New protocol support: SIP

packetbeat/_meta/fields.yml

@@ -2072,3 +2072,93 @@
                   type: keyword
                   description: >
                     The JA3 string used to calculate the hash.
+
+- key: sip
+  title: "SIP"
+  description: SIP-specific event fields.
+  fields:
+    # general
+    - name: type
+      type: keyword
+      description: >
+        Must be 'sip'
+
+    - name: "@timestamp"
+      type: date
+
+    # general
+    - name: sip.src
+      type: keyword
+      description: >
+        Source IP address and port
+      example: 192.168.0.1:5060
+
+    - name: sip.dst
+      type: keyword
+      description: >
+        Destination IP address and port
+      example: 192.168.0.1:5060
+
+    - name: sip.unixtimenano
+      type: long
+      description: >
+        unixtime as nanosec
+      example: 1516199666016756000
+
+    - name: sip.transport
+      type: keyword
+      description: >
+        transport protocol(udp,tcp)
+      example: tcp
+
+     #in case Request
+    - name: sip.method
+      type: keyword
+      description: >
+        SIP Request Method
+      example: INVITE
+
+    - name: sip.request-uri
+      type: keyword
+      description: >
+        SIP Request URI
+      example: sip:[email protected]:5060;transport=udp
+
+    # in case Response
+    - name: sip.status-code
+      type: long
+      description: >
+        SIP Response code, status code
+      example: 200
+
+    - name: sip.status-phrase
+      type: keyword
+      description: >
+        SIP Response , status phrase
+      example: OK
+
+    # mandatory headers
+    - name: sip.from
+      type: keyword
+      description: >
+        SIP From header value
+      example: "\"sipp\" <sip:[email protected]>;tag=2363SIPpTag001"
+
+    - name: sip.to
+      type: keyword
+      description: >
+        SIP To header value
+      example: "\"sut\" <sip:[email protected]>;tag=16489SIPpTag012"
+
+    - name: sip.call-id
+      type: keyword
+      description: >
+        SIP Call-ID header value
+      example: ""
+
+    - name: sip.cseq
+      type: keyword
+      description: >
+        SIP CSeq header value
+      example: 1 INVITE
+

packetbeat/_meta/sample_outputs/sip.json

@@ -0,0 +1,76 @@
+{
+    "@timestamp": "2018-01-17T05:36:15.635Z",
+    "beat": {
+        "hostname": "server",
+        "name": "server",
+        "version": "7.0.0-alpha1"
+    },
+    "body": {
+        "application/sdp": {
+            "a": [
+                "rtpmap:0 PCMU/8000"
+            ],
+            "c": [
+                "IN IP4 192.168.0.20"
+            ],
+            "m": [
+                "audio 6000 RTP/AVP 0"
+            ],
+            "o": [
+                "user1 53655765 2353687637 IN IP4 192.168.0.20"
+            ],
+            "s": [
+                "-"
+            ],
+            "t": [
+                "0 0"
+            ],
+            "v": [
+                "0"
+            ]
+        }
+    },
+    "call_id": "[email protected]",
+    "cseq": "1 INVITE",
+    "dst": "192.168.0.10:5060",
+    "from": "sipp <sip:[email protected]:5060>;tag=13253SIPpTag00723",
+    "headers": {
+        "call-id": [
+            "[email protected]"
+        ],
+        "contact": [
+            "sip:[email protected]:5060"
+        ],
+        "content-length": [
+            "135"
+        ],
+        "content-type": [
+            "application/sdp"
+        ],
+        "cseq": [
+            "1 INVITE"
+        ],
+        "from": [
+            "sipp <sip:[email protected]:5060>;tag=13253SIPpTag00723"
+        ],
+        "max-forwards": [
+            "70"
+        ],
+        "subject": [
+            "Performance Test"
+        ],
+        "to": [
+            "service <sip:[email protected]:5060>"
+        ],
+        "via": [
+            "SIP/2.0/UDP 192.168.0.20:5060;branch=z9hG4bK-13253-723-0"
+        ]
+    },
+    "method": "INVITE",
+    "raw": "INVITE sip:[email protected]:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.0.20:5060;branch=z9hG4bK-13253-723-0\r\nFrom: sipp <sip:[email protected]:5060>;tag=13253SIPpTag00723\r\nTo: service <sip:[email protected]:5060>\r\nCall-ID: [email protected]\r\nCSeq: 1 INVITE\r\nContact: sip:[email protected]:5060\r\nMax-Forwards: 70\r\nSubject: Performance Test\r\nContent-Type: application/sdp\r\nContent-Length:   135\r\n\r\nv=0\r\no=user1 53655765 2353687637 IN IP4 192.168.0.20\r\ns=-\r\nc=IN IP4 192.168.0.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n",
+    "request_uri": "sip:[email protected]:5060",
+    "src": "192.168.0.20:5060",
+    "to": "service <sip:[email protected]:5060>",
+    "transport": "udp",
+    "type": "sip"
+}

packetbeat/include/list.go

@@ -19,6 +19,7 @@ import (
 	_ "github.com/elastic/beats/packetbeat/protos/nfs"
 	_ "github.com/elastic/beats/packetbeat/protos/pgsql"
 	_ "github.com/elastic/beats/packetbeat/protos/redis"
+	_ "github.com/elastic/beats/packetbeat/protos/sip"
 	_ "github.com/elastic/beats/packetbeat/protos/tcp"
 	_ "github.com/elastic/beats/packetbeat/protos/thrift"
 	_ "github.com/elastic/beats/packetbeat/protos/tls"

packetbeat/packetbeat.yml

@@ -98,6 +98,11 @@ packetbeat.protocols:
   # the TLS protocol by commenting out the list of ports.
   ports: [443]
 
+- type: sip
+  # Configure the ports where to listen for SIP traffic. You can disable
+  # the SIP protocol by commenting out the list of ports.
+  ports: [5060]
+
 #==================== Elasticsearch template setting ==========================
 
 setup.template.settings: