show sip user agent and ip only tcpdump

Time: 2016-11-22 03:23:57

Tags: grep sip tcpdump

I have been playing around with some tcpdump commands and egrep:

tcpdump -i eth1 port sip -l -A | egrep -i 'User-Agent'

I left this running on an Asterisk PBX server, and I can see all the user agents scrolling across the screen.

What I would like to see is the user agent together with the IP of the SIP client, and then to ignore a few different types of user agent, so that when I am done I only see the IP addresses and user agents of the unknown traffic on the screen. Below is an example of the full SIP packets from the command without egrep. I don't have an example in which the user agent is sipcli/v1.8; maybe I can get one later.

07:54:24.358716 IP xxx.xx.xx.xxx.5060 > 10.1.44.10.5060: SIP, length: 543
EH.;.5..8.y..UF.&..
.....'!SSIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK49b7b7d0;received=10.1.44.10;rport=5060
From: <sip:12345_3@voipprovider3.domain.com>;tag=as5afba40a
To: <sip:12345_3@voipprovider3.domain.com>;tag=as14777e11
Call-ID: 0e860af7278712754385ce784282c772@127.0.1.1
CSeq: 604 REGISTER
Server: voip.ms
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="voipprovider3.domain.com", nonce="7810c539"
Content-Length: 0


07:54:24.384512 IP 10.1.44.10.5060 > xxx.xx.xx.xxx.5060: SIP, length: 558
E`.Jrn..@..S&..
.UF......6..REGISTER sip:voipprovider3.domain.com SIP/2.0
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK6ef2d7d2;rport
Max-Forwards: 70
From: <sip:12345_3@voipprovider3.domain.com>;tag=as5afba40a
To: <sip:12345_3@voipprovider3.domain.com>
Call-ID: 0e860af7278712754385ce784282c772@127.0.1.1
CSeq: 605 REGISTER
User-Agent: unknown
Authorization: Digest username="12345_3", realm="voipprovider3.domain.com", algorithm=MD5, uri="sip:voipprovider3.domain.com", nonce="7810c539", response="5d6ac715deff942d1a3b22b39f83c0b1"
Expires: 120
Contact: <sip:s@10.1.44.10:5060>
Content-Length: 0


07:54:24.387070 IP xxx.xx.xx.xxx.5060 > 10.1.44.10.5060: SIP, length: 549
EH.A.6..8.y..UF.&..
.....-.GSIP/2.0 200 OK
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK6ef2d7d2;received=10.1.44.10;rport=5060
From: <sip:12345_3@voipprovider3.domain.com>;tag=as5afba40a
To: <sip:12345_3@voipprovider3.domain.com>;tag=as14777e11
Call-ID: 0e860af7278712754385ce784282c772@127.0.1.1
CSeq: 605 REGISTER
Server: voip.ms
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 120
Contact: <sip:s@10.1.44.10:5060>;expires=120
Date: Tue, 22 Nov 2016 12:54:24 GMT
Content-Length: 0


07:54:24.813579 IP 10.1.44.10.5060 > xxx.xx.xx.xxx.5060: SIP, length: 551
E`.C_...@.0.&..
.UF....../..REGISTER sip:voipprovider.domain.com SIP/2.0
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK3b0c2176;rport
Max-Forwards: 70
From: <sip:12345@voipprovider.domain.com>;tag=as5b82aabf
To: <sip:12345@voipprovider.domain.com>
Call-ID: 6face5f36fdd29c31d3a10182e207048@127.0.1.1
CSeq: 604 REGISTER
User-Agent: unknown
Authorization: Digest username="12345", realm="voipprovider1.domain.com", algorithm=MD5, uri="sip:voipprovider.domain.com", nonce="236a06e2", response="13d3528c45792fb242a47f1c18b43879"
Expires: 120
Contact: <sip:s@10.1.44.10:5060>
Content-Length: 0


07:54:24.816319 IP xxx.xx.xx.xxx.5060 > 10.1.44.10.5060: SIP, length: 539
EH.7Jy..7.Ou.UF.&..
.....# .SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK3b0c2176;received=10.1.44.10;rport=5060
From: <sip:12345@voipprovider.domain.com>;tag=as5b82aabf
To: <sip:12345@voipprovider.domain.com>;tag=as15b40d21
Call-ID: 6face5f36fdd29c31d3a10182e207048@127.0.1.1
CSeq: 604 REGISTER
Server: voip.ms
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="voipprovider1.domain.com", nonce="168d0f22"
Content-Length: 0


07:54:24.842388 IP 10.1.44.10.5060 > xxx.xx.xx.xxx.5060: SIP, length: 551
E`.C_...@.0.&..
.UF....../..REGISTER sip:voipprovider.domain.com SIP/2.0
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK69d58133;rport
Max-Forwards: 70
From: <sip:12345@voipprovider.domain.com>;tag=as5b82aabf
To: <sip:12345@voipprovider.domain.com>
Call-ID: 6face5f36fdd29c31d3a10182e207048@127.0.1.1
CSeq: 605 REGISTER
User-Agent: unknown
Authorization: Digest username="12345", realm="voipprovider1.domain.com", algorithm=MD5, uri="sip:voipprovider.domain.com", nonce="168d0f22", response="724e79293e8d587a2b8106df991486d7"
Expires: 120
Contact: <sip:s@10.1.44.10:5060>
Content-Length: 0


07:54:24.899968 IP xxx.xx.xx.xxx.5060 > 10.1.44.10.5060: SIP, length: 545
EH.=Jz..7.On.UF.&..
.....)..SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK69d58133;received=10.1.44.10;rport=5060
From: <sip:12345@voipprovider.domain.com>;tag=as5b82aabf
To: <sip:12345@voipprovider.domain.com>;tag=as15b40d21
Call-ID: 6face5f36fdd29c31d3a10182e207048@127.0.1.1
CSeq: 605 REGISTER
Server: voip.ms
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 120
Contact: <sip:s@10.1.44.10:5060>;expires=120
Date: Tue, 22 Nov 2016 12:54:24 GMT
Content-Length: 0

Here is the egrep together with the lines that carry the IP address. I really only want to show the lines that show the user agent. This also shows the ones with no user agent.

tcpdump -i eth1 port sip -l -A | egrep -i 'User-Agent|SIP/2.0/UDP'

Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK6fd0af5a;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 158.85.70.151:5060;branch=z9hG4bK64939182;rport
User-Agent: VoipProvider
Via: SIP/2.0/UDP 158.85.70.151:5060;branch=z9hG4bK64939182;received=158.85.70.151;rport=42872
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK600d27fe;rport
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK600d27fe;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK374f1905;rport
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK374f1905;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK4ac13138;rport
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK4ac13138;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK370927b1;rport
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK370927b1;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;rport
User-Agent: sipcli/v1.8
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK7a1517ef
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK7a1517ef;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK425ae339
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK425ae339;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK7ac74b27
User-Agent: Asterisk PBX
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK7ac74b27;received=10.1.44.10;rport=5060
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-ac834e0a1d92fc96bb7b4da395a5ead5;received=185.40.4.96;rport=5070
Via: SIP/2.0/UDP 10.1.44.10:5060;branch=z9hG4bK7723c051
User-Agent: Asterisk PBX

I would like to see something like this:

sipcli/v1.8 185.40.4.96
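One way to get exactly that output from the tcpdump stream, as an added example (not the asker's code and not part of tcpdump): it reads the `-A` text, remembers the source address from each packet header line, and prints the User-Agent next to that address, dropping the agents in the constructed `IGNORE_UA` set; the `SAMPLE` capture is constructed to mirror the question's trace.

```python
import re
import sys

# Constructed ignore list: user agents this PBX owner does not want to see.
IGNORE_UA = frozenset({"Asterisk PBX", "VoipProvider"})

# tcpdump packet header, e.g. "07:54:24.38 IP 10.1.44.10.5060 > 1.2.3.4.5060: SIP, ..."
PKT_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")
UA_RE = re.compile(r"^User-Agent:\s*(.*?)\s*$", re.IGNORECASE)

# Constructed tcpdump -A excerpt modelled on the question's capture (not a real trace).
SAMPLE = """\
07:54:24.384512 IP 10.1.44.10.5060 > 203.0.113.7.5060: SIP, length: 558
.UF......6..REGISTER sip:voipprovider3.domain.com SIP/2.0
User-Agent: Asterisk PBX
Content-Length: 0

07:54:25.100000 IP 185.40.4.96.5070 > 10.1.44.10.5060: SIP, length: 412
Via: SIP/2.0/UDP 185.40.4.96:5070;branch=z9hG4bK-constructed;rport
User-Agent: sipcli/v1.8
Content-Length: 0

07:54:25.300000 IP 203.0.113.7.5060 > 10.1.44.10.5060: SIP, length: 300
SIP/2.0 401 Unauthorized
Content-Length: 0
""".splitlines()


def user_agents_by_ip(lines, ignore=frozenset()):
    """Yield (user_agent, src_ip) for each SIP message that carries a User-Agent.

    The IP is tcpdump's network-layer source, not the Via header: Via is written by
    the remote party and can say anything. Messages without a User-Agent are skipped.
    """
    src_ip = None
    for line in lines:
        if m := PKT_RE.match(line):
            src_ip = m.group(1)  # new packet: remember who sent it
        elif (m := UA_RE.match(line)) and src_ip is not None:
            if m.group(1) not in ignore:
                yield m.group(1), src_ip


if __name__ == "__main__":
    # Usage: tcpdump -i eth1 port sip -l -A | python3 sip_ua.py
    seen = set()
    for pair in user_agents_by_ip(sys.stdin, IGNORE_UA):
        if pair not in seen:  # report each UA/IP combination once
            seen.add(pair)
            print(*pair, flush=True)
```

Keep `-l` on the tcpdump side so its output is line-buffered, otherwise pairs appear only when the pipe buffer fills.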

1 Answer:

Answer 0: (score: 1)

You could try something like this:

tshark -Y 'sip.User-Agent == "foo bar"' -T fields -e sip.User-Agent -e sip.Contact

Keep in mind that the User-Agent header is optional in SIP packets.