[Zeek] Problem with analysing SIP headers
Tomek Koziak
ttomek.koziak at gmail.com
Mon Jun 1 13:55:59 PDT 2020
Hi,
I have been trying to analyze Zeek SIP headers and so far I can perform the
following code succesfully on the .pcap file :
event sip_header(c: connection, is_orig: bool, name: string, value:
string){ print "sip"; print c; print value; } event sip_all_headers(c:
connection, is_orig: bool, hlist: mime_header_list){ print "sip"; }
The issue comes up when I generate the SIP traffic in Python using Scapy,
in the following way:
from telnetlib import IP
from scapy.all import *
from scapy.layers.inet import UDP
sourcePort = 3001
destinationIp = "192.168.1.26"
sourceIp = "192.168.1.107"
ip=IP(src=sourceIp, dst=destinationIp)
# TCP PSH+ACK with Payload
myPayload=(
'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'
'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'
'From: \"somedevice\"<sip:somedevice at 1.1.1.1:5060>;tag=5678\r\n'
'To: <sip:{0}:5060>\r\n'
'Call-ID: 9abcd\r\n'
'CSeq: 1 INVITE\r\n'
'Max-Forwards: 70\r\n'
'Content-Length: 0\r\n\r\n').format(destinationIp)
layer4 = UDP(dport = 5060,sport = sourcePort)
send(ip/layer4/myPayload)
After running the code, there is no output result in Zeek. Even though in
Wireshark everything seems to be working - I can observe the SIP traffic.
What do you think may cause this problem?
Tomasz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200601/489a1bcc/attachment.html
More information about the Zeek
mailing list