What is sngrep?
sngrep is a terminal tool that groups SIP (Session Initiation Protocol) messages by Call-ID and displays them as arrow flows similar to those used in the SIP RFCs.
The aim of this tool is to make learning or debugging SIP easier.
Features:
Capture SIP packets from devices or read from PCAP file
Supports UDP, TCP and TLS (partially) transports
Allows filtering using BPF (Berkeley Packet Filter)
Save captured packets to PCAP file
Installing
To install sngrep you will need to:
Connect to the SBC via SSH as root.
At CLI level, create the repo file:
vi /etc/yum.repos.d/irontec.repo
[irontec]
name=Irontec RPMs repository
baseurl=http://packages.irontec.com/centos/6/$basearch/
Install the repository public key:
rpm --import http://packages.irontec.com/public.key
Install the package:
yum -y install sngrep
At this point you are ready to start using sngrep.
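The installation steps above as one script. This is an added example, not a script shipped by sngrep or Irontec: it writes the same repo definition but adds enabled=1, gpgcheck=1 and gpgkey= so that yum checks every package signature against the imported Irontec key (the page's repo file omits these, and since the key and packages are fetched over plain HTTP, the signature check is what protects the install). The default repo path and the "install" argument guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the sngrep project): scripted install on a CentOS 6 SBC.
# Compared with the page's repo file it adds gpgcheck=1 and gpgkey= so yum
# verifies package signatures against the Irontec key.
set -eu

IRONTEC_KEY_URL="http://packages.irontec.com/public.key"
# Single quotes keep $basearch literal so yum expands it, not the shell.
IRONTEC_BASE_URL='http://packages.irontec.com/centos/6/$basearch/'

# Write the yum repo definition to the given path (default: the system path).
write_irontec_repo() {
    repo_file="${1:-/etc/yum.repos.d/irontec.repo}"
    cat > "$repo_file" <<EOF
[irontec]
name=Irontec RPMs repository
baseurl=$IRONTEC_BASE_URL
enabled=1
gpgcheck=1
gpgkey=$IRONTEC_KEY_URL
EOF
}

# Return 0 when the repo file carries the signature-check settings.
repo_has_gpgcheck() {
    grep -q '^gpgcheck=1$' "$1" && grep -q "^gpgkey=$IRONTEC_KEY_URL\$" "$1"
}

# Full procedure from the page: repo file, key import, package install.
install_sngrep() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    write_irontec_repo
    repo_has_gpgcheck /etc/yum.repos.d/irontec.repo
    rpm --import "$IRONTEC_KEY_URL"
    yum -y install sngrep
    rpm -q sngrep   # confirm the package is installed
}

# Only perform the installation when explicitly asked:  sh install_sngrep.sh install
if [ "${1:-}" = "install" ]; then
    install_sngrep
fi
```

Run it as root with the single argument install; without the argument it only defines the functions, so write_irontec_repo can be pointed at a scratch path to inspect the generated file first.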
Command line arguments
There are some arguments that can be used from the command line to change the default sngrep behaviour:
sngrep [-hVciv] [-HL udp:address:port] [-IO pcap_dump] [-d dev] [-l limit] [-k keyfile] [<match expression>] [<bpf filter>]
-h or --help: Display help and usage information
-V or --version: Display version information
-I or --input <filename.pcap>: Read packets from a pcap file instead of network devices. This option can be used with BPF filters
-O or --output <filename.pcap>: Save all captured packets to a pcap file
-d or --device <device>: Live capture from a network device (by default, sngrep captures from all devices)
-k or --keyfile <keyfile.pem>: Use a private key file to decrypt captured TLS packets
-c or --calls: Only display dialogs starting with an INVITE request
-l or --limit: Change the default capture limit
-i or --icase: Make the match expression case insensitive
-v or --invert: Invert the match expression
-N or --no-interface: Don't display the sngrep interface, just capture
-q or --quiet: Don't print captured dialogs in no-interface mode
-D or --dump-config: Print configured keybindings and settings after reading system and user resource files
-H or --eep-send: Send captured data to another Homer/sngrep (udp:10.10.10.10:9060)
-L or --eep-listen: Receive captured data from another captagent/sngrep (udp:10.10.10.10:9060)
<match expression>: Match the given expression in messages' payload. If one request message matches the given expression, the following messages within the same dialog will also be captured
<bpf filter>: Filter captured/read packets using a BPF filter
For example, capturing all SIP packets from all devices that have source or destination port 5060:
sngrep port 5060
Or displaying SIP packets from the eth0 device that have 192.168.0.50 as source or destination through port 5061, saving them to /tmp/sip_capture.pcap:
sngrep -d eth0 -O /tmp/sip_capture.pcap host 192.168.0.50 port 5061
Or displaying all SIP packets for a given host in the sip_capture.pcap PCAP file:
sngrep -I /tmp/sip_capture.pcap host 10.10.1.50
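The command lines above are typed by hand; when the peer address and port come from somewhere else (a ticket, a monitoring job), it is worth validating them before they land on the sngrep command line and in the BPF filter. The following added example (not part of sngrep) builds an unattended capture command from the options documented above (-N, -q, -d, -O) plus a "host ... and port ..." BPF filter, and refuses malformed input. The default device eth0, the default output path and the script argument handling are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the sngrep project): compose an unattended
# sngrep capture command for one peer/port, validating every field
# before it is used as a shell argument or inside the BPF filter.

valid_ipv4() {
    # Four dot-separated decimal octets, each in 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    # Digits only, then range-check 1..65535.
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the sngrep command line for host $1, port $2, device $3, output $4.
# Prints nothing and returns 1 when any field is malformed.
build_capture_cmd() {
    host="$1"; port="$2"; dev="${3:-eth0}"; out="${4:-/tmp/sip_capture.pcap}"
    valid_ipv4 "$host" || return 1
    valid_port "$port" || return 1
    echo "$dev" | grep -Eq '^[A-Za-z0-9_.:-]+$' || return 1   # interface name
    echo "$out" | grep -Eq '^[A-Za-z0-9_./-]+$' || return 1   # plain file path
    # -N -q: capture without the interface and without printing dialogs;
    # -O: write the packets to a pcap; trailing words are the BPF filter.
    echo "sngrep -N -q -d $dev -O $out host $host and port $port"
}

# Run the capture when called as:  sh sip_capture.sh 192.168.0.50 5061 [dev] [out]
if [ $# -ge 2 ]; then
    cmd=$(build_capture_cmd "$@") || { echo "invalid host, port, device or path" >&2; exit 1; }
    echo "running: $cmd"
    exec $cmd
fi
```

The validators are deliberately strict rather than clever: an IPv4 literal, a numeric port and a path made of plain characters are all the unattended case needs, so anything else (hostnames, extra filter words) is rejected instead of being passed through.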
Using
The most typical use will be live monitoring of calls.
In this case it is enough to just execute sngrep -c
There are multiple windows to provide different information:
Call List Window: Allows selecting the calls to be displayed
Call Flow Window: Shows a diagram of the source and destination of messages
Call Raw Window: Displays SIP message text (useful for copying messages to the clipboard)
Message Diff Window: Displays differences between two SIP messages
Here are some screenshots of sngrep windows.