I want to capture all my Asterisk traffic (including RTP) and then analyse it. My plan was to use tcpdump and then analyse with Wireshark. The following works:

tcpdump -i eth0 -s 0 -w /tmp/tcpdump.1

But I want to be a bit more selective:

tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp and dst port >= 5060

This doesn't capture the RTP traffic. Could anyone advise what I'm doing wrong or suggest a better way?

Thanks
Cameron
I think you want:

tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp dst portrange 5060-65534

dst port port
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).

src port port
    True if the packet has a source port value of port.

port port
    True if either the source or destination port of the packet is port.

dst portrange port1-port2
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value between port1 and port2. port1 and port2 are interpreted in the same fashion as the port parameter for port.

src portrange port1-port2
    True if the packet has a source port value between port1 and port2.

portrange port1-port2
    True if either the source or destination port of the packet is between port1 and port2.

Any of the above port or port range expressions can be prepended with the keywords, tcp or udp, as in:

--------------------------------------------------
Salvatore Giudice
Salvatore.Giudice@VoIPSecurityTraining.com
VoIP Security Training, LLC
http://VoIPSecurityTraining.com
848 N. Rainbow Blvd. #1676
Las Vegas, NV 89107
Phone: (617) 959-7625
Fax: (214) 279-2906
The RTP traffic is not going to be on port 5060, that is the sip only. Check your rtp.conf file in asterisk for the port range used for RTP traffic.

--
Bruce Reeves
Nortex Networks
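Putting the two answers above together (Salvatore's portrange filter and Bruce's pointer to rtp.conf), here is an added shell example that is not from any poster in this thread: it reads rtpstart/rtpend from an rtp.conf path you supply and builds a tcpdump filter that covers SIP plus the whole RTP/RTCP range. The function names, the constructed sample config and the fallback ports are my own assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from any of its posters): derive a
# tcpdump BPF filter that captures SIP signalling plus the RTP/RTCP range
# Asterisk actually uses, read from rtp.conf (rtpstart= / rtpend=).
# Function names, the sample config and the fallback ports are my own.

# build_filter <rtp.conf path> [sip port]
# Prints an expression such as: udp and (port 5060 or portrange 10000-20000)
# Note: the "dst port >= 5060" form from the original post is a syntax
# error; tcpdump only allows >= on header bytes, e.g. "udp[2:2] >= 5060"
# (bytes 2-3 of the UDP header hold the destination port).
build_filter() {
    conf="$1"
    sip_port="${2:-5060}"
    start=$(sed -n 's/^[[:space:]]*rtpstart[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | head -n 1)
    end=$(sed -n 's/^[[:space:]]*rtpend[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | head -n 1)
    # Fall back to the range Asterisk's sample rtp.conf ships with.
    start="${start:-10000}"
    end="${end:-20000}"
    printf 'udp and (port %s or portrange %s-%s)\n' "$sip_port" "$start" "$end"
}

# make_sample_conf: writes a constructed rtp.conf to a temp file, prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[general]
; constructed sample, not a real deployment
rtpstart=10000
rtpend=20000
EOF
    printf '%s\n' "$f"
}

# capture <iface> <rtp.conf> <output prefix>: rotate ten 100 MB files with a
# full snaplen so Wireshark can decode the RTP payloads. Needs root; not
# executed here.
capture() {
    iface="$1"; conf="$2"; out="$3"
    filter=$(build_filter "$conf")
    tcpdump -i "$iface" -s 0 -C 100 -W 10 -w "$out" "$filter"
}
```

Run `capture eth1 /etc/asterisk/rtp.conf /tmp/tcpdump` to start the rotating capture; `tcpdump -d "$(build_filter /etc/asterisk/rtp.conf)"` shows the compiled filter if you want to check it before capturing.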
Wireshark can further filter out what you don't want; you can also pipe the dump to "grep" and match only what you want.
CSB wrote:
> The following works:
> tcpdump -i eth0 -s 0 -w /tmp/tcpdump.1
>
> But I want to be a bit more selective:
> tcpdump -C 100 -W 10 -w /tmp/tcpdump -i eth1 -s 0 udp and dst port >= 5060
>
> This doesn't capture the RTP traffic.

Well, the first thing I notice is that your first tcpdump example is listening on eth0, and the second is listening on eth1. What happens when you do

tcpdump -i eth1 -s 0 -w /tmp/tcpdump.1

Do you see the RTP traffic then?

-Stephen-
> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Joe acquisto
> Sent: Wednesday, May 02, 2007 6:08 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] OT: Capture Asterisk traffic
>
> . . .
> > man tcpdump indicates that I should be able to use >= syntax but it doesn't
> > work as expected. Any further advice appreciated.
> >
> > Cameron
>
> When interested in packets, I usually use ethereal and a 4 port hub, plugging the ethereal and asterisk boxes into the hub and uplink the hub to where the asterisk box plugged into. It does require more hardware and a momentary interruption of communications, but seems more flexible and less intrusive (to asterisk) to me.
>
> joe a.

If you have a halfway decent manageable switch, you can mirror one port to another. Just mirror the I/O of the port that has the interesting traffic to an empty port and hook up your laptop running ethereal to that port. There is no interruption in communications this way and it should be totally invisible to everything.

One caveat: just because a switch can mirror ports does not mean that it won't affect the data. Older Cisco switches have port monitor options but the Packets Per Second (PPS) proved to be a bottleneck (these are 10/100 manageable switches from a couple years ago in my experience). Check the PPS figure in the docs for your switch.

Thanks,
Steve Totaro
http://www.asteriskhelpdesk.com
KB3OPB