-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VoIP decoder #93
VoIP decoder #93
Conversation
Very nice! Handling VoIP traffic in Dshell would be very useful, and this seems like a good starting point. The decoders seem to be working with the traffic samples I threw at them. Some of my thoughts: rtp.py
sip.py
General
In short, the idea is great! It just needs some cleaning up before we can outright accept the pull request. |
Thank you for the tips! very useful. I think this can be a first approach to start to create more decoders, I will try h323 also. rtp.py
[+] Done
[-] I tried but I have some samples using Linux Cooked Capture instead ethernet and was the only way to handle. For packets using Linux Cooked Capture I received the next error when was trying to set any filter like ip or udp: Traceback (most recent call last):
[-] Do you mean different type of output defined in parameters
[+] Done
[+] Done sip.py
[+] Done
[-] I tried but I have some samples using Linux Cooked Capture instead ethernet and was the only way to handle. For packets using Linux Cooked Capture I received the next error when was trying to set any filter like ip or udp: Traceback (most recent call last):
[+] Done
[+] Done
[+] Great idea, I will try!
[+] Done
[+] Done |
Thanks! Appreciate the quick response. The changes look good.
We have a flag to help with that. By default, decode.py adds a VLAN wrapper around the Berkeley packet filter (BPF) in use. For cooked capture, that causes issues. If you call decode.py with the --no-vlan flag, it skips over that logic and should run properly (line). Also, you can explicitly tell Dshell which dpkt module to use with --layer2. Point it to the module to use, like 'ethernet.Ethernet' or 'sll.SLL', and it will automatically attach it to 'dpkt.' and import the module (line). Here's an example with an old sample capture I have that is also a cooked capture:
There are several different types of decoders you can write, but I unofficially keep them straight in my head by referring to them as packet-based decoders and connection-based decoders. The packet-based decoders (e.g. Decoder, IPDecoder) look at packets individually. Connection-based decoders (e.g. TCPDecoder, HTTPDecoder) attempt to reassemble the connections into unified streams; it does not necessarily look at the packets individually, but the stream as a whole. I'm not sure which would work best for these protocols (I don't know much about them, personally). My main worry is that, when alerting on individual packets, the decoder can get very noisy. For small traffic samples, it may not seem like much, but it can be overwhelming at professional scales. On the other hand, if the decoders are just looking for the initial requests and responses, it might not be too bad. It might just be a situation where we see how it goes, and make updates as needed. Judgment call? p.s. socket.inet_ntoa only works for IPv4. For IPv6, you will need socket.inet_ntop. Dshell handles that internally, but you have to keep that in mind when handling IPs manually. That tripped me up several times, too. |
Thank you for the tips, I have re-write the decoders using the UDPDecoder, for sip decoder I tried to write using a connection-based decoder but SIP is a text-based protocol with syntax similar to that of HTTP, so you can use the followstream decoder: decode -d followstream --ebpf 'port 5060' --bpf 'udp' Any help will be appreciated |
rtp.py Looking good! The first time I read through it, I wondered why you needed to handle LookupError exceptions. It made me realize that Dshell does not parse out the MAC address from cooked capture (as far as I can tell, SLL only captures one address per packet). I will try and get that updated in the core library sometime this week. I don't think you need to use as many self. variables in the handler function. The smac and dmac will probably change with each packet, so storing it as a class attribute is probably overkill. Also, I don't think sip.py This one is very nice. I like the use of colorout. It makes it much easier to separate the requests and responses at a glance. Aside from the same comments about LookupError exceptions and self. variables, this decoder should be okay, too. I will try to push an update to Dshell soon to handle SLL MAC addresses. I think I will store the one I get in the 'smac' key. |
Great, yes I was checking that the MACs for my SLL packet were not correct 👍 Thank you for the help, I will wait an update and I will update the decoders. My TODO: make another decoder for H323, it will be more complicated because h323 has not a packet handle and use h245 and h225. |
Thanks for the update, it works but I have seen some packets without smac also, check Linux cooked capture section in the next example, it could be possible to send smac as None if doesn exist? Frame 32: 1363 bytes on wire (10904 bits), 1363 bytes captured (10904 bits) |
Updated decoders |
Okay, everything seems to work as expected and looks good! Once I get the proper approvals from the rest of the team, I'll accept the pull request. |
Cool, thank you for all the help, and I will try to contribute with more decoders. I would like to try h323 (h245, h225, Q.931) and codecs (melpe, g711, etc) or secure protocols. |
Thanks for your patience. This pull request is approved. Thanks for your contribution! |
SIP and RTP decoders