- It is a simple application to convert SIP log files (as those generated by softphones) to Wireshark PCAP files.
- No special requirement! Just Java Runtime Environment installed in your PC.
- Non-network events (any log line not containing a SIP message) are not ignored, but transformed into Syslog messages into the PCAP file
- Currently supported log files:
- pjsua softphone
- Oracle SBC (formerly AcmePacket)
First o all, got to this repository's releases section (https://github.com/fran-ovia/siplog2pcap/releases) and download siplog2pcap.jar and siplog2pcap.bat too.
Execute siplog2pcap.bat as described in the help:
#> siplog2pcap.bat -h
Usage for PJSUA log file. Note that date and local IP are provided as additional parameters (as not included in the logs):
siplog2pcap --pjsua <input_log_file> <output_pcap_file> <date(yyyy-mm-dd)> <local_ip>
Usage for Oracle SBC (fomerly AcmePacket) sipmsg log file. Note that year is pro vided as an additional parameter (as not included in the logs):
siplog2pcap --acme-packet <input_log_file> <output_pcap_file> <year>
Note that you might need to edit siplog2pcap.bat script to customize the location of your java.exe executable (if it's not already included in your PATH variable) and siplog2pcap.jar file (if you don't want to store it in the same directory as the siplog2pcap.bat script).
Also note that I'm not including an .sh script equivalent to the .bat script, since implementing it is so straightforward and would probably need customization anyway.
- Because of SIP over TLS: if we just capture the network traffic, in order to analyze the SIP messages we need to decrypt the TLS traffic, which is cumbersome when not impossible:
- Not always we have the server's certificate's secret key
- Sometimes the trace starts after the TLS handshake has been completed...
- Even if the previous points were not a problem for us, we might eventually need to pass the trace to other person (such as the one providing support to a CPE sending faulty SIP traffic over TLS), but then we will not want to share our server's certificate keys necessary to decrypt the TLS traffic... However, since all SIP messages (even those sent over TLS) are present in sipmsg.log, we can just get sipmsg.log and use siplog2pcap to convert it into a PCAP file (in such case the SIP messages will be included in TCP frames)
- So we can have non-network log events in a PCAP file and then easily analyse those events in the context of the network traffic
- Because it is a valid option for users without the admin rights to capture network traffic
- First of all, note that I have no specification of the SIP log files format. Since it is a textual format, it has been quite easy to implement a parser for the log files I've seen so far, but It might happen that log files generated by other softphone versions / locale are not parsed correctly by siplog2pcap. I will try to keep siplog2pcap updated to support all of them though.
- The SIP network messages stored in the SBC log do not contain the whole network packet, but just the SIP, IPs, and ports. Thus, when generating the PCAP file siplog2pcap assigns default values for the rest of the network fields not provided in the log file (such as Ethernet MAC addresses and flags from link, network and trasnsport layers).
- What are those Syslog messages from/to IP 0.0.0.0??? The log lines that do not contain SIP messages are not discarded, but transformed into Syslog packets in the target PCAP file. Keeping those log events in the PCAP file is quite useful for troubleshooting, so we can see the SIP signaling together with the events from the application. Note that you can easily get rid of those Syslog messages by filtering them out with filter "not syslog".