<div dir="ltr"><div>Tomek,</div><div><br></div><div>It works for me. I modified your script as follows:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>21c21<br>< send(ip/layer4/myPayload)<br>---<br>> wrpcap('sip.pcap', Ether()/ip/layer4/myPayload)</div></blockquote><div><br></div><div>This causes scapy to just write the PCAP instead of sending it. Then, I uploaded that PCAP here: <a href="https://try.zeek.org/#/tryzeek/saved/421825">https://try.zeek.org/#/tryzeek/saved/421825</a></div><div><br></div><div>You can see your output, and if you scroll down, you can see a sip.log file with the relevant info.</div><div><br></div><div>How are you capturing the PCAP? I'm betting that you have an incorrect checksum, which causes Zeek to discard those packets. You'd get a warning for TCP traffic, but not for UDP.</div><div><br></div><div> --Vlad<br> </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 1, 2020 at 3:58 PM Tomek Koziak <<a href="mailto:ttomek.koziak@gmail.com">ttomek.koziak@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi,</div><div dir="ltr"><br></div><div dir="ltr">I have been trying to analyze Zeek SIP headers and so far I can perform the following code successfully on the .pcap file:</div><div dir="ltr"><br><span style="font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(255,255,255)"><font color="#6fa8dc">event sip_header(c: connection, is_orig: bool, name: string, value: string){
print "sip";
print c;
print value;
}
event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list){
print "sip";
}</font><font color="#000000">
</font></span></div><div dir="ltr">The issue comes up when I generate the SIP traffic in Python using Scapy, in the following way:</div><div dir="ltr"><br></div><div dir="ltr"><font color="#6fa8dc">from scapy.all import *<br>from scapy.layers.inet import IP, UDP  # IP belongs to scapy, not to telnetlib<br><br>sourcePort = 3001<br>destinationIp = "192.168.1.26"<br>sourceIp = "192.168.1.107"<br>ip = IP(src=sourceIp, dst=destinationIp)<br><br># SIP INVITE payload (the Via/transport fields say TCP, but the packet is sent over UDP below)<br>myPayload = (<br>'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'<br>'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'<br>'From: \"somedevice\"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'<br>'To: <sip:{0}:5060>\r\n'<br>'Call-ID: 9abcd\r\n'<br>'CSeq: 1 INVITE\r\n'<br>'Max-Forwards: 70\r\n'<br>'Content-Length: 0\r\n\r\n').format(destinationIp)<br># UDP to the standard SIP port<br>layer4 = UDP(dport=5060, sport=sourcePort)<br>send(ip/layer4/myPayload)</font></div><div dir="ltr"><br></div><div>After running the code, there is no output result in Zeek, even though in Wireshark everything seems to be working: I can observe the SIP traffic. What do you think may cause this problem?<br><br>Tomasz</div></div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>
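As an added example (not code from either message in this thread), here is a standard-library-only checker for the condition Vlad suspects above: it builds Tomek's INVITE as a raw IPv4/UDP packet and verifies the UDP checksum, so the same check can be run over packets pulled from a PCAP that Zeek stays silent on. The function names and the corrupt flag are my own; the addresses, ports and SIP text are constructed from the thread.

```python
"""UDP checksum check for IPv4 packets. Added example, not from the thread;
standard library only. Addresses, ports and INVITE text are constructed from
Tomek's script above; treating checksum 0 as 'absent' follows RFC 768."""
import socket
import struct

SRC, DST, SPORT, DPORT = "192.168.1.107", "192.168.1.26", 3001, 5060
SIP_INVITE = (
    "INVITE sip:192.168.1.26:5060;transport=tcp SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n"
    'From: "somedevice"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'
    "To: <sip:192.168.1.26:5060>\r\nCall-ID: 9abcd\r\nCSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n").encode()

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum (RFC 1071); odd lengths get a zero pad byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 768 prepends to the UDP segment for checksumming."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_len)

def build_ipv4_udp(src, dst, sport, dport, payload, corrupt=False) -> bytes:
    """IPv4/UDP packet with a correct UDP checksum, or a wrong one if corrupt=True."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = (~ones_complement_sum(pseudo_header(src, dst, udp_len) + udp)) & 0xFFFF
    csum = csum or 0xFFFF  # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"
    if corrupt:  # mimics a packet captured before the checksum was correctly filled in
        csum = ((csum + 1) & 0xFFFF) or 1
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + udp

def udp_checksum_ok(packet: bytes) -> bool:
    """True if the packet's UDP checksum verifies (or is 0, i.e. absent, as IPv4 permits)."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    udp = packet[ihl:]
    udp_len, recorded = struct.unpack("!HH", udp[4:8])
    if recorded == 0:
        return True
    # Summing with the checksum field included must give 0xFFFF (all ones) for a valid segment.
    return ones_complement_sum(pseudo_header(src, dst, udp_len) + udp[:udp_len]) == 0xFFFF
```

Feed `udp_checksum_ok` the raw IPv4 bytes of each UDP packet from the capture (e.g. everything after the 14-byte Ethernet header); packets that return False are candidates for the silent discard Vlad describes.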