Tutorial: Voice over IP (VoIP), Session Initiation Protocol (SIP), Real-time Transport Protocol (RTP)
data carving layer 7 RTP RTCP SIP VoIPVoIP SIP RTP
This tutorial shows the capabilities of the plugin voipDetector. It displays troubleshooting information of SIP/RTP/RTCP and is able to carve RTP content.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow voipDetector txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAP used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for analyzing FTP traffic!
voipDetector
This plugin was originally designed for troubleshooting of telco VoIP communication, therefore RTCP is also decoded which provides additional statistics to the basicStats plugin, such as packets lost and maximal jitter reporting.
Data Carving with voipDetector
The configuration listed below, allows the user to enable the RTP content save mode, the length of SIP names in the flow structure, the path where RTP content is saved and the default name as a prefix if no file name can be found.
We also added an configurable offset in the payload of RTP, for special purpose applications.
voipDetector
vi src/voipDetector.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define VOIP_ANALEN 0 // chk report len against snap payload len
#define VOIP_SAVE 0 // save RTP content
#define VOIP_RMDIR 1 // empty VOIP_V_PATH before starting (require VOIP_SAVE=1)
#define VOIP_PLDOFF 0 // if (VOIP_SAVE) offset for payload to be saved
#define SIPNMMAX 40 // maximal SIP caller name length
#define SIPSTATMAX 6 // maximal SIP state requests
#define SIPCLMAX 3 // maximal SIP state requests name length
#define VOIP_V_PATH "/tmp/TranVoIP/" // Path for raw voip
#define VOIP_FNAME "nudel" // default content file name prefix
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...For now we switch on VOIP_SAVE=1 and keep VOIP_RMDIR=0 as we like t2 to delete the files between experiments to rm clutter. If you like to keep the extracted files switch VOIP_RMDIR=1.
Use t2conf, recompile and engage t2 on the MagicJack pcap with the packet mode.
t2conf voipDetector -D VOIP_SAVE=1 && t2build voipDetector
t2 -r ~/test_data/data/MagicJack+_short_call.pcap -w ~/results/ -s================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 63271 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: voipDetector, 0.8.14 03: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/MagicJack-_short_call.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1334245056.670292 sec (Thu 12 Apr 2012 15:37:36 GMT) Dump stop : 1334245246.895631 sec (Thu 12 Apr 2012 15:40:46 GMT) Total dump duration: 190.225339 sec (3m 10s) Finished processing. Elapsed time: 0.015442 sec Finished unloading flow memory. Time: 0.015711 sec Percentage completed: 100.00% Number of processed packets: 1381 (1.38 K) Number of processed bytes: 293315 (293.31 K) Number of raw bytes: 293315 (293.31 K) Number of pad bytes: 130 Number of pcap bytes: 315435 (315.44 K) Number of IPv4 packets: 1360 (1.36 K) [98.48%] Number of A packets: 720 [52.14%] Number of B packets: 661 [47.86%] Number of A bytes: 152644 (152.64 K) [52.04%] Number of B bytes: 140671 (140.67 K) [47.96%] Average A packet load: 212.01 Average B packet load: 212.82 -------------------------------------------------------------------------------- voipDetector: Aggregated voipStat=0x0185 voipDetector: Max number of file handles: 2 voipDetector: Number of SIP/RTP/RTCP packets: 1287 (1.29 K) [93.19%] -------------------------------------------------------------------------------- Headers count: min: 2, max: 3, average: 2.98 Number of ICMP packets: 10 [0.72%] Number of TCP packets: 31 [2.24%] Number of TCP bytes: 4774 (4.77 K) [1.63%] Number of UDP packets: 1319 (1.32 K) [95.51%] Number of UDP bytes: 286559 (286.56 K) [97.70%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 22 Number of processed A flows: 15 [68.18%] Number of processed B flows: 7 [31.82%] Number of request flows: 15 [68.18%] Number of reply flows: 7 [31.82%] Total A/B flow asymmetry: 0.36 Total req/rply flow asymmetry: 0.36 Number of processed packets/flows: 62.77 Number of processed A packets/flows: 48.00 Number of processed B packets/flows: 94.43 Number of processed total packets/s: 7.26 Number of processed A+B packets/s: 7.26 Number of processed A packets/s: 3.78 Number of processed B packets/s: 3.47 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 0.12 Average full raw bandwidth: 12335 b/s (12.34 Kb/s) Average full bandwidth : 12278 b/s (12.28 Kb/s) Max number of flows in memory: 22 [0.01%] Memory usage: 0.01 GB [0.02%] Aggregated flowStat=0x0400000010004044 [INF] Layer 2 flows [INF] IPv4 flows [INF] ARP [INF] SIP/RTP
The end report tells you that RTP, SIP are detected and he found 2 voice comms being written to your /tmp/TranVoIP/ directory.
tawk -V voipStat=0x0185
The voipStat column with value 0x0185 is to be interpreted as follows:
bit | voipStat | Description
=============================================================================
0 | 0x0001 | RTP detected
2 | 0x0004 | SIP detected
7 | 0x0080 | RTP marker
8 | 0x0100 | RTP content write operation
First look at the flow file, you see the flows labelled as SIP, or RTP, certain SIP, RTP parameters and the names of extracted content.
tcol ~/results/MagicJack+_short_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipTyp voipID voipSRCnt voipPMCnt voipPMr voipSIPStatCnt voipSIPReqCnt voipUsrAgnt voipSIPCID voipSIPStat voipSIPReq voipTPCnt voipTBCnt voipFracLst voipCPMCnt voipMaxIAT voipFname
A 7 0x0000000000000044 1334245104.331341 1334245104.331341 0.000000 1 2 eth:arp 00:0e:53:1c:7e:b2 ff:ff:ff:ff:ff:ff 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 3 0x0000000000000044 1334245061.682774 1334245220.746608 159.063834 1 2 eth:arp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
B 3 0x0000000000000045 1334245061.683269 1334245220.747090 159.063821 1 2 eth:arp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 8 0x0400000000004000 1334245222.765593 1334245235.575661 12.810068 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "Private network" 49154 216.234.64.16 us "Ymax Communications Corp" 54550 17 0x0181 0 0x2a173650 0 0 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_2a173650_8_A_G711u.raw"
B 8 0x0400100000004001 1334245222.821580 1334245235.307648 12.486068 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us "Ymax Communications Corp" 54550 192.168.0.10 07 "Private network" 49154 17 0x0101 0 0x31be1e0e 0 0 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_31be1e0e_8_B_G711u.raw"
A 4 0x0400000000004000 1334245062.390891 1334245235.625275 173.234384 1 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "Private network" 59205 216.234.64.8 us "Ymax Communications Corp" 5070 17 0x0004 0x00000000 0 0 0 1 4 "" "" 200 INV;ACK;INV;ACK 0 0 0 0 0 ""
B 4 0x0400100000004001 1334245215.755652 1334245235.514488 19.758836 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us "Ymax Communications Corp" 5070 192.168.0.10 07 "Private network" 59205 17 0x0004 0x00000000 0 0 0 5 1 "" "9055551212@talk4free.com" 100;401;100;183;200 BYE 0 0 0 0 0 ""
A 1 0x0400000000004000 1334245056.670292 1334245236.655187 179.984895 1 3 eth:ipv4:icmp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 "Private network" 0 192.168.0.1 07 "Private network" 0 1 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
B 1 0x0400000000004001 1334245056.686806 1334245236.671664 179.984858 1 3 eth:ipv4:icmp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 192.168.0.1 07 "Private network" 0 192.168.0.10 07 "Private network" 0 1 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 6 0x0000000000000044 1334245068.782499 1334245241.665789 172.883290 1 2 eth:arp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
B 6 0x0000000000000045 1334245068.782544 1334245241.665836 172.883292 1 2 eth:arp 00:16:ec:e2:0d:f8 68:7f:74:1d:5f:eb 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 5 0x0400000000004000 1334245067.177032 1334245246.583157 179.406125 1 3 eth:ipv4:udp 00:09:6b:bf:ae:7d ff:ff:ff:ff:ff:ff 0x0800 192.168.0.4 07 "Private network" 138 192.168.0.15 07 "Private network" 138 17 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 9 0x0400000000004000 1334245246.582974 1334245246.583443 0.000469 1 3 eth:ipv4:udp 00:16:ec:e2:0d:f8 ff:ff:ff:ff:ff:ff 0x0800 192.168.0.2 07 "Private network" 138 192.168.0.15 07 "Private network" 138 17 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 11 0x0000000000000044 1334245246.604931 1334245246.604931 0.000000 1 2 eth:arp 00:16:ec:e2:0d:f8 ff:ff:ff:ff:ff:ff 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 12 0x0000000000000044 1334245246.604940 1334245246.604940 0.000000 1 2 eth:arp 00:09:6b:bf:ae:7d 00:16:ec:e2:0d:f8 0x0806 - - "-" 0 - - "-" 0 0 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 10 0x0400000000004000 1334245246.604739 1334245246.608019 0.003280 1 3 eth:ipv4:udp 00:09:6b:bf:ae:7d ff:ff:ff:ff:ff:ff 0x0800 192.168.0.4 07 "Private network" 137 192.168.0.15 07 "Private network" 137 17 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 13 0x0400000000004000 1334245246.605043 1334245246.608186 0.003143 1 3 eth:ipv4:udp 00:16:ec:e2:0d:f8 00:09:6b:bf:ae:7d 0x0800 192.168.0.2 07 "Private network" 137 192.168.0.4 07 "Private network" 137 17 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 15 0x0400000000004000 1334245246.608310 1334245246.608310 0.000000 1 3 eth:ipv4:icmp 00:09:6b:bf:ae:7d 00:16:ec:e2:0d:f8 0x0800 192.168.0.4 07 "Private network" 0 192.168.0.2 07 "Private network" 0 1 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
B 15 0x0400000000004001 1334245246.608429 1334245246.608429 0.000000 1 3 eth:ipv4:icmp 00:16:ec:e2:0d:f8 00:09:6b:bf:ae:7d 0x0800 192.168.0.2 07 "Private network" 0 192.168.0.4 07 "Private network" 0 1 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 2 0x0400100000004000 1334245056.687467 1334245246.665263 189.977796 1 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0800 192.168.0.1 07 "Private network" 32772 192.168.0.2 07 "Private network" 2972 17 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
A 14 0x0400000000004000 1334245246.605115 1334245246.895631 0.290516 1 3 eth:ipv4:tcp 00:09:6b:bf:ae:7d 00:16:ec:e2:0d:f8 0x0800 192.168.0.4 07 "Private network" 2139 192.168.0.2 07 "Private network" 139 6 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""
B 14 0x0400000000004001 1334245246.605293 1334245246.745603 0.140310 1 3 eth:ipv4:tcp 00:16:ec:e2:0d:f8 00:09:6b:bf:ae:7d 0x0800 192.168.0.2 07 "Private network" 139 192.168.0.4 07 "Private network" 2139 6 0x0000 0x00000000 0 0 0 0 0 "" "" 0 0 0 0 0 ""The file name coding denotes the VoIP ID, type of codec, compression type and which flow, so that each file can be linked back to the originating flow and vice versa.
/directory/default name_voipID_flowIndex_A|B_CodecCoding.raw
Similar info is available in the packet file, were you can also track sequence numbers and IDs.
tcol ~/results/MagicJack+_short_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipID l7Content
...
44 6 0x0000000000000045 1334245210.507043 28.838831 141.724503 2 eth:arp 00:16:ec:e2:0d:f8 68:7f:74:1d:5f:eb 0x0806 ............\r.....h.t._.......................
45 2 0x0400100000004000 1334245211.522083 5.763982 154.834610 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0800 192.168.0.1 07 Private network 32772 192.168.0.2 07 Private network 2972 17 <12>Apr 12 11:40:10 kernel: DROP IN=ppp0 OUT= MAC= SRC=108.173.102.108 DST=206.248.161.77 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=419 DF PROTO=TCP SPT=64590 DPT=27488 SEQ=3689285428 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405AC01010402) \n
46 4 0x0400000000004000 1334245215.711324 13.332198 153.320435 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 59205 216.234.64.8 us Ymax Communications Corp 5070 17 0x0004 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
47 4 0x0400000000004001 1334245215.755652 0.000000 0.000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us Ymax Communications Corp 5070 192.168.0.10 07 Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n
48 4 0x0400000000004001 1334245215.769396 0.013744 0.013744 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us Ymax Communications Corp 5070 192.168.0.10 07 Private network 59205 17 0x0004 SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 INVITE\r\nDate: Thu, 12 Apr 2012 15:40:15 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG0-RG900-EP\r\nWWW-Authenticate: Digest nonce="30da0aed2_12170",realm="stratus.com",algorithm=MD5\r\nContent-Length: 0\r\n\r\n
49 4 0x0400000000004000 1334245215.882668 0.171344 153.491776 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 59205 216.234.64.8 us Ymax Communications Corp 5070 17 0x0004 ACK sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052181bc3f7ea3253c;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 1 ACK\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nContent-Length: 0\r\n\r\n
50 4 0x0400000000004000 1334245215.884964 0.002296 153.494080 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 59205 216.234.64.8 us Ymax Communications Corp 5070 17 0x0004 INVITE sip:9055551212@talk4free.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport\r\nFrom: "unknown" <sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nTo: <sip:9055551212@talk4free.com>\r\nContact: <sip:E646657195201@192.168.0.10:59205>\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nMax-Forwards: 70\r\nUser-Agent: mJ/2.00.632b.11054E4\r\nAuthorization: Digest username="E646657195201",realm="stratus.com",nonce="30da0aed2_12170",uri="sip:9055551212@talk4free.com",response="329e0b8a19bad6f3098c21cd11ec7979",algorithm=MD5\r\nContent-Length: 307\r\nContent-Type: application/sdp\r\nMin-SE: 90\r\nSession-Expires: 600;refresher=uac\r\nSupported: replaces,norefersub,timer\r\nX-NATType: bPrUmtdEXuiRekQWte1LXTKJ3VNrFPndz3Ft8rPs5TPM7DDT5Nxsa+bhj/YTWmRM\r\n\r\nv=0\r\no=- 2209074887 2209074887 IN IP4 192.168.0.10\r\ns=SJphone\r\nc=IN IP4 192.168.0.10\r\nt=0 0\r\nm=audio 49154 RTP/AVP 0 8 101 13\r\nc=IN IP4 192.168.0.10\r\na=ptime:30\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=rtpmap:13 CN/8000\r\na=setup:active\r\na=sendrecv\r\n
51 4 0x0400100000004001 1334245215.931983 0.162587 0.176331 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us Ymax Communications Corp 5070 192.168.0.10 07 Private network 59205 17 0x0004 SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nTo: <sip:9055551212@talk4free.com>\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Length: 0\r\n\r\n
52 3 0x0000000000000044 1334245220.746608 39.078480 159.063828 2 eth:arp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0806 ........h.t._..............\n...............m..
53 3 0x0000000000000045 1334245220.747090 39.078465 159.063828 2 eth:arp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0806 ........l3.aM....\nh.t._....................m..
54 4 0x0400100000004001 1334245222.700515 6.768532 6.944863 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.8 us Ymax Communications Corp 5070 192.168.0.10 07 Private network 59205 17 0x0004 SIP/2.0 183 Session Progress\r\nVia: SIP/2.0/UDP 192.168.0.10:59205;branch=z9hG4bKc0a8000a052182706faf2cbf3d;rport=59205;received=206.248.161.77\r\nContact: <sip:4165551212@216.234.64.8:5070>\r\nTo: <sip:9055551212@talk4free.com>;tag=30da0aed-co12170-INS015\r\nFrom: "unknown"<sip:E646657195201@talk4free.com>;tag=2afc8c735218176\r\nCall-ID: C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a\r\nCSeq: 2 INVITE\r\nContent-Type: application/sdp\r\nDate: Thu, 12 Apr 2012 15:40:21 GMT\r\nUser-Agent: ENSR3.2.21.22-IS15-RMRG5002-RG900-EP-CPI15-CPO25791\r\nContent-Length: 236\r\nX-Number-Type: 9055551212;type=off-net\r\n\r\nv=0\r\no=- 819596013 819596013 IN IP4 216.234.64.8\r\ns=ENSResip\r\nc=IN IP4 216.234.64.16\r\nt=0 0\r\nm=audio 54550 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11\r\na=ptime:20\r\na=setup:active\r\na=sendrecv\r\n
55 8 0x0400000000004000 1334245222.765593 0.000000 0.000000 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0081 0 26528 0x2a173650 ..g.....*.6P.~.~~~~.....~~~~~...~...~}}~.....~~.~}~.....~~}~...~.....~~.~...~}~..~......~}}~.~..~...~~~~....~.~~~~...~..~}}...~....~~~~~..~~....~.~.....~~~~~~.....~~}.~....
56 2 0x0400100000004000 1334245222.779378 11.257295 166.091904 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0800 192.168.0.1 07 Private network 32772 192.168.0.2 07 Private network 2972 17 <12>Apr 12 11:40:21 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11188 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
57 8 0x0400000000004000 1334245222.795663 0.030070 0.030070 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26529 0x2a173650 ..g.....*.6P.~~..~.~~.....~.~......~~~~~.~~.....~~.~....~~~~~.~...~.~~~~....~..~.}~.~...~~~~~~.~...~~~}~..~..~.~~~~....~....~.....~~~~~~}~.....~.~~~......~~..~~....~.~~~.~.
58 8 0x0400000000004000 1334245222.796902 0.001239 0.031309 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26530 0x2a173650 ..g....@*.6P..~~~~.~~~...~}~.~......~}}~......~~~~~~~~..~~~.~...~~.~~~.~}~~~~..~.~~.......~~~.~....~.~~~...~..~.~~....~....~~...~.....~~~.~~...~~~~.~~...~~~}.~......~.~~~~.
59 8 0x0400000000004001 1334245222.821580 0.000000 0.000000 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0001 0 18437 0x31be1e0e ..H.iuv.1..........J8/,,.5B.........Y<1,+,0;V.........D6.,,/8I.........P<3/.07Ci........lG;535:BX.........VF?<=?HV.........mYPNNPXau.................waWOMMOWj.........WH?<<
60 2 0x0400100000004000 1334245222.822292 0.042914 166.134827 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0800 192.168.0.1 07 Private network 32772 192.168.0.2 07 Private network 2972 17 <12>Apr 12 11:40:22 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11189 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
61 2 0x0400100000004000 1334245222.822473 0.000181 166.135010 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 00:16:ec:e2:0d:f8 0x0800 192.168.0.1 07 Private network 32772 192.168.0.2 07 Private network 2972 17 <12>Apr 12 11:40:22 kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.0.10 DST=216.234.64.16 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=11190 PROTO=UDP SPT=49154 DPT=54550 LEN=180 \n
62 8 0x0400000000004000 1334245222.825426 0.028524 0.059833 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26531 0x2a173650 ..g.....*.6P..~~~~~~......~~~~....~}~~~~~....~..}~~~~...~..~...~....~~.~.~~~~..~~}~~~~..~.}~..~.....~~~~......~~.~...~.....~~..~~....~~~....~..~~~}~...~..~.}.........~~.~..
63 8 0x0400000000004001 1334245222.828270 0.006690 0.006690 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18438 0x31be1e0e ..H.iuwk1...>ET.........ZC:535:Ef........oD70..2;N.........K9/,,.5B.........Z<1,+,0;U.........D6.,,/8H.........Q<3/.07Bg........mG;635:BW.........WG?==?HV.........nZQNNQXau
64 8 0x0400100000004001 1334245222.848215 0.019945 0.026635 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18439 0x31be1e0e ..H.iux.1....................waVOMLOWj.........WH?<<>ES.........ZC:535:Ed........rD80..2;N.........K9/,,.5A|........[=1,+,0;T.........E6.,,/8H.........R=3/.07Bf........oG;6
65 8 0x0400000000004000 1334245222.855383 0.029957 0.089790 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26532 0x2a173650 ..g.....*.6P.~~.~.~~~..~~|..}~.......~}~.......~~~~~~..~.~~}~~......~~~~.~}~....~....~...~~~~~.~...~}}~~}~~~.........~~~}~..~.....~...}~}~.....~~.~}}....~.~~~~~......~~~...
66 8 0x0400000000004000 1334245222.856587 0.001204 0.090994 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26533 0x2a173650 ..g.... *.6P.}.~~.~.}.~~...~~}~.....}}........~~}~~.~~..~..~........~~}~.....~~~~~.....~~~~~~~...}..~}~.....~.}~.~...~~~..~~......~~~~~.~....~~~~..~....~~~.}}~~...~.~......
67 8 0x0400100000004001 1334245222.868178 0.019963 0.046598 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18440 0x31be1e0e ..H.iux.1...45:BV.........WG?==?HU.........nZQNNQXbu.................x`VOLLNWi.........WH?<<>DR.........[C:535:Dc........uE80..2;M.........K9/,,.4Ay........\=1,+,0;S.......
68 8 0x0400000000004000 1334245222.885435 0.028848 0.119842 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26534 0x2a173650 ..g.....*.6P~~~~~.~..}~...~~~.......~}~~.....~~~~~~....~}~...~~...~~}....~~..~~~~~~..~~.~.~~...~..~~}}~~....~~~~....~}....~...~..~~~~}~....}.~..~.~....~.}.~~~~~....~.....~.
69 8 0x0400100000004001 1334245222.887884 0.019706 0.066304 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18441 0x31be1e0e ..H\tiuyK1.....E6.,,/7H.........S=4/.07Bd........pH;645:BV.........XG?==?HU.........o[RNORYbu.................x`VOLLNVh.........XH?<<=DR.........[C:534:Da........xE80..2;M..
70 8 0x0400100000004001 1334245222.908335 0.020451 0.086755 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18442 0x31be1e0e ..H\niuy.1..........L9/,,.4Au........]=1-+,0;R.........F6.,,/7G.........T=4/.07Ac........sH<6459AU.........XH?==@HU.........o[ROORYbt.................y`VNLLNVh.........XH?<;
71 8 0x0400000000004000 1334245222.915332 0.029897 0.149739 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26535 0x2a173650 ..g....`*.6P.~.~.~..~~}~....~~~....~~}~......~~~.~~...~~~~.~....~~~~~~~...~~}~~......~~~~~~......~~~~}....~}~~~......~}~~........}~~~~.~~.~..~.........~~~.......~........~.
72 8 0x0400000000004000 1334245222.916573 0.001241 0.150980 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26536 0x2a173650 ..g.....*.6P~~~}.~..~~~~~...~.....~~~}~....~~~~~}~....~}..~~....~~..~~}....~.~~.~~....}~~|......~~.~~}.....~}}~......}~~...~....~~~~.....~~~.~~....~..~~~....~~~~~........~~
73 8 0x0400100000004001 1334245222.927796 0.019461 0.106216 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18443 0x31be1e0e ..H.iuz.1...=DQ.........\D:5349C`........{E80..2:L.........L9/,,.4@q........^=2-+,0:Q.........F7/,,/7G.........U=4/.07Aa........vI<6459AU.........YH?==@HU}........p[SOORYbt
74 8 0x0400000000004000 1334245222.945426 0.028853 0.179833 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26537 0x2a173650 ..g.....*.6P~~~.....}}}~....~.~..~}.~~.~...~..~......~~~~~.~~..~.~~~......~.~..~.....~~~~....~~..~~.~~.....~~~~......~~}.~......~~~~~~....~~.~.~~...~~~~~~.~~}~...~~....~..~
75 8 0x0400100000004001 1334245222.947757 0.019961 0.126177 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18444 0x31be1e0e ..H.iu{+1..........~.........y`VNLKNUg.........XH?<;=CP.........]D:5249C_.........F80..1:L.........M9/,,.4@n........_=2-+,/:P.........G7/,,/7F.........V=4/.07A_........yI<6
76 8 0x0400100000004001 1334245222.967973 0.020216 0.146393 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18445 0x31be1e0e ..H\riu{.1...459AT.........YH?==@HU|........r\SOOSYct.......~.........y`UNKKMUf.........XH?<;=CP.........]D:5249C^.........F80..1:K.........M:/,,-4?l........`>2-+,/:O.......
77 8 0x0400000000004000 1334245222.975446 0.030020 0.209853 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26538 0x2a173650 ..g....@*.6P.~.~....~~~~~~~~.....~~~~}.....~..~~.~..~..~~~}....~~}..~.......~~.~......~~~~.~~..~~~.~~~~~....~.~~.~...~}}}..~~....~~~~.~...|..~........~~~~~~~...}}~..~~.....
78 8 0x0400000000004000 1334245222.976670 0.001224 0.211077 3 eth:ipv4:udp 6c:33:a9:61:4d:17 68:7f:74:1d:5f:eb 0x0800 192.168.0.10 07 Private network 49154 216.234.64.16 us Ymax Communications Corp 54550 17 0x0181 0 26539 0x2a173650 ..g.....*.6P~~~~....~~.~~...~..~...~}.......~~.~.~.....~}~~.~...~}~}........~..~....~.~.}~~~~..~~}~~}}~....~~}~~...~~~~.~.......~~~}~}..~~..~.~~...~..~~~.}}~~.....~......~~
79 8 0x0400100000004001 1334245222.988158 0.020185 0.166578 3 eth:ipv4:udp 68:7f:74:1d:5f:eb 6c:33:a9:61:4d:17 0x0800 216.234.64.16 us Ymax Communications Corp 54550 192.168.0.10 07 Private network 49154 17 0x0101 0 18446 0x31be1e0e ..H.iu|k1.....G7/,,/7F.........W>4/.06A_........|I<6459AT.........ZI@==@HTz........s\TOOSZct.......}.........z`UNKKMTe.........YH?<;=CO.........^D:4249B].........F80..1:K..
...In order to listen to the content you need to convert to e.g. .wav format. Note that the encoding format G711. indicates that the raw stream is mu-law compressed. Just use ffmpeg which does a fine job.
cd /tmp/TranVoIP
ls
nudel_2a173650_8_A_G711u.raw nudel_31be1e0e_8_B_G711u.raw
ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_2a173650_8_A_G711u.raw nudelA.wav
ffmpeg version n4.3.2 Copyright (c) 2000-2021 the FFmpeg developers
...ffmpeg -f mulaw -ar 8k -ac 1 -i nudel_31be1e0e_8_B_G711u.raw nudelB.wav
ls
nudel_2a173650_8_A_G711u.raw nudel_31be1e0e_8_B_G711u.raw nudelA.wav nudelB.wav
If you use a player such as vlc, then in nudelA.wav you hear the caller and in nudelB.wav the callee.
In order to see some RTCP output, try this pcap sip_sjphone_conf.pcap and execute t2 on it including packet mode.
================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 63357 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 Active plugins: 01: basicFlow, 0.8.14 02: voipDetector, 0.8.14 03: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/sip_sjphone_conf.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1272330627.070062 sec (Tue 27 Apr 2010 01:10:27 GMT) Dump stop : 1272330670.254882 sec (Tue 27 Apr 2010 01:11:10 GMT) Total dump duration: 43.184820 sec Finished processing. Elapsed time: 0.002087 sec Finished unloading flow memory. Time: 0.002292 sec Percentage completed: 100.00% Number of processed packets: 90 Number of processed bytes: 39025 (39.02 K) Number of raw bytes: 39025 (39.02 K) Number of pad bytes: 20 Number of pcap bytes: 40489 (40.49 K) Number of IPv4 packets: 90 [100.00%] Number of A packets: 50 [55.56%] Number of B packets: 40 [44.44%] Number of A bytes: 17146 (17.15 K) [43.94%] Number of B bytes: 21879 (21.88 K) [56.06%] Average A packet load: 342.92 Average B packet load: 546.98 -------------------------------------------------------------------------------- voipDetector: Aggregated voipStat=0x1187 voipDetector: Max number of file handles: 4 voipDetector: Number of SIP/RTP/RTCP packets: 90 [100.00%] -------------------------------------------------------------------------------- Headers count: min: 3, max: 3, average: 3.00 Number of UDP packets: 90 [100.00%] Number of UDP bytes: 39025 (39.02 K) [100.00%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 13 Number of processed A flows: 9 [69.23%] Number of processed B flows: 4 [30.77%] Number of request flows: 9 [69.23%] Number of reply flows: 4 [30.77%] Total A/B flow asymmetry: 0.38 Total req/rply flow asymmetry: 0.38 Number of processed packets/flows: 6.92 Number of processed A packets/flows: 5.56 Number of processed B packets/flows: 10.00 Number of processed total packets/s: 2.08 Number of processed A+B packets/s: 2.08 Number of processed A packets/s: 1.16 Number of processed B packets/s: 0.93 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 0.30 Average full raw bandwidth: 7229 b/s (7.23 Kb/s) Average full bandwidth : 7226 b/s (7.22 Kb/s) Max number of flows in memory: 13 [0.00%] Memory usage: 0.01 GB [0.02%] Aggregated flowStat=0x0400000010004000 [INF] IPv4 flows [INF] SIP/RTP
And the end report tells us, there is indeed RTCP and 4 voice comms with some packet loss. The extracted content is written to the /tmp/TranVoip directory, but as configured the directory is erased before writing.
tawk -V voipStat=0x1187The voipStat column with value 0x1187 is to be interpreted as follows: bit | voipStat | Description ============================================================================= 0 | 0x0001 | RTP detected 1 | 0x0002 | RTCP detected 2 | 0x0004 | SIP detected 7 | 0x0080 | RTP marker 8 | 0x0100 | RTP content write operation 12 | 0x1000 | RTP packet loss detected
In the flow file you will see that there are many RTCP types being detected, and jitter info was conveyed.
tcol ~/results/sip_sjphone_conf_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipTyp voipID voipSRCnt voipPMCnt voipPMr voipSIPStatCnt voipSIPReqCnt voipUsrAgnt voipSIPCID voipSIPStat voipSIPReq voipTPCnt voipTBCnt voipFracLst voipCPMCnt voipMaxIAT voipFname
A 4 0x0400100000004000 1272330640.436538 1272330640.472347 0.035809 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "Private network" 13300 10.10.1.159 04 "Private network" 49152 17 0x0101 0 0x3efeb4de 0 0 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_3efeb4de_4_A_G711u.raw"
B 4 0x0400000000004001 1272330640.468537 1272330640.547489 0.078952 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "Private network" 49152 10.10.3.109 04 "Private network" 13300 17 0x0181 3 0x81bc2252 0 0 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_81bc2252_4_B_GSM.raw"
A 5 0x0400100000004000 1272330645.436875 1272330665.436731 19.999856 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "Private network" 13301 10.10.1.159 04 "Private network" 49153 17 0x0002 200;202 0x3efeb4de 1 0 0 0 0 "" "" 3 480 0 0 37 ""
A 6 0x0400100000004000 1272330645.455867 1272330665.455723 19.999856 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "Private network" 18933 10.10.1.203 04 "Private network" 49153 17 0x0002 201;202 0x41f3bca2 1 0 0 0 0 "" "" 0 0 0 0 16 ""
A 9 0x0400000000004000 1272330666.186196 1272330666.207883 0.021687 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "Private network" 49154 10.10.3.109 04 "Private network" 11128 17 0x0181 3 0x7ddbd928 0 0 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_7ddbd928_9_A_GSM.raw"
A 7 0x0400000000004000 1272330659.729745 1272330669.382626 9.652881 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "Private network" 50030 10.10.3.109 04 "Private network" 5060 17 0x0004 0x00000000 0 0 0 6 1 "" "alice@10.10.3.109" 100;180;200;200;200;200 REG 0 0 0 0 0 ""
B 7 0x0400000000004001 1272330659.729874 1272330669.373073 9.643199 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "Private network" 5060 10.10.1.203 04 "Private network" 50030 17 0x0004 0x00000000 0 0 0 2 6 "" "alice@10.10.3.109" 100;200 INV;ACK;INV;ACK;INV;ACK 0 0 0 0 0 ""
A 8 0x0400000000004000 1272330666.144994 1272330669.382632 3.237638 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "Private network" 4001 10.10.3.109 04 "Private network" 30553 17 0x0002 202;203 0x33425619 1 0 0 0 0 "" "" 0 0 0 0 0 ""
A 1 0x0400000000004000 1272330627.070062 1272330670.178186 43.108124 1 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 "Private network" 5060 10.10.3.109 04 "Private network" 5060 17 0x0004 0x00000000 0 0 0 2 6 "" "Aaron@10.10.3.109" 200;200 REG;INV;ACK;OPT;INV;ACK 0 0 0 0 0 ""
B 1 0x0400000000004001 1272330627.070257 1272330670.178331 43.108074 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 "Private network" 5060 10.10.1.159 04 "Private network" 5060 17 0x0004 0x00000000 0 0 0 6 4 "" "Aaron@10.10.3.109" 100;200;100;180;183;200 INV;ACK;INV;ACK 0 0 0 0 0 ""
A 2 0x0400000000004000 1272330633.955796 1272330670.254882 36.299086 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "Private network" 5060 10.10.3.109 04 "Private network" 5060 17 0x0004 0x00000000 0 0 0 6 2 "" "aptos@10.10.3.109" 100;180;200;200;200;200 REG;OPT 0 0 0 0 0 ""
B 2 0x0400000000004001 1272330633.964017 1272330670.221160 36.257143 1 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 "Private network" 5060 10.10.1.203 04 "Private network" 5060 17 0x0004 0x00000000 0 0 0 3 6 "" "aptos@10.10.3.109" 100;200;200 INV;ACK;INV;ACK;INV;ACK 0 0 0 0 0 ""
A 3 0x0400000000004000 1272330640.436361 1272330670.251905 29.815544 1 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 "Private network" 49152 10.10.3.109 04 "Private network" 18932 17 0x1181 0 0x2886dfa0 0 1 0 0 0 "" "" 0 0 0 0 0 "/tmp/TranVoIP/nudel_2886dfa0_3_A_G711u.raw"Similar info is available on a packet basis.
tcol ~/results/sip_sjphone_conf_packets.txt
%pktNo flowInd flowStat time pktIAT flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto voipStat voipType voipSeqN voipID l7Content
...
26 4 0x0400000000004001 1272330640.511952 0.023427 0.043415 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 Private network 49152 10.10.3.109 04 Private network 13300 17 0x0181 3 32179 0x81bc2252 ..}....@.."R..d.....=m.....;.......sH......g"
27 1 0x0400000000004000 1272330640.526424 2.534303 13.456362 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 Private network 5060 10.10.3.109 04 Private network 5060 17 0x0004 ACK sip:aptos@10.10.3.109 SIP/2.0\r\nVia: SIP/2.0/UDP 10.10.1.159;rport;branch=z9hG4bK0a0a019f000000184bd639902fc4a3ef00000009\r\nContent-Length: 0\r\nCall-ID: B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B8@10.10.1.159\r\nCSeq: 1 ACK\r\nFrom: "unknown"<sip:Aaron@10.10.3.109>;tag=1020318343398661549\r\nMax-Forwards: 70\r\nTo: <sip:aptos@10.10.3.109>;tag=as609c9373\r\nUser-Agent: SJphone/1.60.299a/L (SJ Labs)\r\n\r\n
28 4 0x0400000000004001 1272330640.526430 0.014478 0.057893 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 Private network 49152 10.10.3.109 04 Private network 13300 17 0x0181 3 32180 0x81bc2252 ..}......."R.id... ...J......2............q9%
29 1 0x0400000000004001 1272330640.526519 0.086535 13.456262 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 Private network 5060 10.10.1.159 04 Private network 5060 17 0x0004 INVITE sip:Aaron@10.10.1.159:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.10.3.109:5060;branch=z9hG4bK54699aaa;rport\r\nFrom: <sip:aptos@10.10.3.109>;tag=as609c9373\r\nTo: "unknown"<sip:Aaron@10.10.3.109>;tag=1020318343398661549\r\nContact: <sip:aptos@10.10.3.109>\r\nCall-ID: B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B8@10.10.1.159\r\nCSeq: 102 INVITE\r\nUser-Agent: Asterisk PBX\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nSupported: replaces\r\nContent-Type: application/sdp\r\nContent-Length: 236\r\n\r\nv=0\r\no=root 8369 8371 IN IP4 10.10.1.203\r\ns=session\r\nc=IN IP4 10.10.1.203\r\nt=0 0\r\nm=audio 49152 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\na=ptime:20\r\na=sendrecv\r\n
30 2 0x0400000000004000 1272330640.529086 0.089419 6.573290 3 eth:ipv4:udp 00:16:cb:ab:a2:2b 00:19:b9:f7:4b:02 0x0800 10.10.1.203 04 Private network 5060 10.10.3.109 04 Private network 5060 17 0x0004 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.10.3.109:5060;rport=5060;received=10.10.3.109;branch=z9hG4bK24bf4caf\r\nContent-Length: 217\r\nContact: <sip:aptos@10.10.1.203:5060>\r\nCall-ID: 4da654ff563e88e64845418c304a5a5b@10.10.3.109\r\nContent-Type: application/sdp\r\nCSeq: 103 INVITE\r\nFrom: "Aaron"<sip:Aaron@10.10.3.109>;tag=as657066cb\r\nServer: SJphone/1.60.299a/L (SJ Labs)\r\nTo: "unknown"<sip:aptos@10.10.1.203:5060>;tag=10203183971857523383\r\n\r\nv=0\r\no=- 3481319438 3481319438 IN IP4 10.10.1.203\r\ns=SJphone\r\nc=IN IP4 10.10.1.203\r\nt=0 0\r\na=direction:active\r\nm=audio 49152 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11,16\r\n
31 2 0x0400000000004001 1272330640.529186 0.089136 6.565169 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 Private network 5060 10.10.1.203 04 Private network 5060 17 0x0004 ACK sip:aptos@10.10.1.203:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.10.3.109:5060;branch=z9hG4bK0509c90c;rport\r\nFrom: "Aaron" <sip:Aaron@10.10.3.109>;tag=as657066cb\r\nTo: <sip:aptos@10.10.1.203:5060>;tag=10203183971857523383\r\nContact: <sip:Aaron@10.10.3.109>\r\nCall-ID: 4da654ff563e88e64845418c304a5a5b@10.10.3.109\r\nCSeq: 103 ACK\r\nUser-Agent: Asterisk PBX\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n
32 4 0x0400000000004001 1272330640.547489 0.021059 0.078952 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 Private network 49152 10.10.3.109 04 Private network 13300 17 0x0181 3 32181 0x81bc2252 ..}......."R.(l....:..C.....u.a.@.].......m..
33 1 0x0400000000004000 1272330640.577891 0.051467 13.507829 3 eth:ipv4:udp 00:16:cb:8c:ea:27 00:19:b9:f7:4b:02 0x0800 10.10.1.159 04 Private network 5060 10.10.3.109 04 Private network 5060 17 0x0004 SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.10.3.109:5060;rport=5060;received=10.10.3.109;branch=z9hG4bK54699aaa\r\nContent-Length: 217\r\nContact: <sip:Aaron@10.10.1.159:5060>\r\nCall-ID: B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B8@10.10.1.159\r\nContent-Type: application/sdp\r\nCSeq: 102 INVITE\r\nFrom: <sip:aptos@10.10.3.109>;tag=as609c9373\r\nServer: SJphone/1.60.299a/L (SJ Labs)\r\nTo: "unknown"<sip:Aaron@10.10.3.109>;tag=1020318343398661549\r\n\r\nv=0\r\no=- 3481319437 3481319438 IN IP4 10.10.1.159\r\ns=SJphone\r\nc=IN IP4 10.10.1.159\r\nt=0 0\r\na=direction:active\r\nm=audio 49152 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-11,16\r\n
34 1 0x0400000000004001 1272330640.577989 0.051470 13.507732 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 Private network 5060 10.10.1.159 04 Private network 5060 17 0x0004 ACK sip:Aaron@10.10.1.159:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.10.3.109:5060;branch=z9hG4bK5d190680;rport\r\nFrom: <sip:aptos@10.10.3.109>;tag=as609c9373\r\nTo: "unknown"<sip:Aaron@10.10.3.109>;tag=1020318343398661549\r\nContact: <sip:aptos@10.10.3.109>\r\nCall-ID: B0A0D6FC-1DD1-11B2-8F35-E1DE365F50B8@10.10.1.159\r\nCSeq: 102 ACK\r\nUser-Agent: Asterisk PBX\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n
35 5 0x0400000000004000 1272330645.436875 0.000000 0.000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 Private network 13301 10.10.1.159 04 Private network 49153 17 0x0002 200;202 32181 0x3efeb4de ....>.......o.T,...@.........."R......}....%............>.......
36 6 0x0400000000004000 1272330645.455867 0.000000 0.000000 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 Private network 18933 10.10.1.203 04 Private network 49153 17 0x0002 201;202 24249 0x41f3bca2 ....A...(.........^.................A.......
37 5 0x0400000000004000 1272330650.436866 4.999991 4.999991 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 Private network 13301 10.10.1.159 04 Private network 49153 17 0x0002 201;202 32181 0x3efeb4de ....>....."R......}....%............>.......
38 6 0x0400000000004000 1272330650.455831 4.999964 4.999964 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 Private network 18933 10.10.1.203 04 Private network 49153 17 0x0002 201;202 24249 0x41f3bca2 ....A...(.........^.................A.......
39 5 0x0400100000004000 1272330655.436803 4.999937 9.999928 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:8c:ea:27 0x0800 10.10.3.109 04 Private network 13301 10.10.1.159 04 Private network 49153 17 0x0002 201;202 32181 0x3efeb4de ....>....."R......}....%............>.......
40 6 0x0400100000004000 1272330655.455793 4.999962 9.999926 3 eth:ipv4:udp 00:19:b9:f7:4b:02 00:16:cb:ab:a2:2b 0x0800 10.10.3.109 04 Private network 18933 10.10.1.203 04 Private network 49153 17 0x0002 201;202 24249 0x41f3bca2 ....A...(.........^.................A.......
...Conclusion
Try your own traffic or the ones on the site listed earlier.
Don’t forget to reset the voipDetector plugin configuration:
t2conf --reset voipDetector && t2build voipDetector
Have fun!