Troubleshooting Kamailio encrypted SIP traffic

Sometimes we need a quick way to troubleshoot encrypted SIP traffic. Using Homer is great, but if it is not set up yet, here is how we can do it with sngrep.

Setting up sngrep

We will configure sngrep to accept and decode HEP/EEP version 2 packets (HEP/EEP version 3 packets work only with sngrep 1.4.7 and above). For this, we will create a configuration file for sngrep:

cat <<EOF >> ~/.sngrephep2rc
set capture.device eth0
set eep.listen on
set eep.listen.version 2
set eep.listen.address 10.10.10.10
set eep.listen.port 5065
EOF

Note 1: replace eth0, 10.10.10.10 and 5065 with the network interface, IP and port that match your local setup.

Note 2: sngrep can run on the same machine as kamailio (use lo and 127.0.0.1 as the capture device and the listening address) or on a different machine.

Setting up kamailio (easy way)

The next step is to configure kamailio as an HEP/EEP capture agent. For this we will load the siptrace module:

loadmodule "siptrace.so"
modparam("siptrace", "trace_mode", 0)
modparam("siptrace", "trace_to_database", 0)
modparam("siptrace", "trace_on", 1)
modparam("siptrace", "duplicate_uri", "sip:10.10.10.10:5065")
modparam("siptrace", "hep_mode_on", 1)
modparam("siptrace", "hep_version", 2)
modparam("siptrace", "hep_capture_id", 1)

Note: The IP and port in the “duplicate_uri” siptrace module parameter must match the IP and port in the sngrep config file. The version number in the “hep_version” siptrace module parameter must match the version in the sngrep config file.

At the beginning of the main request_route we trace all transactions:

request_route {
  sip_trace_mode("t");
  ...
}

We also want to trace relayed ACKs, and we do that in the onsend_route:

onsend_route {
  if (is_method("ACK")) {
    sip_trace();
  }
}

If we want to trace locally generated requests, we set up tracing in the tm:local-request route:

onreply_route[local_request] {
  sip_trace();
}
event_route[tm:local-request] {
  t_on_reply("local_request");
  sip_trace();
}

With the above code snippet, we can trace OPTIONS pings generated by the dispatcher module.

Setting up kamailio (easiest way)

Alternatively, configure kamailio as an HEP/EEP capture agent with the siptrace module in automatic mode: with trace_mode set to 1, siptrace traces all traffic by itself and no sip_trace() calls are needed in the routing script.

loadmodule "siptrace.so"
modparam("siptrace", "trace_mode", 1)
modparam("siptrace", "trace_to_database", 0)
modparam("siptrace", "trace_on", 1)
modparam("siptrace", "duplicate_uri", "sip:10.10.10.10:5065")
modparam("siptrace", "hep_mode_on", 1)
modparam("siptrace", "hep_version", 2)
modparam("siptrace", "hep_capture_id", 1)

Note: The IP and port in the “duplicate_uri” siptrace module parameter must match the IP and port in the sngrep config file. The version number in the “hep_version” siptrace module parameter must match the version in the sngrep config file.
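Both notes above (for the easy and the easiest way) say the same thing: the address and port in siptrace's "duplicate_uri" and the version in "hep_version" must match what sngrep listens on, and a mismatch means an empty sngrep screen with no error on either side. The following checker, added here as an example and not part of the original post or of the kamailio/sngrep projects, parses the two configuration snippets from this page (embedded below as constructed sample input) and reports every pairing problem it finds. The function and regex names are this example's own; the siptrace parameter names and sngrep settings are the ones used in the post.

```python
import re

# Constructed sample input: the sngrep rc file from this post.
SNGREP_RC = """\
set capture.device eth0
set eep.listen on
set eep.listen.version 2
set eep.listen.address 10.10.10.10
set eep.listen.port 5065
"""

# Constructed sample input: the siptrace block from this post ("easy way").
KAMAILIO_CFG = """\
loadmodule "siptrace.so"
modparam("siptrace", "trace_mode", 0)
modparam("siptrace", "trace_to_database", 0)
modparam("siptrace", "trace_on", 1)
modparam("siptrace", "duplicate_uri", "sip:10.10.10.10:5065")
modparam("siptrace", "hep_mode_on", 1)
modparam("siptrace", "hep_version", 2)
modparam("siptrace", "hep_capture_id", 1)
"""

# "set <key> <value>" lines of an sngrep rc file.
SNGREP_SET = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")
# modparam("siptrace", "<name>", <value>) with a quoted or bare value.
MODPARAM = re.compile(r'^\s*modparam\("siptrace",\s*"(\w+)",\s*("?)([^"\)]*)\2\)')
# sip:host[:port] with an optional bracketed IPv6 host; params after ';' are ignored.
DUP_URI = re.compile(r"^sip:(?:\[([^\]]+)\]|([^:;]+))(?::(\d+))?")


def parse_sngrep_rc(text):
    """Return {setting: value} for every 'set' line in an sngrep rc file."""
    settings = {}
    for line in text.splitlines():
        m = SNGREP_SET.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_siptrace_params(text):
    """Return {param: value} for every siptrace modparam line (values as strings)."""
    params = {}
    for line in text.splitlines():
        m = MODPARAM.match(line)
        if m:
            params[m.group(1)] = m.group(3)
    return params


def split_duplicate_uri(uri):
    """Split a duplicate_uri into (host, port); port defaults to SIP's 5060."""
    m = DUP_URI.match(uri)
    if not m:
        raise ValueError(f"unparseable duplicate_uri: {uri!r}")
    host = m.group(1) or m.group(2)
    port = m.group(3) or "5060"
    return host, port


def check_hep_pairing(sngrep_text, kamailio_text):
    """Return a list of human-readable mismatches; an empty list means the pair is consistent."""
    problems = []
    s = parse_sngrep_rc(sngrep_text)
    k = parse_siptrace_params(kamailio_text)

    if s.get("eep.listen") != "on":
        problems.append("sngrep: eep.listen is not 'on'")
    if k.get("hep_mode_on") != "1":
        problems.append("kamailio: hep_mode_on is not 1, siptrace would send plain SIP, not HEP")
    if k.get("trace_on") != "1":
        problems.append("kamailio: trace_on is not 1, nothing will be traced")

    if "duplicate_uri" not in k:
        problems.append("kamailio: duplicate_uri is not set")
    else:
        host, port = split_duplicate_uri(k["duplicate_uri"])
        if host != s.get("eep.listen.address"):
            problems.append(f"address mismatch: kamailio sends to {host}, "
                            f"sngrep listens on {s.get('eep.listen.address')}")
        if port != s.get("eep.listen.port"):
            problems.append(f"port mismatch: kamailio sends to port {port}, "
                            f"sngrep listens on port {s.get('eep.listen.port')}")

    if k.get("hep_version") != s.get("eep.listen.version"):
        problems.append(f"hep_version mismatch: kamailio {k.get('hep_version')}, "
                        f"sngrep eep.listen.version {s.get('eep.listen.version')}")
    return problems


if __name__ == "__main__":
    found = check_hep_pairing(SNGREP_RC, KAMAILIO_CFG)
    print("OK: configs match" if not found else "\n".join(found))
```

Run it against your real ~/.sngrephep2rc and kamailio.cfg by reading those files into the two text arguments; the check is a pure string comparison, so it also catches the easy-to-miss case where sngrep was started with an older rc file after duplicate_uri was changed.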

Capturing

Start sngrep:

sudo sngrep -f ~/.sngrephep2rc

Start kamailio:

kamctl start

Enjoy visualising SIP message flows in real time! Based on one of these initial setups, more complex tracing scenarios can be implemented.

Note: sngrep is not able to export packets captured in HEP/EEP format to pcap.
