<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,</div><div dir="ltr"><br></div><div dir="ltr">I have been trying to analyze Zeek SIP headers and so far I can perform the following code succesfully on the .pcap file :</div><div dir="ltr"><br><span style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><font color="#6fa8dc">event sip_header(c: connection, is_orig: bool, name: string, value: string){
print "sip";
print c;
print value;
}
event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list){
print "sip";
}</font><font color="#000000">
</font></span><span style="color:rgb(255,255,255);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(0,153,255)">
</span></div><div dir="ltr">The issue comes up when I generate the SIP traffic in Python using Scapy, in the following way:</div><div dir="ltr"><br></div><div dir="ltr"><font color="#6fa8dc">from telnetlib import IP<br>from scapy.all import *<br>from scapy.layers.inet import UDP<br><br>sourcePort = 3001<br>destinationIp = "192.168.1.26"<br>sourceIp = "192.168.1.107"<br>ip=IP(src=sourceIp, dst=destinationIp)<br><br># TCP PSH+ACK with Payload<br>myPayload=(<br>'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'<br>'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'<br>'From: \"somedevice\"<<a href="http://sip:somedevice@1.1.1.1:5060">sip:somedevice@1.1.1.1:5060</a>>;tag=5678\r\n'<br>'To: <sip:{0}:5060>\r\n'<br>'Call-ID: 9abcd\r\n'<br>'CSeq: 1 INVITE\r\n'<br>'Max-Forwards: 70\r\n'<br>'Content-Length: 0\r\n\r\n').format(destinationIp)<br>layer4 = UDP(dport = 5060,sport = sourcePort)<br>send(ip/layer4/myPayload)</font></div><div dir="ltr"><br></div><div>After running the code, there is no output result in Zeek. Even though in Wireshark everything seems to be working - I can observe the SIP traffic. What do you think may cause this problem?<br><br>Tomasz</div></div></div></div>