pcapsipdump – Dump SIP Signalling and RTP Streams Per Call Leg into Separate Pcap Files

As a VoIP administrator, properly diagnosing and troubleshooting a problem sometimes means being able to go back in time and dig deep into packet traces to get to the heart of it. Unfortunately, that means taking a page from the NSA’s playbook and doing blanket data collection, provided you can handle the disk storage requirements.

Sure, if the problem is easily reproducible you can do a SIP trace in your VoIP software to get just the signalling, or, if you need the RTP streams too, use “tcpdump” to capture the packets and avoid blanket collection altogether. That isn’t always the case, though, and tcpdump certainly has its limitations.

Capture (pcap) files get huge and hard to work with, you have to write filters to find the data you need, and the list goes on. There are some helpful switches for long-running captures, but then you still have to run tcpdump as a daemon, rotate the capture files, and dig through them extensively for the data you want.

Don’t get me wrong, I’m not knocking tcpdump; the application kicks ass. I just needed more granularity and the ability to separate each call leg into its own pcap file. That led me to search the internet, where I eventually found an app on SourceForge called “pcapsipdump” that claims to do exactly that and can be run as a daemon.

At first, I downloaded the current release (version 0.2) and tried to install it on an Ubuntu server, but it kept crashing during the “make” step. Nothing I tried got it to build, so I consulted the bug reports on the project site for answers. Eventually I checked out the latest trunk with Subversion, and all was well.

Here are the steps to install “pcapsipdump” as root on Ubuntu server (the checkout below pulls the current trunk, which is the version that built for me):

cd /usr/src/
apt-get install subversion libpcap0.8 libpcap-dev build-essential
svn checkout svn://svn.code.sf.net/p/pcapsipdump/code/trunk pcapsipdump-code
cd pcapsipdump-code
make all
make install-debian
update-rc.d pcapsipdump defaults
nano /etc/default/pcapsipdump
-- Edit the following lines for your own requirements --
PCAPSIPDUMP_ENABLE=true
DEVICE=eth0
SPOOLDIR=/var/spool/pcapsipdump
RETENTION=7
-- Ctrl+X, then “y” to save --
service pcapsipdump start

Two things to check before starting it: DEVICE must be the interface that actually sees the SIP and RTP packets (if the box is fed from a switch mirror port, that is the mirrored interface, not the management one), and SPOOLDIR will fill up with complete RTP streams, i.e. recorded call audio, so keep it readable by root only and purge it on a schedule.

The program even creates a directory per day, with hourly subdirectories, to keep the pcap files sorted, and it builds each filename from the date, the source, the session number, and the IP address and port taken from the SIP header, which was an unexpected bonus. I’ll admit I was irritated at first when I couldn’t even get the program to install, but now I am very impressed. This is exactly what I needed!

One Reply to “pcapsipdump – Dump SIP Signalling and RTP Streams Per Call Leg into Separate Pcap Files”

  1. It looks like the retention period variable in the config file doesn’t actually do anything so I ended up writing a bash script to rotate the PCAP directories. You can download it here.
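Since the RETENTION setting in /etc/default/pcapsipdump reportedly does nothing (see the reply above), here is an added retention script of my own; it is not the commenter’s script and not something shipped with pcapsipdump. It assumes a spool layout of SPOOLDIR/<day>/<hour>/*.pcap as described in the post (the .pcap extension is an assumption), but it prunes by file modification time rather than by directory name, so the exact naming scheme does not matter. It also refuses to touch the spool root itself and offers a dry-run mode, which you want before pointing anything with rm at a directory full of call recordings.

```shell
#!/bin/sh
# Added example, not part of pcapsipdump or the commenter's script: prune a
# pcapsipdump spool by file age, then drop the per-day/per-hour directories
# that are left empty. Keys off mtime, so the exact directory and file naming
# is irrelevant; the '*.pcap' extension is an assumption.

# prune_spool SPOOLDIR DAYS [dry]
#   Removes *.pcap files under SPOOLDIR last modified more than DAYS days ago
#   (find's -mtime +N matches files strictly older than N full days), then
#   removes empty subdirectories deepest-first, never SPOOLDIR itself.
#   With a third argument "dry" it only lists what would be deleted.
prune_spool() {
    spool="${1%/}"          # strip a trailing slash so the -path test matches
    days="$2"
    mode="${3:-delete}"

    if [ -z "$spool" ] || [ ! -d "$spool" ]; then
        echo "prune_spool: no such spool directory: '$1'" >&2
        return 1
    fi
    case "$days" in
        ''|*[!0-9]*)
            echo "prune_spool: retention must be a whole number of days" >&2
            return 1 ;;
    esac

    if [ "$mode" = "dry" ]; then
        find "$spool" -type f -name '*.pcap' -mtime +"$days" -print
        return 0
    fi

    find "$spool" -type f -name '*.pcap' -mtime +"$days" -exec rm -f {} +
    # -exec ... \; (not +) so each hour dir is removed before its day dir is
    # tested for emptiness; -depth walks children before parents.
    find "$spool" -depth -type d -empty ! -path "$spool" -exec rmdir {} \;
}

# count_pcaps SPOOLDIR: number of capture files remaining (sanity check)
count_pcaps() {
    find "${1%/}" -type f -name '*.pcap' | wc -l | tr -d ' '
}

# Usage: prune-pcapsipdump.sh /var/spool/pcapsipdump 7 [dry]
# e.g. in root's crontab (hypothetical path):
#   0 3 * * * /usr/local/sbin/prune-pcapsipdump.sh /var/spool/pcapsipdump 7
if [ "$#" -ge 2 ]; then
    prune_spool "$1" "$2" "${3:-}"
fi
```

Run it once with the dry argument against the live spool and eyeball the list before letting cron loose on it; if the daemon is still writing into the current hour’s directory that directory is never empty, so it survives the rmdir pass as intended.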
