Find the answer to your Linux question:
Results 1 to 4 of 4
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Odd UDP Traffic - VoIP Server

    Not sure what's going on here, but I can't seem to figure out which process is generating this traffic.

    Couple of questions:

    1. How do I trace the process generating the traffic
    2. What IS the traffic?

    Pay special attention to the ALTER.NET traffic. Not sure what all of this is.

    12:47:00.421867 IP 200.4-0.PVG5.LAX9.ALTER.NET.53094 > UDP, length 32
    12:47:00.421982 IP > 200.4-0.PVG5.LAX9.ALTER.NET.53094: UDP, length 32
    12:47:00.422560 IP 100.4-1.PVG0.LAX9.ALTER.NET.56396 > UDP, length 32
    12:47:00.422650 IP 100.4-1.PVG0.LAX9.ALTER.NET.56394 > UDP, length 32
    12:47:00.422766 IP > 100.4-1.PVG0.LAX9.ALTER.NET.56394: UDP, length 32
    12:47:00.424266 IP > 100.4-1.PVG0.LAX9.ALTER.NET.55556: UDP, length 32
    12:47:00.425478 IP > 200.4-0.PVG4.LAX9.ALTER.NET.55324: UDP, length 32
    12:47:00.425596 IP > UDP, length 172
    12:47:00.425721 IP > 200.4-1.PVG0.LAX9.ALTER.NET.55052: UDP, length 32
    12:47:00.427315 IP 200.4-1.PVG0.LAX9.ALTER.NET.55052 > UDP, length 32
    12:47:00.427419 IP > UDP, length 32
    12:47:00.428473 IP > UDP, length 32
    12:47:00.429648 IP 100.4-1.PVG0.LAX9.ALTER.NET.56112 > UDP, length 32
    12:47:00.429763 IP > 100.4-1.PVG0.LAX9.ALTER.NET.56112: UDP, length 32
    12:47:00.435524 IP 100.4-1.PVG0.LAX9.ALTER.NET.56418 > UDP, length 32
    12:47:00.435643 IP > 100.4-1.PVG0.LAX9.ALTER.NET.56418: UDP, length 32
    12:47:00.437909 IP > 100.4-1.PVG0.LAX9.ALTER.NET.56396: UDP, length 32
    12:47:00.438547 IP 100.4-1.PVG0.LAX9.ALTER.NET.55556 > UDP, length 32

    Any suggestions/ideas appreciated. I can provide a tcpdump of the traffic itself if necessary.

    Rob Vella
    Total Technology

  2. #2
    Just Joined!
    Join Date
    Aug 2009
    Quote Originally Posted by deftx View Post
    How do I trace the process generating the traffic
    Either iptables -j LOG rules using the "owner" module or 'netstat -anupe' or 'lsof -Pwlni udp'. Or use your packet capture and correlate timestamps with your VoIP logs. Since logging in Linux isn't a single application thing and some tools only provide PID and process nfo log correlation is important to get the big picture. The more you log the more you can trace back.

    Quote Originally Posted by deftx View Post
    What IS the traffic?
    (It would be good to know if you've read up on general VoIP attacks and security measures. If you didn't then please do.) Wireshark has a usable GUI with easy filtering and dissectors for a lot of protocols. Snort has VoIP rules (might search the 'net for more). *Probably superfluous to say but working with saved packet captures is best done on a separate workstation as not to hog CPU and disturb server processes and such.


  3. #3
    I have analyzed it with WireShark. It just says "UDP datagram" -- nothing informative. Asterisk seems to be the source of the UDP traffic. I blocked the ports and calls seem to be silent. What I can't figure out is why ALTER.NET is responsible for critical functions of my VoIP system? I suspect it might have something to do with NAT traversal because it is in a private network.

    RTP debug on Asterisk shows it's sending and receiving the traffic to those IPs. Again why is this ALTER.NET server responsible for critical functions? No SIP provider I use is in this IP range.


  4. $spacer_open
  5. #4
    Nevermind. I figured out that my SIP provider's RTP host is one of those IPs. It sends that IP in the SIP packet as a reply address for RTP info.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts