[asterisk-users] Capture Media IP in CDR (CDR)

Gareth Blades mailinglist+asterisk at dns99.co.uk
Mon Oct 14 06:16:46 CDT 2013


On 13/10/13 20:06, CDR wrote:
> I am quite surprised about the degree of surprise in the group. A few
> days ago, somebody called a school and issued a threat, through my
> network. The call came from China, but of course it was US caller. The
> DA wants to know where call came from. The caller ID is "Restricted"
> and the Chinese carrier is playing games.
How do you think it works with regular telecoms?
The police need to follow the trail. All you need to provide is that the 
call came in via carrier X and they will then go onto that carrier to 
see where the call originated.

My advice would be to :-

1) Add ${SIPCALLID} to your cdr records. This is the unique ID for the 
sip call which can be used later.

2) Run "tcpdump -p -s 0 -C 10 -W 500 -w siptrace.pcap port 5060"
-C is how big the dump will be and -W is how many capture files to get 
before overwriting the old one. Make the -C value (10 in this case) big 
enough so each file lasts 15 minutes or so and the -W value big enough 
so you keep however many days of records you need.

3) Now when you get a request look in the cdr records for the callid. 
Assuming for example it's qwertyuiop then look at the time and pick the 
pcap file covering that time range. Make sure you have the 'wireshark' 
and 'ngrep' linux packages installed. Then :-
tshark -t ad -r TRACEFILE -Y 'sip.Call-ID contains qwertyuiop' -w - | 
ngrep -I - -W byline -t
The standard output now contains a complete SIP trace and you will be 
able to see all the media endpoints and exact timings.

That's basically what we do for getting call diagnostics.
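The three steps above carried through in code, as an added example that is not part of the post and not Asterisk's own tooling. It assumes the Call-ID was stored in the CDR (for instance with Set(CDR(userfield)=${SIPCALLID}) in the dialplan), that the captures were written by tcpdump with -C/-W rotation (so the numeric suffix wraps and the file covering a time has to be chosen by modification time), and SIP over UDP/IPv4 on Ethernet. The pcap bytes, Call-IDs and addresses (documentation ranges) are constructed inline so it runs offline; the pcap/SIP/SDP parsing is deliberately minimal and is an illustration, not a replacement for tshark.

```python
"""Pick the rotated capture covering a CDR time, then pull one Call-ID's SIP
messages and their SDP media endpoints out of it. Added example, not from the
post or from Asterisk; assumes tcpdump -C/-W rotation and SIP over UDP/IPv4."""
import struct
from datetime import datetime, timezone


def pick_capture(captures, when):
    """captures: {filename: mtime in Unix seconds}; when: CDR start time.
    tcpdump -W wraps the numeric suffix, so the name says nothing about the
    time range. mtime is when the last packet was written, so the file that
    holds `when` is the one with the smallest mtime that is still >= when."""
    later = [(mtime, name) for name, mtime in captures.items() if mtime >= when]
    return min(later)[1] if later else None


def iter_udp(pcap):
    """Yield (timestamp, src_ip, dst_ip, udp_payload) for each UDP/IPv4 packet
    in a classic (microsecond) pcap, either byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # not IPv4, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        udp = frame[14 + ihl:]
        ulen, = struct.unpack_from("!H", udp, 4)
        yield ts_sec + ts_usec / 1e6, src, dst, udp[8:ulen]


def parse_sip(payload):
    """Return (start line, {header: value}, {ip, port} from SDP c=/m= lines)."""
    head, _, body = payload.decode("utf-8", "replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    media = {}
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            media["ip"] = line.split()[-1]
        elif line.startswith("m=audio "):
            media["port"] = int(line.split()[1])
    return lines[0], headers, media


def find_call(pcap, call_id):
    """All SIP messages carrying this Call-ID (long or compact 'i:' header),
    in capture order, with the media endpoint each one advertises via SDP."""
    found = []
    for ts, src, dst, payload in iter_udp(pcap):
        start, hdr, media = parse_sip(payload)
        if hdr.get("call-id", hdr.get("i")) != call_id:
            continue
        found.append({"time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
                      "src": src, "dst": dst, "msg": start, "media": media})
    return found


# --- constructed sample capture (documentation IP ranges, made-up Call-IDs) ---
def _udp_frame(src, dst, payload):
    """Ethernet/IPv4/UDP frame, port 5060 both ways; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        usec = int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", int(ts), usec, len(frame), len(frame)) + frame
    return out


INVITE = (b"INVITE sip:7705551234@203.0.113.5 SIP/2.0\r\nCall-ID: qwertyuiop\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 198.51.100.44\r\nm=audio 40002 RTP/AVP 0\r\n")
OK = (b"SIP/2.0 200 OK\r\ni: qwertyuiop\r\n\r\n"
      b"v=0\r\nc=IN IP4 203.0.113.5\r\nm=audio 10500 RTP/AVP 0\r\n")
OTHER = b"OPTIONS sip:203.0.113.5 SIP/2.0\r\nCall-ID: unrelated-call\r\n\r\n"

SAMPLE_PCAP = _pcap([
    (1381260000.0, _udp_frame("203.0.113.5", "198.51.100.9", OTHER)),
    (1381260001.25, _udp_frame("198.51.100.9", "203.0.113.5", INVITE)),  # carrier -> us
    (1381260001.5, _udp_frame("203.0.113.5", "198.51.100.9", OK)),       # us -> carrier
])
```

Usage: pick_capture({"siptrace.pcap000": 1381259000, "siptrace.pcap001": 1381260900, ...}, cdr_start) names the file to open, and find_call(open(name, "rb").read(), "qwertyuiop") lists every message of that call with timestamp, signalling source, and the SDP c=/m= endpoint it advertised. The point worth keeping in mind for the DA's request is that the SDP address (198.51.100.44 in the sample) need not be the signalling source (198.51.100.9): a carrier's SBC or media proxy often sits in between, so hand over both, plus the time and the carrier the INVITE arrived from, and let them follow the trail from there. This only works because step 2 kept the raw packets; the CDR alone does not record either address.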


