ISUP examples

[Andy Thompson]

Hello

I've noticed people posting picture of ISUP traffic in Homer and SIP<->ISUP correlation.

Can you please create some ISUP information/examples on HomerWiki and/or CaptAgentWiki ?

Thanks!

//Andy 

[Markus]

Hi Andy,

we will do. We are still testing the new stuff so we did not had

time to add docu for this.

For short:

you have to load "protocol_ss7" within "captagent.xml"

and add protocol_ss7.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">
    <module name="protocol_ss7" description="SS7 Protocol suite" serial="20161010">
        <profile name="proto_ss7" description="PROTO SS7" enable="true" serial="20161010">
            <settings>
            </settings>
        </profile>
    </module>
</document>

this should enable sctp analysing for m2ua/m2pa and send the ISUP Messages via HEP to

a sipcapture server (kamailio).

In Kamailio, add ..

modparam("sipcapture", "nonsip_hook", 1)

event_route[sipcapture:request] {

        xlog("HEP Request!\n");
        xlog("received sipcapture request from $si:$sp\r\n");
        xlog("HEP VERSION $hep(version) request from $si:$sp\r\n");
        xlog("HEP CHUNK Source IP $hep(0x002) request from $si:$sp\r\n");
        #Is it SIP ?
        if($hep(0x00b) == 1){

                #Do parsing internal
                return 1;
        }
        else if ($hep(0x00b) == 8) {
                # We are parsing M2UA now and want ISUP from it
                $var(payload) = $hep(0x00f);
                $var(res) = isup_to_json(8);

                # It is ISUP so let us try to insert it into a database
                if ($var(res) == 1) {
                        route(STORE_ISUP);
                        drop;
                }

                return 0;
        }
        else if ($hep(0x00b) == 13) {
                $var(payload) = $hep(0x00f);
                $var(res) = isup_to_json(13);

                # It is ISUP so let us try to insert it into a database
                if ($var(res) == 1) {
                        route(STORE_ISUP);
                        drop;
                }

                return 0;
        }
        else
        {
                #If report lets proceed here with payload
                xlog("HEP CHUNK PAYLOAD $hep(0x00f) request from $si:$sp\r\n");
                return 0;  
        }
}


route[STORE_ISUP] {
        $var(json) = $(isup(1){sql.val});
        $var(method) = $(isup(method){sql.val});
        $var(opc) = $isup(opc);
        $var(dpc) = $isup(dpc);
        $var(cic) = $isup(cic);
        if ($var(opc) > $var(dpc)) {
                $var(corr_id) = "" + $var(opc) + "-" + $var(dpc) + "-" + $var(cic);
        } else {
                $var(corr_id) = "" + $var(dpc) + "-" + $var(opc) + "-" + $var(cic);
        }

        # Generic IPv4 data... assume that
        $var(src_ip) = $(hep(0x003){sql.val});
        $var(dst_ip) = $(hep(0x004){sql.val});
        $var(src_port) = $(hep(0x007){sql.val});
        $var(dst_port) = $(hep(0x008){sql.val});
        xlog("HEP: src_ip: $var(src_ip) dst_ip: $var(dst_ip) src_port: $var(src_port) dst_port: $var(dst_port)\r\n");
        $var(time_sec) = $(hep(0x009){sql.val});
        $var(time_usec) = $(hep(0x00a){sql.val});
        $var(proto) = $(hep(0x00b){sql.val});

        $var(called_inn) = $(isup(called_inn){sql.val});
        $var(called_ton) = $(isup(called_ton){sql.val});
        $var(called_npi) = $(isup(called_npi){sql.val});
        $var(called_num) = $(isup(called_num){sql.val});
        $var(calling_ni) = $(isup(calling_ni){sql.val});
        $var(calling_res) = $(isup(calling_restrict){sql.val});
        $var(calling_scr) = $(isup(calling_screened){sql.val});
        $var(calling_ton) = $(isup(calling_ton){sql.val});
        $var(calling_npi) = $(isup(calling_npi){sql.val});
        $var(calling_num) = $(isup(calling_num){sql.val});
        $var(calling_cat) = $(isup(calling_category){sql.val});
        $var(cause_std) = $(isup(cause_standard){sql.val});
        $var(cause_loc) = $(isup(cause_location){sql.val});
        $var(cause_cls) = $(isup(cause_itu_class){sql.val});
        $var(cause_num) = $(isup(cause_itu_num){sql.val});
        $var(event_num) = $(isup(event_num){sql.val});
        $var(hop_count) = $(isup(hop_counter){sql.val});
        $var(nci_sat) = $(isup(nature_of_conn_sat){sql.val});
        $var(nci_con) = $(isup(nature_of_conn_con_check){sql.val});
        $var(nci_ech) = $(isup(nature_of_conn_echo_device){sql.val});
        $var(fwd_nic) = $(isup(fwd_call_international){sql.val});
        $var(fwd_interw) = $(isup(fwd_call_interworking){sql.val});
        $var(fwd_eemeth) = $(isup(fwd_call_end_to_end_method){sql.val});
        $var(fwd_eeinf) = $(isup(fwd_call_end_to_end_method){sql.val});
        $var(fwd_isup) = $(isup(fwd_call_isup){sql.val});
        $var(fwd_isupp) = $(isup(fwd_call_isup_preference){sql.val});
        $var(fwd_sccp) = $(isup(fwd_call_sccp_method){sql.val});
        $var(fwd_isdn) = $(isup(fwd_call_isdn){sql.val});
        $var(trans_med) = $(isup(transmission_medium){sql.val});
        $var(ui_coding) = $(isup(user_info_coding_standard){sql.val});
        $var(ui_tracap) = $(isup(user_info_transfer_cap){sql.val});
        $var(ui_tramde) = $(isup(user_info_transfer_mode){sql.val});
        $var(ui_trarte) = $(isup(user_info_transfer_rate){sql.val});
        $var(ui_l1idnt) = $(isup(user_info_layer1_ident){sql.val});
        $var(ui_l1prot) = $(isup(user_info_layer1_protocol){sql.val});
        $var(utc) = $utimef(%Y%m%d);

        $var(table) = "isup_capture_all_" + $var(utc);
        sql_query("is", "INSERT INTO $var(table)
                                (correlation_id, method, opc, dpc, cic, called_inn, called_ton,
                                 called_npi, called_number, calling_ni, calling_restrict,
                                 calling_screened, calling_ton, calling_npi, calling_number,
                                 calling_category, cause_standard, cause_location, cause_itu_class,
                                 cause_itu_cause, event_num, hop_counter, nci_satellite,
                                 nci_continuity_check, nci_echo_device, fwc_nic, fwc_etem,
                                 fwc_iw, fwc_etei, fwc_isup, fwc_isup_pref, fwc_ia, fwc_sccpm,
                                 transmission_medium, user_coding_standard,
                                 user_transfer_cap, user_transfer_mode,
                                 user_transfer_rate, user_layer1_ident, user_layer1_proto,
                                 source_ip, source_port, destination_ip, destination_port,
                                 proto, date, micro_ts, msg)
                                VALUES($(var(corr_id){sql.val}), $var(method), $(var(opc){sql.val}),
                                        $(var(dpc){sql.val}), $(var(cic){sql.val}), $var(called_inn),
                                        $var(called_ton), $var(called_npi), $var(called_num),
                                        $var(calling_ni), $var(calling_res), $var(calling_scr),
                                        $var(calling_ton), $var(calling_npi), $var(calling_num),
                                        $var(calling_cat), $var(cause_std), $var(cause_loc),
                                        $var(cause_cls), $var(cause_num), $var(event_num),
                                        $var(hop_counter), $var(nci_sat), $var(nci_con),
                                        $var(nci_ech), $var(fwd_nic), $var(fwd_eemeth),
                                        $var(fwd_interw), $var(fwd_eeinf), $var(fwd_isup),
                                        $var(fwd_isupp), $var(fwd_isdn), $var(fwd_sccp),
                                        $var(trans_med), $var(ui_coding), $var(ui_tracap),
                                        $var(ui_tramde), $var(ui_trarte), $var(ui_l1idnt),
                                        $var(ui_l1prot), $var(src_ip), $var(src_port),
                                        $var(dst_ip), $var(dst_port), $var(proto),
                                        from_unixtime($var(time_sec)), $var(time_sec) * 1000000 + $var(time_usec),
                                        $var(json));");

DB Schema looks like this:

CREATE TABLE `isup_capture_all_20170122` (
  `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `micro_ts` bigint(18) NOT NULL DEFAULT '0',
  `method` varchar(4) NOT NULL DEFAULT '',
  `correlation_id` varchar(256) NOT NULL DEFAULT '',
  `opc` int(10) NOT NULL DEFAULT '0',
  `dpc` int(10) NOT NULL DEFAULT '0',
  `cic` int(10) NOT NULL DEFAULT '0',
  `called_number` varchar(16) DEFAULT '',
  `called_ton` int(10) DEFAULT '0',
  `called_npi` int(10) DEFAULT '0',
  `called_inn` int(10) DEFAULT '0',
  `calling_number` varchar(16) DEFAULT '',
  `calling_ton` int(10) DEFAULT '0',
  `calling_npi` int(10) DEFAULT '0',
  `calling_ni` int(10) DEFAULT '0',
  `calling_restrict` int(10) DEFAULT '0',
  `calling_screened` int(10) DEFAULT '0',
  `calling_category` int(10) DEFAULT '0',
  `cause_standard` int(10) DEFAULT '0',
  `cause_location` int(10) DEFAULT '0',
  `cause_itu_class` int(10) DEFAULT '0',
  `cause_itu_cause` int(10) DEFAULT '0',
  `event_num` int(10) DEFAULT '0',
  `hop_counter` int(10) DEFAULT '0',
  `nci_satellite` int(10) DEFAULT '0',
  `nci_continuity_check` int(10) DEFAULT '0',
  `nci_echo_device` int(10) DEFAULT '0',
  `fwc_nic` int(10) DEFAULT '0',
  `fwc_etem` int(10) DEFAULT '0',
  `fwc_iw` int(10) DEFAULT '0',
  `fwc_etei` int(10) DEFAULT '0',
  `fwc_isup` int(10) DEFAULT '0',
  `fwc_isup_pref` int(10) DEFAULT '0',
  `fwc_ia` int(10) DEFAULT '0',
  `fwc_sccpm` int(10) DEFAULT '0',
  `transmission_medium` int(10) DEFAULT '0',
  `user_coding_standard` int(10) DEFAULT '0',
  `user_transfer_cap` int(10) DEFAULT '0',
  `user_transfer_mode` int(10) DEFAULT '0',
  `user_transfer_rate` int(10) DEFAULT '0',
  `user_layer1_ident` int(10) DEFAULT '0',
  `user_layer1_proto` int(10) DEFAULT '0',
  `source_ip` varchar(60) NOT NULL DEFAULT '',
  `source_port` int(10) NOT NULL DEFAULT '0',
  `destination_ip` varchar(60) NOT NULL DEFAULT '',
  `destination_port` int(10) NOT NULL DEFAULT '0',
  `proto` int(5) NOT NULL DEFAULT '0',
  `family` int(1) DEFAULT NULL,
  `type` int(5) NOT NULL DEFAULT '0',
  `node` varchar(125) NOT NULL DEFAULT '',
  `msg` varchar(5000) NOT NULL DEFAULT '',
  `expires` int(5) NOT NULL DEFAULT '-1',
  PRIMARY KEY (`id`,`date`),
  KEY `date` (`date`),
  KEY `called_number` (`called_number`),
  KEY `calling_number` (`calling_number`),
  KEY `correlationid` (`correlation_id`(255))
) ENGINE=InnoDB

Might be this helps you to start testing this awesome new Feature.

Best Regards

 Markus

--
You received this message because you are subscribed to the Google Groups "Homer Capture Server. sipcapture.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Andy Thompson]

Thanks Markus,

This feature is super cool and thanks for providing the excellent example!

I'll give the SS7 stack with else if ($hep(0x00b) == 9) - should be M3UA right? - a run and see how it goes.

Simply put, great work!

//Andreas

[Markus]

Hi Andreas,

captagent today only supports m2ua/m2pa

https://github.com/sipcapture/captagent/blob/master/src/modules/protocol/ss7/protocol_ss7.c

So kamailio will not see any other protocols from the ss7 stack in this case.

Best Regards

 Markus

--

[Markus]

Hi Andreas,

i missed some more details for captagent:

socket_pcap.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">

        <module name="socket_pcap" description="HEP Socket" serial="2014010402">
                <profile name="socketspcap_isup" description="HEP Socket" enable="true" serial="2014010402">
                        <settings>
                                <param name="dev" value="bond0"/>
                                <param name="promisc" value="false"/>
                                <param name="reasm" value="true"/>
                                <param name="ipv4fragments" value="true"/>
                                <param name="ipv6fragments" value="true"/>
                                <param name="proto-type" value="sip"/>
                                <param name="capture-plan" value="isup_capture_plan.cfg"/>
                                <param name="filter">
                                        <value>sctp</value>
                                </param>
                        </settings>
                </profile>
        </module>
</document>

captureplan:isup:capture_plan.cfg

capture[pcap] {
        if (parse_isup()) {
                if(!send_hep("homer")) {
                        clog("ERROR", "ISUP: Error sending HEP!!!!");
                }
        }
        drop;
}

[Krzysztof Drewicz]

Hi guys,

Great work on ss7 part.

I try just to add captagent to working homer  (5.0.1) , my ss7 is not a eth* listening, but i've got simple (IAM, ACM, RST,RLC) pcap to test, so i need to add as i presume:

 case DLT_MTP2_WITH_PHDR:

                link_offset = ?GUESS?;

                break;

and play with cmd line like that:

 ./captagent -n -D /tmp/SS7.pcap

[NOTICE] Loaded core config

[DEBUG] modules.c:50 Loading module: [transport_hep]

[NOTICE] Loaded transport_hep

[DEBUG] modules.c:50 Loading module: [database_hash]

[NOTICE] Loaded database_hash

[DEBUG] modules.c:50 Loading module: [protocol_rtcp]

[NOTICE] Loaded protocol_rtcp

[DEBUG] modules.c:50 Loading module: [protocol_ss7]

[DEBUG] modules.c:50 Loading module: [socket_pcap]

[NOTICE] Loaded socket_pcap

[DEBUG] socket_pcap.c:571 Activating device: (null)

[NOTICE] Sending file: /tmp/SS7.pcap

[DEBUG] conf_function.c:453 find_export_record: found <send_hep> in module transport_hep [/usr/local/captagent/lib/captagent/modules]

[DEBUG] captagent.c:316 The Captagent is ready

[DEBUG] socket_pcap.c:769 Link offset interface type [139] [139] [4]

[DEBUG] socket_pcap.c:775 loop stopped by EOF

[DEBUG] socket_pcap.c:799 exit loop

do i need to use the newest homer from git to utilze ss7 part? 

(my ss7 is on the gateways, i got it by -> ssh to gateway, do some foo-shmo and pcap file starts to stream via ssh - only singalling no RTP, wireshark is able to work in this way and decode isup stack)

[Markus]

Hi Krzysztof,

yes, you need the newest homer-web and homer-api. Futhermore

you have to install kamailio version 5.

If everything is configured correct, you should see HEP Packets

from captagent towards kamailio/sipcapture node.

Best Regards

 Markus

--

[Krzysztof Drewicz]

Hello Marcus

2017-03-08 10:07 GMT+01:00 Markus <mmo...@gmail.com>:

If everything is configured correct, you should see HEP Packets

from captagent towards kamailio/sipcapture node.

I done that, only the 'sipcapture -D file.pcap' does look like not using config file and does not send packets to  127.0.0.1:9060 (that's my kamalio is listening for HEP).

running sipcapture by hand, with tcpreplay somefilewithsipcalls.pcap on the other hand - does the job done, i see proper records in mysql db.

now, the hardest part, how to put pcap from stdio stream (got it with ssh tunel, one tunel/stream == one media gateway, could be many opc/dpc etc but only isup no rtp ) - 

pcap says 'DLT type: SS7 MTP2 with Pseudo-header (0x8b)' (so frametype 139 in dec).

should i write my own socket_* ? 

 

[Jarek Jarzebowski]

Hi,

I added config modifications you wrote but in kamailio logs errors apeared:

homer[12583]: ERROR: <script>: HEP VERSION 3 request from 10.42.101.245:54117
homer[12583]: ERROR: <script>: HEP CHUNK Source IP 10.42.101.245 request from 10.42.101.245:54117
homer[12582]: ERROR: <core> [core/parser/parse_fline.c:257]: parse_first_line(): parse_first_line: bad message (offset: 0)
homer[12582]: ERROR: <core> [core/parser/msg_parser.c:671]: parse_msg(): ERROR: parse_msg: message=<HEP3#003▒>

No records in  isup_capture_all_* table are inserted.

Could you help, please?

Regards.

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discus...@googlegroups.com.

[Markus]

Hi,

could you trace the HEP Pakets via Wireshark and check, that ss7 is included in HEP?

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Markus,

I captured packets received on Homer host on UDP/9060 port (kamailio is listening on 9060) but this is not what you want me to do I think..
How can I trace HEP packets in proper way?

Jarek

[Markus]

Hi,

you can capture the traffic to a pcap file with tcpdump or ngrep and then open it with

wireshark to check the content.

Best Regards

 markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Markus,

I downloaded hep.lua plugin to Wireshark and installed it into plugins directory to see HEP packets.
Next, I capture packets arriving to Homer host on port UDP/9060 and save it to a file. When I open this PCAP I can only see UDP datagrams.

[Lorenzo Mangani]

Hi Jarek,

Try to "decode as... " as protocol HEP and it should start decoding.

Kind Regards,

Lorenzo Mangani

Managing Director and Core Dev

QXIP BV - Capture Engineering

Amsterdam, The Netherlands

Desk: +31 20 8080468 / +1 202-632-7227

Mobile: +31 6 4603-2730

Email: in...@qxip.net

Find our more about HOMER, PCAPTURE, CAPTAGENT and all our Services and Solutions at http://qxip.net 

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or legally privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of this original message. 

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Krzysztof Drewicz]

for me problem was - receiving MTP frames, not M2PA/M3UA - if it helps

--

Krzysztof Drewicz

Senior Infrastructure Administrator 

E: kdrewicz@cludo.pl

T: +48 22 122 30 30 x415

Cludo Sp. z o.o. z siedzibą w Warszawie (03-840), ul. Grochowska 306/308

wpisana  do rejestru przedsiębiorców Krajowego Rejestru Sądowego 
prowadzonego przez Sąd Rejonowy dla m.st. Warszawy w Warszawie 
pod nr. KRS 0000421318, NIP 701-034-11-14

Facebook • LinkedIn

[Jarek Jarzebowski]

Thanks Lorenzo,

now HEP is decoded but it contains no ISUP messages.

The whole picture is:
- on host-1 - I have captagent installed and some PCAP files stored - PCAP contains ISUP messages
- on host-2 - Homer with Kamailio5 installed with ISUP enabled
- on host-1 - I run ./captagent -D ISUP.PCAP to send HEP to Homer on host-2
- CAP from UDP/9060 (mentioned above)  seems to doesn't contain ISUP messages

I am guessing captagent just not sends propper ISUP messages inside HEP.

My captagent config:

t# cat captagent.xml
<?xml version="1.0"?>
<document type="captagent/xml">
        <configuration name="core.conf" description="CORE Settings" serial="2014024212">
            <settings>
                <param name="debug" value="3"/>
                <param name="version" value="2"/>
                <param name="serial" value="2014056501"/>
                <param name="uuid" value="00781a4a-5b69-11e4-9522-bb79a8fcf0f3"/>
                <param name="daemon" value="false"/>
                <param name="syslog" value="false"/>
                <param name="pid_file" value="/var/run/captagent.pid"/>
                <!-- Configure using installation path if different from default -->
                <param name="module_path" value="/usr/local/captagent/lib/captagent/modules"/>
                <param name="config_path" value="/usr/local/captagent/etc/captagent/"/>
                <param name="capture_plans_path" value="/usr/local/captagent/etc/captagent/captureplans"/>
                <param name="backup" value="/usr/local/captagent/etc/captagent/backup"/>
                <param name="chroot" value="/usr/local/captagent/etc/captagent"/>
            </settings>
        </configuration>
        <configuration name="modules.conf" description="Modules">
            <modules>

                <load module="transport_hep" register="local"/>
                <load module="protocol_sip" register="local"/>
                <load module="database_hash" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <load module="socket_pcap" register="local"/>
                <load module="socket_raw" register="local"/>
                <load module="protocol_ss7" register="local"/>
                <load module="socket_rtcpxr" register="local"/>
        <!--
                <load module="socket_rtcpxr" register="local"/>
                <load module="socket_tzsp" register="local"/>
                <load module="protocol_ss7" register="local"/>
                <load module="protocol_tcp" register="local"/>
                <load module="transport_json" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <load module="interface_http" register="local"/>
                <load module="database_redis" register="local"/>
                <load module="socket_pfring" register="local"/>
            -->
            </modules>
        </configuration>
</document>

-----------------------------------------------------------------------------------------------------------------------

root@homer-client:/etc/captagent# cat socket_pcap.xml

<?xml version="1.0"?>
<document type="captagent_module/xml">
    <module name="socket_pcap" description="HEP Socket" serial="2014010402">

        <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="false"/>
                <param name="capture-plan" value="sip_capture_plan.cfg"/>
                <param name="filter">
                    <value>portrange 5060-5091</value>
                </param>
            </settings>
        </profile>
        <profile name="socketspcap_isup" description="HEP Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>

                <param name="reasm" value="true"/>
                <param name="ipv4fragments" value="true"/>
                <param name="ipv6fragments" value="true"/>
                <param name="proto-type" value="sip"/>
                <param name="capture-plan" value="isup_capture_plan.cfg"/>
                <param name="filter">
                   <value>sctp</value>
                </param>
            </settings>
        </profile>

        <profile name="socketspcap_rtcp" description="RTCP Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <!-- size in MB -->
                <param name="ring-buffer" value="20"/>
                <!-- for rtp && rtcp < 250 -->
                <param name="snap-len" value="256"/>
                <param name="capture-filter" value="rtcp"/>
                <param name="capture-plan" value="rtcp_capture_plan.cfg"/>
                <param name="filter">
                    <value>portrange 5060-50000 and len >=50 </value>

                </param>
            </settings>
        </profile>
    </module>
</document>

----------------------------------------------------------------------------------------------------------

root@homer-client:/etc/captagent/captureplans# cat isup_capture_plan.cfg

capture[pcap] {
        if (parse_isup()) {
                if(!send_hep("homer")) {
                        clog("ERROR", "ISUP: Error sending HEP!!!!");
                }
        }
        drop;
}

Maybe problem is somewhere in captagent config.

Regards,
--
Jarek

[Markus]

Hi ,

could you share one ss7 paket (wireshark screenshot) from host 1?

Maybe the protocoll stack is not fully supported.

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Is it enough?

[Markus]

Hi,

that looks okay for me

> - on host-1 - I run ./captagent -D ISUP.PCAP to send HEP to Homer on host-2

maybe captagent is using a default config insteed of yours? Could you force captagent

with -f to use yours.

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Markus,

I used captagent with -f <conf-file> and grabbed PCAP on the host where captagent was fired up, and HEP doesn't contain ISUP messages so it show that captagent is not filtering ISUPs at all.
That's my thoughts.

--
Jarek

[Jarek Jarzebowski]

Update:

I didn't noticed that:

<profile name="socketspcap_isup" description="HEP Socket" enable="false" serial="2014010402">

I changed enable="false" to "true" and now, captagent output shows::
WARNING: run_actions: null action list (rec_level=2)

ISUP mesgs are still not present in HEP.

--
Jarek

[Markus]

Just found in our config, that we have brackets arround sctp. Not sure if this matters, but please try

<value>(sctp)</value>

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Holger Freyther]

On Thursday, April 13, 2017 at 10:36:37 PM UTC+2, Jarek Jarzebowski wrote:

I changed enable="false" to "true" and now, captagent output shows::
WARNING: run_actions: null action list (rec_level=2)

ISUP mesgs are still not present in HEP.

Can you share/upload your PCAP file somewhere?  This most likely means that no action in your capture plan matched and nothing was executed? As I have seen MTP in your previous comment, do you use SIGTRAN or another encapsulation?

[Jarek Jarzebowski]

Adding brackets doesn't helped but output changed to:

WARNING: run_actions: null action list (rec_level=2)

[ERR] protocol_sip.c:378 sipPacket CALLID has 0 len
[ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]

WARNING: run_actions: null action list (rec_level=2)

[ERR] protocol_sip.c:378 sipPacket CALLID has 0 len
[ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]

[ERR] protocol_sip.c:378 sipPacket CALLID has 0 len
[ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]

[ERR] protocol_sip.c:378 sipPacket CALLID has 0 len
[ERR] protocol_sip.c:354 SIP PARSE ERROR [-1]

[ERR] protocol_sip.c:378 sipPacket CALLID has 0 le

[Jarek Jarzebowski]

Holger I can attach "Protocol Hierarchy" from Wireshark, maybe this will help to find out if some encapsulation is on.
This is live traffic CAPs so I would not like to publish them I hope you can understand me..
If there is other way I can check - I will sure do.

[Markus Monka]

What happens if you disable sip parsing?

Looks like csptagent trys to jump into a rule

to parse sip.

Best Regards

 Markus

[Jarek Jarzebowski]

I set:
<profile name="socketspcap_sip" description="HEP Socket" enable="false" serial="2014010402">

Captagent is not sending packets at all now.

Regards
--
Jarek

--
You received this message because you are subscribed to the Google Groups "Homer Capture Server. <a href="http://sipcapture.org" rel="nofollow" target="_blank" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Fsipcapture.org\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNEMPIey9XBdTWTUPIYOQyf6M62Z9A';return true;" onclick="this.href='http://www.google.com/url?

[Jarek Jarzebowski]

In Wireshark I set a filter to:
sctp and (sctp.port == 2905 or sctp.port == 2907)

and packet are filtered correctly so it looks like a captureagents' profile definition is not filtering in proper way.

[Jarek Jarzebowski]

I have some progress.
1. Running ./captagent -D while daemon is running in background is not a good idea ;-) Daemon probably catches all packets, so no configuratiion changes was commited.
2. captagent.xml: order of "load module" raws does matter - I moved "protocol_ss7" above "protocol_sip" and HEP messages start to flow but they don't contain ISUP info:

[Jarek Jarzebowski]

And moreover, captagent debug 10 shows in logs:
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] protocol_ss7.c:286 ISUP service indicator not ISUP but 1
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3

[Markus]

Hi,

we updated our github reporo and added the config for homer/ss7

https://github.com/sipgate/homer

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Holger Freyther]

On Friday, April 14, 2017 at 11:35:15 PM UTC+2, Jarek Jarzebowski wrote:

"Protocol Unknown" is because you are using M2PA encapsulation and it is a recent addition. 

[Holger Freyther]

On Friday, April 14, 2017 at 11:36:20 PM UTC+2, Jarek Jarzebowski wrote:

And moreover, captagent debug 10 shows in logs:
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] protocol_ss7.c:286 ISUP service indicator not ISUP but 1
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3
Apr 14 23:23:46 homer-client captagent[2385]: [DEBUG] sctp_support.c:75 sctp: chunk type ignored 3

chunk type == 3.. is SACK and doesn't contain data. It is a debug log to see if something is not parsed that should be parsed.

MTP L3 SI type 1 is not ISUP so it is not parsed either. So nothing wrong with these debug outputs.

 

[Holger Freyther]

On Monday, April 24, 2017 at 10:09:42 AM UTC+2, Markus wrote:

Hi,

we updated our github reporo and added the config for homer/ss7

https://github.com/sipgate/homer

Thank you! The config files look like they should work. :) 

[Jarek Jarzebowski]

So if I am correct I should update captagent and retest?

[Holger Freyther]

On Monday, April 24, 2017 at 3:18:09 PM UTC+2, Jarek Jarzebowski wrote:

So if I am correct I should update captagent and retest?

There was no ISUP specific update. I am sorry you are having such a trouble with the captagent. So from the configs published by sipgate you will need:

* load the ss7 protocol as you can see in the config

* Select the right ports/protocol to capture

* Use captureplan to send out data

Not sure how we provide more on-line assistance.

[Jarek Jarzebowski]

Thank you Holger for your time and help.
I must have a bad luck or something.. I set up fresh Debian 8 install with the latest captagent installed and can not start it up:

root@homer-client-2:/etc/captagent# /usr/local/captagent/sbin/captagent -D /usr/local/captagent/etc/captagent/captagent.xml
[NOTICE] Loaded core config
[ERR] socket_pcap.c:614 socket_pcap: Failed to open packet sniffer on /usr/local/captagent/etc/captagent/captagent.xml: pcap_open_offline(): unknown file format
Segmentation fault

[Lorenzo Mangani]

What configuration are you using for the socket?

Kind Regards,

Lorenzo Mangani

Managing Director and Core Dev

QXIP BV - Capture Engineering

Amsterdam, The Netherlands

Desk: +31 20 8080468 / +1 202-632-7227

Mobile: +31 6 4603-2730

Email: in...@qxip.net

Find our more about HOMER, PCAPTURE, CAPTAGENT and all our Services and Solutions at http://qxip.net 

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or legally privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of this original message. 

--

You received this message because you are subscribed to the Google Groups "Homer Capture Server. sipcapture.org" group.

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Alexandr Dubovikov]

Why you start it with -D ? the config file flag is -f . 

-D is read pcap file...

--

You received this message because you are subscribed to the Google Groups "Homer Capture Server. sipcapture.org" group.

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Good point.. -f fixed the launch problem.
Thank you.

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discus...@googlegroups.com.

[Jarek Jarzebowski]

So there is no solution to M2PA encapsulaton issue for me at the moment?

[Markus]

Hi,

the protocoll_ss7 modul should extract ISUP signalling encapsulated inside m2pa or m2ua.

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Maybe I make some mistake in config or my PCAPs are wrong but can not get it to work.
Have you got some example ISUP PCAP working with captagent?

Regards
--
Jarek

[Holger Freyther]

On Tuesday, April 25, 2017 at 3:42:01 PM UTC+2, Jarek Jarzebowski wrote:

Maybe I make some mistake in config or my PCAPs are wrong but can not get it to work.
Have you got some example ISUP PCAP working with captagent?

 I have updated the hep-wireshark lua plugin to display/decode M2PA. For M2UA a change in wireshark is needed. But you have already seen M2PA messages being forwarded, you should be able to see if these are ISUP now. Just verify that this stell happens. Both changes are not merged yet but available as pull request.

The second question is what arrives at your kamailio? Can you verify that HEP for M2PA is arriving threre?

[Jarek Jarzebowski]

Holger, all PCAPs I sent to you and the group was captured on captagent host so it shows what was sent.
I didn't take a look on what Kamailio received - only I saw the isup_* tables are empty while sip_* tables are filled with SIP info.

I will try too pull changes you mentioned and will give a feedback.

Thanks.

[Jarek Jarzebowski]

I have patched hep.lua and I can see Protocol Type = M2UA in HEP instead of Protocol Unknown but LUE Error apears:



Regards
--
Jarek

[Holger Freyther]

On Thursday, April 27, 2017 at 12:03:00 AM UTC+2, Jarek Jarzebowski wrote:

I have patched hep.lua and I can see Protocol Type = M2UA in HEP instead of Protocol Unknown but LUE Error apears:

Sure. The patch in wireshark to export the "m2ua" dissector was only merged yesterday. But you had M2PA as well, this should be decodable right now. Can you see ISUP being forwarded? But most likely your issue is not with captagent but how/if kamailio is importing your data. Sipgate included kamailio.cfg that looked reasonable complete as well.

If you have an existing capture setup then one required change stands out:

modparam("sipcapture", "nonsip_hook", 1)

This enables receiving HEP through the Hook. This hook will detect M2PA/M2UA hep payload.

[Jarek Jarzebowski]

Guys, eventualy, I can see in kamailio logs HEP Request is arriving.. but some SQL errors apeared:

Apr 27 14:00:32 homer-isup homer[1601]: ERROR: <script>: HEP Request!
Apr 27 14:00:32 homer-isup homer[1601]: ERROR: <script>: received sipcapture request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1601]: ERROR: <script>: HEP VERSION 3 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1601]: ERROR: <script>: HEP CHUNK Source IP 10.42.101.244 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1601]: ERROR: <script>: HEP Mark=0 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: HEP ISUP: src_ip: '10.42.116.11' dst_ip: '10.42.116.15' src_port: 2907 dst_port: 2905
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: db_mysql [km_dbase.c:128]: db_mysql_submit_query(): driver error on query: Table 'homer_statistic.isup_capture_all_20170427' doesn't exist (1146)
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <core> [db_query.c:181]: db_do_raw_query(): error while submitting query
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: sqlops [sql_api.c:265]: sql_do_query(): cannot do the query [INSERT INTO isup_capture_all_201]
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <core> [core/parser/parse_fline.c:257]: parse_first_line(): parse_first_line: bad message (offset: 0)
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <core> [core/parser/msg_parser.c:671]: parse_msg(): ERROR: parse_msg: message=<HEP3#003<BA>>
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: HEP Request!
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: received sipcapture request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: HEP VERSION 3 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: HEP CHUNK Source IP 10.42.101.244 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1600]: ERROR: <script>: HEP Mark=0 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP Mark=1 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP ISUP store to DB 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP ISUP: src_ip: '10.42.116.13' dst_ip: '10.42.116.11' src_port: 2905 dst_port: 2905
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: db_mysql [km_dbase.c:128]: db_mysql_submit_query(): driver error on query: Table 'homer_statistic.isup_capture_all_20170427' doesn't exist (1146)
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <core> [db_query.c:181]: db_do_raw_query(): error while submitting query
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: sqlops [sql_api.c:265]: sql_do_query(): cannot do the query [INSERT INTO isup_capture_all_201]
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <core> [core/parser/parse_fline.c:257]: parse_first_line(): parse_first_line: bad message (offset: 0)
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <core> [core/parser/msg_parser.c:671]: parse_msg(): ERROR: parse_msg: message=<HEP3#002t>
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP Request!
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: received sipcapture request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP VERSION 3 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP CHUNK Source IP 10.42.101.244 request from 10.42.101.244:56211
Apr 27 14:00:32 homer-isup homer[1598]: ERROR: <script>: HEP Mark=0 10.42.101.244:56211

It seems kamailio tries to put data in wrong database.

[Markus]

Hi,

yes. Please create table or share your config.

Best Regards

 Markus

--

You received this message because you are subscribed to the Google Groups "Homer Capture Server. sipcapture.org" group.

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Hi,

table is present in MySQL but in homer_data DB not homer_statistics.
You can check all in atached files.

Regards
--
Jarek

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discus...@googlegroups.com.

[Markus]

Hi,

you need something like this for sqlops:

modparam("sqlops","sqlcon","is=>mysql://HOMER_DB_USER:HOMER_DB_PASSWORD@HOMER_LISTEN_IF/homer_data")

and then

 sql_query("is", "INSERT INTO $var(table) ....
                  ^^^

sqlops needs a handler for the query.

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Thanks Markus - now isup_* table is filled with data.
However in Homer GUI I can not find ISUP dialogs,
"Search isup" button seems to be disabled..

Regards
--
Jarek

[Jarek Jarzebowski]

I started to search in GUI source files if there is some place to enable isup search and found  api/RestApi/Search.php and switch false to true:

    206                 /* default transaction */
    207                 if(!$trans['call'] && !$trans['registration'] && !$trans['rest'] && !$trans['isup'] && !$trans['webrtc']) {
    208                         $trans['rest'] = true;
    209                         $trans['registration'] = true;
    210                         $trans['call'] = true;
    211                         $trans['isup'] = true;
    212                         $trans['webrtc'] = false;

but still can't see isup in GUI.

[Markus]

Hi,

you have to activate the "STP" Option in Homer/Settings/Alias for the host,

where the captagent is running.

This discription is a bit confusing. The best is, to delete the Alias-Host

and create it new.

After that, you should see a "search isup" button which is enabled.

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Hi,

I reverted modification of Search.php, remove Alias and add new Alias with STP option activated but still "search isup" button is not active.
Shouldn't ISUP be visible in Transaction frame on Search form?

Regards
--
Jarek

[Markus]

Hi,

do you also capture sip messages on this node?

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.

[Jarek Jarzebowski]

Yes, sure - and SIP messages and dialogs are visible in GUI.

Regards
--
Jarek

[Markus]

Could you check the time settings?

Please compare isup and sip messages in DB and check timestamp.

Check the following setting:

modparam("db_mysql", "server_timezone", 1)

http://git.kamailio.org/gitlist/index.php/kamailio/commit/5612f7d6e500718e930754ee3055960b808db8c2

Best Regards

 Markus

To unsubscribe from this group and stop receiving emails from it, send an email to homer-discuss+unsubscribe@googlegroups.com.