Newbie question regarding Homer/Capturagent

[Douglas Oman]

Hi everyone. I want to make sure I am on the right path. I have a need to log SIP traffic as well as RTP traffic in our environment. I have decided the best way to do this in my particular instance is to port mirror. I have installed the Sipcapture/Homer using the auto install process listed in the Wiki. The system is running and I can access the web page. I then installed the capture agent on a secondary server again utilizing the Wiki instructions. The capture server has two Ethernet interfaces. One is the IP Interface and the other is the Mirrored interface. I have verified that the Capture agent is receiving mirrored traffic using TCP dump and I verified that the Homer server is receiving traffic on port 9061 but I am not seeing any data in the Homer Interface.

I followed the instructions the best I could and from what I can tell it looks correct but still doesn't work. My question is two parts: Given the fact that I need to capture data via Port Mirror is this setup the correct way to go about it (Using Capture Agent)? If so could you assist or guide me troubleshoot my issue?

OS Version is CentOS 7

Thanks in advanced

Doug

[Andre Gronwald]

kamailio is per default listening on port 9060 - check that and correct your captagent to send to port 9060. then it should work immediately i hope.
for capturing rtp as well i recommend heplify, which is developed by eugen biegler. heplify is much more simpler and allows to store pcaps in parallel.

regards,
andre

[Andre Gronwald]

kamailio is per default listening on port 9060 - check that and correct your captagent to send to port 9060. then it should work immediately i hope.
for capturing rtp as well i recommend heplify, which is developed by eugen biegler. heplify is much more simpler and allows to store pcaps in parallel.

regards,
andre


Am Montag, 11. Dezember 2017 20:56:21 UTC+1 schrieb Douglas Oman:

[Douglas Oman]

Andre - Thank you for your reply. I updated the captagent to send on 9060 and also verified the kamailio.cfg located at /usr/src/homer-config/db/pgsql and updated the listen line to the following "listen=udp:10.250.1.2:9060", restarted the service and I am still not getting data. 

Regarding heplify: Are you suggesting using that for the SIP and RTP rather than the captagent? My understanding is the captaget is capable of capturing both but I could be wrong. Also, can I run either heplify or captagent co-resident on the homer server without issue?

Thanks,

Doug

[Andre Gronwald]

Andre - Thank you for your reply. I updated the captagent to send on 9060 and also verified the kamailio.cfg located at /usr/src/homer-config/db/pgsql and updated the listen line to the following "listen=udp:10.250.1.2:9060", restarted the service and I am still not getting data. 

can you verify that hep-packets are sent out to port 9060 of your kamailioserver?

Regarding heplify: Are you suggesting using that for the SIP and RTP rather than the captagent? My understanding is the captaget is capable of capturing both but I could be wrong. Also, can I run either heplify or captagent co-resident on the homer server without issue?

 

no, it depends on your needs. i needed an agent turning sip into hep and on the other hand i wanted to capture rtp-streams to analyze them manually in case of any complaints. for this heplify is perfect - one process for "hepping" sip and capturing all sip and rtp traffic into pcaps for later analysis. before i had to use captagent (which is mightier, but not yet necessary for me) and a tcpdump in parallel for capturing pcaps.

[Andre Gronwald]

Is anything in MySQL Database?

I would enable debug for kamailio and MySQL . Wenn should See Something in kamailio and If Something is There WE should See it Afterwards in MySQL Log AS Well.

Am 12.12.2017 9:02 nachm. schrieb "Douglas Oman" <do...@powerstroke.us>:

Andre - I had some issues so I re-installed CentOS and Homer. I have verified via netstat the kamailo is listening on 9060 and also verified that the captagent is sending data on port 9060 via tcpdump on the homer server. but I am not seeing anything in the homer web UI. Also, I was wrong about the path in my previous post so you can disregard that portion but the second part still remains.

Thanks,

Doug

--
You received this message because you are subscribed to a topic in the Google Groups "Homer Capture Server. sipcapture.org" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/homer-discuss/YSuH5N13W4A/unsubscribe.
To unsubscribe from this group and all its topics, send an email to homer-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Douglas Oman]

I have verified that the homer server is receiving packets on 9060 via tcpdump and I have verified that Kamailio is running on 9060 but I still see nothing in the WebUI.

Its possible this application isn't what I need but the app was suggested by a college/friend of mine. What my need is to log the SIP messages as well as capture RTP packets from a mirrored port for troubleshooting issues. My goal is to keep logs/RTP for at least 4 days at a time. Currently how I am doing this is relying on Syslog and TCPDump/Wireshark to get what I need but that is clumsy and now an 'Always on' solution. 



Thanks,

Doug

[Douglas Oman]

I will have to check. I am not proficient in Linux so it might take me a bit to figure this out.

Thanks,

Doug

To unsubscribe from this group and all its topics, send an email to homer-discus...@googlegroups.com.

[Andre Gronwald]

in kamailio.cfg set

debug = 4

# if necessary 6 or 9, but i think with 4 you should see something

for mysql have a look in 

/etc/mysql/my.cnf

general_log_file        = /var/log/mysql/mysql.log

general_log             = 1

that logs everything into the log-file. be aware, every sql-statement is logged there, that file might get very large.

restart both services after changing that file.

kind regards,

andre

[Douglas Oman]

Andre,

 Made the changes you mediation and I am not seeing much being written to SQL. From what I can tell it is logging the WebUI requests. As for Kamailio I am not sure where that is logging? Based on the .cfg file it is logging to a file called "homer" but no path is defied and I tried to perform a search but was unable to locate it.

Thanks,

Doug

[Andre Gronwald]

Just specify the path for the logfile. That shoukd work. Otherwise the file is stored in the working Directory. I guess that is where the bin is executed
regards André

Von meinem c64mobile gesendet

[Douglas Oman]

I tried that just now and I still don't see a log. Here is a snippet of the .cfg file:

####### Global Parameters #########

debug = 4

log_stderror=no

log_name="/var/log/homer.log"

memdbg=5

memlog=5

##!define KAMAILIO_4_3

##!define WITH_HOMER_GEO

##!define WITH_HOMER_CUSTOM_STATS #enable it for HTTP custom stats

log_facility=LOG_LOCAL1

fork=yes

children=5

/* uncomment the next line to disable TCP (default on) */

disable_tcp=yes

/* IP and port for HEP capturing) */

listen=HOMER_LISTEN_PROTO:HOMER_LISTEN_IF:HOMER_LISTEN_PORT

#!ifdef WITH_HOMER_CUSTOM_STATS

listen=HOMER_STATS_SERVER

#!endif

[Andre Gronwald]

Aah.

Please have a look to your syslog (or Messages). I think it is sent to syslog.

Von meinem c64mobile gesendet

[Douglas Oman]

Yes now I see the logs in /var/logs/messages - I don't see much in there relating to 'Homer' - The last thing is well over an hour ago:

Dec 13 12:16:42 msp109 /var/log/homer.log[13600]: NOTICE: <core> [main.c:695]: handle_sigs(): Thank you for flying kamailio!!!

Dec 13 12:16:42 msp109 /var/log/homer.log[13609]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13608]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13607]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13606]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13605]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13604]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13603]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13602]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13601]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received

Dec 13 12:16:42 msp109 /var/log/homer.log[13600]: INFO: <core> [sctp_core.c:53]: sctp_core_destroy(): SCTP API not initialized

I am assuming this means that the Captagent is not actually sending anything?

Thanks,

Doug

[Andre Gronwald]

Change logname to "Homer" instead of /var/Log .

I guess kamailio is Not doing anything. Seems No heps are getting to kamailio or Routing section on kamailio config is wrong.

Von meinem c64mobile gesendet

[Douglas Oman]

I already went back and changed it back to Homer. Now I really didn't do anything for configuration on this aside from the auto installer located on the Wiki site. What do you mean the Routing section?. How can I verify that the Captagent is sending everything it is supposed to? I did see in tcpdump traffic from the captagent to the homer/kamailio server on 9060 but for the amount of SIP traffic coming into the captagent I would expect more.

Thanks,

Doug

[Andre Gronwald]

Increase debug Level of captagent to See what it is doing and Start in foreground Not as daemon

Von meinem c64mobile gesendet

[KNERD]

I am having this exact same issue on a new install except I am using HEP from Asterisk14. The /var/log/messages log is showing the same thing


 /var/log/homer[27143]: INFO: <core> [main.c:810]: sig_usr(): signal 15 received
 /var/log/homer[27131]: INFO: <core> [sctp_core.c:53]: sctp_core_destroy(): SCTP API not initial         ized


Using tcpdump, I can see HEP side is sending,and the Homer side is receiving.