[Zeek] Problem with analysing SIP headers

Vlad Grigorescu vlad at es.net
Mon Jun 1 14:42:39 PDT 2020


Tomek,

It works for me. I modified your script as follows:

21c21
> < send(ip/layer4/myPayload)
> ---
> > wrpcap('sip.pcap', Ether()/ip/layer4/myPayload)
>

This causes scapy to just write the PCAP instead of sending it. Then, I
uploaded that PCAP here: https://try.zeek.org/#/tryzeek/saved/421825

You can see your output, and if you scroll down, you can see a sip.log file
with the relevant info.

How are you capturing the PCAP? I'm betting that you have an incorrect
checksum, which causes Zeek to discard those packets. You'd get a warning
for TCP traffic, but not for UDP.

  --Vlad

On Mon, Jun 1, 2020 at 3:58 PM Tomek Koziak <ttomek.koziak at gmail.com> wrote:

> Hi,
>
> I have been trying to analyze Zeek SIP headers and so far I can run
> the following code successfully on the .pcap file:
>
> event sip_header(c: connection, is_orig: bool, name: string, value: string)
>     { print "sip"; print c; print value; }
>
> event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
>     { print "sip"; }
>
> The issue comes up when I generate the SIP traffic in Python using Scapy,
> in the following way:
>
> from scapy.all import *
> from scapy.layers.inet import IP, UDP
>
> sourcePort = 3001
> destinationIp = "192.168.1.26"
> sourceIp = "192.168.1.107"
> ip = IP(src=sourceIp, dst=destinationIp)
>
> # SIP INVITE payload, carried over UDP to port 5060
> myPayload = (
>     'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'
>     'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'
>     'From: "somedevice"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'
>     'To: <sip:{0}:5060>\r\n'
>     'Call-ID: 9abcd\r\n'
>     'CSeq: 1 INVITE\r\n'
>     'Max-Forwards: 70\r\n'
>     'Content-Length: 0\r\n\r\n').format(destinationIp)
> layer4 = UDP(dport=5060, sport=sourcePort)
> send(ip/layer4/myPayload)
>
> After running the code, there is no output in Zeek, even though in
> Wireshark everything seems to be working: I can observe the SIP traffic.
> What do you think may cause this problem?
>
> Tomasz
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
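Vlad's checksum explanation is something you can verify directly on the captured bytes. The following is an added example, not code from this thread, from Zeek or from scapy: it builds an IPv4/UDP datagram carrying a constructed SIP INVITE (shaped like Tomek's) with a correct UDP checksum in plain Python, and then classifies the UDP checksum of any raw IPv4 packet as ok, bad or absent, which is the check to run on packets that Zeek drops without a warning.

```python
import socket
import struct

SIP_INVITE = (  # constructed SIP INVITE, shaped like the one in the thread
    b"INVITE sip:192.168.1.26:5060 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.107:3001;branch=1234\r\n"
    b"From: <sip:somedevice@192.168.1.107>;tag=5678\r\nTo: <sip:192.168.1.26:5060>\r\n"
    b"Call-ID: 9abcd\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
)

def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """IPv4 UDP checksum over pseudo-header + UDP header (csum field 0) + payload."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    csum = 0xFFFF - _ones_complement_sum(pseudo + udp)
    return csum or 0xFFFF  # a computed 0 is sent as 0xFFFF, since 0 means "absent"

def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build raw IPv4/UDP bytes with correct IP and UDP checksums, as scapy would."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = udp_checksum(src, dst, udp)
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip_csum = 0xFFFF - _ones_complement_sum(hdr)
    return hdr[:10] + struct.pack("!H", ip_csum) + hdr[12:] + udp

def udp_checksum_status(pkt: bytes) -> str:
    """Classify the UDP checksum of a raw IPv4 packet: ok / bad / absent."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        return "not-ipv4-udp"
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    udp = pkt[ihl:ihl + udp_len]
    if struct.unpack("!H", udp[6:8])[0] == 0:
        return "absent"  # IPv4 lets a sender omit the UDP checksum entirely
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    # With the stored checksum included, a valid datagram folds to 0xFFFF.
    return "ok" if _ones_complement_sum(pseudo + udp) == 0xFFFF else "bad"
```

If a capture does turn out to carry bad checksums, Zeek can be told to ignore them with the `-C` command-line flag (or `redef ignore_checksums = T;` in a script).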