Troubleshooting OpenSIPS encrypted SIP traffic

Sometimes we need a quick way to troubleshoot encrypted SIP traffic. TLS-protected SIP cannot be read off the wire, so the idea is to have OpenSIPS itself mirror the messages it handles to a capture tool over HEP. Homer is great for this, but if it is not set up yet, here is how to do it with sngrep.

Setting up sngrep

We will configure sngrep to accept and decode HEP/EEP version 3 packets. To do so, we create a configuration file for sngrep:

cat <<EOF >> ~/.sngreprc
set eep.listen on
set eep.listen.version 3
set eep.listen.address 127.0.0.1
set eep.listen.port 5065
EOF

Note1: replace lo, 127.0.0.1 and 5065 with the network interface, IP and port that matches your local setup.

Note2: sngrep can run on a different machine than opensips (example: use the local interface eth0 and the local IP 10.10.10.10 as the capture device and the listening address).

Setting up opensips

The next step is to configure opensips as a HEP/EEP capture agent. For this we define a HEP socket and load the following modules:

socket=hep_udp:127.0.0.1:6060 use_workers 1
...
loadmodule "proto_hep.so"
  modparam("proto_hep", "hep_id", "[sngrep_hep_id] 127.0.0.1:5065; transport=udp; version=3" )
loadmodule "tracer.so"
  modparam("tracer", "trace_on", 0)
  modparam("tracer", "trace_id", "[sngrep_trace_id]uri=hep:sngrep_hep_id")

Note: The IP, port and version in the proto_hep “hep_id” module parameter must match the IP, port and version in the sngrep config file.

At the beginning of the main route we trace all transactions:

route {
  if (!has_totag()) {
    if (is_method("INVITE")) {
      # Dialog-level tracing: needed so that the outgoing ACK is traced too
      trace("sngrep_trace_id", "d", "sip");
    }
  }
  else {
    match_dialog();
  }
  if (!is_method("INVITE,ACK,BYE,PRACK")) {
    # Requests that are not part of an established dialog are traced per transaction
    trace("sngrep_trace_id", "t", "sip");
  }
  trace("sngrep_trace_id", "t", "sip");
  ...
}

If we also want to trace locally generated requests, we set up tracing in the local_route route (and a reply route for their responses):

onreply_route[local_route_reply_handle] {
  trace("sngrep_trace_id", "m", "sip");
}
local_route {
  trace("sngrep_trace_id", "m", "sip");
  t_on_reply("local_route_reply_handle");
  ...
}

With the above snippet, the OPTIONS pings generated by the drouting module are traced as well.

Capturing

Start opensips:

sudo systemctl start opensips

Enable tracing, start sngrep with dialog rotation, and disable tracing again once sngrep exits:

opensips-cli -x mi trace mode=on
opensips-cli -x mi trace mode=on id=sngrep_hep_id
sudo sngrep -l 4000 -R -Ludp:127.0.0.1:5065 port 5065
opensips-cli -x mi trace mode=off id=sngrep_hep_id
opensips-cli -x mi trace mode=off

The same, with OPTIONS and REGISTER requests filtered out of the sngrep view:

opensips-cli -x mi trace mode=on
opensips-cli -x mi trace mode=on id=sngrep_hep_id
sudo sngrep -l 4000 -R -Ludp:127.0.0.1:5065 -v "OPTIONS\ sip|REGISTER\ sip" port 5065
opensips-cli -x mi trace mode=off id=sngrep_hep_id
opensips-cli -x mi trace mode=off

Enjoy visualising SIP message flows in real time! Starting from this initial setup, more complex tracing scenarios can be built.

Note1: ACKs belonging to a transaction that leave OpenSIPS are not traced unless dialog tracing is enabled.

Note2: Locally generated requests are reported without the proper destination IP and port.

Note3: sngrep cannot export packets received in HEP/EEP format to pcap.
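When the flow shown by sngrep looks wrong (for example the destination IP and port of a locally generated request from Note2), it helps to look at what proto_hep actually sends to 127.0.0.1:5065 before suspecting the display. The following added example (my own code, not from the original post, OpenSIPS or sngrep) is a minimal HEPv3 encoder and decoder in Python: the chunk ids are the generic vendor-0 ones from the HEP v3 specification, and the sample datagram is constructed, not captured; feed parse_hep3() the bytes read from a UDP socket bound to the listening port to inspect real traffic.

```python
import socket
import struct

DECODERS = {  # HEPv3 generic chunks (vendor id 0) used for SIP captures: type -> (name, decoder)
    0x0001: ("ip_family", lambda d: d[0]),                     # 2 = AF_INET
    0x0002: ("ip_proto", lambda d: d[0]),                      # 17 = UDP, 6 = TCP/TLS
    0x0003: ("src_ip4", socket.inet_ntoa),
    0x0004: ("dst_ip4", socket.inet_ntoa),
    0x0007: ("src_port", lambda d: struct.unpack("!H", d)[0]),
    0x0008: ("dst_port", lambda d: struct.unpack("!H", d)[0]),
    0x000B: ("proto_type", lambda d: d[0]),                    # 1 = SIP
    0x000F: ("payload", lambda d: d.decode("utf-8", "replace")),
}

def chunk(type_id, data, vendor=0):
    """One HEPv3 chunk: vendor(2) type(2) length(2, header included) data."""
    return struct.pack("!HHH", vendor, type_id, 6 + len(data)) + data

def build_hep3(src_ip, src_port, dst_ip, dst_port, sip_msg):
    """Encode a SIP message as a HEPv3 datagram (constructed sample, not OpenSIPS output)."""
    body = b"".join([
        chunk(0x0001, b"\x02"), chunk(0x0002, b"\x11"),                       # AF_INET, UDP
        chunk(0x0003, socket.inet_aton(src_ip)), chunk(0x0004, socket.inet_aton(dst_ip)),
        chunk(0x0007, struct.pack("!H", src_port)), chunk(0x0008, struct.pack("!H", dst_port)),
        chunk(0x000B, b"\x01"), chunk(0x000F, sip_msg),                       # SIP payload
    ])
    return b"HEP3" + struct.pack("!H", 6 + len(body)) + body

def parse_hep3(packet):
    """Decode one HEPv3 datagram into a dict; rejects bad magic, length or chunk bounds."""
    if len(packet) < 6 or packet[:4] != b"HEP3":
        raise ValueError("not a HEPv3 packet")
    total = struct.unpack("!H", packet[4:6])[0]
    if total != len(packet):
        raise ValueError("length field %d != datagram size %d" % (total, len(packet)))
    out, pos = {}, 6
    while pos < total:
        if pos + 6 > total:
            raise ValueError("truncated chunk header at offset %d" % pos)
        vendor, type_id, length = struct.unpack("!HHH", packet[pos:pos + 6])
        if length < 6 or pos + length > total:
            raise ValueError("bad chunk length %d at offset %d" % (length, pos))
        data = packet[pos + 6:pos + length]
        name, decode = DECODERS.get(type_id, ("unknown_%04x" % type_id, bytes))
        out[name] = decode(data) if vendor == 0 else data  # vendor-specific chunks kept raw
        pos += length
    return out

# Constructed sample: an OPTIONS ping as proto_hep would mirror it to sngrep on 127.0.0.1:5065.
SAMPLE = build_hep3("10.10.10.10", 5060, "10.10.10.20", 5060,
                    b"OPTIONS sip:10.10.10.20 SIP/2.0\r\nCSeq: 1 OPTIONS\r\n\r\n")
```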
