Building a Web-Based SIP Analyzer with an Ajax Approach
From Dr. Mashiur Rahman :: ICT expert :: VoIP & Nanotechnology
SIP
SIP stands for Session Initiation Protocol. It is an application-layer signaling protocol which is widely used in VoIP communications. It is very popular for its less complicated structure. [1] SIP is a text-based protocol modelled on HTTP and MIME, which makes it suitable and very flexible for integrated voice-data applications. SIP is designed for real-time transmission, uses fewer resources and is considerably less complex than H.323. Its addressing scheme uses URLs and is human readable; for example: sip:john.doe@company.com.
SIP analyzer and its uses
A SIP analyzer can be defined as a packet analyzer that is used only for capturing and analyzing SIP packets. [2] A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer, or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.
We observed that a packet analyzer can be either software or hardware. In our case we will only consider a software packet analyzer that can capture SIP signaling messages from the connected network adapter or Ethernet device.
Application of SIP analyzer
In VoIP communication, signaling is very important. SIP is used for establishing the connection, or session, between two endpoints and for terminating that session. A typical SIP call uses the following methods.
- REGISTER: Used by a user agent (UA) to announce its current IP address and the URLs for which it would like to receive calls.
- INVITE: Used to establish a media session between user agents.
- ACK: Confirms reliable message exchanges.
- CANCEL: Terminates a pending request.
- BYE: Terminates a session between two users in a conference.
- OPTIONS: Requests information about the capabilities of a caller, without setting up a call.
SIP headers contain important information about the calling and called parties, such as the phone number, IP address and port of both ends. So it is very important to analyze the full SIP message in order to identify threats and the possible causes of call failures, and for troubleshooting.
Web-Based SIP Analyzer
Most of the SIP analyzers or packet analyzers available in the market are desktop applications. However, the main problems with desktop packet analyzers are their operating-system dependency and the complexity of remote access. Implementing a web-based packet analyzer can be the solution to both problems.
Implementation
To implement a web-based SIP analyzer we need to complete the following tasks.
- Capture packets from the server's Ethernet card or network adapter.
- Filter the captured packets and put them into a database hosted on a web server.
- Fetch those data from the database and send HTML reports to the client through HTTP.
- Let the client view real-time reports.
Task 1: Capture packets from the server's Ethernet card
To capture packets directly from our Ethernet card or LAN card we need a tool that can integrate the Ethernet hardware with a high-level programming language. For this task we have discovered a C/C++ library that provides a large set of functions which can directly connect with the Ethernet device of a computer. The library is known as libpcap.
libpcap and pcap.h
[3] pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library. [4] libpcap was originally developed by the tcpdump developers in the Network Research Group at Lawrence Berkeley Laboratory. The low-level packet capture, capture file reading, and capture file writing code of tcpdump was extracted and made into a library, with which tcpdump was linked. It is now developed by the same tcpdump.org group that develops tcpdump. The latest version is 1.0.0 as of March 1, 2009.
The Windows version of libpcap is called WinPcap. Both libpcap and WinPcap can be freely downloaded from www.tcpdump.org and www.winpcap.org. To use libpcap or WinPcap for development purposes like ours it is suggested to use the developer package of the library.
Sample Code 1: Packet Dump
[4] This program reads packets from a file or a network adapter, depending on a command-line switch. If a source is not provided, the program shows a list of available adapters, one of which can be selected. Once the capture is started, the program prints the timestamp, the length and the raw contents of the packets. Once compiled, it will run on all the Win32 platforms. It can be compiled to run on Unix as well (the makefile is provided).
#include <stdlib.h>
#include <stdio.h>
//
// NOTE: remember to include WPCAP and HAVE_REMOTE among your
// preprocessor definitions: pcap_open(), pcap_findalldevs_ex() and
// PCAP_SRC_IF_STRING belong to WinPcap's remote-capture API.
//
#include <pcap.h>

#define LINE_LEN 16

int main(int argc, char **argv)
{
    pcap_if_t *alldevs, *d;
    pcap_t *fp;
    u_int inum, i = 0;
    char errbuf[PCAP_ERRBUF_SIZE];
    int res;
    struct pcap_pkthdr *header;
    const u_char *pkt_data;

    printf("pktdump_ex: prints the packets of the network using WinPcap.\n");
    printf("   Usage: pktdump_ex [-s source]\n\n"
           "   Examples:\n"
           "   pktdump_ex -s file://c:/temp/file.acp\n"
           "   pktdump_ex -s rpcap://\\Device\\NPF_{C8736017-F3C3-4373-94AC-9A34B7DAD998}\n\n");

    if (argc < 3)
    {
        printf("\nNo adapter selected: printing the device list:\n");
        /* The user didn't provide a packet source: retrieve the local device list */
        if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
        {
            fprintf(stderr, "Error in pcap_findalldevs_ex: %s\n", errbuf);
            return -1;
        }

        /* Print the list */
        for (d = alldevs; d; d = d->next)
        {
            printf("%u. %s\n    ", ++i, d->name);
            if (d->description)
                printf(" (%s)\n", d->description);
            else
                printf(" (No description available)\n");
        }

        if (i == 0)
        {
            fprintf(stderr, "No interfaces found! Exiting.\n");
            return -1;
        }

        printf("Enter the interface number (1-%u):", i);
        /* scanf() rather than the MSVC-only scanf_s() so the program also builds on Unix;
           a failed read leaves inum unset, so it is rejected like an out-of-range number */
        if (scanf("%u", &inum) != 1 || inum < 1 || inum > i)
        {
            printf("\nInterface number out of range.\n");
            /* Free the device list */
            pcap_freealldevs(alldevs);
            return -1;
        }

        /* Jump to the selected adapter */
        for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++)
            ;

        /* Open the device */
        if ((fp = pcap_open(d->name,
                            100 /* snaplen */,
                            PCAP_OPENFLAG_PROMISCUOUS /* flags */,
                            20 /* read timeout */,
                            NULL /* remote authentication */,
                            errbuf)) == NULL)
        {
            fprintf(stderr, "\nError opening adapter: %s\n", errbuf);
            pcap_freealldevs(alldevs);
            return -1;
        }

        /* The device list (and d->name) is no longer needed once the adapter is open */
        pcap_freealldevs(alldevs);
    }
    else
    {
        // Do not check for the switch type ('-s')
        if ((fp = pcap_open(argv[2],
                            100 /* snaplen */,
                            PCAP_OPENFLAG_PROMISCUOUS /* flags */,
                            20 /* read timeout */,
                            NULL /* remote authentication */,
                            errbuf)) == NULL)
        {
            fprintf(stderr, "\nError opening source: %s\n", errbuf);
            return -1;
        }
    }

    /* Read the packets */
    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            /* Timeout elapsed */
            continue;

        /* Print packet timestamp and on-the-wire length (only caplen bytes were captured) */
        printf("%ld:%ld (%u)\n", (long)header->ts.tv_sec, (long)header->ts.tv_usec, header->len);

        /* Print the captured bytes as hex, LINE_LEN bytes per line */
        for (i = 1; i < header->caplen + 1; i++)
        {
            printf("%.2x ", pkt_data[i - 1]);
            if ((i % LINE_LEN) == 0)
                printf("\n");
        }
        printf("\n\n");
    }

    if (res == -1)
    {
        fprintf(stderr, "Error reading the packets: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return -1;
    }

    /* res == -2: end of the capture file */
    pcap_close(fp);
    return 0;
}
Sample Code 2: Packet Filter
[4] This is a more complete example of libpcap usage. It shows, among other things, how to create and set filters and how to save a capture to disk. It can be compiled under Win32 or Unix (projects and makefiles are provided). Pcap_filter (pf.exe) is a general-purpose packet filtering application: its input parameters are a source of packets (it can be a physical interface or a file), a filter and an output file. It takes packets from the source until CTRL+C is pressed or the whole file is processed, applies the filter to the incoming packets and saves them to the output file if they satisfy the filter. Pcap_filter can be used to dump network data according to a particular filter, but also to extract a set of packets from a previously saved file. The format of both input and output files is the libpcap format, i.e. the same one used by WinDump, tcpdump and many other network tools.
#include <stdlib.h>
#include <stdio.h>
#include <pcap.h>

#define MAX_PRINT 80
#define MAX_LINE 16

void usage(void);

int main(int argc, char **argv)
{
    pcap_t *fp;
    char errbuf[PCAP_ERRBUF_SIZE];
    char *source = NULL;
    char *ofilename = NULL;
    char *filter = NULL;
    int i;
    pcap_dumper_t *dumpfile;
    struct bpf_program fcode;
    bpf_u_int32 NetMask;
    int res;
    struct pcap_pkthdr *header;
    const u_char *pkt_data;

    if (argc == 1)
        usage();

    /* Options come in "-x value" pairs; stop before a switch that has no value,
       so argv[i + 1] is never read past the end of argv */
    for (i = 1; i + 1 < argc; i += 2)
    {
        if (argv[i][0] != '-')
            usage();
        switch (argv[i][1])
        {
        case 's':
            source = argv[i + 1];
            break;
        case 'o':
            ofilename = argv[i + 1];
            break;
        case 'f':
            filter = argv[i + 1];
            break;
        default:
            usage();
        }
    }

    // open a capture from the network (or from a file, depending on the source string)
    if (source == NULL)
        usage();
    if ((fp = pcap_open(source,
                        1514 /* snaplen */,
                        PCAP_OPENFLAG_PROMISCUOUS /* flags */,
                        20 /* read timeout */,
                        NULL /* remote authentication */,
                        errbuf)) == NULL)
    {
        fprintf(stderr, "\nUnable to open the adapter: %s\n", errbuf);
        return 1;
    }

    if (filter != NULL)
    {
        // We should loop through the adapters returned by pcap_findalldevs_ex()
        // in order to locate the correct one and read its real netmask.
        //
        // Let's do things simpler: we suppose to be in a C class network ;-)
        NetMask = 0xffffff;

        // compile the filter
        if (pcap_compile(fp, &fcode, filter, 1, NetMask) < 0)
        {
            fprintf(stderr, "\nError compiling filter: %s\n", pcap_geterr(fp));
            pcap_close(fp);
            return 1;
        }

        // set the filter
        if (pcap_setfilter(fp, &fcode) < 0)
        {
            fprintf(stderr, "\nError setting the filter: %s\n", pcap_geterr(fp));
            pcap_freecode(&fcode);
            pcap_close(fp);
            return 1;
        }
        // the compiled program has been copied into the capture handle
        pcap_freecode(&fcode);
    }

    // open the dump file
    if (ofilename == NULL)
        usage();
    dumpfile = pcap_dump_open(fp, ofilename);
    if (dumpfile == NULL)
    {
        fprintf(stderr, "\nError opening output file: %s\n", pcap_geterr(fp));
        pcap_close(fp);
        return 1;
    }

    // start the capture
    while ((res = pcap_next_ex(fp, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            /* Timeout elapsed */
            continue;

        // save the packet on the dump file
        pcap_dump((unsigned char *)dumpfile, header, pkt_data);
    }

    if (res == -1)
        fprintf(stderr, "Error reading the packets: %s\n", pcap_geterr(fp));

    // flush and close the dump file, otherwise the last buffered packets are lost
    pcap_dump_close(dumpfile);
    pcap_close(fp);
    return res == -1 ? 1 : 0;
}

void usage(void)
{
    printf("\npf - Generic Packet Filter.\n");
    printf("\nUsage:\npf -s source -o output_file_name [-f filter_string]\n\n");
    exit(0);
}
Task 2: Filter the captured packets and put them into a database hosted on a web server
Using the libpcap or WinPcap library we can capture all the packets that flow through the Ethernet device connected to our PC. However, we need to filter the packets in order to keep only the ones we want (e.g. SIP packets only) and to separate the different parts of the header and the message. Next, we need to insert them into a database so that our web-based front end can fetch the data and report to the client side.
- We can do the filtering in C and export the result to a text file, since C has many built-in string functions. Then we can read that file with a PHP script and insert the data into the database.
- Or, we can save the packets directly to a text file without any filtering in C and do the filtering in the PHP script instead.
- Another way is to connect C directly to MySQL and insert the filtered data into the MySQL database from the C program.
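The filtering and header-splitting that Task 2 calls for, as an added example written for this article rather than taken from it (and not code from libpcap or WinPcap): analyze_frame() takes one frame as pcap_next_ex() returns it in Sample Code 1, keeps it only if it is IPv4/UDP to or from port 5060 (the same selection a filter string such as "udp port 5060" would make in Sample Code 2), and splits the start line and the From, To, Call-ID and CSeq headers into a record ready to become a database row. The sample frame is constructed inline; the Ethernet link type and the choice of fields are assumptions, and every length is checked against the captured length because the bytes come off the network.

```c
/* Added example, not from the article: Task 2's filter-and-split step done in C on one
 * frame exactly as pcap_next_ex() delivers it (Ethernet link type DLT_EN10MB assumed). */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp(): SIP header names are case-insensitive */
#include <stdint.h>
#include <stddef.h>

#define MAX_VAL 128    /* text fields are truncated to MAX_VAL-1 bytes, never overflowed */

/* One database row: addressing from the IP/UDP headers plus the SIP fields reported on. */
struct sip_record {
    uint8_t src_ip[4], dst_ip[4];
    uint16_t src_port, dst_port;
    char start_line[MAX_VAL], call_id[MAX_VAL], from[MAX_VAL], to[MAX_VAL], cseq[MAX_VAL];
};

/* Ethernet -> IPv4 -> UDP walk; returns the SIP payload, or NULL unless the frame is UDP
 * to/from port 5060. Every header length is checked against caplen before it is used, so
 * a short or malformed frame off the wire cannot make the analyzer read past the buffer. */
static const uint8_t *sip_payload(const uint8_t *pkt, size_t caplen, size_t *plen,
                                  struct sip_record *rec)
{
    if (caplen < 34 || pkt[12] != 0x08 || pkt[13] != 0x00) return NULL;      /* not IPv4 */
    const uint8_t *ip = pkt + 14; size_t iplen = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || iplen < 20 || ip[9] != 17 || caplen < 14 + iplen + 8)
        return NULL;                                              /* not UDP, or truncated */
    const uint8_t *udp = ip + iplen; size_t udplen = (size_t)((udp[4] << 8) | udp[5]);
    uint16_t sport = (uint16_t)((udp[0] << 8) | udp[1]), dport = (uint16_t)((udp[2] << 8) | udp[3]);
    if ((sport != 5060 && dport != 5060) || udplen < 8 || 14 + iplen + udplen > caplen)
        return NULL;                                              /* not SIP, or truncated */
    memcpy(rec->src_ip, ip + 12, 4); memcpy(rec->dst_ip, ip + 16, 4);
    rec->src_port = sport; rec->dst_port = dport; *plen = udplen - 8;
    return udp + 8;
}

/* Copy a header value (leading blanks skipped) into a fixed-size, NUL-terminated field. */
static void copy_field(char *dst, const char *src, size_t n)
{
    while (n > 0 && (*src == ' ' || *src == '\t')) { src++; n--; }
    if (n > MAX_VAL - 1) n = MAX_VAL - 1;
    memcpy(dst, src, n); dst[n] = '\0';
}

/* Split SIP text into start line and headers (up to the blank line before the body);
 * returns 1 only if the start line is a SIP/2.0 request or status line. */
static int parse_sip(const uint8_t *payload, size_t plen, struct sip_record *rec)
{
    static const struct { const char *name; size_t off; } hdrs[] = {
        { "Call-ID", offsetof(struct sip_record, call_id) }, { "From", offsetof(struct sip_record, from) },
        { "To", offsetof(struct sip_record, to) }, { "CSeq", offsetof(struct sip_record, cseq) } };
    const char *p = (const char *)payload, *end = p + plen; int nlines = 0;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t len = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (len > 0 && p[len - 1] == '\r') len--;
        if (len == 0) break;                                         /* end of headers */
        const char *colon = memchr(p, ':', len);
        if (nlines == 0) copy_field(rec->start_line, p, len);
        else if (colon) {
            size_t nlen = (size_t)(colon - p);
            for (size_t k = 0; k < sizeof hdrs / sizeof hdrs[0]; k++)
                if (strlen(hdrs[k].name) == nlen && strncasecmp(p, hdrs[k].name, nlen) == 0)
                    copy_field((char *)rec + hdrs[k].off, colon + 1, len - nlen - 1);
        }
        nlines++; p = eol ? eol + 1 : end;
    }
    return nlines > 0 && strstr(rec->start_line, "SIP/2.0") != NULL;
}

/* Per-frame entry point: 1 if rec now holds a SIP message, 0 if the frame was filtered out. */
int analyze_frame(const uint8_t *pkt, size_t caplen, struct sip_record *rec)
{
    size_t plen; memset(rec, 0, sizeof *rec);
    const uint8_t *payload = sip_payload(pkt, caplen, &plen, rec);
    return payload != NULL && parse_sip(payload, plen, rec);
}

/* Constructed sample, not a real capture: Ethernet + IPv4 + UDP around a minimal INVITE. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const char sip[] = "INVITE sip:bob@example.com SIP/2.0\r\n"
        "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
        "To: Bob <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 314159 INVITE\r\n\r\n";
    size_t siplen = sizeof sip - 1, total = 42 + siplen; if (cap < total) return 0;
    memset(buf, 0, 42); uint8_t *ip = buf + 14, *udp = ip + 20;
    buf[12] = 0x08;                                            /* EtherType 0x0800 = IPv4 */
    ip[0] = 0x45; ip[8] = 64; ip[9] = 17;                      /* v4, IHL 5, TTL, proto UDP */
    ip[2] = (uint8_t)((28 + siplen) >> 8); ip[3] = (uint8_t)(28 + siplen);    /* total length */
    memcpy(ip + 12, "\xc0\x00\x02\x0a\xc0\x00\x02\x14", 8);   /* 192.0.2.10 -> 192.0.2.20 */
    udp[0] = udp[2] = 0x13; udp[1] = udp[3] = 0xc4;            /* port 5060 both ways */
    udp[4] = (uint8_t)((8 + siplen) >> 8); udp[5] = (uint8_t)(8 + siplen);    /* UDP length */
    memcpy(udp + 8, sip, siplen); return total;
}

int main(void)
{
    uint8_t frame[512]; struct sip_record rec;
    if (!analyze_frame(frame, build_sample_frame(frame, sizeof frame), &rec)) return 1;
    printf("%u -> %u  %s  Call-ID=%s  From=%s\n", rec.src_port, rec.dst_port,
           rec.start_line, rec.call_id, rec.from);
    return 0;
}
```

In a real build, call analyze_frame(pkt_data, header->caplen, &rec) from the read loop of Sample Code 1 in place of the hex dump. Everything the record holds came straight off the wire, so the later steps must treat it as untrusted input: insert it into MySQL with parameterized queries and escape it before it is rendered in the HTML report.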
Task 3: Fetch those data from the database and send HTML reports to the client through HTTP
Once we are done inserting data into the database, our next job is to create the reporting. For this we will use a PHP script that fetches data from the MySQL database, generates HTML and sends it to the client side. PHP has many built-in functions, like mysql_fetch_array() or mysql_fetch_object(), that can be used to fetch data from the MySQL database. Using PHP we can also integrate security checks (e.g. a user login system, privileges etc.), an alarm system, an automatic error-detection tool etc.
However, the main problem with PHP-based HTML reporting is that it cannot show real-time updates: it shows the latest data only when you hit the refresh button in the browser. In our case this kind of approach is simply not effective. For real-time updates we can use JavaScript to make the client side automatically refresh the page after a certain time interval. However, that refreshes the whole page, and if the report is very large the server may take a long time to respond. To solve this problem we choose AJAX for real-time reporting.
Task 4: Let the client view real-time reports
As mentioned earlier, for real-time reporting we prefer to use AJAX. AJAX is short for Asynchronous JavaScript and XML. [5] It is a group of interrelated web development techniques used on the client side to create interactive web applications. With Ajax, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behavior of the existing page.
The diagram on the left describes the AJAX process. AJAX uses the XMLHttpRequest object, which can send a request to the server from the client end. The server processes the request and returns a response in XML format. After receiving the response, the client side simply updates the page content without redirecting to another page or reloading the same page. [6]
Overall Model
References
- [1] http://www.pcmag.com/encyclopedia_term/0,2542,t=SIP&i=51413,00.asp
- [2] http://en.wikipedia.org/wiki/Packet_analyzer
- [3] http://en.wikipedia.org/wiki/Pcap#Some_programs_that_support_the_libpcap_file_format
- [4] http://en.wikipedia.org/wiki/Pcap#Some_programs_that_support_the_libpcap_file_format
- [5] http://en.wikipedia.org/wiki/Ajax_(programming)
- [6] http://www.infragistics.com/ajax/default.aspx#AJAXOverview