How i can classify sip traffic (voip)?? I try dst 5060 udp port, but dont''work. sip sesion use dynamic port. Sniffing packets with windows net-peeker, I see that packets lenghts is always=87 How i can filter, by packet lenght, with u32? Regards Fabian
On Mar 26 juillet 2005 15:02, Fabian Gervan a écrit :> How i can classify sip traffic (voip)?? > > I try dst 5060 udp port, but dont''work. sip sesion use dynamic port. > > Sniffing packets with windows net-peeker, I see that packets lenghts > is always=87 > How i can filter, by packet lenght, with u32? > > Regards > Fabian > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc >You may want to use l7-filters and mark the packets with iptables. Regards, -- Sylvain Bertrand Paris, FRANCE +33 (0)6 64 43 17 69
Fabian, on IP/UDP header you have the Length field, you can try to match this. Regards, Alessandro Ungaro x-arnie Fabian Gervan wrote:> How i can classify sip traffic (voip)?? > > I try dst 5060 udp port, but dont''work. sip sesion use dynamic port. > > Sniffing packets with windows net-peeker, I see that packets lenghts > is always=87 > How i can filter, by packet lenght, with u32? > > Regards > Fabian > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > >
> Fabian, > > Try adding the following Iptable rule with a filter for the mark value.. > iptables -t mangle -A PREROUTING -p udp -m lenght <length value> -j > MARK --set-mark 1 > > Regards, > Vinod CFabian Gervan wrote:>How i can classify sip traffic (voip)?? > >I try dst 5060 udp port, but dont''work. sip sesion use dynamic port. > >Sniffing packets with windows net-peeker, I see that packets lenghts >is always=87 >How i can filter, by packet lenght, with u32? > >Regards >Fabian >_______________________________________________ >LARTC mailing list >LARTC@mailman.ds9a.nl >http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > > >
SIP uses 5060. What is hard is to classify is the RTP streams since they use pretty much any port. Its best to classify the SIP and RTP traffic at the endpoints and honor the labeled packets through the network. Fabian Gervan wrote:> How i can classify sip traffic (voip)?? > > I try dst 5060 udp port, but dont''work. sip sesion use dynamic port. > > Sniffing packets with windows net-peeker, I see that packets lenghts > is always=87 > How i can filter, by packet lenght, with u32? > > Regards > Fabian > _______________________________________________ > LARTC mailing list > LARTC@mailman.ds9a.nl > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc > >