OT: Want To Capture All SIP Messages


I want to capture all SIP messages.

I have about 30 hosts in about 6 colos.

My first thought was dumpcap, but the output file name format bugs me.

What do you use for long term SIP capture?

16 thoughts on - OT: Want To Capture All SIP Messages

  • What bugs you about the output format? There are multiple ways to display stored information, wireshark can be extremely useful (and unstable) or just dump plain text by replaying the pcap with ngrep.

    Ways I used so far:

    -tshark to produce pcap file (-b duration:x to split up files into time intervals)
    -“sip set log on” to store it plain text in asterisk log files (or pjsip set logger on)
    -ngrep -W byline to store it in

    Will look into in the near future:
    -Homer via res_hep_pjsip
    -voipmonitor (didn’t know about till just now thanks to Mark’s reply)

  • Sorry, didn’t see the “long term” bit. voipmonitor or Homer are your best bet.

    -Barry Flanagan

  • It’s been a while, but as I recollect, it included the date/timestamp in the file name of the ‘ring buffer’ which meant that each time the host was rebooted, dumpcap didn’t know the files from the previous run should be deleted when they ‘aged out.’

  • A little more specificity…

    I’d like the capture to be in a series of files that can be ‘rotated’ or
    ‘aged out’ so that I can always have x days of traffic on hand but not have to prune the files to keep the storage requirements reasonable.

  • Solvable by writing a cleanup script that deletes files over a specific age, just a basic find in the daily crontab:
    find /path/to/captures -type f -name 'pattern*' -mtime +X -exec rm {} \;
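
The dumpcap restart problem and the find-based cleanup discussed in this thread, as an added example that is not part of any poster's message: a shell function that ages out capture files no matter which capture run wrote them, while always keeping the newest few so the file currently being written is never removed. The function name `prune_captures`, the `sip_` prefix and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example: age out capture files left behind by earlier capture runs.
# Usage: prune_captures DIR PREFIX MAX_AGE_DAYS KEEP_NEWEST
# All names here are hypothetical; adjust them to your capture directory.
prune_captures() {
    dir=$1; prefix=$2; max_age_days=$3; keep_newest=$4
    [ -d "$dir" ] || { echo "prune_captures: no such directory: $dir" >&2; return 1; }

    # List matching entries newest first and skip the KEEP_NEWEST most recent,
    # so the file the capture process is writing is never a candidate.
    # Capture names written by dumpcap/tcpdump contain no whitespace, so
    # line-based handling of the ls output is safe for them.
    ls -1td "$dir"/"$prefix"* 2>/dev/null | tail -n +"$((keep_newest + 1))" |
    while IFS= read -r f; do
        # -mtime +N counts whole 24-hour periods, so +7 matches files that
        # are at least 8 days old. Only regular files are removed.
        if [ -n "$(find "$f" -prune -type f -mtime +"$max_age_days")" ]; then
            rm -f -- "$f" && echo "$f"    # report each file removed
        fi
    done
}

# When called with four arguments, run directly, e.g. from a daily cron job:
#   prune-captures.sh /var/captures sip_ 7 2
if [ "$#" -eq 4 ]; then
    prune_captures "$@"
fi
```

Because the decision uses modification time rather than the sequence number or timestamp embedded in the file name, files from before a reboot are aged out the same way as files from the current run.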

  • On sites where I want an always available packet history I use tcpdump with the -C and -W options to manage a ring buffer of X bytes. Then you can use cool tools like sngrep or really anything that operates on pcap files at whim.



  • Neither dumpcap nor tcpdump knows what to do with a HUP (I suspect I could configure logrotate to kill dumpcap and then start another instance) but I’m still in a position to have to enable/disable the logrotate script as I change which hosts need monitoring.

    I know… First world problems 🙂

  • Heya Steve

    I use the same Jeff recommended.

    Eg this command would capture SIP traffic in capture files up to 100Mbytes each, with a maximum of 10 files in play and overwriting the oldest automatically:

    tcpdump -i eth0 -w rollingSIPtrace. -C 100 -W 10 port 5060

    Eventually you’d end up with files called ‘rollingSIPtrace.00’ through to ‘rollingSIPtrace.09’, and when rollingSIPtrace.09 reaches 100MB, overwriting of rollingSIPtrace.00 (then rollingSIPtrace.01 etc) would commence.

    Does that achieve your goal?

    Or was the problem that if your server restarts and the command auto-executes at boot time then the first file overwritten will be rollingSIPtrace.00, not necessarily whichever file was the last modified?


  • I’d like it to only overwrite the oldest, but server restarts are rare enough that I think this will be acceptable.

  • In article , Steve Edwards wrote:

    On most of my systems I have a script sip-capture:

  • I use pcapsipdump. It has the added advantage of splitting the captures into individual calls