SNGREP
sngrep is a useful tool for displaying SIP call message flows. It supports live capture to display real-time SIP packets and can also be used as a PCAP viewer. sngrep supports UDP, TCP and TLS.
Debian / Ubuntu
SRC: https://github.com/irontec/sngrep/wiki/Installing-Binaries#debian--ubuntu
Dependencies: libc6, libncursesw5, libpcap0.8, libpcre3, libssl1.0.0, libtinfo5
If you're using a recent version of Debian/Ubuntu, you can find sngrep in the official Debian/Ubuntu repositories.
Otherwise, you can use the Irontec repositories, which are available for some Debian and Ubuntu releases.
Binaries are built only for amd64 and i386 architectures right now with all supported features enabled.
Debian
Add the Irontec repository entry to your /etc/apt/sources.list
Use your distribution's source line (only one of these):
deb http://packages.irontec.com/debian squeeze main
deb http://packages.irontec.com/debian wheezy main
deb http://packages.irontec.com/debian jessie main
Ubuntu
Add the Irontec repository entry to your /etc/apt/sources.list
Use your distribution's source line (only one of these):
deb http://packages.irontec.com/ubuntu trusty main
deb http://packages.irontec.com/ubuntu precise main
deb http://packages.irontec.com/ubuntu vivid main
Install the repository key:
wget http://packages.irontec.com/public.key -q -O - | apt-key add -
Install the package:
apt-get update && apt-get install sngrep
Using sngrep
SRC: https://github.com/irontec/sngrep/wiki
Command line arguments
There are some arguments that can be used from the command line to change the default sngrep behaviour.
sngrep [-hVciv] [-HL udp:address:port] [-IO pcap_dump] [-d dev] [-l limit] [-k keyfile] [<match expression>] [<bpf filter>]
- -h or --help: Display help and usage information
- -V or --version: Display version information
- -I or --input <filename.pcap>: Read packets from pcap file instead of network devices. This option can be used with bpf filters
- -O or --output <filename.pcap>: Save all captured packets to a pcap file
- -d or --device <device>: Live capture from network device (by default, sngrep captures from all devices)
- -k or --keyfile <keyfile.pem>: Use private keyfile to decrypt TLS captured packets
- -c or --calls: Only display dialogs starting with an INVITE request
- -l or --limit: Change default capture limit
- -i or --icase: Make match expression case insensitive
- -v or --invert: Invert match expression
- -N or --no-interface: Don't display sngrep interface, just capture
- -q or --quiet: Don't print captured dialogs in no interface mode
- -D or --dump-config: Print configured keybindings and settings after reading system and user resource files.
- -H or --eep-send: Send captured data to other Homer/sngrep (udp:10.10.10.10:9060)
- -L or --eep-listen: Receive captured data from another captagent/sngrep (udp:10.10.10.10:9060)
- <match expression>: Match given expression in Messages' payload. If one request message matches the given expression, the following messages within the same dialog will be also captured.
- <bpf filter>: Filter captured/read packets using a BPF filter
Capture all SIP packets on port 5060
sngrep port 5060
Capture SIP packets on the eth0 device for a given host and port, saving the trace to a file.
sngrep -d eth0 -O /tmp/sip_capture.pcap host 192.168.0.50 port 5061
Display all SIP packets for a given host from the sip_capture.pcap PCAP file
sngrep -I /tmp/sip_capture.pcap host 10.10.1.50
Use a private key to decode TLS encrypted signalling
sngrep -k /path/to/private-key
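The dialog grouping, match-expression (-i, -v) and calls-only (-c) behaviour described in the argument list above, as an added Python example that is not part of the sngrep project: it groups constructed SIP messages into dialogs by Call-ID, keeps a dialog from the first request that matches the expression onward (as the wiki text describes), optionally drops dialogs that do not start with an INVITE, and summarises whether an INVITE dialog was answered and which side sent the BYE. The messages, URIs, addresses and Call-IDs are constructed test data, not a real capture.

```python
import re
from collections import OrderedDict

# Constructed sample traffic (not a real capture): two INVITE dialogs and one
# REGISTER exchange, interleaved the way a live capture would show them.
SDP = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 4000 RTP/AVP 0\r\n"
ALICE, BOB = "sip:alice@example.com", "sip:bob@example.com"
CAROL, PSTN = "sip:carol@example.com", "sip:+441234567890@example.com"


def build(start_line, call_id, cseq, from_uri, to_uri, body=""):
    """Assemble a minimal, well-formed SIP message (test data only)."""
    tag = call_id.split("@")[0]
    headers = [
        start_line,
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK" + tag,
        "From: <%s>;tag=%s" % (from_uri, tag),
        "To: <%s>" % to_uri,
        "Call-ID: " + call_id,
        "CSeq: " + cseq,
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


SAMPLE = [
    build("INVITE sip:bob@example.com SIP/2.0", "a1@192.0.2.10", "1 INVITE", ALICE, BOB, SDP),
    build("SIP/2.0 183 Session Progress", "a1@192.0.2.10", "1 INVITE", ALICE, BOB, SDP),
    build("REGISTER sip:example.com SIP/2.0", "r1@192.0.2.30", "1 REGISTER", CAROL, CAROL),
    build("SIP/2.0 200 OK", "r1@192.0.2.30", "1 REGISTER", CAROL, CAROL),
    build("SIP/2.0 200 OK", "a1@192.0.2.10", "1 INVITE", ALICE, BOB, SDP),
    build("ACK sip:bob@192.0.2.20 SIP/2.0", "a1@192.0.2.10", "1 ACK", ALICE, BOB),
    build("INVITE sip:+441234567890@example.com SIP/2.0", "c1@192.0.2.30", "1 INVITE", CAROL, PSTN, SDP),
    build("SIP/2.0 486 Busy Here", "c1@192.0.2.30", "1 INVITE", CAROL, PSTN),
    build("ACK sip:+441234567890@example.com SIP/2.0", "c1@192.0.2.30", "1 ACK", CAROL, PSTN),
    build("BYE sip:alice@192.0.2.10 SIP/2.0", "a1@192.0.2.10", "2 BYE", BOB, ALICE),  # callee hangs up
    build("SIP/2.0 200 OK", "a1@192.0.2.10", "2 BYE", BOB, ALICE),
]


def parse_sip(raw):
    """Split one SIP message into start line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    status = re.match(r"SIP/2\.0 (\d{3})", start)
    return {
        "kind": "response" if status else "request",
        "method": None if status else start.split(" ", 1)[0],
        "status": int(status.group(1)) if status else None,
        "call_id": headers.get("call-id", headers.get("i")),  # "i" is the compact form
        "headers": headers,
        "raw": raw,
    }


def filter_dialogs(messages, expression=None, icase=False, invert=False, calls_only=False):
    """Group by Call-ID, then filter like sngrep: expression/icase/invert mirror
    <match expression>, -i and -v (a dialog is kept from the first matching
    *request* onward); calls_only mirrors -c (dialog must start with INVITE)."""
    regex = re.compile(expression, re.I if icase else 0) if expression else None
    dialogs = OrderedDict()
    for raw in messages:
        msg = parse_sip(raw)
        dialogs.setdefault(msg["call_id"], []).append(msg)
    result = OrderedDict()
    for call_id, msgs in dialogs.items():
        if calls_only and msgs[0]["method"] != "INVITE":
            continue
        kept, matched = [], regex is None
        for msg in msgs:
            if not matched and msg["kind"] == "request":
                matched = bool(regex.search(msg["raw"])) != invert
            if matched:
                kept.append(msg)
        if kept:
            result[call_id] = kept
    return result


def dialog_outcome(msgs):
    """Was the INVITE answered (200 OK to the INVITE), and which side sent BYE?"""
    invite_to = msgs[0]["headers"]["to"].split(";")[0]
    answered = any(m["status"] == 200 and m["headers"].get("cseq", "").endswith("INVITE") for m in msgs)
    bye = next((m for m in msgs if m["method"] == "BYE"), None)
    if bye is None:
        ended_by = None
    else:
        ended_by = "callee" if bye["headers"]["from"].split(";")[0] == invite_to else "caller"
    return {"answered": answered, "ended_by": ended_by}
```

Calling `filter_dialogs(SAMPLE, expression="bob", invert=True)` shows the subtlety of -v: the REGISTER and the PSTN call are kept, while the alice/bob dialog disappears entirely because every request in it contains "bob". `filter_dialogs(SAMPLE, calls_only=True)` returns only the two INVITE dialogs, and `dialog_outcome` on the first reports it answered and ended by the callee, the same reading as the BYE direction in the walkthrough further down.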
Sngrep usage examples:
To capture calls involving a specific number, simply use:
sudo sngrep {number}
In this test I ran the trace via one of our SIP proxies against my mobile number for a call TO the Simwood team line, capturing the expected call legs as per the following screenshot:
Step 1:
The INVITEs should appear in the filtered list; press Enter to inspect one. The second call leg listed here contains my PBX IP address for this inbound call (INVITE from Simwood).
Step 2:
This gives a real-time view of the call in progress; at this point the team line is ringing, as shown by the 183 Session Progress (SDP) response. You can inspect the appropriate INVITE request using the arrow keys; the right-hand pane shows the message headers and SDP content, as seen below:
Step 3:
The moment the call is answered I received the 200 OK from the proxies and the returned ACK; the call is now audible between the end devices.
Step 4:
The callee ended the call in this instance as seen below:
Step 5:
sngrep can save selected call legs to a PCAP file for further analysis in Wireshark. To do this (from Step 4), press Esc, then select the required call legs by pressing the spacebar (both selected in this case).
As per the sngrep manual, press Fn+F2 (Mac) or F2 (Windows) to save the file to the desired directory.
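The "save selected call legs to PCAP" step, as an added Python example that is not sngrep's own code: it frames constructed SIP-over-UDP packets into a libpcap file (Ethernet link type) of the kind Wireshark opens, exports only the packets whose Call-ID is in the selected set (the spacebar selection above), and reads the file back to verify the IPv4 header checksums and that the SIP payloads survived intact. The packets, addresses, MACs and Call-IDs are constructed; the pcap and IPv4/UDP layouts are the standard ones.

```python
import re
import socket
import struct

# Constructed packets (not a real capture): (src_ip, src_port, dst_ip, dst_port, payload).
# Two "call legs" distinguished by Call-ID, as they would be listed in sngrep.
PACKETS = [
    ("192.0.2.10", 5060, "192.0.2.20", 5060,
     b"INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: leg1@192.0.2.10\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.20", 5060, "192.0.2.10", 5060,
     b"SIP/2.0 200 OK\r\nCall-ID: leg1@192.0.2.10\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.30", 5060, "192.0.2.20", 5060,
     b"REGISTER sip:example.com SIP/2.0\r\ni: reg9@192.0.2.30\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.20", 5060, "192.0.2.30", 5060,
     b"SIP/2.0 200 OK\r\ni: reg9@192.0.2.30\r\nContent-Length: 0\r\n\r\n"),
]


def call_id_of(payload):
    """Return the Call-ID (long or compact 'i' form) of a SIP payload, or None."""
    m = re.search(rb"^(?:Call-ID|i):[ \t]*(.+?)\r?$", payload, re.I | re.M)
    return m.group(1).decode() if m else None


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame_udp(src_ip, sport, dst_ip, dport, payload):
    """Wrap a payload in Ethernet II + IPv4 + UDP headers (UDP checksum left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"  # locally administered MACs
    return eth + ip + udp


def export_selected(packets, selected_call_ids, path=None, start_ts=1700000000):
    """Write only the packets whose Call-ID was selected into a libpcap byte string."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # LINKTYPE_ETHERNET
    for n, (src, sport, dst, dport, payload) in enumerate(packets):
        if call_id_of(payload) not in selected_call_ids:
            continue
        frame = frame_udp(src, sport, dst, dport, payload)
        out.append(struct.pack("<IIII", start_ts + n, n * 1000, len(frame), len(frame)) + frame)
    data = b"".join(out)
    if path:
        with open(path, "wb") as fh:
            fh.write(data)
    return data


def read_pcap(data):
    """Parse the file back: returns [(src_ip, dst_ip, udp_payload)], checking IPv4 checksums."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    offset, packets = 24, []
    while offset < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 17:  # not UDP
            continue
        if ip_checksum(ip) != 0:  # a valid header sums to zero
            raise ValueError("IPv4 header checksum mismatch")
        udp_start = 14 + ihl
        udp_len = struct.unpack_from("!H", frame, udp_start + 4)[0]
        packets.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
                        frame[udp_start + 8:udp_start + udp_len]))
    return packets
```

`export_selected(PACKETS, {"leg1@192.0.2.10"}, path="leg1.pcap")` writes a file containing just the two packets of that leg; `read_pcap` on the same bytes is the check a practitioner would run before handing the export to someone else, confirming the file parses, the headers are consistent and nothing outside the selected Call-ID leaked into it.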