch that Alex's utility is very stable and efficient, but I do have to take exception to the "inexpensive (read: basically free!)" statement, as the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone, Inc.
Please contact me off-list if you would like to discuss using the utility. I do not believe there is an issue with us releasing the utility "free as in beer", however I am not the one that can authorize such a release. I will have to confirm this with our upper management.
Thanks
Brooks R. Bridges
Telecommunications Manager
Ifbyphone, Inc.
Phone: (847) 983-3000
Fax: (847) 676-6553
bbridges at ifbyphone.com
http://www.ifbyphone.com
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Darren Schreiber Sent: Wednesday, June 23, 2010 11:58 AM To: Nicholas Sten; Kristian Kielhofner Cc: voiceops at voiceops.org Subject: Re: [VoiceOps] Splitting SIP+RTP PCAP files
What's wrong with pcapsipdump? You can pipe input into that I believe... it's an old tool but it still works. :-)

Will it work on data already captured in .pcap files?
On 6/23/2010 12:07 PM, Brooks Bridges wrote:
The utility was written by Alex as a replacement for pcapsipdump. pcapsipdump suffers from severe performance and stability problems with any appreciable traffic.
I can vouch that Alex's utility is very stable and efficient, but I do have to take exception to the "inexpensive (read: basically free!)" statement, as the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone, Inc.
Please contact me off-list if you would like to discuss using the utility. I do not believe there is an issue with us releasing the utility "free as in beer", however I am not the one that can authorize such a release. I will have to confirm this with our upper management.
Thanks
/Brooks R. Bridges/
/Telecommunications Manager/
/Ifbyphone, Inc./
/Phone: (847) 983-3000/
/Fax: (847) 676-6553/
/bbridges at ifbyphone.com/

It does not. We didn't see a need for that, as we use it as a real-time "backlog" of calls for troubleshooting.
Brooks R. Bridges
Telecommunications Manager
Ifbyphone, Inc.
Phone: (847) 983-3000
Fax: (847) 676-6553
bbridges at ifbyphone.com
http://www.ifbyphone.com
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Lee Riemer Sent: Wednesday, June 23, 2010 12:18 PM To: voiceops at voiceops.org Subject: Re: [VoiceOps] Splitting SIP+RTP PCAP files
Will it work on data already captured in .pcap files?

Hello,
With an understanding of Wireshark and/or PCAP file structure and a little Perl magic you can whip up a simple script in less than 100 lines which will pull the exact information you're looking for from existing PCAP files.
As for real-time capturing, I can't speak with any familiarity for Alex's product however I can say that scalability of any solutions for real-time capturing/analysis without any type of ASICs or custom hardware have limited scalability, especially if you're capturing all signalling and media for all call legs for several thousands of simultaneous calls at once in a multi-protocol VoIP environment. We have had to rely on a commercial hardware/software vendor solution in order to capture larger volumes of traffic without loss. You can still pull a decent solution together without a full commercial solution using a special NIC, carefully tuned PCAP filters, and a sufficiently distributed L2 switching network.
Regards,
Justin Randall
Team Leader - VoIP Engineering
Comwave Telecom Inc.
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Brooks Bridges Sent: June-23-10 2:23 PM To: 'Lee Riemer'; voiceops at voiceops.org Subject: Re: [VoiceOps] Splitting SIP+RTP PCAP files
It does not. We didn't see a need for that, as we use it as a real-time "backlog" of calls for troubleshooting.

If you find yourself in that gray area where COTS hardware can't save the day anymore, but you're not looking to spend Empirix money, Endace makes some really good cards on which to develop your own very robust systems:
http://www.endace.com/
-N
On Wed, Jun 23, 2010 at 11:49 AM, Justin Randall <jrandall at comwave.net> wrote:
Hello,
With an understanding of Wireshark and/or PCAP file structure and a little Perl magic you can whip up a simple script in less than 100 lines which will pull the exact information you're looking for from existing PCAP files.
As for real-time capturing, I can't speak with any familiarity for Alex's product however I can say that scalability of any solutions for real-time capturing/analysis without any type of ASICs or custom hardware have limited scalability, especially if you're capturing all signalling and media for all call legs for several thousands of simultaneous calls at once in a multi-protocol VoIP environment. We have had to rely on a commercial hardware/software vendor solution in order to capture larger volumes of traffic without loss. You can still pull a decent solution together without a full commercial solution using a special NIC, carefully tuned PCAP filters, and a sufficiently distributed L2 switching network.
Regards,
Justin Randall
Team Leader - VoIP Engineering
Comwave Telecom Inc.

Pcapsipdump was the tool I needed (this particular situation is pretty low traffic) but this has turned into an interesting discussion...
On the subject of packet capture I've always been impressed with Luca's work on ntop, PF_RING, TNAPI, nprobe, etc:
http://www.ntop.org/TNAPI.html
While I haven't verified the numbers myself it is very interesting work that touches on a lot of technologies at practically every level of commodity hardware (from the C library to the CPU).
On Wed, Jun 23, 2010 at 2:56 PM, Nicholas Sten <nicksten at gmail.com> wrote:
If you find yourself in that gray area where COTS hardware can't save the day anymore, but you're not looking to spend Empirix money, Endace makes some really good cards on which to develop your own very robust systems:
-N
-- Kristian Kielhofner http://www.astlinux.org http://blog.krisk.org http://www.star2star.com http://www.submityoursip.com http://www.voalte.com

On Wed, 23 Jun 2010, Nicholas Sten wrote:
If you find yourself in that gray area where COTS hardware can't save the day anymore, but you're not looking to spend Empirix money, Endace makes some really good cards on which to develop your own very robust systems:
Hardware capture cards really become critical as your traffic grows. With cards like Endace you're able to do hardware level filtering and your software still gets the nice libpcap interface it has been using.
As a bridge gap before you spend the money on hardware capture cards check out PF Ring.
http://www.ntop.org/PF_RING.html
<> Nathan Stratton CTO, BlinkMind, Inc. nathan at robotics.net nathan at blinkmind.com http://www.robotics.net http://www.blinkmind.com

My personal perspective is to emphasize the importance of good programming fundamentals. I cannot emphasise how often I've seen code written for fancy pancy hardware platforms/offboard processors that fails basic CS. Linear lookups instead of hashes or trees, failure to grasp memory fragmentation, unnecessarily heavyweight system calls, that kind of thing. The fast hardware turns out to be necessary just to run something otherwise so defective.
I'm not saying good algorithmic and coding practices will overcome the limitations of COTS hardware when trying to capture and process off 10 Gb interfaces at wire speed or anything like that. But it is amazing how far a little optimization will get you. I get the feeling a lot of folks writing this stuff today learned to program in an era when playing save-the-bytes with limited resources was no longer fashionable or, from certain points of view, necessary, so they approach system programming the way they do Java accounting apps.
On Jun 25, 2010, at 2:51 PM, Nathan Stratton <nathan at robotics.net> wrote:
On Wed, 23 Jun 2010, Nicholas Sten wrote:
If you find yourself in that gray area where COTS hardware can't save the day anymore, but you're not looking to spend Empirix money, Endace makes some really good cards on which to develop your own very robust systems:
Hardware capture cards really become critical as your traffic grows. With cards like Endace you're able to do hardware level filtering and your software still gets the nice libpcap interface it has been using.
As a bridge gap before you spend the money on hardware capture cards check out PF Ring.
http://www.ntop.org/PF_RING.html
<> Nathan Stratton CTO, BlinkMind, Inc. nathan at robotics.net nathan at blinkmind.com http://www.robotics.net http://www.blinkmind.com

...and time.
On 6/23/2010 1:49 PM, Justin Randall wrote:
Hello,
With an understanding of Wireshark and/or PCAP file structure and a little Perl magic you can whip up a simple script in less than 100 lines which will pull the exact information you're looking for from existing PCAP files.
As for real-time capturing, I can't speak with any familiarity for Alex's product however I can say that scalability of any solutions for real-time capturing/analysis without any type of ASICs or custom hardware have limited scalability, especially if you're capturing all signalling and media for all call legs for several thousands of simultaneous calls at once in a multi-protocol VoIP environment. We have had to rely on a commercial hardware/software vendor solution in order to capture larger volumes of traffic without loss. You can still pull a decent solution together without a full commercial solution using a special NIC, carefully tuned PCAP filters, and a sufficiently distributed L2 switching network.
Regards,
Justin Randall
Team Leader - VoIP Engineering
Comwave Telecom Inc.

On 06/23/2010 02:49 PM, Justin Randall wrote:
With an understanding of Wireshark and/or PCAP file structure and a little Perl magic you can whip up a simple script in less than 100 lines which will pull the exact information you're looking for from existing PCAP files.
However, not live traffic.
As for real-time capturing, I can't speak with any familiarity for Alex's product however I can say that scalability of any solutions for real-time capturing/analysis without any type of ASICs or custom hardware have limited scalability, especially if you're capturing all signalling and media for all call legs for several thousands of simultaneous calls at once in a multi-protocol VoIP environment.
Depends on how the capture program is designed. I can tell you for a fact that several thousands of calls at once is not a problem if the process is properly parallelised and lookups are done using efficient data structures (which, of course, has a memory trade-off). Backlog is addressed by proper parallelisation and queueing. This is the insight that makes pcapsipdump such a bad choice; it is single-process, and linear list scans for everything, even the port/IP pairs associated with media packets. It defies CompSci 101.
But yes, there is a limit to what can be accomplished with userspace processes on general purpose operating systems using commodity NICs, without the benefit of additional offboard processing and dedicated hardware. You're not going to pull and analyse a gigabit of VoIP traffic at wire speed or anything like that. There will be I/O limits as well if those captures are being written to disk in real-time. If you need to analyse *that* kind of load and can't partition it out, you are probably in need of a very expensive enterprise product designed for just this.
-- Alex Balashov - Principal Evariste Systems LLC 1170 Peachtree Street 12th Floor, Suite 1200 Atlanta, GA 30309 Tel: +1-678-954-0670 Fax: +1-404-961-1892 Web: http://www.evaristesys.com/
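
The offline splitting Justin Randall describes, using the hash-keyed port/IP lookup Alex Balashov contrasts with linear list scans, as an added example that is not code from the thread or from any tool it names. It assumes a classic little-endian pcap with Ethernet/IPv4/UDP framing and SDP carried in the same datagram as the SIP headers; all addresses, Call-IDs, ports and helper names are constructed for illustration.

```python
import re
import struct
from collections import defaultdict

SIP_START = re.compile(rb"^(?:SIP/2\.0 \d{3} |[A-Z]+ \S+ SIP/2\.0\r\n)")
CALL_ID = re.compile(rb"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", re.I | re.M)
SDP_CONN = re.compile(rb"^c=IN IP4 (\S+)", re.M)
SDP_AUDIO = re.compile(rb"^m=audio (\d+) ", re.M)

def records(pcap):
    """Yield each raw record (16-byte header + frame) of a classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled")
    off = 24
    while off + 16 <= len(pcap):
        end = off + 16 + struct.unpack_from("<I", pcap, off + 8)[0]
        if end > len(pcap):
            return  # truncated final record
        yield pcap[off:end]
        off = end

def parse_udp(frame):
    """Return (src, sport, dst, dport, payload) for Ethernet/IPv4/UDP, else None.
    VLAN tags, IPv6 and IP fragments are not handled."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport, frame[14 + ihl + 8:]

def split_calls(pcap):
    """Return ({call_id: pcap_bytes}, unmatched_packet_count)."""
    media = {}  # (ip, port) -> Call-ID; a dict gives O(1) lookup per media packet
    calls = defaultdict(bytearray)
    unmatched = 0
    for rec in records(pcap):
        udp, call_id = parse_udp(rec[16:]), None
        if udp:
            src, sport, dst, dport, payload = udp
            if SIP_START.match(payload):
                cid = CALL_ID.search(payload)
                conn, audio = SDP_CONN.search(payload), SDP_AUDIO.search(payload)
                if cid:
                    call_id = cid.group(1).decode("ascii", "replace")
                if cid and conn and audio:
                    ip, port = conn.group(1).decode("ascii", "replace"), int(audio.group(1))
                    media[(ip, port)] = call_id      # RTP
                    media[(ip, port + 1)] = call_id  # RTCP conventionally on port + 1
            else:
                # Media carries no Call-ID, so match either endpoint against SDP.
                call_id = media.get((dst, dport)) or media.get((src, sport))
        if call_id is None:
            unmatched += 1
        else:
            calls[call_id] += rec
    return {c: pcap[:24] + bytes(buf) for c, buf in calls.items()}, unmatched

# Everything below builds a constructed sample capture (made-up addresses and IDs).
def udp_frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/UDP frame; checksums are left at zero."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     addr(src), addr(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp

def sip(first_line, call_id, ip, port):
    """Build a SIP message whose SDP body offers one audio stream."""
    sdp = f"v=0\r\nc=IN IP4 {ip}\r\nm=audio {port} RTP/AVP 0\r\n"
    return (f"{first_line}\r\nCall-ID: {call_id}\r\nContent-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}").encode()

def sample_capture():
    """Two calls with RTP plus one unrelated UDP packet."""
    rtp = b"\x80\x00" + bytes(10) + b"\xff" * 160
    ua_a, ua_b, pbx = "10.0.0.1", "10.0.0.2", "10.0.0.9"
    frames = [
        udp_frame(ua_a, 5060, pbx, 5060, sip("INVITE sip:200@example.invalid SIP/2.0", "call-a", ua_a, 20000)),
        udp_frame(pbx, 5060, ua_a, 5060, sip("SIP/2.0 200 OK", "call-a", pbx, 30000)),
        udp_frame(ua_b, 5060, pbx, 5060, sip("INVITE sip:201@example.invalid SIP/2.0", "call-b", ua_b, 20002)),
        udp_frame(ua_a, 20000, pbx, 30000, rtp),
        udp_frame(pbx, 30000, ua_a, 20000, rtp),
        udp_frame(pbx, 30002, ua_b, 20002, rtp),
        udp_frame("10.0.0.5", 53000, "10.0.0.6", 53, b"not-voip"),
    ]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1: Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1277301720 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

if __name__ == "__main__":
    per_call, unmatched = split_calls(sample_capture())
    for cid, data in per_call.items():
        print(cid, sum(1 for _ in records(data)), "packets")
    print("unmatched:", unmatched)
```

Because this is a single pass, media that arrives before the SDP advertising its port lands in the unmatched count; a second pass over those records closes that gap at the cost of buffering them.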

Just to be clear, by "basically free", I meant that his pricing is historically extremely reasonable. That description was from a personal email (as indicated) and I wasn't sure of its commercial availability. While we don't actually have a copy of said utility, his work (again historically speaking) is top notch, but I didn't want to leave anyone with the wrong impression about my original email.
That said, I'll buy you a few beers, Brooks, if you and yours want to push it out there for others to enjoy. :)
On Wed, Jun 23, 2010 at 10:07 AM, Brooks Bridges <bbridges at ifbyphone.com> wrote:
The utility was written by Alex as a replacement for pcapsipdump. pcapsipdump suffers from severe performance and stability problems with any appreciable traffic.
I can vouch that Alex's utility is very stable and efficient, but I do have to take exception to the "inexpensive (read: basically free!)" statement, as the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone, Inc.
Please contact me off-list if you would like to discuss using the utility. I do not believe there is an issue with us releasing the utility "free as in beer", however I am not the one that can authorize such a release. I will have to confirm this with our upper management.
Thanks
*Brooks R. Bridges*
*Telecommunications Manager*
*Ifbyphone, Inc.*
*Phone: (847) 983-3000*
*Fax: (847) 676-6553*
*bbridges at ifbyphone.com*

To everyone that has contacted me about this application, I'm happy to share with you that I have gotten approval from our CEO to release it as a free app, however it will be restricted in some commercial uses (e.g. you can't repackage it and sell it as a product, etc).
Once I have it past the lawyers and their standard "if you install this and it starts world war 3, it's not our fault" disclaimers that will have to be added, I will make a point to get it set up somewhere and post a link on this list and a couple others.
Please be patient. As we all know, lawyers like to take their time so it appears that we're paying all that money for a reason. ;-) Stay tuned!
Brooks R. Bridges Telecommunications Manager Ifbyphone, Inc. Phone: (847) 983-3000 Fax: (847) 676-6553 bbridges at ifbyphone.com http://www.ifbyphone.com
Brooks Bridges wrote:
The utility was written by Alex as a replacement for pcapsipdump. pcapsipdump suffers from severe performance and stability problems with any appreciable traffic.
I can vouch that Alex's utility is very stable and efficient, but I do have to take exception to the "inexpensive (read: basically free!)" statement, as the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone, Inc.
Please contact me off-list if you would like to discuss using the utility. I do not believe there is an issue with us releasing the utility "free as in beer", however I am not the one that can authorize such a release. I will have to confirm this with our upper management.
Thanks
/Brooks R. Bridges/
/Telecommunications Manager/
/Ifbyphone, Inc./
/Phone: (847) 983-3000/
/Fax: (847) 676-6553/
/bbridges at ifbyphone.com/

This is great & thanks!
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Brooks Bridges
Sent: Wednesday, June 23, 2010 8:40 PM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] Splitting SIP+RTP PCAP files
To everyone that has contacted me about this application, I'm happy to share with you that I have gotten approval from our CEO to release it as a free app, however it will be restricted in some commercial uses (e.g. you can't repackage it and sell it as a product, etc).
Once I have it past the lawyers and their standard "if you install this and it starts world war 3, it's not our fault" disclaimers that will have to be added, I will make a point to get it set up somewhere and post a link on this list and a couple others.
Please be patient. As we all know, lawyers like to take their time so it appears that we're paying all that money for a reason. ;-) Stay tuned!
Brooks R. Bridges Telecommunications Manager Ifbyphone, Inc. Phone: (847) 983-3000 Fax: (847) 676-6553 bbridges at ifbyphone.com http://www.ifbyphone.com
Brooks Bridges wrote:
The utility was written by Alex as a replacement for pcapsipdump. pcapsipdump suffers from severe performance and stability problems with any appreciable traffic.
I can vouch that Alex's utility is very stable and efficient, but I do have to take exception to the "inexpensive (read: basically free!)" statement, as the utility is wholly owned (as per work-for-hire agreement) by Ifbyphone, Inc.
Please contact me off-list if you would like to discuss using the utility. I do not believe there is an issue with us releasing the utility "free as in beer", however I am not the one that can authorize such a release. I will have to confirm this with our upper management.
Thanks
Brooks R. Bridges Telecommunications Manager Ifbyphone, Inc.

Awesome. On 6/23/2010 10:39 PM, Brooks Bridges wrote:
To everyone that has contacted me about this application, I'm happy to share with you that I have gotten approval from our CEO to release it as a free app, however it will be restricted in some commercial uses (e.g. you can't repackage it and sell it as a product, etc).
Once I have it past the lawyers and their standard "if you install this and it starts world war 3, it's not our fault" disclaimers that will have to be added, I will make a point to get it set up somewhere and post a link on this list and a couple others.
Please be patient. As we all know, lawyers like to take their time so it appears that we're paying all that money for a reason. ;-) Stay tuned!
Brooks R. Bridges Telecommunications Manager Ifbyphone, Inc. Phone: (847) 983-3000 Fax: (847) 676-6553 bbridges at ifbyphone.com http://www.ifbyphone.com

A few random thoughts on the topic of capture/analysis/forensics....
1. We've found enough interesting SIP packets excluded from wireshark's "voip calls" graph that we only use it as a very rough guide to what might have happened. After all, if UC-1 sends a packet that doesn't match the dialog or transaction identifiers expected by UC-2, that is the packet that will probably kill the call and that is also the packet that will NOT appear to be associated with the call in wireshark's graph. These tools build a subset of reality, and the one interesting packet that you need to see might not be included in that subset. Moreover, you need to allow for the possibility of a defect in the tool's filters.
2. Gulp totally rocks: http://staff.washington.edu/corey/gulp/
C. Since when did the USA play soccer? :)
David
On Wed, Jun 23, 2010 at 10:20 PM, Lee Riemer <lriemer at bestline.net> wrote:
Awesome.
On 6/23/2010 10:39 PM, Brooks Bridges wrote:
To everyone that has contacted me about this application, I'm happy to share with you that I have gotten approval from our CEO to release it as a free app, however it will be restricted in some commercial uses (e.g. you can't repackage it and sell it as a product, etc).
Once I have it past the lawyers and their standard "if you install this and it starts world war 3, it's not our fault" disclaimers that will have to be added, I will make a point to get it set up somewhere and post a link on this list and a couple others.
Please be patient. As we all know, lawyers like to take their time so it appears that we're paying all that money for a reason. ;-) Stay tuned!
Brooks R. Bridges Telecommunications Manager Ifbyphone, Inc. Phone: (847) 983-3000 Fax: (847) 676-6553 bbridges at ifbyphone.com http://www.ifbyphone.com