This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

voip tshark capture


Hello guys,

I need to capture VoIP calls from Asterisk with the tshark command and save them to a file so that I can later listen to the calls, like Telephony -> VoIP Calls does.

Is it possible to do this task with tshark, without the Wireshark GUI installed?

Thanks in advance

asked 13 Aug '15, 20:04

luis_filipe
accept rate: 0%


2 Answers:


You can use tcpdump, for example :)

Try this init.d script. But first make these changes:

  • eth1 (network interface)
  • tcp portrange 1720-1725 or udp portrange 5060-5065 (signaling port range of your server)
  • tcp portrange 1720-1725 or udp portrange (5060-5065 or 10000-29999) (signaling and media/RTP port range of your server)

What this script does:

  1. Checks whether the script is already running; if yes, it stops.
  2. Creates a subfolder in DUMPDIR if it does not exist; the folder name is YearMonthDay, e.g. 20150814.
  3. Logs continuously to pcap for as long as the script is running. The logs are split into one-hour files named dump_Year-Month-Day_HourMinuteSecond, e.g. dump_2015-08-14_102201.
  4. Compresses each file with gzip once it is finished.
  5. Creates separate logs for signaling only and for signaling+media data.

#!/bin/bash
# init.d script: continuous VoIP capture with tcpdump, rotated hourly and gzipped.
# To cut a piece out of a finished dump afterwards, use:
#   tcpdump -n -vvv SOME_FILTER -r ./SOME.pcap -w RESULT_FILE.pcap

test -x /usr/sbin/tcpdump || exit 0

PIDDUMP=/var/run/tcpdump_dump.pid
PIDSIG=/var/run/tcpdump_sig.pid
RETVAL=0

start() {
    RETVAL=0
    TODAY=$(date +%Y%m%d)
    DUMPDIR="/home/myuser/DUMP/${TODAY}"

    if [ -f "$PIDDUMP" ]; then
        echo "PID DUMP exists, stop it first"
        RETVAL=1
    fi

    if [ -f "$PIDSIG" ]; then
        echo "PID SIG exists, stop it first"
        RETVAL=1
    fi

    if [ $RETVAL -eq 0 ]; then
        if [ ! -d "$DUMPDIR" ]; then
            mkdir -p "$DUMPDIR"
        fi

        echo "Starting tcpdump"

        # Signaling only: H.323 (TCP 1720-1725) and SIP (UDP 5060-5065).
        # -s0 captures full packets, -G 3600 starts a new file every hour,
        # -z gzip compresses each file once tcpdump has finished writing it.
        # Options go before the filter expression so they parse on every platform.
        /usr/sbin/tcpdump -s0 -i eth1 -G 3600 -w "${DUMPDIR}/sign_%Y-%m-%d_%H%M%S.pcap" -z gzip \
            'tcp portrange 1720-1725 or udp portrange 5060-5065' &
        echo $! > "$PIDSIG"

        # Signaling plus RTP media (UDP 10000-29999).
        /usr/sbin/tcpdump -s0 -i eth1 -G 3600 -w "${DUMPDIR}/dump_%Y-%m-%d_%H%M%S.pcap" -z gzip \
            'tcp portrange 1720-1725 or udp portrange (5060-5065 or 10000-29999)' &
        echo $! > "$PIDDUMP"
    fi

    # return, not exit, so that restart can continue after start
    return $RETVAL
}

stop() {
    RETVAL=0
    echo "Stopping tcpdump"

    if [ -f "$PIDDUMP" ]; then
        kill "$(cat "$PIDDUMP")"
        rm -f "$PIDDUMP"
    else
        echo "PID DUMP does not exist"
    fi

    if [ -f "$PIDSIG" ]; then
        kill "$(cat "$PIDSIG")"
        rm -f "$PIDSIG"
    else
        echo "PID SIG does not exist"
    fi

    return $RETVAL
}

restart() {
    stop
    start
    RETVAL=$?
    return $RETVAL
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        RETVAL=1
        ;;
esac

exit $RETVAL

answered 14 Aug ‘15, 00:31

Sindar
accept rate: 0%

Thanks for the script, but my question was about tshark, not tcpdump, ok?

I cannot install anything on the server and only have tshark available, understand?

(14 Aug ‘15, 05:12) luis_filipe


Capture yes, extracting the VoIP calls no. For capture you should probably use the dumpcap utility instead of tshark (if you have tshark and you can capture, then you have that already installed). You could even convert the script given in another answer to use dumpcap.

answered 14 Aug '15, 06:19

Jaap ♦
accept rate: 14%
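Jaap's suggestion worked out as an added example (not code from either answer): dumpcap has no -G/-z, so rotation uses its ring buffer and a separate helper does the gzip step. The interface, port ranges and paths are the placeholders from the tcpdump answer, assumed here rather than taken from any real server.

```shell
#!/bin/sh
# Added example: the tcpdump init.d capture redone with dumpcap.
# Assumed values (same placeholders as the tcpdump answer): eth1,
# H.323 on TCP 1720-1725, SIP on UDP 5060-5065, RTP on UDP 10000-29999.
IFACE="${IFACE:-eth1}"
DUMPDIR="${DUMPDIR:-/home/myuser/DUMP}"
PIDFILE="${PIDFILE:-/var/run/dumpcap_voip.pid}"

# BPF capture filter for signaling plus RTP media; dumpcap -f takes the
# same syntax as tcpdump, so the filter carries over unchanged.
voip_filter() {
    printf '%s' 'tcp portrange 1720-1725 or udp portrange (5060-5065 or 10000-29999)'
}

# The "already running? then refuse to start" check of the init.d script,
# made stricter: the pid in the file must also name a live process.
already_running() {
    [ -f "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# Start one hourly-rotating capture into today's folder. dumpcap has no
# -G/-z; -b duration:3600 rotates, and it inserts a sequence number and
# timestamp into the -w name (dump_00001_20150814102201.pcap).
start_capture() {
    outdir="${DUMPDIR}/$(date +%Y%m%d)"
    if already_running "$PIDFILE"; then
        echo "dumpcap already running, stop it first"
        return 1
    fi
    mkdir -p "$outdir"
    # -s 0: full packets; -P: classic pcap format instead of pcapng
    dumpcap -i "$IFACE" -s 0 -P -f "$(voip_filter)" \
        -b duration:3600 -w "${outdir}/dump.pcap" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

stop_capture() {
    already_running "$PIDFILE" || return 1
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# Replacement for tcpdump -z gzip: compress every rotated file in the day
# folder except the newest one, which dumpcap is still writing to.
compress_finished() {
    ls -t "$1"/*.pcap 2>/dev/null | tail -n +2 | while read -r f; do
        gzip "$f"
    done
}
```

Run compress_finished from cron against the current day folder; the filter string is the only part that has to match your own server's port ranges.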