Home
sngrep is a terminal tool that groups SIP (Session Initiation Protocol) messages by Call-Id and displays them in arrow flows similar to those used in SIP RFCs.
The aim of this tool is to make the process of learning or debugging SIP easier.
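The grouping by Call-Id described above, as an added Python sketch (not sngrep's own code): it accepts the compact `i` header name and folded header lines, then draws a minimal arrow flow per call. The sample messages, endpoints and helper names are constructed for illustration.

```python
import re

def call_id(raw):
    """Return the Call-ID value; header names are case-insensitive and 'i' is the compact form."""
    head = raw.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)       # unfold continuation lines
    for line in head.split("\r\n")[1:]:           # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):
            return value.strip()                  # the value itself is case-sensitive
    return None

def summary(raw):
    """Method for a request, 'code reason' for a response."""
    parts = raw.split("\r\n", 1)[0].split(" ", 2)
    return " ".join(parts[1:]) if parts[0] == "SIP/2.0" else parts[0]

def group_by_call_id(packets):
    """Map Call-ID -> [(src, dst, summary)], keeping capture order."""
    calls = {}
    for src, dst, raw in packets:
        cid = call_id(raw)
        if cid is not None:                       # ignore anything without a Call-ID
            calls.setdefault(cid, []).append((src, dst, summary(raw)))
    return calls

def render_flow(messages):
    """One arrow per message; the sender of the first message is the left column."""
    left, right = messages[0][0], messages[0][1]
    lines = [f"{left}    {right}"]
    for src, _dst, text in messages:
        lines.append(f"  --- {text} -->" if src == left else f"  <-- {text} ---")
    return lines

def msg(first_line, cid_header):
    return f"{first_line}\r\nVia: SIP/2.0/UDP host.example.test\r\n{cid_header}\r\nCSeq: 1 X\r\n\r\n"

# Constructed sample traffic: two interleaved dialogs between two endpoints.
A, B = "192.168.0.50:5060", "10.10.1.50:5060"
SAMPLE = [
    (A, B, msg("INVITE sip:bob@example.test SIP/2.0", "Call-ID: a1@example.test")),
    (A, B, msg("OPTIONS sip:bob@example.test SIP/2.0", "i: b2@example.test")),
    (B, A, msg("SIP/2.0 180 Ringing", "call-id: a1@example.test")),
    (B, A, msg("SIP/2.0 200 OK", "i:b2@example.test")),
    (B, A, msg("SIP/2.0 200 OK", "Call-ID:\r\n a1@example.test")),   # folded header
]

if __name__ == "__main__":
    for cid, messages in group_by_call_id(SAMPLE).items():
        print(f"Call-ID {cid}", *render_flow(messages), sep="\n")
```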
Features:
- Capture SIP packets from devices or read from PCAP file
- Supports UDP, TCP and TLS (partially) transports
- Allows filtering using BPF (Berkeley Packet Filter)
- Save captured packets to PCAP file
Download the latest release (or clone the GIT repository)
On most systems the commands to build will be the standard autotools procedure:
./configure
make
make install (as root)
The configure process will check for needed dependencies:
- libncurses5 - for the UI, windows and panels.
- libpcap - for capturing packets from devices and reading them from PCAP files.
- libssl - (optional) for TLS transport
If you don't want TLS support, you can disable it by passing the --disable-openssl flag to configure.
There are some arguments that can be used from the command line to change the default sngrep behaviour:
sngrep [-IO pcap_dump] [-d dev] [-k keyfile] [<bpf filter>|<pcap_dump>]
- -I filename.pcap: Read packets from pcap file instead of network devices. This option can be used with bpf filters
- -O filename.pcap: Save all captured packets to a pcap file
- -d device: Live capture from network device (by default, sngrep captures from all devices)
- -k keyfile.pem: Use a private key file to decrypt captured TLS packets
- bpf filter: Filter captured/read packets using a BPF filter
- pcap_dump: Read packets from a PCAP file. This is the same as using the -I option, but does not allow BPF at the same time.
For example, capturing all SIP packets from all devices that have source or destination port 5060:
sngrep port 5060
Or displaying SIP packets from the eth0 device that have 192.168.0.50 as source or destination and use port 5061, saving them to /tmp/sip_capture.pcap:
sngrep -d eth0 -O /tmp/sip_capture.pcap host 192.168.0.50 and port 5061
Or displaying all SIP packets for a given host in the sip_capture.pcap PCAP file:
sngrep -I /tmp/sip_capture.pcap host 10.10.1.50
There are multiple windows to provide different information:
- Call List Window: Allows selecting the calls to be displayed
- Call Flow Window: Shows a diagram of the source and destination of messages
- Call Raw Window: Displays SIP message texts (useful for copying messages to the clipboard)
- Message Diff Window: Displays differences between two SIP messages
Here are some screens of sngrep windows.
Most of the program windows have a help dialog with a brief description and useful keybindings. There are some keybindings that can be used anywhere in the program:
- F1 or h: Show current window help and keybindings.
- ESC or q: Go back to the previous window
- F8 or c: Turns on/off colors