Hello
My point is to log INVITEs in my Network. My SIP Network work on port 6060. Im am using HEP to do that, and hep clients that are listening on port range 5060-6066 to detect some SIP attack to port 5060 and others. But when I have attack to port 5060 I don't want to insert that INVITE to my "good traffic" table, but place it to "fraud" table.
Some devices like Panasonic PBX send INVITE to port 6060 so it is "good traffic" but there is no port 6060 in URI, so I can't detect it in right way, because $dp or $rp are 5060 by default.
This kamailio work as capture server as "promiscuous_on", so I can't use any "force_rport" etc. because I am only listening. Tcpdump for that SIP session show me that client send traffic to 6060, but I can't get that information from INVITE header.
Greetings