VoIP, SIP, RTP: Voice over IP, Session Initiation Protocol, Real-time Transport Protocol
data carving layer 7 RTP RTCP SIP VoIP
VoIP SIP RTP
This tutorial shows the capabilities of the plugin voipDetector. It displays troubleshooting information of SIP/RTP/RTCP and is able to carve RTP content.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow voipDetector txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for analyzing VoIP traffic!
voipDetector
This plugin was originally designed for troubleshooting of telco VoIP communication, therefore RTCP is also decoded which provides additional statistics to the basicStats plugin, such as packets lost and maximal jitter reporting.
Data carving with voipDetector
The configuration listed below, allows the user to enable the RTP content save mode, the length of SIP names in the flow structure, the path where RTP content is saved and the default name as a prefix if no file name can be found.
We also added an configurable offset in the payload of RTP, for special purpose applications.
voipDetector
vi src/voipDetector.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VOIP_SIP 2 // > 0 Enable SIP decoder, 2: add RTP / SIP findex/ssrc flow correlation
#define VOIP_SIP_PRV 0 // 1: add srcIP for flow correlation, 2: add srcIP of SIP flow (VOIP_SIP=2)
#define VOIP_RTP 1 // Enable RTP/RTCP decoder
#define VOIP_RTCP 1 // Enable RTCP decoder
#define VOIP_ANALEN 0 // Check reported len against snap payload len
#define VOIP_SAVE 0 // Save RTP content
#define VOIP_BUFMODE 1 // Enable buffering of saved RTP content
#define VOIP_SILREST 1 // Restore back G.711 suppressed silences (require VOIP_SAVE=1)
#define VOIP_PLDOFF 0 // Offset for payload to save (require VOIP_SAVE=1)
#define VOIP_SVFDX 1 // Merge ops: 0: SSRC, 1: findex
#define VOIP_MINPKT 1 // Minimum packet length of a flow (require VOIP_SAVE=1)
#define RTPFMAX 20 // Maximal SSRC files (VOIP_SVFDX == 0)
#define SIPNMMAX 35 // Maximal SIP caller name length
#define SIPSTATMAX 8 // Maximal SIP state requests
#define SIPCLMAX 3 // Maximal SIP state requests name length
#define SIPRFXMAX 100 // Maximal SIP IP addr, m=audio / video ports
//#define SIPADDMAX 100 // Maximal SIP addr
#define NUMCSRCMAX 30 // Max number of CSRC to store
#define RTPBUFSIZE 4096 // Size of buffer for RTP content
#define VOIP_PERM S_IRWXU // File permissions
#define RTPMAXVERS 1 // Maximal # version violations
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define VOIP_RMDIR 1 // Empty VOIP_V_PATH before starting (require VOIP_SAVE=1)
#define VOIP_V_PATH "/tmp/TranVoIP" // Path for raw VoIP
#define VOIP_FNAME "nudel" // Default content file name prefix
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...We leave VOIP_SAVE=2 in order to demonstrate the SIP RTP flow correlation. VOIP_RMDIR=1
as we like t2 to delete the files between experiments to remove clutter. RTCP decoding stays off as there is not much
to troubleshoot in our pcaps and we like to put an emphasis to the data carving capabilities
of t2.
Use t2conf, recompile and engage t2 on the MagicJack pcap with the packet mode.
t2conf voipDetector -D VOIP_SAVE=1 && t2build voipDetector
t2 -s -r ~/data/MagicJack_short_call.pcap -w ~/resultsi================================================================================ Tranalyzer 0.9.4 (Anteater), Cobra. PID: 78369, Prio: 0, SID: 666 ================================================================================ Date: 1751738570.000284997 sec (Sat 05 Jul 2025 20:02:50 CEST) [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.9.4 02: voipDetector, 0.9.4 03: txtSink, 0.9.4 [INF] IPv4 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 7237865 (7.24 M) [INF] IPv6 Ver: 6, Rev: 02072025, Range Mode: 0, subnet ranges loaded: 1419083 (1.42 M) Processing file: /home/user/data/MagicJack_short_call.pcap Link layer type: Ethernet [EN10MB/1] Snapshot length: 65535 (65.53 K) Dump start: 1334245056.670292000 sec (Thu 12 Apr 2012 15:37:36 GMT) Dump stop : 1334245246.895631000 sec (Thu 12 Apr 2012 15:40:46 GMT) Total dump duration: 190.225339000 sec (3m 10s) Finished processing. Elapsed time: 0.001512618 sec Finished unloading flow memory. Time: 0.001643613 sec Percentage completed: 100.00% Number of processed packets: 1381 (1.38 K) Number of processed bytes: 293315 (293.31 K) Number of raw bytes: 293315 (293.31 K) Number of pad bytes: 490 Number of pcap bytes: 315435 (315.44 K) Number of L2 packets: 21 [1.52%] Number of IPv4 packets: 1360 (1.36 K) [98.48%] Number of A packets: 720 [52.14%] Number of B packets: 661 [47.86%] Number of A bytes: 152644 (152.64 K) [52.04%] Number of B bytes: 140671 (140.67 K) [47.96%] <A packet load>: 212.01 <B packet load>: 212.82 -------------------------------------------------------------------------------- voipDetector: Aggregated voipStat=0x03c5 voipDetector: Aggregated sipMethods=0x000e voipDetector: Number of SIP packets: 11 [0.80%] voipDetector: Number of SIP INVITE packets: 2 [18.18%] voipDetector: Number of SIP ACK packets: 2 [18.18%] voipDetector: Number of SIP BYE packets: 1 [9.09%] voipDetector: Number of SDP packets: 4 [0.29%] voipDetector: Number of unique SDP audio address, port: 2 [50.00%] voipDetector: Number of unique SIP/RTP flow matches: 2 voipDetector: Number of RTP packets: 1268 (1.27 K) [91.82%] voipDetector: Max number of file handles: 2 -------------------------------------------------------------------------------- Headers count: min: 2, max: 3, avg: 2.98 Number of ARP packets: 21 [1.52%] Number of ICMP packets: 10 [0.72%] Number of TCP packets: 31 [2.24%] Number of TCP bytes: 4774 (4.77 K) [1.63%] Number of UDP packets: 1319 (1.32 K) [95.51%] Number of UDP bytes: 286559 (286.56 K) [97.70%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 22 Number of processed L2 flows: 7 [31.82%] Number of processed IPv4 flows: 15 [68.18%] Number of processed A flows: 15 [68.18%] Number of processed B flows: 7 [31.82%] Number of request flows: 15 [68.18%] Number of reply flows: 7 [31.82%] Total A/B flow asymmetry: 0.36 Total req/rply flow asymmetry: 0.36 Number of processed A+B packets/A+B flows: 62.77 Number of processed A packets/A flows: 48.00 Number of processed B packets/ B flows: 94.43 Number of processed total packets/s: 7.26 Number of processed A+B packets/s: 7.26 Number of processed A packets/s: 3.78 Number of processed B packets/s: 3.47 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <Number of processed flows/s>: 0.12 <Bandwidth>: 12278 b/s (12.28 Kb/s) <Raw bandwidth>: 12335 b/s (12.34 Kb/s) Max number of flows in memory: 22 [0.01%] Memory usage: 0.03 GB [0.04%] Aggregated flowStat=0x0400000010004044 [INF] Layer 2 flows [INF] IPv4 flows [INF] ARP [INF] SIP/RTP
The end report tells you that RTP, SIP are detected and he found 2 voice comms being written to your /tmp/TranVoIP/ directory.
tawk -V voipStat=0x03c5The voipStat column with value 0x0385 is to be interpreted as follows: bit | voipStat | Description ============================================================================= 0 | 0x0001 | RTP detected 2 | 0x0004 | SIP detected 6 | 0x0040 | SDP detected 7 | 0x0080 | RTP marker 8 | 0x0100 | RTP content write operation 9 | 0x0200 | SIP audio RTP flow announced
Note that there is no RTCP detected, as it is switched off. First look at the flow file, you see the flows labelled as SIP, or RTP, certain SIP, RTP parameters and the names of extracted content.
tawk 'bitsanyset($voipStat,0x0005)' MagicJack_short_call_flows.txt | tcol
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 8 0x0400000000004000 1334245222.765593000 1334245235.575661000 12.810068000 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "!Private network" 49154 216.234.64.16 us "AS-NETZERO" 54550 17 0x0181 0 0x2a173650 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_8_G711u_0_A.raw"
B 8 0x0400000000004001 1334245222.821580000 1334245235.307648000 12.486068000 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us "AS-NETZERO" 54550 192.168.0.10 07 "!Private network" 49154 17 0x0101 0 0x31be1e0e 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_8_G711u_0_B.raw"
A 4 0x0400000000004000 1334245062.390891000 1334245235.625275000 173.234384000 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "!Private network" 59205 216.234.64.8 us "AS-NETZERO" 5070 17 0x0244 0x31be1e0e 0 0 0 0x0006 1 2 "" "" "E646657195201@talk4free.com";"9055551212@talk4free.com" "9055551212@talk4free.com";"E646657195201@talk4free.com" "C5570127C1A6A1ABF7ED9DB9AD608CE00xc" "E646657195201@192.168.0.10:59205" 200 INV;ACK "2209074887" 192.168.0.10 49154 0 0 PCMU/8000;8 PCMA/8000;101 telephone-event/8000;13 CN/8000 8 0 0 0 0 0 ""
B 4 0x0400000000004001 1334245215.755652000 1334245235.514488000 19.758836000 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us "AS-NETZERO" 5070 192.168.0.10 07 "!Private network" 59205 17 0x0244 0x2a173650 0 0 0 0x0008 4 1 "" "" "E646657195201@talk4free.com";"9055551212@talk4free.com" "9055551212@talk4free.com";"E646657195201@talk4free.com" "C5570127C1A6A1ABF7ED9DB9AD608CE00xc" "4165551212@216.234.64.8:5070";"9055551212@216.234.64.8:5070" 100;401;183;200 BYE "819596013" 216.234.64.16 54550 0 0 PCMU/8000;101 telephone-event/8000 8 0 0 0 0 0 ""flow 4 is SIP and the corresponding RTP flow is 8 as you can see in column voipFindex in the SIP flow.
The file name denotes the VoIP ID, type of codec, compression type and the flow number, so that each file
can be linked back to the originating flow and vice versa.
/directory/default name_voipID_flowIndex_A|B_CodecCoding.raw
tawk 'flow(4)' ~/results/MagicJack_short_call_packets.txt| tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
6 4 0x0400000000004000 1334245062.390891000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
15 4 0x0400000000004000 1334245082.389245000 19.998354000 0.000000000 19.998354000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
17 4 0x0400000000004000 1334245102.387733000 19.998488000 0.000000000 39.996842000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
27 4 0x0400000000004000 1334245122.385808000 19.998075000 0.000000000 59.994917000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
28 4 0x0400000000004000 1334245142.384185000 19.998377000 0.000000000 79.993294000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
29 4 0x0400000000004000 1334245162.382649000 19.998464000 0.000000000 99.991758000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
37 4 0x0400000000004000 1334245182.380802000 19.998153000 0.000000000 119.989911000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
38 4 0x0400000000004000 1334245202.379126000 19.998324000 0.000000000 139.988235000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 \r\n
46 4 0x0400000000004000 1334245215.711324000 13.332198000 0.000000000 153.320433000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0044 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
47 4 0x0400000000004001 1334245215.755652000 0.000000000 0.044327936 0.000000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n
48 4 0x0400000000004001 1334245215.769396000 0.013744000 0.058071936 0.013744000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nDate: Thu, 12 Apr 2012 15:40:15 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG0-RG900-EP\r\nWWW-Authenticate: Digest nonce="30da0aed2_12170",realm="stratus.com",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
49 4 0x0400000000004000 1334245215.882668000 0.171344000 0.113272064 153.491777000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 ACK sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 0\r\n\r\n
50 4 0x0400000000004000 1334245215.884964000 0.002296000 0.115568000 153.494073000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0044 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
51 4 0x0400000000004001 1334245215.931983000 0.162587000 0.047019008 0.176331000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Length: 0\r\n\r\n
54 4 0x0400000000004001 1334245222.700515000 6.768532000 6.815551040 6.944863000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0044 SIP/2.0 183 Session Progress\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:4165551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:21 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
925 4 0x0400000000004001 1334245231.438652000 8.738137000 15.553688032 15.683000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0044 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:9055551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nSession-Expires: 600;refresher=uac\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:30 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
953 4 0x0400000000004000 1334245231.720574000 15.835610000 0.281922016 169.329683000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 ACK sip:9055551212@216.234.64.8:5070 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a0521bfbabb4b83043f;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
1324 4 0x0400000000004001 1334245235.514488000 4.075836000 3.793913984 19.758836000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us AS-NETZERO 5070 192.168.0.10 07 !Private network 59205 17 0x0004 BYE sip:E646657195201@206.248.161.77:59205 SIP/2.0\r\nVia: SIP/2.0/UDP 216.234.64.8:5070;branch=z9hG4bK15d8ea400811cc4503BYE30da0aed4f86f75f\r\nMax-Forwards: 35\r\nTo: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nFrom: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1217001 BYE\r\nDate: Thu, 12 Apr 2012 15:40:34 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG900-RG900-EP-CPI15-CPO25791\r\nContent-Length: 0\r\n\r\n
1329 4 0x0400000000004000 1334245235.625275000 3.904701000 0.110787008 173.234384000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 59205 216.234.64.8 us AS-NETZERO 5070 17 0x0004 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 216.234.64.8:5070;branch=z9hG4bK15d8ea400811cc4503BYE30da0aed4f86f75f;received=216.234.64.8\r\nFrom: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nTo: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1217001 BYE\r\nContent-Length: 0\r\nServer: mJ/2.00.632b.11054E4\r\nSupported: replaces,norefersub,timer\r\nX-RTPStat: RX=626;TX=640;ORD=0;DROP=0;MISS=0;INVPT=0;LOST=0;DUP=0;LATE=0;STOP=0;SR=1;LAST=220\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nSimilar info is available in the packet file, were you can also track sequence numbers and IDs. If you look at the SIP flow in the packet file you can follow isequence numbers, SSRC, etc. Really useful in analyzing complicated call schemes.
tawk 'flow(8)' ~/results/MagicJack_short_call_packets.txt| tcol
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
55 8 0x0400000000004000 1334245222.765593000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0081 0 26528 0 0 0x2a173650 ..g.....*.6P.~.~~~~.....~~~~~...~...~}}~.....~~.~}~.....~~}~...~.....~~.~...~}~..~......~}}~.~..~...~~~~....~.~~~~...~..~}}...~....~~~~~..~~....~.~.....~~~~~~.....~~}.~....
57 8 0x0400000000004000 1334245222.795663000 0.030070000 0.000000000 0.030070000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26529 160 160 0x2a173650 ..g.....*.6P.~~..~.~~.....~.~......~~~~~.~~.....~~.~....~~~~~.~...~.~~~~....~..~.}~.~...~~~~~~.~...~~~}~..~..~.~~~~....~....~.....~~~~~~}~.....~.~~~......~~..~~....~.~~~.~.
58 8 0x0400000000004000 1334245222.796902000 0.001239000 0.000000000 0.031309000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26530 320 160 0x2a173650 ..g....@*.6P..~~~~.~~~...~}~.~......~}}~......~~~~~~~~..~~~.~...~~.~~~.~}~~~~..~.~~.......~~~.~....~.~~~...~..~.~~....~....~~...~.....~~~.~~...~~~~.~~...~~~}.~......~.~~~~.
59 8 0x0400000000004001 1334245222.821580000 0.000000000 0.024678016 0.000000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0001 0 18437 1769305803 0 0x31be1e0e ..H.iuv.1..........J8/,,.5B.........Y<1,+,0;V.........D6.,,/8I.........P<3/.07Ci........lG;535:BX.........VF?<=?HV.........mYPNNPXau.................waWOMMOWj.........WH?<<
62 8 0x0400000000004000 1334245222.825426000 0.028524000 0.003845952 0.059833000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26531 480 160 0x2a173650 ..g.....*.6P..~~~~~~......~~~~....~}~~~~~....~..}~~~~...~..~...~....~~.~.~~~~..~~}~~~~..~.}~..~.....~~~~......~~.~...~.....~~..~~....~~~....~..~~~}~...~..~.}.........~~.~..
63 8 0x0400000000004001 1334245222.828270000 0.006690000 0.002844032 0.006690000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18438 1769305963 160 0x31be1e0e ..H.iuwk1...>ET.........ZC:535:Ef........oD70..2;N.........K9/,,.5B.........Z<1,+,0;U.........D6.,,/8H.........Q<3/.07Bg........mG;635:BW.........WG?==?HV.........nZQNNQXau
64 8 0x0400000000004001 1334245222.848215000 0.019945000 0.022788992 0.026635000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18439 1769306123 160 0x31be1e0e ..H.iux\v1....................waVOMLOWj.........WH?<<>ES.........ZC:535:Ed........rD80..2;N.........K9/,,.5A|........[=1,+,0;T.........E6.,,/8H.........R=3/.07Bf........oG;6
65 8 0x0400000000004000 1334245222.855383000 0.029957000 0.007168000 0.089790000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26532 640 160 0x2a173650 ..g.....*.6P.~~.~.~~~..~~|..}~.......~}~.......~~~~~~..~.~~}~~......~~~~.~}~....~....~...~~~~~.~...~}}~~}~~~.........~~~}~..~.....~...}~}~.....~~.~}}....~.~~~~~......~~~...
66 8 0x0400000000004000 1334245222.856587000 0.001204000 0.008372032 0.090994000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26533 800 160 0x2a173650 ..g.... *.6P.}.~~.~.}.~~...~~}~.....}}........~~}~~.~~..~..~........~~}~.....~~~~~.....~~~~~~~...}..~}~.....~.}~.~...~~~..~~......~~~~~.~....~~~~..~....~~~.}}~~...~.~......
67 8 0x0400000000004001 1334245222.868178000 0.019963000 0.011590976 0.046598000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18440 1769306283 160 0x31be1e0e ..H\biux.1...45:BV.........WG?==?HU.........nZQNNQXbu.................x`VOLLNWi.........WH?<<>DR.........[C:535:Dc........uE80..2;M.........K9/,,.4Ay........\\=1,+,0;S.......
68 8 0x0400000000004000 1334245222.885435000 0.028848000 0.017257024 0.119842000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26534 960 160 0x2a173650 ..g.....*.6P~~~~~.~..}~...~~~.......~}~~.....~~~~~~....~}~...~~...~~}....~~..~~~~~~..~~.~.~~...~..~~}}~~....~~~~....~}....~...~..~~~~}~....}.~..~.~....~.}.~~~~~....~.....~.
69 8 0x0400000000004001 1334245222.887884000 0.019706000 0.002449024 0.066304000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18441 1769306443 160 0x31be1e0e ..H\tiuyK1.....E6.,,/7H.........S=4/.07Bd........pH;645:BV.........XG?==?HU.........o[RNORYbu.................x`VOLLNVh.........XH?<<=DR.........[C:534:Da........xE80..2;M..
70 8 0x0400000000004001 1334245222.908335000 0.020451000 0.022899968 0.086755000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us AS-NETZERO 54550 192.168.0.10 07 !Private network 49154 17 0x0101 0 18442 1769306603 160 0x31be1e0e ..H\niuy.1..........L9/,,.4Au........]=1-+,0;R.........F6.,,/7G.........T=4/.07Ac........sH<6459AU.........XH?==@HU.........o[ROORYbt.................y`VNLLNVh.........XH?<;
71 8 0x0400000000004000 1334245222.915332000 0.029897000 0.006996992 0.149739000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 !Private network 49154 216.234.64.16 us AS-NETZERO 54550 17 0x0101 0 26535 1120 160 0x2a173650 ..g....`*.6P.~.~.~..~~}~....~~~....~~}~......~~~.~~...~~~~.~....~~~~~~~...~~}~~......~~~~~~......~~~~}....~}~~~......~}~~........}~~~~.~~.~..~.........~~~.......~........~.
...In order to listen to the content you need to convert to e.g. .wav format.
Note that the encoding format G711. indicates that the raw stream is mu-law compressed.
Just use ffmpeg which does a fine job.
cd /tmp/TranVoIP
ls
nudel_2a173650_8_A_G711u.raw nudel_31be1e0e_8_B_G711u.raw
ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_2a173650_8_A_G711u.raw nudelA.wav
ffmpeg version n4.3.2 Copyright (c) 2000-2021 the FFmpeg developers
...$ ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_666_8_G711u_0_A.raw nudelA.wav … $ ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_31be1e0e_8_B_G711u.raw nudelB.wav … $
ls
nudel_666_8_G711u_0_A.raw nudel_666_8_G711u_0_B.raw nudelA.wav nudelB.wav
If you use a player such as vlc, then in nudelA.wav you hear the caller
and in nudelB.wav the callee.
In order to see some RTCP output, switch switch it on and recompile
t2conf voipDetector -D VOIP_RTCP=1 && t2build voipDetector
Now try this pcap sip_sjphone_conf.pcap
and execute t2 on it including packet mode.
... -------------------------------------------------------------------------------- voipDetector: Aggregated voipStat=0x03c7 voipDetector: Aggregated sipMethods=0x006e voipDetector: Number of SIP packets: 60 [66.67%] voipDetector: Number of SIP INVITE packets: 10 [16.67%] voipDetector: Number of SIP ACK packets: 10 [16.67%] voipDetector: Number of SIP BYE packets: 4 [6.67%] voipDetector: Number of SIP REGISTER packets: 3 [5.00%] voipDetector: Number of SIP OPTIONS packets: 2 [3.33%] voipDetector: Number of SDP packets: 21 [23.33%] voipDetector: Number of unique SDP audio address, port: 12 [57.14%] voipDetector: Number of unique SIP/RTP flow matches: 4 voipDetector: Number of RTP packets: 16 [17.78%] voipDetector: Number of RTCP packets: 14 [15.56%] voipDetector: Max number of file handles: 1 -------------------------------------------------------------------------------- ...
And the end report tells us, there is indeed RTCP and 4 SIP/RTP voice comms with some packet loss. The extracted content is written to the /tmp/TranVoip directory, but as configured the directory is erased before writing.
tawk -V voipStat=0x03c7The voipStat column with value 0x0387 is to be interpreted as follows: bit | voipStat | Description ============================================================================= 0 | 0x0001 | RTP detected 1 | 0x0002 | RTCP detected 2 | 0x0004 | SIP detected 6 | 0x0040 | SDP detected 7 | 0x0080 | RTP marker 8 | 0x0100 | RTP content write operation 9 | 0x0200 | SIP audio RTP flow announced
In the flow file you can spot the SIP/RTP pairs, the extracte sound files and the RTCP flows
tcol sip_sjphone_conf_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 4 0x0400000000004000 1272330640.436538000 1272330640.472347000 0.035809000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13300 10.10.1.159 04 "!Private network" 49152 17 0x0101 0 0x3efeb4de 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_4_G711u_0_A.raw"
B 4 0x0400000000004001 1272330640.468537000 1272330640.547489000 0.078952000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 49152 10.10.3.109 04 "!Private network" 13300 17 0x0181 3 0x81bc2252 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_4_GSM_3_B.raw"
A 5 0x0400000000004000 1272330645.436875000 1272330665.436731000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13301 10.10.1.159 04 "!Private network" 49153 17 0x0002 200;201 0x3efeb4de 1 0 0 0x0000 0 0 "" "" 3 480 0 0 37 ""
A 6 0x0400000000004000 1272330645.455867000 1272330665.455723000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 18933 10.10.1.203 04 "!Private network" 49153 17 0x0002 201 0x41f3bca2 1 0 0 0x0000 0 0 "" "" 0 0 0 0 16 ""
A 9 0x0400000000004000 1272330666.186196000 1272330666.207883000 0.021687000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 49154 10.10.3.109 04 "!Private network" 11128 17 0x8000 0 0 0 0x0000 0 0 "" "" 0 0 0 0 0 ""
A 7 0x0400000000004000 1272330659.729745000 1272330669.382626000 9.652881000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 50030 10.10.3.109 04 "!Private network" 5060 17 0x0244 0 0 0 0x0020 3 1 "Telephone 0.14.3" "" "alice@10.10.3.109";"Aaron@10.10.3.109" "alice@10.10.3.109";"alice@10.10.1.203" "7UsL.UI5KOo0OTW6kIAIgjgiMMSOr9Hk";"0f0789f74e063ed55238d1bc1af6fc59@10" "alice@10.10.1.203:50030" 100;180;200 REG "3481319463" 10.10.1.203 4000 0 0 PCMU/8000;101 telephone-event/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000 0 0 0 0 0 ""
B 7 0x0400000000004001 1272330659.729874000 1272330669.373073000 9.643199000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.203 04 "!Private network" 50030 17 0x0244 0 0 0 0x000e 2 3 "Asterisk PBX" "" "alice@10.10.3.109";"Aaron@10.10.3.109" "alice@10.10.3.109";"alice@10.10.1.203:50030" "7UsL.UI5KOo0OTW6kIAIgjgiMMSOr9Hk";"0f0789f74e063ed55238d1bc1af6fc59@10" "alice@10.10.3.109";"alice@10.10.1.203:50030";"Aaron@10.10.3.109" 100;200 INV;ACK;BYE "8369" 10.10.3.109;10.10.1.159 30552;49154 0;0 0 PCMU/8000;3 GSM/8000;8 PCMA/8000;112 AAL2-G726-32/8000;5 DVI4/8000;10 L16/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000;101 telephone-event/8000 0 0 0 0 0 ""
A 8 0x0400000000004000 1272330666.144994000 1272330669.382632000 3.237638000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 4001 10.10.3.109 04 "!Private network" 30553 17 0x0002 202;0 0x33425619 1 0 0 0x0000 0 0 "" "" 0 0 0 0 0 ""
A 1 0x0400000000004000 1272330627.070062000 1272330670.178186000 43.108124000 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "!Private network" 5060 10.10.3.109 04 "!Private network" 5060 17 0x0244 0x3efeb4de 0 0 0 0x006e 1 5 "" "" "Aaron@10.10.3.109";"aptos@10.10.3.109";"alice@10.10.3.109" "Aaron@10.10.3.109";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" "AA20AC76-1DD1-11B2-8F35-E1DE365F50B";"B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B";"BBE0D896-1DD1-11B2-8F35-E1DE365F50B";"BFDE35BA-1DD1-11B2-8F35-E1DE365F50B" "Aaron@10.10.1.159:5060" 200 REG;INV;ACK;OPT;BYE "3481319437";"3481319463" 10.10.1.159;10.10.1.159 49152;49154 0;0 3 GSM/8000;97 iLBC/8000;98 iLBC/8000;110 speex/8000;8 PCMA/8000;0 PCMU/8000;101 telephone-event/8000 4 0 0 0 0 0 ""
B 1 0x0400000000004001 1272330627.070257000 1272330670.178331000 43.108074000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.159 04 "!Private network" 5060 17 0x0244 0x81bc2252;0x7ddbd928 0 0 0 0x0006 4 2 "Asterisk PBX" "" "Aaron@10.10.3.109";"aptos@10.10.3.109";"alice@10.10.3.109" "Aaron@10.10.3.109";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" "AA20AC76-1DD1-11B2-8F35-E1DE365F50B";"B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B";"BBE0D896-1DD1-11B2-8F35-E1DE365F50B";"BFDE35BA-1DD1-11B2-8F35-E1DE365F50B" "Aaron@10.10.3.109";"Aaron@10.10.1.159:5060";"aptos@10.10.3.109";"10.10.3.109";"alice@10.10.3.109" 100;200;180;183 INV;ACK "8369" 10.10.3.109;10.10.1.203;10.10.3.109;10.10.1.203 13300;49152;11128;4000 0;0;0;0 3 GSM/8000;0 PCMU/8000;8 PCMA/8000;110 speex/8000;97 iLBC/8000;101 telephone-event/8000 4;9 0 0 0 0 0 ""
A 2 0x0400000000004000 1272330633.955796000 1272330670.254882000 36.299086000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 5060 10.10.3.109 04 "!Private network" 5060 17 0x0244 0 0 0 0x0060 3 2 "" "" "aptos@10.10.3.109";"Aaron@10.10.3.109" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"10.10.3.109" "AE3A28FA-1DD1-11B2-A21B-EB0302FB93D";"4da654ff563e88e64845418c304a5a5b@10";"C007E0FE-1DD1-11B2-A21B-EB0302FB93D" "aptos@10.10.1.203:5060" 100;180;200 REG;OPT "3481319438" 10.10.1.203 49152 0 0 PCMU/8000;101 telephone-event/8000;3 GSM/8000 0 0 0 0 0 ""
B 2 0x0400000000004001 1272330633.964017000 1272330670.221160000 36.257143000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 5060 10.10.1.203 04 "!Private network" 5060 17 0x0244 0x2886dfa0 0 0 0 0x000e 2 3 "Asterisk PBX" "" "aptos@10.10.3.109";"Aaron@10.10.3.109" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"10.10.3.109" "AE3A28FA-1DD1-11B2-A21B-EB0302FB93D";"4da654ff563e88e64845418c304a5a5b@10";"C007E0FE-1DD1-11B2-A21B-EB0302FB93D" "aptos@10.10.3.109";"aptos@10.10.1.203:5060";"Aaron@10.10.3.109";"10.10.3.109" 100;200 INV;ACK;BYE "8369" 10.10.3.109;10.10.1.159 18932;49152 0;0 0 PCMU/8000;3 GSM/8000;8 PCMA/8000;112 AAL2-G726-32/8000;5 DVI4/8000;10 L16/8000;7 LPC/8000;97 iLBC/8000;111 G726-32/8000;101 telephone-event/8000 3 0 0 0 0 0 ""
A 3 0x0400000000004000 1272330640.436361000 1272330670.251905000 29.815544000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 49152 10.10.3.109 04 "!Private network" 18932 17 0x1181 0 0x2886dfa0 0 1 0.1666667 0x0000 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_666_3_G711u_0_A.raw"In the flow file you will see that there are many RTCP types being detected, and jitter info was conveyed.
tawk 'bitsanyset($voipStat,0x0002)' ~/results/sip_sjphone_conf_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType vlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSSRC voipCSRC voipSRCnt rtpPMCnt rtpPMr sipMethods sipStatCnt sipReqCnt sipUsrAgnt sipRealIP sipFrom sipTo sipCallID sipContact sipStat sipReq sdpSessID sdpRFAdd sdpRAFPrt sdpRVFPrt sdpRTPMap voipFindex rtcpTPCnt rtcpTBCnt rtcpFracLst rtcpCPMCnt rtcpMaxIAT voipFname
A 5 0x0400000000004000 1272330645.436875000 1272330665.436731000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "!Private network" 13301 10.10.1.159 04 "!Private network" 49153 17 0x0002 200;201 0x3efeb4de 1 0 0 0x0000 0 0 "" "" 3 480 0 0 37 ""
A 6 0x0400000000004000 1272330645.455867000 1272330665.455723000 19.999856000 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "!Private network" 18933 10.10.1.203 04 "!Private network" 49153 17 0x0002 201 0x41f3bca2 1 0 0 0x0000 0 0 "" "" 0 0 0 0 16 ""
A 8 0x0400000000004000 1272330666.144994000 1272330669.382632000 3.237638000 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "!Private network" 4001 10.10.3.109 04 "!Private network" 30553 17 0x0002 202;0 0x33425619 1 0 0 0x0000 0 0 "" ""Similar info is available on a packet basis.
tawk 'bitsanyset($voipStat,0x0002)' ~/results/sip_sjphone_conf_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc vlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipTs voipTsDiff voipSSRC l7Content
35 5 0x0400000000004000 1272330645.436875000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 200;202 0x3efeb4de ...\f>.......o.T,...@.........."R......}....%............>.......
36 6 0x0400000000004000 1272330645.455867000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
37 5 0x0400000000004000 1272330650.436866000 4.999991000 0.000000000 4.999991000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
38 6 0x0400000000004000 1272330650.455831000 4.999964000 0.000000000 4.999964000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
39 5 0x0400000000004000 1272330655.436803000 4.999937000 0.000000000 9.999928000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
40 6 0x0400000000004000 1272330655.455793000 4.999962000 0.000000000 9.999926000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
46 5 0x0400000000004000 1272330660.436770000 4.999967000 0.000000000 14.999895000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%.....\n......>.......
47 6 0x0400000000004000 1272330660.455760000 4.999967000 0.000000000 14.999893000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^..........\n......A.......
56 5 0x0400000000004000 1272330665.436731000 4.999961000 0.000000000 19.999856000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 !Private network 13301 10.10.1.159 04 !Private network 49153 17 0x0002 201;202 0x3efeb4de ....>....."R......}....%............>.......
57 6 0x0400000000004000 1272330665.455723000 4.999963000 0.000000000 19.999856000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 !Private network 18933 10.10.1.203 04 !Private network 49153 17 0x0002 201;202 0x41f3bca2 ....A...(.........^.................A.......
58 8 0x0400000000004000 1272330666.144994000 0.000000000 0.000000000 0.000000000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 202 0x33425619 ....3BV...a45f2@pjbbebb2.org....
63 8 0x0400000000004000 1272330666.155469000 0.010475000 0.000000000 0.010475000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 0x33425619 ....3BV.
75 8 0x0400000000004000 1272330669.372273000 3.216804000 0.000000000 3.227279000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 202 0x33425619 ....3BV...a135a@pj0cdc76.org....
80 8 0x0400000000004000 1272330669.382632000 0.010359000 0.000000000 3.237638000 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 !Private network 4001 10.10.3.109 04 !Private network 30553 17 0x0002 0x33425619 ....3BV.Conclusion
Try also your own traffic.
Don’t forget to reset the voipDetector plugin configuration:
t2conf --reset voipDetector && t2build voipDetector
Have fun!