Centralized TCPDUMP orchestrator for SIP monitoring

[bribob]

For years I've been using plink.exe to stream TCPDUMP from an MBG/MCD/MAS directly into Wireshark in order to analyze what's really happening at the NIC level.

This is the Windows command that I run, derived from thread1329-1622565 / slapin:

plink.exe -ssh -pw <<PASSWORD>> root@<<IP ADDRESS OF TARGET>> "tcpdump -ni <<NIC>> -s 0 -w - <<TCPDUMP FILTER>>" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This is great for SIP Trunk troubleshooting, I can analyze any combination of packets coming into or out of a MBG/MCD/MAS/etc, in real time and export if needed. Downside is that this process is manual, and although I have a text file of commands for the various targets that I usually connect to, the root password isn't stored in plain text so I copy/paste/type every time.

I currently have 23 MBG/MCD/MAS that I could potentially want to monitor.

I'd like to find a solution or product that can automate all of this. One time initial configuration of a capture (varying intervals based on capture size or duration), specify the target and credentials (certificate based perhaps), set it and watch the data stream happen. I've had Mitel Performance Analytics in the past, but didn't experience any value out of it. I also don't believe that MPA was capable of such granular troubleshooting either, although I could be wrong..

voipmonitor dot org caught my eye, and it sounds like a useful tool, but their approach requires additional appliances mirroring network traffic beside the target to be monitored. That translates to more infrastructure to support.

Does any existing solution jump to mind? Should I just get to work on scheduled tasks and manually configure some level of automation?


-b

 

[techymitel]

I don't know about any applications or websites, but you should be able to make this easier.

Current versions of Windows 10 have ssh built in - you can see if you have ssh installed:

C:\>ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command]

So now you don't need to use plink.

You can then use ssh-keygen to generate private ssh key. You can do this without specifying a passphrase so you won't have to enter that everytime you use it. But you should read up on k

Then you can copy your ssh key to the MSL machines:

ssh root@<<ip address>> "mkdir ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
type c:\users\username\.ssh\id_rsa.pub | ssh root@<<ip address>> "cat >> .ssh/authorized_keys"

Now you can run ssh commands on the remote machines using ssh without needing to enter passwords.

Then you can create a batch file with something like:

@echo off
ssh root@%1 "tcpdump -ni <<NIC>> -s 0 -w - <<TCPDUMP FILTER>>" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

And then use:

batchfile <<ip address>>

Or you could have a batch file with menu to select which site to connect to.
Or you could create a static html webpage with buttons to activate the batchfile with the correct ip address.

 

[Valamagules]

Hi @techymitel, your solution here sounds interesting. Are you able to put a doco on this together and share it here?

Clever men learns what Wise men shares!

 

[bribob]

@techymitel - solid info, thank you for the input. I'm going to digest it and chip at it when I have some free cycles.

I'll post back here with whatever comes to fruition, but I like your idea of an HTML interface and batch files.


-b