TCP, TLS, WSS - heplify will it work? #310

Open
CrazyTux opened this issue Nov 5, 2024 · 3 comments

CrazyTux commented Nov 5, 2024

I am running into an issue where it seems heplify is not processing TCP traffic? I've tried with -tcpassembly and -sipassembly enabled. Also is it possible to process TLS and WSS traffic with heplify at this time? Looking for more information as to what I may be doing wrong.

heplify -hs HOMER-SERVER -nt udp -bpf 'tcp and (portrange 5060-5090 or port 7443)' -e -l debug -tcpassembly -assembly_debug_log
heplify -hs HOMER-SERVER -nt udp -bpf 'tcp and (portrange 5060-5090 or port 7443)' -e -l debug -sipassembly -assembly_debug_log
heplify -hs HOMER-SERVER -nt udp -bpf 'tcp and (portrange 5060-5090 or port 7443)' -e -l debug -sipassembly -tcpassembly -assembly_debug_log

None of these flags seem to get TCP proto data into homer. Any and all help is appreciated.

Member

lmangani commented Nov 5, 2024

Hello @CrazyTux, heplify should work just fine with TCP, so make sure your packets don't have extra encapsulation headers, etc.
If you're not sure, capture a few and look at them in Wireshark to reveal the probable cause. You cannot passively sniff proper TLS without stealing tokens from the library, so you should use native HEP integrations to do that securely (Kamailio, OpenSIPS, Freeswitch, Asterisk, Drachtio, etc.).
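
An added example, not part of this thread or of heplify's own code: a small Go check on the first payload bytes of a TCP segment, to tell plaintext SIP from a TLS record or an HTTP/WebSocket upgrade when triaging a capture of the ports named in the BPF filter above. The function name `ClassifyPayload` and all sample payloads are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
)

// sipMethods lists SIP request methods (RFC 3261 plus common extensions).
var sipMethods = []string{"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
	"SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE", "PRACK"}

// ClassifyPayload (hypothetical helper) labels the first bytes of a TCP payload.
func ClassifyPayload(p []byte) string {
	if len(p) == 0 {
		return "empty" // SYN/ACK/FIN segments carry no application data
	}
	// TLS record header: content type 20-23, version major 0x03, minor 0x00-0x04.
	if len(p) >= 3 && p[0] >= 20 && p[0] <= 23 && p[1] == 0x03 && p[2] <= 0x04 {
		return "tls" // encrypted: a passive sniffer sees no SIP in here
	}
	if bytes.HasPrefix(p, []byte("SIP/2.0 ")) {
		return "sip" // status line of a SIP response
	}
	for _, m := range sipMethods {
		if bytes.HasPrefix(p, []byte(m+" ")) {
			return "sip" // request line of a SIP request
		}
	}
	// A plaintext WebSocket session opens with an HTTP/1.1 GET upgrade or a 101 reply.
	if bytes.HasPrefix(p, []byte("GET ")) || bytes.HasPrefix(p, []byte("HTTP/1.1 ")) {
		return "http"
	}
	return "unknown" // e.g. extra encapsulation or a mid-stream segment
}

func main() {
	// Constructed sample payloads, not taken from the capture discussed in the issue.
	samples := [][]byte{
		[]byte("INVITE sip:1001@example.invalid SIP/2.0\r\nVia: SIP/2.0/TCP 192.0.2.10\r\n"),
		{0x16, 0x03, 0x01, 0x02, 0x00, 0x01}, // start of a TLS handshake record
		[]byte("GET /ws HTTP/1.1\r\nUpgrade: websocket\r\n"),
		{},
	}
	for _, s := range samples {
		fmt.Println(ClassifyPayload(s))
	}
}
```
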

Author

CrazyTux commented Nov 5, 2024

Thank you for this information. I will investigate with Wireshark -- although there should not be anything special going on encapsulation-wise. For example, an INVITE from a Yealink over TCP.

I see decoder.go:

2024/11/05 21:13:56.610358 decoder.go:943: DBG [payload] TCP%!(EXTRA *decoder.Packet=&{2 6 10.X.X.XXX 209.160.XXX.XXX 7443 50640 1730841236 590298 0 [] [] 0})

Seems to recognize there is a TCP packet but it never ends up showing at the other side within homer.

Member

lmangani commented Nov 5, 2024

We can't tell without seeing the packet other than confirm TCP/UDP sniffing works for tens of thousands of other setups.
