extract and parsing megaco message from pcap file

Hello

Anyone has ever done something similar to this?

I'd like to process pcap files containing megaco messages (among
others). I'd like to filter and extract and parse megaco messages from
this file and produce some human readable format.


Best,

Zsolt
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Hello,

# Zsolt Czinkos 2011-04-07:
> Anyone has ever done something similar to this?
>
> I'd like to process pcap files containing megaco messages (among
> others). I'd like to filter and extract and parse megaco messages from
> this file and produce some human readable format.

Wireshark is an excellent tool for general packet dissection and seems
to support megaco:

  http://wiki.wireshark.org/H248/MEGACO

Don't know if it can dump text representation on you, never had the need
to do so...

HTH,
        -- Jachym
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

On Thu, Apr 7, 2011 at 1:47 PM, Zsolt Czinkos <[hidden email]> wrote:
> Hello
>
> Anyone has ever done something similar to this?
>
> I'd like to process pcap files containing megaco messages (among
> others). I'd like to filter and extract and parse megaco messages from
> this file and produce some human readable format.

The 'megaco' app in Erlang/OTP provides both parsing and pretty printing
of Megaco messages. It can even convert messages in ASN.1 format to text
format and vice versa. Together with the 'et' app and its
'megaco_filter' plugin,
it can also filter Megaco messages and display different views of them. On
the first Megaco/H.248 interop event, people found it so useful that they
wanted to buy our open source debug tool. :-)

One piece that is missing though is reading of messages from a file, so that
functionality needs to be added. This should however be easy to do as you
have all building blocks (scanner, parser, pretty printer, filtering
mechanism etc.)

/Håkan
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Hi
There are two erlang projects on github that works with pcap.

Michael Santos' epcap https://github.com/msantos/epcap
and my pran https://github.com/nygge/pran
neither currently support megaco but at least pran is
made to make it easy to add new protocols.

Pran reads pcap files and decodes the records. Currently
it handles ethernet, IP, TCP, UDP, SIP, SDP, MTP2, MTP3,
SCCP, TCAP, MAP

It has a VERY simple filter function that allows for quick search
in pcap files.
Wireshark is normally an excellent tool but searching is very slow.
One reason I started pran was that we had a lot of pcap files,
10 MB only covered 10 minutes, we needed to search.
With wireshark it took > 30 s to open a file and >30s to filter. (I
don't remember the exact times but it was somewhere 30-60 s
for each step)
With pran if takes much less than 1 s.

So take a look and let me know if You need any help.

/Anders


On Thu, Apr 7, 2011 at 6:47 AM, Zsolt Czinkos <[hidden email]> wrote: _______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

On Thu, Apr 07, 2011 at 01:47:42PM +0200, Zsolt Czinkos wrote:
> Hello
>
> Anyone has ever done something similar to this?
>
> I'd like to process pcap files containing megaco messages (among
> others). I'd like to filter and extract and parse megaco messages from
> this file and produce some human readable format.

For reading the pcap files, you could use epcap (which uses libpcap)
or Anders Nygren's pran (which reads the pcap file using Erlang):

https://github.com/msantos/epcap
https://github.com/nygge/pran

For fun, I've used epcap to dump HTTP responses, doing the parsing with
httpc (httpc is awesome!):

https://github.com/msantos/perv

You might be able to do something similar and pass off the data to the
Erlang megaco module but I don't know anything about megaco.
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Thank you guys, they look promising.

czinkos

On Thu, Apr 7, 2011 at 2:58 PM, Michael Santos <[hidden email]> wrote: _______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions