From f829b23b0fa89223d507830d7dcb5c4490b3bb70 Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Tue, 24 Apr 2012 13:33:26 +0000 Subject: [PATCH] Provide ngcp-sip 1.0.3 package From: Michael Prokop --- debian/changelog | 9 +++ debian/compat | 1 + debian/control | 14 ++++ debian/copyright | 52 +++++++++++++ debian/ngrep-sip.install | 2 + debian/ngrep-sip.manpages | 1 + debian/rules | 3 + etc/ngrep-sip.conf | 16 ++++ usr/bin/ngrep-sip | 78 ++++++++++++++++++++ usr/share/man/man8/ngrep-sip.8 | 129 +++++++++++++++++++++++++++++++++ 10 files changed, 305 insertions(+) create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/ngrep-sip.install create mode 100644 debian/ngrep-sip.manpages create mode 100755 debian/rules create mode 100644 etc/ngrep-sip.conf create mode 100755 usr/bin/ngrep-sip create mode 100644 usr/share/man/man8/ngrep-sip.8 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..dc2c88d --- /dev/null +++ b/debian/changelog @@ -0,0 +1,9 @@ +ngrep-sip (1.0.3) unstable; urgency=low + + * Initial release with new Debian packaging work and maintained within + the sip:provider project, based on + http://dev.sipdoc.net/projects/sip-stuff/wiki/Ngrep-SIP / + http://deb.sipdoc.net/pool/main/n/ngrep-sip/ngrep-sip_1.0.2-3_all.deb + + -- Michael Prokop Tue, 03 Apr 2012 16:24:30 +0200 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..45a4fb7 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +8 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..561ca4f --- /dev/null +++ b/debian/control 
@@ -0,0 +1,14 @@ +Source: ngrep-sip +Section: net +Priority: extra +Maintainer: Sipwise Development Team +Build-Depends: debhelper (>= 8) +Standards-Version: 3.9.3 +Homepage: http://sipwise.com/ + +Package: ngrep-sip +Architecture: all +Depends: ${misc:Depends}, ngrep +Description: capture SIP flow based on ngrep command + Simple wrapper script for ngrep which allows matching rules + based on SIP methods or custom message fields and pcap filters. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..2339aa4 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,52 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: Ngrep-SIP +Upstream-Contact: Iñaki Baz Castillo +Source: http://dev.sipdoc.net/projects/sip-stuff/wiki/Ngrep-SIP + +Files: * +Copyright: 2008, Iñaki Baz Castillo +License: GPL-3+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + +Files: debian/ +Copyright: 2012, Michael Prokop +License: GPL-3+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later + version. + . + This program is distributed in the hope that it will be + useful, but WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR + PURPOSE. See the GNU General Public License for more + details. + . + You should have received a copy of the GNU General Public + License along with this package; if not, write to the Free + Software Foundation, Inc., 51 Franklin St, Fifth Floor, + Boston, MA 02110-1301 USA + . 
+ On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. diff --git a/debian/ngrep-sip.install b/debian/ngrep-sip.install new file mode 100644 index 0000000..95fb61f --- /dev/null +++ b/debian/ngrep-sip.install @@ -0,0 +1,2 @@ +etc/ngrep-sip.conf etc/ +usr/bin/ngrep-sip usr/bin/ diff --git a/debian/ngrep-sip.manpages b/debian/ngrep-sip.manpages new file mode 100644 index 0000000..b1cea01 --- /dev/null +++ b/debian/ngrep-sip.manpages @@ -0,0 +1 @@ +usr/share/man/man8/ngrep-sip.8 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..cbe925d --- /dev/null +++ b/debian/rules @@ -0,0 +1,3 @@ +#!/usr/bin/make -f +%: + dh $@ diff --git a/etc/ngrep-sip.conf b/etc/ngrep-sip.conf new file mode 100644 index 0000000..bc5680c --- /dev/null +++ b/etc/ngrep-sip.conf @@ -0,0 +1,16 @@ +## ngrep-sip configuration file + +# interface +# +# Interface in which ngrep must capture data. Possible values are 'eth0', 'eth1', 'lo', 'any'. +#interface=eth0 +interface=any + +# filter +# +# Pcap filter with same syntax as Tcpdump command. +# filter="port 5060 or port 5062 or port 5070 or port 6060" +# filter="host 1.2.3.4 and proto \\udp and \( port 5060 or port 5070 \)" +filter="port 5060" + + diff --git a/usr/bin/ngrep-sip b/usr/bin/ngrep-sip new file mode 100755 index 0000000..5a06638 --- /dev/null +++ b/usr/bin/ngrep-sip 
@@ -0,0 +1,78 @@ +#!/bin/bash + + +conf_file="/etc/ngrep-sip.conf" + +# Default values. +interface=any +filter="port 5060" + + +### Read conf file. +if [ -f $conf_file ] ; then + . $conf_file +else + echo "Warning: Conf file $conf_file not found!" +fi + + +### Functions. +function show_help { + echo -e "Read the manual:\n man ngrep-sip" +} + + +### Set parameter 1 as match rule (or show help). +case $1 in + +-h|--help ) + show_help + exit 0 + ;; + +basic|b ) + match="(^|CSeq:\s?\d* )(INVITE|ACK|CANCEL|BYE|MESSAGE|REFER|PRACK|INFO|UPDATE)" + ;; + +br|rb ) + match="(^|CSeq:\s?\d* )(INVITE|ACK|CANCEL|BYE|MESSAGE|REFER|PRACK|INFO|UPDATE|REGISTER)" + ;; + +r ) + match="(^|CSeq:\s?\d* )(REGISTER)" + ;; + +p ) + match="(^|CSeq:\s?\d* )(SUBSCRIBE|PUBLISH|NOTIFY)" + ;; + +pr|rp ) + match="(^|CSeq:\s?\d* )(SUBSCRIBE|PUBLISH|NOTIFY|REGISTER)" + ;; + +-o ) + match="(^|CSeq:\s?\d* )(INVITE|ACK|CANCEL|BYE|MESSAGE|REFER|PRACK|INFO|UPDATE|SUBSCRIBE|PUBLISH|NOTIFY|REGISTER)" + ;; + +-or|-ro ) + match="(^|CSeq:\s?\d* )(INVITE|ACK|CANCEL|BYE|MESSAGE|REFER|PRACK|INFO|UPDATE|SUBSCRIBE|PUBLISH|NOTIFY)" + ;; + +* ) + match=$1 + ;; + +esac + + +### Set the rest of parameters as filter. +shift +if [ $# -ge 1 ] ; then + filter="$*" +fi + + +### Run ngrep command. +ngrep -d $interface -P "'" -W byline -T -i -t "$match" $filter + + diff --git a/usr/share/man/man8/ngrep-sip.8 b/usr/share/man/man8/ngrep-sip.8 new file mode 100644 index 0000000..bc722b9 --- /dev/null +++ b/usr/share/man/man8/ngrep-sip.8 
@@ -0,0 +1,129 @@ +.TH NGREP-SIP 8 2008-12-24 "Linux" "User Manuals" +.SH NAME +ngrep-sip \- capture SIP flow based on ngrep command +.PP +.SH SYNOPSIS +.B ngrep-sip +[ \fIMATCH\fR ] [ \fIFILTER\fR ] +.PP +.SH DESCRIPTION +Based on +.BR ngrep (7), +\fIngrep-sip\fR allows matching based on SIP methods or custom message fields and also defining \fIpcap\fR filters. +.PP +.SS MATCH +Optional \fBMATCH\fR parameter can contain a special keyword or some text which must be present in the data. +.PP +The special keywords are: +.TP +\fBb\fR, \fBbasic\fR +Capture transactions with SIP method INVITE, ACK, CANCEL, BYE, REFER, PRACK, INFO and MESSAGE. +.TP +\fBbr\fR, \fBrb\fR +Some as \fBb\fR, \fBbasic\fR plus REGISTER method. +.TP +\fBr\fR +Capture REGISTER transactions. +.TP +\fBp\fR +Capture SUBSCRIBE, PUBLISH and NOTIFY transactions. +.TP +\fBpr\fR, \fBrp\fR +Some as \fBp\fR plus REGISTER method. +.TP +\fB-o\fR +Capture transactions with any method but OPTIONS. +.TP +\fB-or\fR, \fB-ro\fR +Capture transactions with any method but OPTIONS or REGISTER. +.PP +Any other text can be used to set \fBMATCH\fR parameter. In this case that text will be required in the data being captured. It allows regular expressions. Examples: +.TP +666555444 +Capture all messages containing "666555444" text in headers or body. +.TP +"(123|124)@" +Capture all messages containing "123@" or "124@" text in headers or body. +.TP +"^SIP/2.0 5" +Capture all 5XX responses. +.TP +"^INVITE sip:111@" +Capture all INVITE requests with RURI starting with "sip:111@". +.PP +.SS FILTER +\fIpcap\fR filter. See below in "CONFIGURATION" - "filter" section. +.PP +.SH CONFIGURATION +The script gets some parameters from \fI/etc/ngrep-sip.conf\fR file: +.PP +.SS interface +Interface in which \fIngrep\fR must capture data. Possible values are \fIeth0\fR, \fIeth1\fR, \fIlo\fR, \fIany\fR. Use \fIany\fR to capture data in all the interfaces. 
Examples: +.RS +.nf +interface=any +interface=eth0 +.PP +.SS filter +\fIpcap\fR default filter. This parameter is overwritten when using \fBFILTER\fR parameter in command line. Examples: +.RS +.nf +filter="port 5060 or port 5062 or port 5070 or port 6060" +filter="host 1.2.3.4 and proto \\\\udp and \\( port 5060 or port 5070 \\)" +filter="port 5060" +.PP +.SH EXAMPLES +Capture all INVITE and MESSAGE related messages using default filter set in configuration file: +.RS +.nf +\fBngrep-sip b\fP +.fi +.RE +Capture all traffic using port 5060: +.RS +.nf +\fBngrep-sip port 5060\fP +.fi +.RE +Capture all REGISTER transactions via TCP using port 5060 or 5070 and address 1.2.3.4: +.RS +.nf +\fBngrep-sip r proto \\\\tcp and \\( port 5060 or port 5070 \\) and host 1.2.3.4\fP +.fi +.RE +Capture all UDP datagrams using port 5060 containing "sip:alice@domain" in the headers or body: +.RS +.nf +\fBngrep-sip "sip:alice@domain" port 5060 and proto \\\\udp\fP +.fi +.RE +Capture all 6XX responses from IP 1.2.3.4: +.RS +.nf +\fBngrep-sip "^SIP/2.0 6" src host 1.2.3.4\fP +.fi +.RE +.PP +.SH NOTES +\fIngrep-sip\fR can be also used to capture other kind of flow as SMTP or HTTP: +.RS +.nf +\fBngrep-sip proto \\\\tcp and port 25\fP +.fi +.RE +.PP +.SH ISSUES +When capturing TCP data a single TCP packet can contain various SIP messages. This occurs, for example, when a proxy routes all requests from different clients to same TCP destination. In those cases, the \fBmatch\fR is performed against the whole TCP packet instead of matching each SIP message separately. +.PP +.SH "SEE ALSO" +.BR ngrep (8) +.PP +.SH AUTHOR +Written by Iñaki Baz Castillo +.PP +.SH COPYRIGHT +Copyright \(co 2008 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later +.br +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law.
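Review bot: in debian/changelog the package is `ngrep-sip (1.0.3)`, and debian/control uses the same name, but the patch subject reads "Provide ngcp-sip 1.0.3 package". Please align the subject with the package name so the commit can be found when searching the history for ngrep-sip.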
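Review bot: in debian/copyright the `Files: *` stanza credits "2008, Iñaki Baz Castillo", while the COPYRIGHT section of usr/share/man/man8/ngrep-sip.8 added by this same patch says "Copyright \(co 2008 Free Software Foundation, Inc.". One of the two needs correcting so the package carries a single, consistent copyright holder. As a style point, the GPL-3+ text is repeated in full in both stanzas; copyright-format 1.0 allows each Files stanza to carry only `License: GPL-3+` with the text given once in a stand-alone License paragraph.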
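Review bot: in etc/ngrep-sip.conf the commented example `filter="host 1.2.3.4 and proto \\udp and \( port 5060 or port 5070 \)"` is written with command-line escaping, but usr/bin/ngrep-sip sources this file and later expands `$filter` unquoted, so the backslashes in front of the parentheses are kept inside the double quotes and reach ngrep literally. Parentheses need no escaping inside the quoted assignment; please test the example as shipped and drop `\(` and `\)` if the filter is rejected. The hunk also ends with two blank lines that can be removed.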
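Review bot: in usr/bin/ngrep-sip the configuration is loaded with `. $conf_file`, so every line of /etc/ngrep-sip.conf is executed as shell code with the privileges of whoever runs the capture, usually a privileged user. Since only `interface` and `filter` are needed, consider reading just those two keys instead of sourcing the file, and at minimum quote the path (`[ -f "$conf_file" ]`, `. "$conf_file"`). On the final line, `$interface` and `$filter` are expanded unquoted, which subjects both to word splitting and pathname expansion: quote `"$interface"`, and for the filter either disable globbing with `set -f` before the call or build the arguments as an array, so a `*` or `?` in a filter cannot expand to file names in the current directory.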
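Review bot: in usr/share/man/man8/ngrep-sip.8 the EXAMPLES entry `ngrep-sip port 5060` and the NOTES entry `ngrep-sip proto \\\\tcp and port 25` omit MATCH, but the script in this patch always takes `$1` as the match expression and only the remaining words as the filter, so "port" (or "proto") becomes the match text and the rest is handed to ngrep as an incomplete pcap filter. Either give these examples an explicit match argument or state in SYNOPSIS that MATCH is mandatory whenever FILTER is supplied. Smaller points in the same hunk: "Some as" should read "Same as" (twice); the `b`, `basic` keyword description omits UPDATE, which the script's pattern includes; DESCRIPTION refers to ngrep(7) while SEE ALSO refers to ngrep(8); and the `.RS` / `.nf` blocks under "interface" and "filter" are never closed with `.fi` / `.RE`, unlike those in EXAMPLES.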