[Zeek] Problem with analysing SIP headers

Tomek Koziak ttomek.koziak at gmail.com
Mon Jun 1 15:15:40 PDT 2020


Yes, the problem is connected with the incorrect checksum. When I ran
Zeek with the -C flag it worked well.

pon., 1 cze 2020 o 23:42 Vlad Grigorescu <vlad at es.net> napisał(a):

> Tomek,
>
> It works for me. I modified your script as follows:
>
> 21c21
>> < send(ip/layer4/myPayload)
>> ---
>> > wrpcap('sip.pcap', Ether()/ip/layer4/myPayload)
>>
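Review bot: the point of swapping send() for wrpcap() deserves a sentence next to the hunk: the written file carries exactly the bytes scapy builds, including the UDP checksum scapy computes, so whatever a capture on the sending host recorded (offloaded or otherwise wrong checksums) no longer enters the test of Zeek's SIP analyzer. Also worth noting that the request line and Via in the unchanged part of the script still advertise transport=tcp while the datagram is UDP; harmless for this test, but easy to trip over later.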
>
> This causes scapy to just write the PCAP instead of sending it. Then, I
> uploaded that PCAP here: https://try.zeek.org/#/tryzeek/saved/421825
>
> You can see your output, and if you scroll down, you can see a sip.log
> file with the relevant info.
>
> How are you capturing the PCAP? I'm betting that you have an incorrect
> checksum, which causes Zeek to discard those packets. You'd get a warning
> for TCP traffic, but not for UDP.
>
>   --Vlad
>
> On Mon, Jun 1, 2020 at 3:58 PM Tomek Koziak <ttomek.koziak at gmail.com>
> wrote:
>
>> Hi,
>>
>> I have been trying to analyze Zeek SIP headers and so far I can run
>> the following code successfully on the .pcap file:
>>
>> event sip_header(c: connection, is_orig: bool, name: string, value: string)
>>     {
>>     print "sip";
>>     print c;
>>     print value;
>>     }
>>
>> event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
>>     {
>>     print "sip";
>>     }
>>
>> The issue comes up when I generate the SIP traffic in Python using Scapy,
>> in the following way:
>>
>> from scapy.all import *
>> from scapy.layers.inet import IP, UDP
>>
>> sourcePort = 3001
>> destinationIp = "192.168.1.26"
>> sourceIp = "192.168.1.107"
>> ip = IP(src=sourceIp, dst=destinationIp)
>>
>> # SIP INVITE sent over UDP (the URI and Via advertise transport=tcp,
>> # but the datagram itself goes out as UDP)
>> myPayload = (
>> 'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'
>> 'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'
>> 'From: "somedevice"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'
>> 'To: <sip:{0}:5060>\r\n'
>> 'Call-ID: 9abcd\r\n'
>> 'CSeq: 1 INVITE\r\n'
>> 'Max-Forwards: 70\r\n'
>> 'Content-Length: 0\r\n\r\n').format(destinationIp)
>> layer4 = UDP(dport=5060, sport=sourcePort)
>> # scapy fills in the IP and UDP checksums when it builds the packet
>> send(ip/layer4/myPayload)
>>
>> After running the code, there is no output in Zeek, even though in
>> Wireshark everything seems to be working and I can observe the SIP traffic.
>> What do you think may cause this problem?
>>
>> Tomasz
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
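Vlad's diagnosis above (a wrong UDP checksum makes Zeek drop the datagram before the SIP analyzer sees it, which -C suppresses) can be checked on the raw bytes without scapy or Zeek. The following is an added example, not code from the thread or from the Zeek project: it builds an IPv4/UDP datagram carrying a constructed SIP INVITE modelled on Tomek's, with the checksum correct, corrupted, or absent, and classifies what a captured datagram carries. The function and constant names are my own.

```python
import struct
from ipaddress import IPv4Address

# Constructed SIP INVITE in the shape of the one from the thread (not the original).
SIP_INVITE = (
    "INVITE sip:192.168.1.26:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.107:3001;branch=1234\r\n"
    "Call-ID: 9abcd\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
).encode()

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]      # checksum field is zero while summing
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF                         # a computed 0 is transmitted as 0xFFFF

def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, checksum: str = "ok") -> bytes:
    """Raw IPv4/UDP datagram; checksum is 'ok', 'bad' (corrupted) or 'absent' (zero)."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    good = udp_checksum(src, dst, udp)
    field = {"ok": good, "bad": (good ^ 0xFFFF) or 1, "absent": 0}[checksum]
    udp = udp[:6] + struct.pack("!H", field) + udp[8:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", (~ones_complement_sum(hdr)) & 0xFFFF) + hdr[12:]
    return hdr + udp

def udp_checksum_status(packet: bytes) -> str:
    """Classify the UDP checksum of a captured IPv4 datagram: 'ok', 'bad' or 'absent'."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst, udp = packet[12:16], packet[16:20], packet[ihl:]
    stored = struct.unpack("!H", udp[6:8])[0]
    if stored == 0:
        return "absent"                           # never computed, legal for UDP over IPv4
    return "ok" if udp_checksum(src, dst, udp) == stored else "bad"
```

Running udp_checksum_status over the IPv4 payloads of a capture tells you whether the missing sip.log is a checksum problem before reaching for -C.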