Sunday, June 17, 2007

Using voipong with Back|track 2 Final

In a recent engagement we had the opportunity to capture VOIP traffic using tcpdump, saving the output to a libpcap formatted file. After letting it run for a short time we saved the file and wanted to extract its contents to a .WAV file available for playback. The following will show you how to install the latest release of voipong into Back|track 2 Final, use tcpreplay to play the libpcap formatted file back as network traffic, and then listen to the resulting .WAV file.

First we must extract the voipong tarball:

bt ~ # tar -zxpvf voipong-2.0.tar.gz

Enter the voipong directory:

bt ~ # cd voipong-2.0

Prepare the proper Makefile for our platform:

bt voipong-2.0 # cp Makefile.linux Makefile

Issue the pair of commands to build and install voipong from source:

bt voipong-2.0 # make

bt voipong-2.0 # make install

According to the INSTALL file we must also have sox installed for voipong to save network traffic out to a .WAV file. Let's verify that sox is indeed present on our system:

bt voipong-2.0 # which sox
/usr/bin/sox
bt voipong-2.0 # which soxmix
/usr/bin/soxmix

Now we must edit the voipong.conf file to tell it where to find sox and soxmix. In addition we must change the entry for the network adapter we will be using. The default is em0; in our case we change it to ath0.

bt voipong-2.0 # nano /usr/local/etc/voipong/voipong.conf

Now we can execute voipong. I have used the -f switch to force it to run in the foreground without daemonizing, so we can see the output in real time.

bt ~ # voipong -f
EnderUNIX VOIPONG Voice Over IP Sniffer starting...
Release 2.0, running on bt [Linux 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686]

(c) Murat Balaban http://www.enderunix.org/
15/06/07 04:32:33: EnderUNIX VOIPONG Voice Over IP Sniffer starting...
15/06/07 04:32:33: Release 2.0 running on bt [Linux 2.6.20-BT-PwnSauce-NOSMP #3 Sat Feb 24 15:52:59 GMT 2007 i686]. (c) Murat Balaban http://www.enderunix.org/ 8493]
15/06/07 04:32:33: Default matching algorithm: lfp
15/06/07 04:32:33: loadmodule: /usr/local/etc/voipong/modules/modvocoder_pcma.so (@0xb7f162a1)
15/06/07 04:32:33: loadmodule: /usr/local/etc/voipong/modules/modvocoder_pcmu.so (@0xb7f1427f)
15/06/07 04:32:33: loaded 2 module(s)
15/06/07 04:32:33: loadnetfile: fopen(/usr/local/etc/voipong/voipongnets): No such file or directory
15/06/07 04:32:33: ath0 has been opened in promisc mode. (10.1.1.0/255.255.255.0)

All looks well. Now it's time to invoke tcpreplay so we can push our captured traffic back onto the network and view it with voipong. NOTE: voipong will capture this traffic in real time all on its own; I had to use this method because I already had a capture file with VOIP traffic.

bt ~ # tcpreplay -i ath0 IGScallcapture.lpc
sending out ath0
processing file: IGScallcapture.lpc
15/06/07 04:36:11: [11222] VoIP call has been detected.
15/06/07 04:36:11: [11222] 10.0.0.145:49604 <--> 10.0.0.200:49606
15/06/07 04:36:11: [11222] Encoding 0-PCMU-8KHz, recording.......
15/06/07 04:38:33: [11222] maximum idle time [10 secs] has been elapsed for this call, the call might have been ended.
15/06/07 04:38:33: [11222] .WAV file output/20070615/session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606.wav has been created successfully
15/06/07 04:38:33: [11222] .WAV file output/20070615/session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav has been created successfully
15/06/07 04:38:33: [11222] Mixed output files: output/20070615/session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606-mixed.wav
15/06/07 04:38:33: child [pid: 11222] terminated normally [exit code: 0]
15/06/07 04:43:39: SHUTDOWN signal caught, starting shutdown procedures...
15/06/07 04:43:39: PID 11039 [parent: 3047]: exited with code: 0. uptime: 7 minutes 42 seconds.

Everything looks great so far. Let's verify the log output:

bt log # cat /var/log/voipcdr.log
Start;End;Duration(seconds);Session Id;Party1 RTP Pair; Party 2 RTP Pair;Encoding;Rate
Fri Jun 15 04:36:11 2007;Fri Jun 15 04:38:23 2007;132;11222;10.0.0.145:49604;10.0.0.145:49606;0;8000

Once again, looks great. Let's check and see if our output files are in place.

bt output/20070615 # ls
session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606-mixed.wav
session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav
session-enc0-PCMU-8KHz-10.0.0.145,49604-10.0.0.200,49606.wav

Everything appears to be in order. Time for playback:

bt output/20070615 # play session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav

Input Filename : session-enc0-PCMU-8KHz-10.0.0.200,49606-10.0.0.145,49604.wav
Sample Size : 16-bits
Sample Encoding: signed (2's complement)
Channels : 1
Sample Rate : 8000

Time: 00:48.89 [00:00.00] of 00:48.89 ( 100.0%) Output Buffer: 2.35M

Done.
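To make concrete what voipong and sox do between the captured RTP packets and the 16-bit, 8000 Hz, mono WAV that play reports above, here is an added Python example (not part of this post, and not voipong's code): it parses RTP headers per RFC 3550, decodes G.711 PCMU (payload type 0, the "Encoding 0-PCMU-8KHz" in the voipong output) with the standard mu-law expansion, and writes the WAV in memory. The packets, sequence numbers and SSRC are constructed, and only one direction of a call is handled.

```python
import io
import struct
import wave

def parse_rtp(packet: bytes):
    """Split one RTP datagram (RFC 3550) into header fields and payload."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)               # skip the CSRC list
    if b0 & 0x10:                                # skip a header extension, if present
        ext_words = struct.unpack("!HH", packet[offset:offset + 4])[1]
        offset += 4 + 4 * ext_words
    padding = packet[-1] if b0 & 0x20 else 0    # padding length lives in the last byte
    hdr = {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}
    return hdr, packet[offset:len(packet) - padding]

def ulaw_to_linear(u: int) -> int:
    """G.711 mu-law byte -> signed 16-bit PCM sample (the PCMU decode sox performs)."""
    u = ~u & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample

def pcmu_stream_to_wav(packets) -> bytes:
    """Decode one direction of a PCMU RTP stream into an 8 kHz mono 16-bit WAV."""
    pcm = bytearray()
    for pkt in sorted(packets, key=lambda p: parse_rtp(p)[0]["seq"]):  # reorder by sequence
        hdr, payload = parse_rtp(pkt)
        if hdr["pt"] != 0:                       # 0 = PCMU; 8 would be PCMA (RFC 3551)
            raise ValueError(f"payload type {hdr['pt']} is not PCMU")
        pcm += b"".join(struct.pack("<h", ulaw_to_linear(b)) for b in payload)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(bytes(pcm))
    return buf.getvalue()

def make_rtp(seq: int, ts: int, payload: bytes, pt: int = 0, ssrc: int = 0x1234ABCD) -> bytes:
    """Build a constructed RTP v2 packet with no CSRCs, extension or padding."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed sample stream: two packets that arrived out of order; 0xFF is mu-law silence.
SAMPLE_PACKETS = [make_rtp(2, 160, bytes([0xFF, 0x00, 0x80])), make_rtp(1, 0, bytes([0xFF, 0xFF]))]
```

Writing the returned bytes to a file gives a WAV with the same parameters play printed above; a real capture would feed the RTP payloads of each UDP flow into pcmu_stream_to_wav separately, one per direction.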

Well...that's it in a nutshell. If you have any questions or feedback please feel free to drop me a comment.

May Your Skill Prevail.
