SIP-based VoIP Analysis Tool and Lawful Interception
Dr. Whai-En Chen (陳懷恩), Assistant Professor; Director of the Graduate Institute of Computer Science and Information Engineering and Head of the Information Network Division, Computer Center, National Ilan University
Email: wechen@niu.edu.tw TEL: 03-9357400 # 255

Outline
- SIP Message Analysis
  - Installing Ethereal
  - Getting Started
  - Setting Filters
  - Analyzing SIP Call Flow
  - Capturing RTP Packets
  - Using Windows Messenger 5.0 as an Example
- Lawful Interception
  - SIPv6 Analyzer
  - VoIP Monitoring System
SIP Message Analysis by Using Ethereal
Introduction to Ethereal: Every network manager at some time or other needs a tool that can capture packets off the network and analyze them. In the past, such tools were either very expensive, proprietary, or both. With the advent of Ethereal, all that has changed.

Ethereal Features
- Available for UNIX and Windows.
- Capture and display packets from any interface on a UNIX system.
- Display packets captured under a number of other capture programs: tcpdump, Network Associates Sniffer and Sniffer Pro, NetXray, Microsoft Network Monitor.
- Filter packets on many criteria.
- Colorize the packet display based on filters.
- Allow people to add new protocols to Ethereal.

Download Ethereal: Official site: http://www.ethereal.com/

Install Ethereal under Windows
- Install WinPcap. WinPcap is an architecture for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level, system-independent library (wpcap.dll, based on libpcap version 0.6.2).
- This course uses Ethereal 0.9.16 as an example. You can use a higher or the latest version.
Getting Started

Capture Packets by Using Ethereal: start capturing packets; packet list; packet details (decoded protocol tree); packet bytes (hex dump).

The Capture Preferences Dialog Box: select the capture interface (network card); save captured packets to a file; promiscuous mode (capture all packets); set the stop conditions; update the window automatically and auto-scroll it; set MAC/IP/port name resolution.

Stop after you have collected enough packets: stop the capture manually.

File > Save As: directory; file format; save only the marked packets; file name.

Show Packet in New Window
Setting Capture Filters
Filtering While Capturing: set the capture filter rules.

Syntax of the tcpdump filter language: [not] primitive [and|or [not] primitive ...]
Examples:
  tcp port 23 and host 10.0.0.5
  tcp port 23 and not host 10.0.0.5
The tcpdump filter language is explained in the tcpdump man page.

Capture SIP Messages (filter: udp port 5060)

SIP Call Establishment: the flow is simple, although it contains a number of interim (provisional) responses.
Basic Call Flow
REGISTER Message
200 OK Message (REGISTER)
INVITE Message
SDP in INVITE Message
200 OK Message (INVITE)
SDP in 200 OK Message
ACK Message
Capturing the Media Packets
RTP Traffic (udp port 9000): What's wrong? Ethereal cannot recognize this port as RTP.
Tools > Decode As > RTP
Display Filter: set the display filter rules.
Display > Colorize Display
Emphasize the packets
Examples for Windows Messenger 5.0
SIP UA: Windows Messenger. Windows XP ships with version 4.7; the latest version, 5.1, can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&familyid=a8d9eb73-5f8c-4b9a-940f-9157a3b3d774
Download Windows Messenger 5.0
Install Windows Messenger 5.0
Start up Windows Messenger
Configuration
Configuration (continued)
Registration
Packet Capture: REGISTER Message
Dialing
Packet Capture: INVITE Transaction (1)
Packet Capture: INVITE Transaction (2)
Ringing
Termination
Packet Capture: Termination
Lawful Interception SIPv6 Analyzer and VoIP Monitoring System
SIPv6 Analyzer
Problem: ordinary network analyzers have no function for analyzing VoIP calls.
Contribution: displays the SIP message flow graphically, helping users quickly analyze all the nodes in a SIP network; plays back stored RTP packets according to a configured jitter buffer.
Results were published in the Wireless Communication and Mobile Computing journal and won first place in the NCHC Cup (國網盃) software design competition and in Japan's IPv6 Appli-Contest 2004.

SIP Viewer: (a) SIP Dialog Collection, keyed by Call-ID, From and To; (b) SIP Message Flow. The SIP message flow is drawn from the following information: (a) source and destination IP addresses, (b) SIP header fields (e.g., Via and Route).
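The dialog collection and flow drawing described above, as an added example (not the SIPv6 Analyzer's code): it groups constructed SIP messages by Call-ID, keeps the From/To identities (picking up the callee's tag once it answers) and records each message's source/destination addresses and Via hops, which is the information the flow diagram is drawn from. The proxy address 192.0.2.10, the Call-IDs and the tags are invented.

```python
import re
from collections import defaultdict

def parse_sip(raw):
    """Split one SIP message into its start line and a header dict (names lower-cased;
    a repeated header such as Via keeps every value, in order)."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return start, headers

def label(start):
    """'INVITE sip:x SIP/2.0' -> 'INVITE'; 'SIP/2.0 200 OK' -> '200 OK'."""
    parts = start.split()
    return parts[0] if parts[0] != "SIP/2.0" else " ".join(parts[1:3])

def via_hosts(via_values):
    """Via lists every hop a request has passed: strip the transport and parameters."""
    return [re.sub(r"^SIP/2\.0/\w+\s+", "", v).split(";")[0] for v in via_values]

def collect_dialogs(packets):
    """Group captured messages by Call-ID; keep From/To (with the callee's tag once it
    answers) and the ordered (src, dst, message, via hops) edges for the flow diagram."""
    dialogs = defaultdict(lambda: {"from": None, "to": None, "flow": []})
    for src, dst, raw in packets:
        start, h = parse_sip(raw)
        d = dialogs[h["call-id"][0]]
        d["from"] = d["from"] or h["from"][0]
        if d["to"] is None or "tag=" in h["to"][0]:
            d["to"] = h["to"][0]
        d["flow"].append((src, dst, label(start), via_hosts(h["via"])))
    return dict(dialogs)

def sip(start, call_id, frm, to, *vias):
    """Build a constructed SIP message with the given start line and headers."""
    return "\r\n".join([start] + [f"Via: SIP/2.0/UDP {v}" for v in vias] +
                       [f"From: {frm}", f"To: {to}", f"Call-ID: {call_id}", "", ""])

# Constructed capture of one call relayed by a proxy (192.0.2.10 is an invented proxy address).
UA_A, PROXY, UA_B = "140.113.131.76", "192.0.2.10", "140.113.131.91"
FROM, TO = "<sip:0944021376@SIP_proxy>;tag=a1", "<sip:0944021375@SIP_proxy>"
PACKETS = [
    (UA_A, PROXY, sip("INVITE sip:0944021375@SIP_proxy SIP/2.0", "c1", FROM, TO, UA_A)),
    (PROXY, UA_B, sip("INVITE sip:0944021375@SIP_proxy SIP/2.0", "c1", FROM, TO, PROXY, UA_A)),
    (UA_B, PROXY, sip("SIP/2.0 200 OK", "c1", FROM, TO + ";tag=b2", PROXY, UA_A)),
    (PROXY, UA_A, sip("SIP/2.0 200 OK", "c1", FROM, TO + ";tag=b2", UA_A)),
    (UA_A, PROXY, sip("REGISTER sip:SIP_proxy SIP/2.0", "c2", FROM, FROM.split(";")[0], UA_A)),
]
```

Running `collect_dialogs(PACKETS)` yields two dialogs: the INVITE dialog with four edges (the proxy-to-callee INVITE carrying two Via hops) and a separate REGISTER dialog.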
RTP Spy (Yueh-Hsin Sung): RTP Session List; Video Playback; Video and Voice Control Panel; Jitter Buffer and Number of Dropped Packets.

VoIP Monitoring System
According to the telecommunication requirements, the ITSP (Internet Telephony Service Provider) MUST provide a monitoring mechanism before it provides the VoIP (Voice over IP) service. A VoIP monitoring system should include the following two functions:
- providing CDRs (Call Detail Records)
- providing a wiretap function
We would like to provide the above functions on the NTP (National Telecommunication Program) VoIP platform, which is a test-bed for SIP-based VoIP applications. Considering the mobility (device and account roaming) of VoIP, we develop a VoIP Monitoring System in the core network to intercept the VoIP calls of a suspect. This system is a plug-in solution that can cooperate with the existing SIP servers.

System Architecture
Message Flow
Participants: caller 0944021376 (140.113.131.76); SIP Proxy (Monitoring Module); RTP Proxy; callee 0944021375 (140.113.131.91).
2. INVITE 0944000000@SIP_proxy (caller -> SIP Proxy): c=in IP 140.113.131.76, m=audio 9000 RTP/AVP 0
3. CreateConnection Call-ID (SIP Proxy -> RTP Proxy): m=receive, c=ip4 $, p=$
4. 200 OK (RTP Proxy -> SIP Proxy): c=rtpproxy, p=9002
5. INVITE 0944000000@SIP_proxy (SIP Proxy -> callee): c=in IP4 rtpproxy, m=audio 9002 RTP/AVP 0
8. 200 OK (callee -> SIP Proxy): c=in IP4 140.113.131.91, m=audio 8002 RTP/AVP 0
9. Modify Call-ID (SIP Proxy -> RTP Proxy): m: send, c=ip4 140.113.131.91, p=8002
10. 200 OK (RTP Proxy -> SIP Proxy)
11. CreateConnection Call-ID (SIP Proxy -> RTP Proxy): m=sendreceive, c=rtpproxy p=9000, c=ip4 $, p=$
12. 200 OK (RTP Proxy -> SIP Proxy): c=in IP4 rtpproxy, p=8000
13. 200 OK (SIP Proxy -> caller): c=in IP rtpproxy, m=audio 8000 RTP/AVP 0
16. ACK 0944000000@SIP_proxy (caller -> SIP Proxy)
17. ACK 0944000000@SIP_proxy (SIP Proxy -> callee)
RTP Stream-1 (caller <-> RTP Proxy) and RTP Stream-2 (RTP Proxy <-> callee): both media streams pass through the RTP Proxy because the rewritten SDP of messages 5 and 13 points at it.
Demonstration

Thank you for your attention! Q&A