[Zeek] Problem with analysing SIP headers

Tomek Koziak ttomek.koziak at gmail.com
Mon Jun 1 13:55:59 PDT 2020


I have been trying to analyze Zeek SIP headers and so far I can perform the
following code succesfully on the .pcap file :

event sip_header(c: connection, is_orig: bool, name: string, value:
string){ print "sip"; print c; print value; } event sip_all_headers(c:
connection, is_orig: bool, hlist: mime_header_list){ print "sip"; }
The issue comes up when I generate the SIP traffic in Python using Scapy,
in the following way:

from telnetlib import IP
from scapy.all import *
from scapy.layers.inet import UDP

sourcePort = 3001
destinationIp = ""
sourceIp = ""
ip=IP(src=sourceIp, dst=destinationIp)

# TCP PSH+ACK with Payload
'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'
'Via: SIP/2.0/TCP;branch=1234\r\n'
'From: \"somedevice\"<sip:somedevice at>;tag=5678\r\n'
'To: <sip:{0}:5060>\r\n'
'Call-ID: 9abcd\r\n'
'CSeq: 1 INVITE\r\n'
'Max-Forwards: 70\r\n'
'Content-Length: 0\r\n\r\n').format(destinationIp)
layer4 = UDP(dport = 5060,sport = sourcePort)

After running the code, there is no output result in Zeek. Even though in
Wireshark everything seems to be working -  I can observe the SIP traffic.
What do you think may cause this problem?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200601/489a1bcc/attachment.html 

More information about the Zeek mailing list