Irontec/sngrep tool

What is sngrep?

sngrep is a terminal tool that groups SIP (Session Initiation Protocol) messages by Call-ID and displays them as arrow flows similar to those used in the SIP RFCs.

The aim of this tool is to make the process of learning or debugging SIP easier.

Features:

  • Capture SIP packets from devices or read from PCAP file

  • Supports UDP, TCP and TLS (partially) transports

  • Allows filtering using BPF (Berkeley Packet Filter)

  • Save captured packets to PCAP file

 

Installing

 

To install sngrep you will need to:

  • Connect to the SBC via SSH as root

  • At CLI level, create the repo file:

vi /etc/yum.repos.d/irontec.repo

 [irontec]
 name=Irontec RPMs repository
 baseurl=http://packages.irontec.com/centos/6/$basearch/

  • Install the repository public key:

rpm --import http://packages.irontec.com/public.key

  • Install the package:

yum -y install sngrep

 

At this point you are ready to start using sngrep.

Command line arguments

There are some arguments that can be used from the command line to change the default sngrep behaviour:

sngrep [-hVciv] [-HL udp:address:port] [-IO pcap_dump] [-d dev] [-l limit] [-k keyfile] [<match expression>] [<bpf filter>]

  • -h or --help: Display help and usage information

  • -V or --version: Display version information

  • -I or --input <filename.pcap>: Read packets from a pcap file instead of network devices. This option can be used with BPF filters

  • -O or --output <filename.pcap>: Save all captured packets to a pcap file

  • -d or --device <device>: Live capture from network device (by default, sngrep captures from all devices)

  • -k or --keyfile <keyfile.pem>: Use private key file to decrypt TLS captured packets

  • -c or --calls: Only display dialogs starting with an INVITE request

  • -l or --limit: Change default capture limit

  • -i or --icase: Make match expression case insensitive

  • -v or --invert: Invert match expression

  • -N or --no-interface: Don't display the sngrep interface, just capture

  • -q or --quiet: Don't print captured dialogs in no interface mode

  • -D or --dump-config: Print configured keybindings and settings after reading system and user resource files

  • -H or --eep-send: Send captured data to other Homer/sngrep (udp:10.10.10.10:9060)

  • -L or --eep-listen: Receive captured data from other captagent/sngrep (udp:10.10.10.10:9060)

  • <match expression>: Match the given expression in the messages' payload. If one request message matches the given expression, the following messages within the same dialog will also be captured

  • <bpf filter>: Filter captured/read packets using a BPF filter

For example, capturing all SIP packets from all devices that have source or destination port 5060:

sngrep port 5060

Or displaying SIP packets from the eth0 device that have 192.168.0.50 as source or destination on port 5061, saving them to /tmp/sip_capture.pcap:

sngrep -d eth0 -O /tmp/sip_capture.pcap host 192.168.0.50 port 5061

Or displaying all SIP packets for a given host in the sip_capture.pcap PCAP file
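Combining the options above into an unattended capture, as an added example that is not part of sngrep or this page (the device, host, port and output path are hypothetical inputs): each value is validated before it is spliced into the BPF filter, and sngrep is then run without its interface for a bounded time.

```shell
#!/bin/sh
# Added example, not part of the sngrep project or this page: a wrapper that
# builds a headless capture command from the options documented above and
# validates each user-supplied piece before it reaches the BPF filter.
# Port must be a plain integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Dotted-quad IPv4 address, four octets each in 0..255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Interface name: the character set and length Linux accepts (max 15).
valid_iface() {
  case "$1" in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; esac
  [ ${#1} -le 15 ]
}

# Print the full command line: -c keeps only INVITE dialogs, -N -q run without
# the interface, -O writes the packets to a pcap for later analysis with -I.
build_sngrep_cmd() {
  dev=$1; host=$2; port=$3; out=$4
  valid_iface "$dev" || { echo "bad device: $dev" >&2; return 1; }
  valid_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  case "$out" in
    *[[:space:]]*|'') echo "bad output path" >&2; return 1 ;;
    /*.pcap) ;;
    *) echo "output must be an absolute .pcap path" >&2; return 1 ;;
  esac
  printf '%s\n' "sngrep -c -N -q -d $dev -O $out host $host and port $port"
}

# Bounded, unattended capture (seconds); live capture needs root (see install steps).
run_capture() {
  secs=$1; shift
  valid_port "$secs" || { echo "bad duration: $secs" >&2; return 1; }
  cmd=$(build_sngrep_cmd "$@") || return 1
  [ "$(id -u)" -eq 0 ] || { echo "live capture needs root" >&2; return 1; }
  timeout "$secs" $cmd   # tokens were validated, so word splitting is safe
}
```

Afterwards the saved file can be reopened with `sngrep -I /tmp/sip_capture.pcap` and the same BPF filter, as described under -I above.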

 

Using

The most typical use will be to do live monitoring of calls.

In this case it is enough to just execute sngrep -c

There are multiple windows to provide different information:

Here are some screens of sngrep windows.

 
