Hack 86. Log and Record VoIP Streams
Biblically speaking, there's not a whole lot that Cain and Abel had to do with Voice over IP. But the program that bears their names is a really cool VoIP tool.
If you're not a Unix fan or you just don't have the time to compile vomit and its dependencies to record a call, I've got the solution for you. There's a program for Windows called Cain & Abel. It uses the WinPCap library (just like Ethereal) for packet sniffing, network device identification, password recovery, reconnaissance, and literally dozens of other intriguing tasks. Cain & Abel is literally a Swiss army knife of handy networking goodies.
Not least among these goodies is a VoIP call sniffer/recorder that's slicker than a wet rock. It provides a sortable, date- and timestamped list view that logs any VoIP calls it picks up during a sniff. It assumes that any RTP traffic is VoIP and attempts to decode it and record it into a WAV file. According to the Cain & Abel web site (http://www.oxid.it/cain.html), the program can decode calls in uLaw, aLaw, ADPCM, LPC, GSM, iLBC, and a host of other codecs. Of course, it can't interpret any streams that are encrypted, so it's still nearly impossible to record a Skype call from another host.
6.16.1. The Easy Way to Intercept Calls
To record a call from the local computer where Cain & Abel is running (that's the easiest way), install the program on a machine with X-Lite or a comparable softphone that can place calls in one of Cain & Abel's supported codecs. Of course, this technique will only record calls placed to and from this machine. It will not sniff out calls between other computers or IP phones.
Fire up Cain & Abel. Then, select the Configuration menu option in Cain & Abel to launch the Cain & Abel configuration dialog. It's shown in Figure 6-14. Click the Filters and Ports tab and check the SIP/RTP entry to ensure that you'll be capturing VoIP traffic. Then click OK.
Figure 6-14. The Cain & Abel Filters and Ports list
When the Configuration dialog disappears, click the Start/Stop Sniffer icon on the toolbar. Now, place a phone call on the locally running softphone. This could be X-Lite, Firefly, NetMeeting, or whatever, as long as it uses SIP or H.323 for signaling and RTP for voice transmission (just about all VoIP applications do). Click the Sniffer tab, then the VoIP tab (on the bottom of the GUI) to reveal the call list.
Notice that as you place and receive VoIP calls on the machine where Cain & Abel is sniffing, your call log will begin to fill with entries on the VoIP tab, as shown in Figure 6-15. The call log will tell you the source and destination IP addresses of the media stream used in the VoIP call, the codec that is employed (if Cain & Abel recognizes it), and the port numbers involved in the RTP media path.
Figure 6-15. The Cain & Abel VoIP call log
After you stop the sniffer by clicking the Start/Stop Sniffer button on the toolbar again (it toggles sniffing on and off), you'll see the filenames where Cain & Abel has saved the recorded calls. The WAV files produced by Cain & Abel end up in \Program Files\Cain\VoIP, and you can play them by opening them in your favorite sound player, or by right-clicking them here in the Cain & Abel GUI.
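The call log above lists addresses, ports, and codec for anything that looks like RTP, which is also what an unencrypted voice stream gives away to any capture point on its path. The sketch below is an added example, not Cain & Abel's own detection logic: it applies an assumed header heuristic (version 2, not RTCP, in-order sequence numbers) to a constructed set of UDP payloads and builds a similar log using the static payload types from RFC 3551.

```python
import struct
from collections import defaultdict

# Static RTP payload types (RFC 3551) for codecs the text mentions.
STATIC_PT = {0: "PCMU (uLaw)", 3: "GSM", 5: "DVI4 (ADPCM)", 7: "LPC", 8: "PCMA (aLaw)"}

def parse_rtp(payload):
    """Return (payload_type, seq, ssrc) if the UDP payload looks like RTP, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                          # RTP version must be 2
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                        # second byte 200-204 is RTCP, not media
        return None
    if 12 + 4 * (b0 & 0x0F) > len(payload):   # CSRC list must fit in the packet
        return None
    return pt, seq, ssrc

def call_log(packets, min_run=3):
    """Group RTP-looking packets into streams; keep those with min_run in-order packets."""
    streams = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        hdr = parse_rtp(payload)
        if hdr:
            pt, seq, ssrc = hdr
            streams[(src, sport, dst, dport, ssrc, pt)].append(seq)
    log = []
    for (src, sport, dst, dport, ssrc, pt), seqs in streams.items():
        run = 1 + sum(1 for a, b in zip(seqs, seqs[1:]) if b == (a + 1) & 0xFFFF)
        if run >= min_run:
            codec = STATIC_PT.get(pt, "dynamic (see SDP)" if pt >= 96 else "unknown")
            log.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                        "codec": codec, "packets": len(seqs)})
    return log

def rtp(pt, seq, ssrc):  # constructed sample packet: 12-byte header + 160 bytes of audio
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xff" * 160

# Constructed sample capture: two media directions, one RTCP report, one non-RTP datagram.
SAMPLE = (
    [("10.0.0.5", 16384, "10.0.0.9", 20000, rtp(0, s, 0x1111)) for s in (65534, 65535, 0)]
    + [("10.0.0.9", 20000, "10.0.0.5", 16384, rtp(97, s, 0x2222)) for s in (7, 8, 9)]
    + [("10.0.0.5", 16385, "10.0.0.9", 20001, struct.pack("!BBHII", 0x80, 200, 6, 0, 0x1111)),
       ("10.0.0.5", 53000, "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00" * 20)]
)

if __name__ == "__main__":
    print(call_log(SAMPLE))
```

Dynamic payload types (96 and up, which is where iLBC lives) can only be named from the SDP in the signaling, so the sketch reports them without guessing a codec.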
6.16.2. The Tricky Way to Intercept Calls
If you want to record a call between two devices that can't run Cain & Abel, like a call between two IP phones or a call from a Mac softphone to a Linux softphone, the method described in the previous section won't work. Instead, you need to enable your Ethernet switch to "share" packets destined for the devices involved in the VoIP call with your PC running Cain & Abel. With your PC connected to a particular port, a typical managed Ethernet switch allows you to "listen in" on traffic on the other ports, like the ports where a VoIP call participant is connected.
Cisco switches use a technique called Port SPAN to mirror the packets sent or received on one port to another port. In this manner, the switch administrator can inconspicuously capture all traffic on any port he chooses. To record a VoIP call, you'll need to set up port spanning between your PC's port and the target VoIP device's port. For the moment, I'm going to assume you're comfortable enough with Cisco configuration that you can at least get into your switch's command prompt and Enable mode. If you've no idea what this means, you might want to invest in James Boney's insightful Cisco IOS in a Nutshell (O'Reilly).
Let's say the VoIP device we want to record packets from is connected to port 5 on the switch. Use this command to mirror packets into what Cisco calls a "SPAN Session," a place we can retrieve them from on another port:
Switch(config)# monitor session 1 source interface fastethernet 5/1
Now, traffic to and from port 5 is mirrored to SPAN Session 1. Next, we need to reflect that traffic to the port where the sniffing PC is connected (say, port 4):
Switch(config)# monitor session 1 destination interface fastethernet 4/1
So now, traffic from port 5 will also appear on port 4, where the Cain & Abel PC can sniff it. (Don't forget a "write mem" if you want to keep the switch configured this way permanently.) Now you can use Cain & Abel (and vomit, for that matter) to record calls that traverse your switched network, even if you can't install a recorder on one of the participating VoIP devices.
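Because a saved SPAN session keeps copying a port's traffic until someone removes it, a switch's stored configuration is worth checking for mirror sessions nobody remembers creating. The following is an added example, not part of the original hack: it scans a configuration dump for the two monitor session command forms shown above and reports any session whose destination is not on an approved list. The sample configuration, the second session, and the approved-port set are all constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the two command forms shown above, with an optional rx/tx/both keyword.
SPAN_LINE = re.compile(
    r"^\s*monitor session (\d+) (source|destination) interface "
    r"(\S+(?: \d\S*)?)(?: (rx|tx|both))?\s*$",
    re.IGNORECASE,
)

def span_sessions(config_text):
    """Return {session_id: {"source": [...], "destination": [...]}} from a config dump."""
    sessions = defaultdict(lambda: {"source": [], "destination": []})
    for line in config_text.splitlines():
        m = SPAN_LINE.match(line)
        if m:
            session, role, iface, _direction = m.groups()
            # Normalise "fastethernet 5/1" and "FastEthernet5/1" to one spelling.
            sessions[int(session)][role.lower()].append(iface.replace(" ", "").lower())
    return dict(sessions)

def unapproved_mirrors(config_text, approved_destinations):
    """List sessions that copy traffic to a port not on the approved-analyzer list."""
    findings = []
    for session, ports in sorted(span_sessions(config_text).items()):
        rogue = [p for p in ports["destination"] if p not in approved_destinations]
        if ports["source"] and rogue:
            findings.append((session, ports["source"], rogue))
    return findings

# Constructed sample config: session 1 is the one from the text, session 2 is invented.
SAMPLE_CONFIG = """\
hostname Switch
monitor session 1 source interface fastethernet 5/1
monitor session 1 destination interface fastethernet 4/1
monitor session 2 source interface fastethernet 7/1 rx
monitor session 2 destination interface fastethernet 9/1
"""
APPROVED = {"fastethernet4/1"}  # assumed: the only port cleared for a capture host

if __name__ == "__main__":
    for finding in unapproved_mirrors(SAMPLE_CONFIG, APPROVED):
        print(finding)
```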