PJSIP: correct way to log to pcap file without writing to console?

Doing:

pjsip set logger on
pjsip set logger pcap myCaptureFile.pcap

Will create the file myCaptureFile.pcap and write the captured data to the file and console. The content is added to the file immediately, but the console gets the messages immediately too, making it nearly unusable. The data also goes to full and syslog, making three huge files instead of one.

Trying:

pjsip set logger on
pjsip set logger verbose off
pjsip set logger pcap myCaptureFile.pcap

Will create the file myCaptureFile.pcap without writing to the console. The problem is that the writes to the file are not instant. For example, in an inbound active call, the 200 OK (SDP) Asterisk sent will only be written to the pcap file if another interaction happens (some SIP OPTIONS or hang up, for example). It’s as if the capture file is being buffered. This makes it harder to diagnostic an active call, as the pcap file is missing packets.

What is the proper way to enable PJSIP logger only to pcap file without writing to the console?

The tests were made with Asterisk 18.XX, 20.0X and 22.3.

TIL pjsip can create PCAPs!

I’ve always used tcpdump to create ‘raw’ PCAPs and pcapsipdump to create ‘by call’ PCAPs.

(And sngrep and/or wireshark for analysis.)

In general, I prefer not to use Asterisk to do things that external tools (pcapsipdump, sox, tcpdump) can do.

In specific, tcpdump has features that may address your ‘buffered writes’ problem.

I’m guessing/assuming that pjsip sees packets after iptables filters, so that may figure into your use case.

Are you trying to log a pseudo TCP stream, after TLS decryption? If not, running tcpdump is the best option, and I believe you can set options to control buffering.

Yes, there is a lot of TLS traffic and requests blocked by firewall on this scenario, which is why I’m using the built-in Asterisk functionality. I’m not aware of an alternative that will work for TLS traffic too.

When TLS wasn’t involved, I normally used sngrep to capture, but I used tcpdump in a few instances too.

The pcap logging was not meant for real time examination of the resulting file. It doesn’t flush any caching explicitly.

Where is the firewall?

If the packets are blocked, are you expecting pjsip to still receive them?

Is the firewall iptables on the Asterisk host?

If so, pjsip is never going to show the blocked packets because pjsip is ‘after’ iptables while tcpdump is ‘before.’

The firewall is installed on the server with Asterisk, the server is a VPS with a public IP. The blocked packets will appear on tcpdump or sngrep output, but not on Asterisk. On this scenario this is intended, as I want to be able to capture with only what Asterisk has received or sent. Being able to discern if some packet was received by Asterisk or not is a positive to me.

About the usage of the PJSIP logging, the main reason I use it is for the TLS capture. Because of it, I would find it useful to have a way to have the pcap file write be (maybe packet?) unbuffered. Maybe making this configurable on pjsip.conf with the default behaviour being the current? Not sure how big this use case is, to know whether this is worth development time.

The other option is another way to capture the TLS traffic in a way it can be inspected (that would have to include websocket), if someone knows a way I can try it to check if it would work for me. I tried the method on the Zoiper site and it didn’t work, because the key isn’t RSA.