Sipspy man page
spyAgent - SipSpy Agent
spyAgent <-h> < -d dev > < -S > < -w passwords_file > < -p port > < -g debug_level > < -l listening_ip > < -f file > < bpf filter >
SpyAgent is the daemon monitor which works with VozTelecom's SipSpy.
SpyAgent is a daemon server which monitors all incoming/outgoing traffic in a computer, and searches packets which look like SIP messages. Furthermore, it opens a ServerSocket to accept incoming clients. These clients register with a username and password, and then provide a Regular Expression. ADMIN clients can instruct spyAgent to change the interface on which it is capturing, and also to change the BPF filter. NORMAL clients can only provide a Regular Expression. For every packet SipAgent considers is a SIP Message, it will apply the Regex provided by each of the clients, and if it matches, the client will receive a XML structure containing info about the message and the message itself.
Device on which spyAgent will start capturing/monitoring traffic.
Enable Secure Mode. in this mode, spyAgent opens the interface for monitoring, applies the BPF filter, and then drops root privileges and switches the UserID to 'nobody', so it can do no harm if it's hacked.
Passwords file. The passwords file is composed of one line per user, with 4 records per line, separated with a colon ':'. The first record is the username. The second record is the password. The third record is the role. (can be 'admin' or 'user'). The fourth record is a Regular Expression that will be applied on the regular expression provided by the user. If it doesn't match, the user won't be allowed to monitor packets and must change his regexp to another one which is permitted. This avoids unprivileged users to try to monitor all the traffic (ie. allow the ADMIN to have users that can only monitor packets for some SIP domains). Example of a passwords file:
boss:mypass:admin:.* userA:hispass:user:.*domainA.com.* userB:theirpass:user:.*domainB.com.*
here, boss would be an admin (thus he could change the Interface and BPF filter on which spyAgent is listening and capturing packets). He can provide any regex he wants, because hish "meta-regex" is .*, which matches against everything. userA would be a normal user, (identified by 'hipass' password). He is noly allowed to use regular expressions that include domainA.com, for excample, he couldn't be capturing all the SIP messages, because the regexp ".*" doesn't match against ".*domainA.com.*" so he has to provide regexps that contain domainA.com, for example "sip:.*@domainA.com" which would notify him of all the messages which comtain a sip-URI of the form sip:xxx@domainA.com. UserB is similar to userA.
port The port on which SpyAgent will be listening for incoming clients to connect.
SpyAgent's verbosity on debug messages.
Ip on which SpyAgent will be listening for incoming clients to connect.
File in case you have a libpcap/ethereal/tcpdump capture file, and you want to replay it for the SipSpies connected, you can provide a file. bpf filter
SpyAgent will only monitor packets that match this filter. (it can be changed dinamically by ADMIN users).
take a look at tcpdump or ngrep manual for an explanation of BPF filters.
VozTelecom Sistemas SL Ronda Can Fatjo, 9, 1p Parc Tecnologic del Valles Cerdanyola
Written by Elias Baixas <elias.baixas _-at-_ voztele.com>.
REPORTING BUGS elias.baixas at voztele.com