Problem with analysing SIP headers

Hi,

I have been trying to analyze Zeek SIP headers and so far I can run the following code successfully on the .pcap file:

```zeek
event sip_header(c: connection, is_orig: bool, name: string, value: string)
	{
	print "sip";
	print c;
	print value;
	}

event sip_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{
	print "sip";
	}
```
The issue comes up when I generate the SIP traffic in Python using Scapy, in the following way:

```python
# IP comes from Scapy, not from telnetlib
from scapy.all import IP, UDP, send

sourcePort = 3001
destinationIp = "192.168.1.26"
sourceIp = "192.168.1.107"
ip = IP(src=sourceIp, dst=destinationIp)

# TCP PSH+ACK with Payload (leftover comment: the packet below is actually sent over UDP)
myPayload = (
    'INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n'
    'Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n'
    'From: "somedevice"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'
    'To: sip:{0}:5060\r\n'
    'Call-ID: 9abcd\r\n'
    'CSeq: 1 INVITE\r\n'
    'Max-Forwards: 70\r\n'
    'Content-Length: 0\r\n\r\n'
).format(destinationIp)
layer4 = UDP(dport=5060, sport=sourcePort)
send(ip/layer4/myPayload)
```

After running the code, there is no output at all in Zeek, even though in Wireshark everything seems to be working: I can observe the SIP traffic. What do you think may cause this problem?

Tomasz

Tomek,

It works for me. I modified your script as follows:

21c21
< send(ip/layer4/myPayload)

wrpcap(‘sip.pcap’, Ether()/ip/layer4/myPayload)
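Review bot: the replacement line of the 21c21 hunk has lost its leading `>` marker and, as pasted, wraps the file name in typographic quotes (‘sip.pcap’), so it is neither a valid diff line nor valid Python; it should read `> wrpcap('sip.pcap', Ether()/ip/layer4/myPayload)` with plain ASCII quotes. Prepending Ether() is what gives the written frame a link-layer header, which the original layer-3 send() left to the operating system.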

This causes scapy to just write the PCAP instead of sending it. Then, I uploaded that PCAP here: https://try.zeek.org/#/tryzeek/saved/421825

You can see your output, and if you scroll down, you can see a sip.log file with the relevant info.

How are you capturing the PCAP? I’m betting that you have an incorrect checksum, which causes Zeek to discard those packets. You’d get a warning for TCP traffic, but not for UDP.

–Vlad

Yes, the problem is connected with the incorrect checksum. When I ran Zeek with the -C flag, it worked well.
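A worked illustration of the checksum point in Vlad's reply and of the -C workaround confirmed in the last post, added here as an example and not code from the thread, from Scapy or from Zeek: it builds the same SIP INVITE over UDP as raw bytes in pure Python (no Scapy needed), computes the IPv4 header and UDP checksums, then re-validates them the way a checksum-checking capture consumer does. A copy whose UDP checksum is deliberately corrupted (a constructed stand-in for what checksum offloading leaves in a capture taken on the sending host) fails validation and is discarded unless validation is switched off, which is what `zeek -C` does. It also serialises the packets into a minimal pcap with an Ethernet header, the role Ether() plays in the wrpcap line. The MAC addresses and the corruption are constructed; the IPs, ports and SIP payload are the thread's own.

```python
import socket
import struct

# Values from the original post
SRC_IP, DST_IP = "192.168.1.107", "192.168.1.26"
SRC_PORT, DST_PORT = 3001, 5060
SIP_INVITE = (
    "INVITE sip:{0}:5060;transport=tcp SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.44.32:5060;branch=1234\r\n"
    'From: "somedevice"<sip:somedevice@1.1.1.1:5060>;tag=5678\r\n'
    "To: sip:{0}:5060\r\n"
    "Call-ID: 9abcd\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
).format(DST_IP).encode()


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip, dst_ip, sport, dport, payload, corrupt_udp_csum=False) -> bytes:
    """Return IPv4 header + UDP header + payload with correct checksums.
    With corrupt_udp_csum=True the UDP checksum is replaced by a wrong, non-zero value
    (constructed corruption standing in for a bad offloaded checksum in a capture)."""
    udp_len = 8 + len(payload)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)
    csum = ones_complement_checksum(pseudo + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    if csum == 0:
        csum = 0xFFFF  # RFC 768: a computed zero is transmitted as all ones
    if corrupt_udp_csum:
        csum = (csum + 1) & 0xFFFF or 0x0001  # wrong, but never 0 (0 would mean "not computed")
    udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + payload
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto=UDP, checksum=0, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


def checksums_ok(packet: bytes) -> bool:
    """Validate the IPv4 header checksum and the UDP checksum of a raw IPv4/UDP packet.
    Recomputing over data that includes a correct checksum yields 0. A UDP checksum
    field of 0 means 'not computed' and is accepted for IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if ones_complement_checksum(ip_hdr) != 0:
        return False
    udp = packet[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    udp = udp[:udp_len]
    if udp[6:8] == b"\x00\x00":
        return True
    pseudo = ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 17, udp_len)
    return ones_complement_checksum(pseudo + udp) == 0


def zeek_would_analyze(packet: bytes, ignore_checksums: bool = False) -> bool:
    """Model of the behaviour described in the thread: with checksum validation on
    (the default) a bad-checksum packet is discarded; `zeek -C` skips the check."""
    return ignore_checksums or checksums_ok(packet)


def pcap_bytes(packets) -> bytes:
    """Serialise IPv4 packets as a pcap (LINKTYPE_ETHERNET = 1). Each packet gets a
    constructed Ethernet header, the job Ether() does in the wrpcap() line."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        frame = eth + pkt
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    good = build_udp_packet(SRC_IP, DST_IP, SRC_PORT, DST_PORT, SIP_INVITE)
    bad = build_udp_packet(SRC_IP, DST_IP, SRC_PORT, DST_PORT, SIP_INVITE, corrupt_udp_csum=True)
    for label, pkt in (("good checksum", good), ("bad checksum", bad)):
        print(f"{label}: default -> {zeek_would_analyze(pkt)}, "
              f"-C -> {zeek_would_analyze(pkt, ignore_checksums=True)}")
    with open("sip_example.pcap", "wb") as f:
        f.write(pcap_bytes([good, bad]))
```

Running the script writes sip_example.pcap next to it; feeding that file to Zeek with and without -C reproduces the thread's observation, since only the second packet carries a bad UDP checksum. The same validation logic applies to a capture of real traffic: if checksums_ok() fails on the packets of a pcap taken on the sending host, the capture is recording pre-offload checksums and -C (or capturing on a different host or a span port) is the fix, not the SIP analyzer.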