{"id":682,"date":"2020-06-05T12:59:31","date_gmt":"2020-06-05T15:59:31","guid":{"rendered":"http:\/\/periciajudicial.zsistemas.com.br\/?p=682"},"modified":"2020-06-11T16:01:33","modified_gmt":"2020-06-11T19:01:33","slug":"monitorando-ligacoes-sip-voip-com-tcpdump-do-linux","status":"publish","type":"post","link":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/2020\/06\/05\/monitorando-ligacoes-sip-voip-com-tcpdump-do-linux\/","title":{"rendered":"Monitoring SIP &#8211; VoIP calls with Linux tcpdump"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"591\" height=\"394\" src=\"https:\/\/periciajudicial.zsistemas.com.br\/wp-content\/uploads\/2020\/06\/coding-on-laptop.jpg\" alt=\"\" class=\"wp-image-687\" srcset=\"https:\/\/periciajudicial.zsistemas.com.br\/wp-content\/uploads\/2020\/06\/coding-on-laptop.jpg 591w, https:\/\/periciajudicial.zsistemas.com.br\/wp-content\/uploads\/2020\/06\/coding-on-laptop-300x200.jpg 300w\" sizes=\"auto, (max-width: 591px) 100vw, 591px\" \/><figcaption>Photo by Matthew Henry from <a href=\"https:\/\/pt.shopify.com\/burst\/negocios?utm_campaign=photo_credit&amp;utm_content=Banco+de+imagens+gr%C3%A1tis+de+Programa%C3%A7%C3%A3o+no+laptop+%E2%80%94+Imagens+em+HD&amp;utm_medium=referral&amp;utm_source=credit\">Burst<\/a><\/figcaption><\/figure>\n\n\n\n<p>Everyone who works with VoIP knows how important call-monitoring tools are for finding and solving problems, above all the tools that capture the traffic and show what is really happening on the wire. One of those tools is tcpdump.<\/p>\n\n\n\n<p>It is one of the oldest Linux tools, written in the early days, simple and primitive, yet one of the best for professionals who understand what each protocol does. 
tcpdump captures every packet that crosses an interface and, when asked, prints the whole payload, so it shows exactly what is passing through. With it you can follow each phase of a SIP exchange, such as INVITE, ACK, BYE and CANCEL, with the whole protocol laid open and dissected in real time.<\/p>\n\n\n\n<p>With a court order it is even possible to intercept the call, record the audio and produce forensic evidence that, once attached to the case file, is valid in court.<\/p>\n\n\n\n<p>Here is how to monitor SIP calls on an Asterisk server, for example:<\/p>\n\n\n\n<p><strong>tcpdump -nqt -s 0 -A -i eth0 port 5060<\/strong><\/p>\n\n\n\n<p>The options: -n skips name resolution, -q keeps the per-packet summary line short, -t drops the timestamps, -s 0 captures whole packets instead of truncating them to the small default snaplen of older tcpdump versions (which cuts SIP messages off), -A prints the payload as ASCII, -i eth0 selects the interface, and port 5060 keeps only SIP signaling over UDP or TCP (SIP over TLS on 5061 is encrypted and cannot be read this way). Two practical caveats: a filter on port 5060 never shows the audio, which travels as RTP on the ports announced in the SDP body (the m=audio line) of the INVITE and of its 200 OK, so those ports must be captured as well if the call is to be recorded; and for anything that may become evidence, keep the timestamps (-tttt) and write the raw packets to a file with -w file.pcap instead of relying on what is printed on the screen.<\/p>\n\n\n\n<p>Some possible results are shown below:<\/p>\n\n\n\n<p>This is the <strong>INVITE<\/strong> request of a SIP call: the originator dials a destination and waits for the ringing tone. Notice that the originator is <strong>7799813xxxx<\/strong> and the destination is <strong>08000xx3100<\/strong>. Content-Type: application\/sdp announces the SDP offer in the body: c= gives the address and m=audio the UDP port (15506) where the caller wants to receive RTP, and the payload types 8 and 0 are the codecs it offers (PCMA and PCMU, per the a=rtpmap lines).<\/p>
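The INVITE, 100 Trying, 200 OK, ACK and BYE packets that follow are easier to reason about once they are grouped into dialogs by Call-ID. The script below is an added example, not code from the original post: it parses the text that tcpdump -nqt -A prints, groups the messages by Call-ID, records who called whom, the final status of the INVITE, whether the ACK was seen, who sent the BYE, and builds the BPF filter for the RTP streams from the SDP c= and m=audio lines. The capture embedded in it is constructed from the post's exchange, with the documentation range 203.0.113.x standing in for the masked public address and placeholder numbers and Call-IDs.

```python
"""Rebuild SIP dialogs from the text printed by `tcpdump -nqt -A ... port 5060`.

Added example, not code from the original post. It assumes -q -A output: one "IP a.b.c.d.port >
e.f.g.h.port: UDP ..." summary line per packet, then the payload, in which the '.'-rendered
IP/UDP header bytes precede the SIP start line and are skipped here.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the post's INVITE/100/200/ACK/BYE exchange plus an unrelated
# 404; 203.0.113.x (a documentation range) stands in for the masked public address.
SAMPLE = """\
IP 10.1.0.2.5060 > 203.0.113.7.5060: UDP, length 693
E..4..@...INVITE sip:08000xx3100@203.0.113.7 SIP/2.0
From: "7799813xxxx" <sip:7799813xxxx@10.1.0.2>;tag=as2d0b9142
Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2
CSeq: 102 INVITE

c=IN IP4 10.1.0.2
m=audio 15506 RTP/AVP 8 0
IP 203.0.113.7.5060 > 10.1.0.2.5060: UDP, length 492
E..b..?...SIP/2.0 100 Trying
Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2
CSeq: 102 INVITE
IP 203.0.113.7.5060 > 10.1.0.2.5060: UDP, length 720
E..b..?...SIP/2.0 200 OK
Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2
CSeq: 102 INVITE

c=IN IP4 203.0.113.9
m=audio 13556 RTP/AVP 8
IP 10.1.0.2.5060 > 203.0.113.7.5060: UDP, length 393
E..4..@...ACK sip:08000xx3100@203.0.113.7:5060 SIP/2.0
Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2
CSeq: 102 ACK
IP 203.0.113.7.5060 > 10.1.0.2.5060: UDP, length 358
E..5]..@...BYE sip:7799813xxxx@10.1.0.2 SIP/2.0
From: <sip:08000xx3100@203.0.113.7>;tag=as6614a790
Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2
CSeq: 103 BYE
IP 10.1.0.1.5060 > 10.1.0.2.5060: UDP, length 381
E..4..@...SIP/2.0 404 Not Found
Call-ID: 6b82a21e07b28a8049f8b0917463193d@10.1.0.2
CSeq: 102 INVITE
"""

PKT_RE = re.compile(r"^IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: UDP", re.M)
START_RE = re.compile(r"[A-Z]+ sip:\S+ SIP/2\.0|SIP/2\.0 \d{3} [^\n]*")
REQ_RE = re.compile(r"^([A-Z]+) \S+ SIP/2\.0")
RESP_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")


def parse_message(raw):
    """One SIP message -> kind/method/status, lower-cased headers and the SDP media endpoint."""
    head, _, body = raw.partition("\n\n")
    start, *rest = head.splitlines()
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in rest)}
    msg = {"headers": headers, "cseq_method": headers.get("cseq", "").partition(" ")[2]}
    if REQ_RE.match(start):
        msg.update(kind="request", method=REQ_RE.match(start).group(1))
    elif RESP_RE.match(start):
        msg.update(kind="response", status=int(RESP_RE.match(start).group(1)))
    else:
        raise ValueError("not a SIP start line: %r" % start)
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)   # where the audio is to be sent
    port = re.search(r"^m=audio (\d+) ", body, re.M)   # RTP port (RTCP is port + 1)
    msg["media"] = (conn.group(1), int(port.group(1))) if conn and port else None
    return msg


def parse_capture(text):
    """All packets in tcpdump -q -A output as (src_ip, dst_ip, message) tuples."""
    hits = list(PKT_RE.finditer(text))
    packets = []
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        start = START_RE.search(text, hit.end(), end)   # skips the '.'-rendered IP/UDP header
        if start:
            packets.append((hit.group(1), hit.group(2), parse_message(text[start.start():end])))
    return packets


def dialogs(packets):
    """Group by Call-ID: parties, final INVITE status, ACK seen, who sent the BYE, media endpoints."""
    calls = defaultdict(lambda: {"caller": None, "callee": None, "final": None, "acked": False,
                                 "hangup_by": None, "media": []})
    for src, dst, m in packets:
        d = calls[m["headers"].get("call-id", "?")]
        method = m.get("method")
        if method == "INVITE":
            d["caller"], d["callee"] = src, dst
        elif method == "ACK":
            d["acked"] = True
        elif method == "BYE":  # who hung up = who *sent* the BYE (IP line), not what From says
            d["hangup_by"] = {d["caller"]: "caller", d["callee"]: "callee"}.get(src, src)
        elif m["kind"] == "response" and m["cseq_method"] == "INVITE" and m["status"] >= 200:
            d["final"] = m["status"]  # 200 = answered; 4xx/5xx/6xx = failed
        if m["media"]:
            d["media"].append(m["media"])
    return dict(calls)


def rtp_filter(dialog):
    """BPF expression for the audio of one call: RTP is on the SDP ports, never on 5060."""
    return " or ".join("(host %s and udp port %d)" % ep for ep in dialog["media"])
```

To use it on a real capture, replace SAMPLE with the contents of a file saved from tcpdump -nqt -A. The hangup_by value is derived from the IP line of the BYE, which is the reliable way to decide who ended the call, and rtp_filter() gives the expression to pass to a second tcpdump if the audio itself has to be captured.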
<p>Note: some data has been masked so as not to compromise the targets of the search.<\/p>\n\n\n\n<p class=\"has-small-font-size\">IP 10.1.0.2.5060 &gt; 186.xxx.176.x.5060: UDP, length 693<br> E\u20264\u2026@\u2026<br> \u2026\u2026  \u2026\u2026..INVITE sip:08000xx3100@186.xxx.176.x SIP\/2.0<br> Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK4232e5a4;rport<br> From: &quot;7799813xxxx&quot; &lt;sip:7799813xxxx@10.1.0.2&gt;;tag=as2d0b9142<br> To: &lt;sip:08000xx3100@186.xxx.176.x&gt;<br> Contact: &lt;sip:7799813xxxx@10.1.0.2&gt;<br> Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2<br> CSeq: 102 INVITE<br> User-Agent: Asterisk PBX<br> Max-Forwards: 70<br> Date: Fri, 05 Jun 2020 15:00:28 GMT<br> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY<br> Content-Type: application\/sdp<br> Content-Length: 176<\/p>\n\n\n\n<p class=\"has-small-font-size\">v=0<br> o=root 18556 18556 IN IP4 10.1.0.2<br> s=session<br> c=IN IP4 10.1.0.2<br> t=0 0<br> m=audio 15506 RTP\/AVP 8 0<br> a=rtpmap:8 PCMA\/8000<br> a=rtpmap:0 PCMU\/8000<br> a=silenceSupp:off - - - -<\/p>\n\n\n\n<p>This is the <strong>100 Trying<\/strong> provisional response: the server that received the INVITE (here the remote PBX at 186.xxx.176.x) acknowledges it and tells the caller to stop retransmitting while it works on routing the call. It is not an answer and says nothing yet about whether the destination exists or is ringing.<\/p>\n\n\n\n<p class=\"has-small-font-size\">IP 186.xxx.176.x.5060 &gt; 10.1.0.2.5060: UDP, length 492<br> E\u2026b\u2026?\u2026\u2026<br> \u2026\u2026\u2026..SIP\/2.0 100 Trying<br> Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK4232e5a4;received=186.xxx.176.x;rport=12721<br> From: &quot;7799813xxxx&quot; &lt;sip:7799813xxxx@10.1.0.2&gt;;tag=as2d0b9142<br> To: &lt;sip:08000xx3100@186.xxx.176.x&gt;<br> Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2<br> CSeq: 102 INVITE<br> Server: PBX - LISpbx 3<br> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE<br> Supported: replaces, timer<br> Contact: <br> Content-Length: 0<\/p>\n\n\n\n<p>The <strong>200 OK<\/strong> response to the INVITE (a status code, not a method) means that the destination 
answered the call: the callee picked up, and the response carries the SDP answer, here a single codec (PCMA) and the address and UDP port (13556) where the callee will receive audio. Ringing is signalled earlier by a 180 Ringing (or 183 Session Progress) provisional response, which is not among the packets shown here.<\/p>\n\n\n\n<p class=\"has-small-font-size\">IP 186.xxx.176.x.5060 &gt; 10.1.0.2.5060: UDP, length 720<br> E\u2026b\u2026?..)\u2026<br> \u2026\u2026\u20260.SIP\/2.0 200 OK<br> Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK4232e5a4;received=186.xxx.176.x;rport=12721<br> From: &quot;7799813xxxx&quot; &lt;sip:7799813xxxx@10.1.0.2&gt;;tag=as2d0b9142<br> To: &lt;sip:08000xx3100@186.xxx.176.x&gt;;tag=as6614a790<br> Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2<br> CSeq: 102 INVITE<br> Server: PBX - LISpbx 3<br> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE<br> Supported: replaces, timer<br> Contact: <br> Content-Type: application\/sdp<br> Content-Length: 184<\/p>\n\n\n\n<p class=\"has-small-font-size\">v=0<br> o=root 501293801 501293801 IN IP4 186.xxx.176.x<br> s=Asterisk PBX 13.10.0<br> c=IN IP4 186.xxx.176.x<br> t=0 0<br> m=audio 13556 RTP\/AVP 8<br> a=rtpmap:8 PCMA\/8000<br> a=maxptime:150<br> a=sendrecv<\/p>\n\n\n\n<p>The <strong>ACK<\/strong> request is the caller confirming that it received the final 200 OK; it completes the three-way INVITE handshake and the dialog is now established (note the new Via branch: the ACK for a 2xx is a transaction of its own). From this point the conversation travels as RTP between the media endpoints negotiated in the two SDP bodies (10.1.0.2 port 15506 and 186.xxx.176.x port 13556), not over port 5060, so a capture filtered on port 5060 contains no audio at all. The address in the c= line is where the media goes and need not be the host that sent the signaling.<\/p>\n\n\n\n<p class=\"has-small-font-size\">IP 10.1.0.2.5060 &gt; 186.xxx.176.x.5060: UDP, length 393<br> E\u20264\u2026@\u2026<br> \u2026\u2026  \u2026\u2026..ACK sip:08000xx3100@186.xxx.176.x:5060 SIP\/2.0<br> Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK6666ffd9;rport<br> From: &quot;7799813xxxx&quot; &lt;sip:7799813xxxx@10.1.0.2&gt;;tag=as2d0b9142<br> To: &lt;sip:08000xx3100@186.xxx.176.x&gt;;tag=as6614a790<br> Contact: &lt;sip:7799813xxxx@10.1.0.2&gt;<br> Call-ID: 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2<br> CSeq: 102 ACK<br> User-Agent: Asterisk PBX<br> Max-Forwards: 70<br> Content-Length: 0<\/p>\n\n\n\n<p>The <strong>BYE<\/strong> request means that 
one side hung up: the call is over and that endpoint tells the other to stop sending media. It also shows who hung up, because the BYE is sent by the party that ended the call, and in an in-dialog request the From header names the sender; so a BYE whose From is <strong>08000xx3100<\/strong> was sent by the destination, which hung up first. Two checks before relying on that: confirm on the IP line that the packet really left the host of the party you believe hung up, and tie the BYE to its INVITE by Call-ID. The BYE below carries 72b40f010fb1c39c7cf19ac540207656@186.xxx.176.x, not the 5a2dc84e790a5ac72b131a8c51e8c2f3@10.1.0.2 of the call traced above, so it belongs to a different dialog.<\/p>\n\n\n\n<p class=\"has-small-font-size\">IP 10.1.0.2.5060 &gt; 186.xxx.176.x.5060: UDP, length 358<br> E\u20265]..@\u2026<br> \u2026\u2026  \u2026..n..BYE sip:08000xx3100@186.xxx.176.x:5060 SIP\/2.0<br> Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK3a2e0156;rport<br> From: &lt;sip:08000xx3100@186.xxx.176.x&gt;;tag=as6614a790<br> To: &lt;sip:7799813xxxx@10.1.0.2&gt;;tag=as54cbfecc<br> Call-ID: 72b40f010fb1c39c7cf19ac540207656@186.xxx.176.x<br> CSeq: 103 BYE<br> User-Agent: Asterisk PBX<br> Max-Forwards: 70<br> Content-Length: 0<\/p>\n\n\n\n<p>The <strong>404 Not Found<\/strong> response means the called user was not found on that server: the extension does not exist there or is not currently registered, for example because it failed to authenticate or lost its connection for a while.<\/p>\n\n\n\n<p class=\"has-small-font-size\">10.1.0.1.5060 &gt; 10.1.0.2.5060: [udp sum ok] SIP, length: 381<br>SIP\/2.0 404 Not Found<br>Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK395b3143;rport=5060<br>From: &quot;112313xxxx&quot; &lt;sip:112313xxxx@10.1.0.2&gt;;tag=as7ef79cbd<br>To: &lt;sip:773639xxxx@10.1.0.1&gt;;tag=as2685bf88<br>Call-ID: 6b82a21e07b28a8049f8b0917463193d@10.1.0.2<br>CSeq: 102 INVITE<br>User-Agent: Asterisk PBX<br>Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY<br>Content-Length: 0<\/p>\n\n\n\n<p>The <strong>408 Request Timeout<\/strong> response means the server could not produce a final answer in time: the Asterisk server kept trying to reach the destination, but nobody answered before the timer ran out. That timer is configurable.<\/p>\n\n\n\n<p class=\"has-small-font-size\">13:18:40.679886 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 415)<br>     10.1.0.1.5060 &gt; 10.1.0.2.5060: [udp sum 
ok] SIP, length: 387<br>         SIP\/2.0 408 Request Timeout<br>         Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK1fb270ed;rport=5060<br>         From: &quot;112313xxxx&quot; &lt;sip:112313xxxx@10.1.0.2&gt;;tag=as7ef79cbd<br>         To: &lt;sip:773639xxxx@10.1.0.1&gt;;tag=as2685bf88<br>         Call-ID: 618424403cbe22ee67c9c7f73b8e92e8@10.1.0.2<br>         CSeq: 102 INVITE<br>         User-Agent: Asterisk PBX<br>         Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY<br>         Content-Length: 0<\/p>\n\n\n\n<p>If you want to open the protocol up even further and get the complete picture, raise the verbosity with the -vvv option. This is the command that prints the most information:<\/p>\n\n\n\n<p><strong>tcpdump -nvvv -s 65535 -A -i eth0 port 5060<\/strong><\/p>\n\n\n\n<p>With -v and above tcpdump also prints the IP header fields (tos, ttl, id, flags, protocol, length) and verifies the UDP checksum, which is where the [udp sum ok] in the dumps comes from; -s 65535 is simply an explicit full snaplen. Below is the verbose output of a 100 Trying, sent by the server at 10.1.0.1 (a SIP Express Router, as its Server header says) while it tries to reach the SIP extension; its Warning header exposes the proxy's routing decision, including the out_uri it forwarded the INVITE to.<\/p>\n\n\n\n<p class=\"has-small-font-size\">13:10:45.211063 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 562)<br>     10.1.0.1.5060 &gt; 10.1.0.2.5060: [udp sum ok] SIP, length: 534<br>         SIP\/2.0 100 trying -- your call is important to us<br>         Via: SIP\/2.0\/UDP 10.1.0.2:5060;branch=z9hG4bK7d84c8fb;rport=5060<br>         From: &quot;183519xxxx&quot; &lt;sip:183519xxxx@10.1.0.2&gt;;tag=as016b315a<br>         To: 
&lt;sip:773639xxxx@10.1.0.1&gt;<br>         Call-ID: 009888fa29fcb5751f30549f46836023@10.1.0.2<br>         CSeq: 102 INVITE<br>         Server: Sip EXpress router (0.9.6 (i386\/linux))<br>         Content-Length: 0<br>         Warning: 392 10.1.0.1:5060 &quot;Noisy feedback tells:  pid=6663 req_src_ip=10.1.0.2 req_src_port=5060 in_uri=sip:773639xxxx@10.1.0.1 out_uri=sip:773639xxxx@186.xxx.176.x:5060 via_cnt==1&quot;<\/p>\n\n\n\n<p>The same message as a hex dump (offsets are byte positions from the start of the SIP payload). Here the 0d0a CRLF line endings and the 0d0a 0d0a that terminates the header block are visible, which the -A view hides; the phone digits are masked with the byte 78 (&quot;x&quot;), as in the text above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    0x0000:  5349 502f 322e 3020 3130 3020 7472 7969\n    0x0010:  6e67 202d 2d20 796f 7572 2063 616c 6c20\n    0x0020:  6973 2069 6d70 6f72 7461 6e74 2074 6f20\n    0x0030:  7573 0d0a 5669 613a 2053 4950 2f32 2e30\n    0x0040:  2f55 4450 2031 302e 312e 302e 323a 3530\n    0x0050:  3630 3b62 7261 6e63 683d 7a39 6847 3462\n    0x0060:  4b37 6438 3463 3866 623b 7270 6f72 743d\n    0x0070:  3530 3630 0d0a 4672 6f6d 3a20 2231 3833\n    0x0080:  3531 3978 7878 7822 203c 7369 703a 3138\n    0x0090:  3335 3139 7878 7878 4031 302e 312e 302e\n    0x00a0:  323e 3b74 6167 3d61 7330 3136 6233 3135\n    0x00b0:  610d 0a54 6f3a 203c 7369 703a 3737 3336\n    0x00c0:  3339 7878 7878 4031 302e 312e 302e 313e\n    0x00d0:  0d0a 4361 6c6c 2d49 443a 2030 3039 3838\n    0x00e0:  3866 6132 3966 6362 3537 3531 6633 3035\n    0x00f0:  3439 6634 3638 3336 3032 3340 3130 2e31\n    0x0100:  2e30 2e32 0d0a 4353 6571 3a20 3130 3220\n    0x0110:  494e 5649 5445 0d0a 5365 7276 6572 3a20\n    0x0120:  5369 7020 4558 7072 6573 7320 726f 7574\n    0x0130:  6572 2028 302e 392e 3620 2869 3338 362f\n    0x0140:  6c69 6e75 7829 290d 0a43 6f6e 7465 6e74\n    0x0150:  2d4c 656e 6774 683a 2030 0d0a 5761 726e\n    0x0160:  696e 673a 2033 3932 2031 302e 312e 302e\n    0x0170:  313a 3530 3630 2022 4e6f 6973 7920 6665\n    0x0180:  6564 6261 636b 2074 656c 6c73 3a20 2070\n    0x0190:  6964 3d36 3636 3320 7265 715f 7372 635f\n    0x01a0:  6970 3d31 302e 312e 302e 3220 7265 715f\n    0x01b0:  7372 635f 706f 7274 3d35 3036 3020 696e\n    0x01c0:  5f75 7269 
3d73 6970 3a37 3733 3633 3978\n    0x01d0:  7878 7840 3130 2e31 2e30 2e31 206f 7574\n    0x01e0:  5f75 7269 3d73 6970 3a37 3733 3633 3978\n    0x01f0:  7878 7840 3138 362e 7878 782e 3137 362e\n    0x0200:  783a 3530 3630 2076 6961 5f63 6e74 3d3d\n    0x0210:  3122 0d0a 0d0a<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Everyone who works with VoIP knows how important call-monitoring tools are for finding and solving 
problems<\/p>\n","protected":false},"author":1,"featured_media":687,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4,5,1,9,7,10,12,8,11],"tags":[],"class_list":["post-682","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-artigos","category-busca-e-apreensao","category-cursodepericia","category-interceptacao","category-linux","category-monitoramento","category-sip","category-tcpdump","category-voip"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/posts\/682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/comments?post=682"}],"version-history":[{"count":8,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/posts\/682\/revisions"}],"predecessor-version":[{"id":708,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/posts\/682\/revisions\/708"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/media\/687"}],"wp:attachment":[{"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/media?parent=682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2
\/categories?post=682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/periciajudicial.zsistemas.com.br\/index.php\/wp-json\/wp\/v2\/tags?post=682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
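The hex block in the verbose section of the post is byte-for-byte the SIP message, CRLF line endings included, which is the form to keep when a capture has to be analysed or reproduced exactly. As an added example, not code from the original post, here is a small decoder for tcpdump's "0xOFFSET:  hhhh hhhh ..." layout: it rebuilds the bytes, insists that the offsets are contiguous, splits headers from body on the CRLFCRLF terminator and checks Content-Length against the body it actually finds. The dump embedded in it is the page's own 100 Trying, with the phone digits masked as the byte 78 ("x") to match the text; everything else is as captured.

```python
"""Turn a tcpdump hex dump of a SIP packet back into bytes and check the message framing.

Added example, not code from the original post. It assumes tcpdump's "0xOFFSET:  hhhh hhhh ..."
layout (as printed by -x); the ASCII column that -X adds after two spaces is ignored.
"""

# The page's hex dump of the verbose 100 Trying; phone digits masked as 78 ('x') like the text.
HEXDUMP = """\
    0x0000:  5349 502f 322e 3020 3130 3020 7472 7969
    0x0010:  6e67 202d 2d20 796f 7572 2063 616c 6c20
    0x0020:  6973 2069 6d70 6f72 7461 6e74 2074 6f20
    0x0030:  7573 0d0a 5669 613a 2053 4950 2f32 2e30
    0x0040:  2f55 4450 2031 302e 312e 302e 323a 3530
    0x0050:  3630 3b62 7261 6e63 683d 7a39 6847 3462
    0x0060:  4b37 6438 3463 3866 623b 7270 6f72 743d
    0x0070:  3530 3630 0d0a 4672 6f6d 3a20 2231 3833
    0x0080:  3531 3978 7878 7822 203c 7369 703a 3138
    0x0090:  3335 3139 7878 7878 4031 302e 312e 302e
    0x00a0:  323e 3b74 6167 3d61 7330 3136 6233 3135
    0x00b0:  610d 0a54 6f3a 203c 7369 703a 3737 3336
    0x00c0:  3339 7878 7878 4031 302e 312e 302e 313e
    0x00d0:  0d0a 4361 6c6c 2d49 443a 2030 3039 3838
    0x00e0:  3866 6132 3966 6362 3537 3531 6633 3035
    0x00f0:  3439 6634 3638 3336 3032 3340 3130 2e31
    0x0100:  2e30 2e32 0d0a 4353 6571 3a20 3130 3220
    0x0110:  494e 5649 5445 0d0a 5365 7276 6572 3a20
    0x0120:  5369 7020 4558 7072 6573 7320 726f 7574
    0x0130:  6572 2028 302e 392e 3620 2869 3338 362f
    0x0140:  6c69 6e75 7829 290d 0a43 6f6e 7465 6e74
    0x0150:  2d4c 656e 6774 683a 2030 0d0a 5761 726e
    0x0160:  696e 673a 2033 3932 2031 302e 312e 302e
    0x0170:  313a 3530 3630 2022 4e6f 6973 7920 6665
    0x0180:  6564 6261 636b 2074 656c 6c73 3a20 2070
    0x0190:  6964 3d36 3636 3320 7265 715f 7372 635f
    0x01a0:  6970 3d31 302e 312e 302e 3220 7265 715f
    0x01b0:  7372 635f 706f 7274 3d35 3036 3020 696e
    0x01c0:  5f75 7269 3d73 6970 3a37 3733 3633 3978
    0x01d0:  7878 7840 3130 2e31 2e30 2e31 206f 7574
    0x01e0:  5f75 7269 3d73 6970 3a37 3733 3633 3978
    0x01f0:  7878 7840 3138 362e 7878 782e 3137 362e
    0x0200:  783a 3530 3630 2076 6961 5f63 6e74 3d3d
    0x0210:  3122 0d0a 0d0a
"""


def hexdump_to_bytes(dump):
    """Parse '0xOFFSET:  hhhh hhhh ...' lines into bytes, insisting that offsets are contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset, _, rest = line.partition(":")
        if int(offset, 16) != len(out):
            raise ValueError("gap or reordering at offset %s" % offset.strip())
        # Keep only the hex groups: with -X an ASCII column follows after two spaces.
        out += bytes.fromhex(rest.strip().split("  ")[0].replace(" ", ""))
    return bytes(out)


def parse_sip(raw):
    """Split on the CRLFCRLF header terminator and check Content-Length against the real body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers not terminated by CRLFCRLF")
    start, *fields = head.decode("ascii").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (f.partition(":") for f in fields)}
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    return start, headers, body
```

The two ValueErrors are the checks worth having on a forensic copy: a reordered or missing dump line, or a Content-Length that does not match the bytes that follow, both mean the message on the page is not the message that was on the wire.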