Captagent does not capture traffic destined for the ipsec tunnel #256

Closed
Nikolaytk87 opened this issue Feb 9, 2023 · 1 comment

@Nikolaytk87

Hi,
We brought up an IPsec tunnel to the ISP, and a strange problem occurred.
Traffic that arrives from the provider through the IPsec tunnel at the server where captagent is installed is captured successfully, but traffic in the opposite direction, from the server to the provider, is not seen by captagent.

What can be the problem?

Here are the configs, captagent.xml and socket_pcap.xml:

cat captagent.xml

<?xml version="1.0"?>
<!-- Core captagent configuration as posted in the issue: a "core.conf" section with
     process-level settings and a "modules.conf" section listing the modules to load. -->
<document type="captagent/xml">
        <configuration name="core.conf" description="CORE Settings" serial="2014024212">
            <settings>
                <param name="debug" value="3"/>
                <param name="version" value="2"/>
                <param name="serial" value="2014056501"/>
                <!-- NOTE(review): if this uuid is the one from the distributed sample config,
                     every agent left on the default shares it; confirm whether the collector
                     relies on it to tell agents apart. -->
                <param name="uuid" value="00781a4a-5b69-11e4-9522-bb79a8fcf0f3"/>
                <!-- daemon and syslog are both "false": presumably the agent runs in the
                     foreground and does not log to syslog. Confirm where its log output ends
                     up before relying on it for troubleshooting or audit. -->
                <param name="daemon" value="false"/>
                <param name="syslog" value="false"/>
                <param name="pid_file" value="/var/run/captagent.pid"/>
                <!-- Configure using installation path if different from default -->
                <param name="module_path" value="/usr/local/captagent/lib/captagent/modules"/>
                <param name="config_path" value="/usr/local/captagent/etc/captagent/"/>
                <param name="capture_plans_path" value="/usr/local/captagent/etc/captagent/captureplans"/>
                <param name="backup" value="/usr/local/captagent/etc/captagent/backup"/>
                <!-- NOTE(review): chroot points at the same directory as config_path. If the
                     agent really confines itself here, check that the directory is not
                     writable by the account the agent runs as; verify the exact semantics
                     against the captagent documentation. -->
                <param name="chroot" value="/usr/local/captagent/etc/captagent"/>
            </settings>
        </configuration>
        <configuration name="modules.conf" description="Modules">
            <modules>

                <!-- Modules active in this configuration. Only the socket_pcap settings are
                     shown on this page.
                     NOTE(review): transport_hep presumably ships captured signalling to a HEP
                     collector; its settings are not shown, so the destination and whether
                     that link is protected cannot be checked from here. -->
                <load module="transport_hep" register="local"/>
                <load module="protocol_sip" register="local"/>
                <load module="database_hash" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <load module="socket_pcap" register="local"/>

                <!-- NOTE: Block required for RTCPXR socket + RTCPXR protocol -->
                <!--
                        <load module="protocol_rtcpxr" register="local"/>
                        <load module="socket_collector" register="local"/>
                -->

                <!-- Optional modules, all disabled. protocol_rtcp is listed again in the block
                     below although it is already loaded above; remove that entry before
                     uncommenting the block so the module is not listed twice. -->
                <!--
                <load module="socket_tzsp" register="local"/>
                <load module="protocol_ss7" register="local"/>
                <load module="protocol_diameter" register="local"/>
                <load module="protocol_tls" register="local"/>
                <load module="output_json" register="local"/>
                <load module="protocol_rtcp" register="local"/>
                <load module="interface_http" register="local"/>
                <load module="database_redis" register="local"/>
                <load module="socket_pfring" register="local"/>
                -->
        </modules>
        </configuration>
</document>

cat socket_pcap


<?xml version="1.0"?>
<!-- socket_pcap module configuration as posted in the issue: five capture profiles
     (SIP, TLS, SCTP, RTCP, DIAMETER). Only the SIP and RTCP profiles have enable="true". -->
<document type="captagent_module/xml">
    <module name="socket_pcap" description="HEP Socket" serial="2014010402">
        <profile name="socketspcap_sip" description="HEP Socket" enable="true" serial="2014010402">
            <settings>
                <!-- dev="any" requests capture on all interfaces instead of a named one.
                     NOTE(review): libpcap does not support promiscuous mode on the "any"
                     device, so promisc="true" likely has no effect here; confirm. -->
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="websocket-detection" value="false"/>
                <param name="tcpdefrag" value="false"/>
                <param name="capture-plan" value="sip_capture_plan.cfg"/>
                <!-- BPF filter: only packets with source or destination port 5060 match.
                     NOTE(review), relevant to the reported symptom: on Linux with
                     policy-based IPsec, outbound packets usually reach the capture point
                     already ESP-encapsulated, while inbound packets are also visible after
                     decryption. Encapsulated packets would not match a port filter, which
                     would explain one-directional capture. Verify with tcpdump on the host. -->
                <param name="filter">
                    <value>port 5060</value>
                </param>
            </settings>
        </profile>
        <!-- Disabled (enable="false"): traffic on tcp port 5061 is not captured by this
             configuration. -->
        <profile name="socketspcap_tls" description="TLS Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="true"/>
                <param name="capture-plan" value="tls_capture_plan.cfg"/>
                <param name="filter">
                    <value>tcp port 5061</value>
                </param>
            </settings>
        </profile>
        <!-- Disabled. The filter "proto 132" selects IP protocol number 132 (SCTP).
             NOTE(review): proto-type is "sip" while the capture plan is
             isup_capture_plan.cfg; confirm this pairing is intended before enabling. -->
        <profile name="socketspcap_sctp" description="SCTP Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="true"/>
                <param name="ipv4fragments" value="true"/>
                <param name="ipv6fragments" value="true"/>
                <param name="proto-type" value="sip"/>
                <param name="capture-plan" value="isup_capture_plan.cfg"/>
                <param name="filter">
                    <value>proto 132</value>
                </param>
            </settings>
        </profile>
        <!-- Enabled. The IPsec caveat noted on the SIP profile filter would apply to this
             profile's port-based filter as well. -->
        <profile name="socketspcap_rtcp" description="RTCP Socket" enable="true" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <!-- size in MB -->
                <param name="ring-buffer" value="20"/>
                <!-- for rtp && rtcp < 250 -->
                <!-- NOTE(review): presumably snap-len caps the bytes kept per packet, which
                     also limits how much media payload is retained; confirm. -->
                <param name="snap-len" value="256"/>
                <param name="capture-filter" value="rtcp"/>
                <param name="capture-plan" value="rtcp_capture_plan.cfg"/>
                <!-- BPF filter: any packet of at least 50 bytes on ports 10000 to 30000
                     matches, not only RTCP. NOTE(review): capture-filter="rtcp" presumably
                     narrows this further inside the agent; confirm. -->
                <param name="filter">
                    <value>portrange 10000-30000 and len >=50 </value>
                </param>
            </settings>
        </profile>
        <!-- Disabled (enable="false"): traffic on tcp port 3868 is not captured by this
             configuration. -->
        <profile name="socketspcap_diameter" description="DIAMETER Socket" enable="false" serial="2014010402">
            <settings>
                <param name="dev" value="any"/>
                <param name="promisc" value="true"/>
                <param name="reasm" value="false"/>
                <param name="tcpdefrag" value="true"/>
                <param name="capture-plan" value="diameter_capture_plan.cfg"/>
                <param name="filter">
                    <value>tcp port 3868</value>
                </param>
            </settings>
        </profile>
    </module>
</document>
@kYroL01 kYroL01 self-assigned this Feb 9, 2023
@sipcapture sipcapture deleted a comment from kYroL01 Feb 9, 2023
@lmangani
Member

lmangani commented Feb 9, 2023

@Nikolaytk87 sorry, but we cannot guess the network configuration used on your system. Make sure you can see the traffic manually (wireshark, tshark, sngrep) before attempting to capture it blindly.

@kYroL01 kYroL01 closed this as completed Feb 22, 2023