sngrep: Capture and Analyse SIP Packets on the Command Line
  • 14 Jan 2022
  • 3 Minutes to read
  • Dark

sngrep: Capture and Analyse SIP Packets on the Command Line

  • Dark

What is sngrep?

sngrep is a terminal tool that groups SIP (Session Initiation Protocol) Messages by Call-Id and displays them in arrow flows similar to the ones used in SIP RFCs. The aim of this tool is to make facilitate the process of learning or debugging SIP.


  • Captures SIP packets from devices or read from PCAP file
  • Supports UDP, TCP and TLS (partially) transports
  • Allows filtering using BPF (Berkeley Packet Filter)
  • Saves captured packets to PCAP file

How to Install sngrep?

To install sngrep you will need connect to the system via SSH as a root. 

Then enter the commands below in your terminal.

yum install libpcap
yum install libpcap-devel
git clone
cd sngrep
make install

At this point you are ready to start using sngrep.

Call List Window in sngrep

The first window that sngrep shows is Call List window and it displays the different SIP Call-Ids found in messages. The displayed columns depend on your terminal width and your custom configuration. Columns and their descriptions are given in the table below.

IdxLine number column.
MethodType of SIP message column.
SIP FromSIP message From column.
SIP ToSIP message To column.
MsgsNumerical amount of messages column.
SourceSource IP and port number column.
DestinationDestination IP and port number column.
Call StateCall identifier column.

The Call List window is shown below.

Call List Window in sngrep

  Key Bindings:

ESC QuitEscape and quit sngrep.
EnterShowShow more information about the highlighted line item.
SpaceSelectAfter pressing the spacebar, the line is selected. With this you can select multiple lines and can be used with the F2 save option.
F1 HelpGives a help menu.
F2SaveOption to save the current capture session dialogs to a .pcap or .txt to a specific path and file name.
F3SearchGives the option to search in a more specific and granular way.
F4ExtendedGives an extended view.
F5ClearClear the screen.
F7FilterLike search but with more options to filter the end result.
F8SettingsAdjust sngrep settings interface, capture options, call flow options, and EEP/HEP Homer options.
F9Clear with FilterClear the screen with filter.
F10ColumnsAdjust what columns are displayed on the open sngrep window.

Filter Option in Call List Window

In Call List window, you can filter the calls by pressing the F7 key.

The filtering options window is given below.

Filter Option in Call List Window

Call Flow Window in sngrep

The selected message payload will be displayed in the right side of the window.

Call Flow Window in sngrep

You can move between messages using arrow keys and select them using Spacebar. Selecting multiple messages will display the Message Diff Window.

  Key Bindings:

Arrows Move through messages.
EnterDisplay current message raw (so you can copy payload).
F2 / dToggle SDP info instead of Method/ResponseCode in arrows.
F3 tToggle message preview side panel.
F4 xShow current dialog and its extended one.
F5 sShow one column per address.
F6 RShow raw messages of dialogs.
F7 cChange flow color mode.
F9 lTurn on/off address resolution if enabled.
9 / 0Increase/Decrease preview side panel.
TRestore preview side panel size.
DOnly show messages that has SDP content.

➤  There are several color modes to display the arrows:

By Method/ResponseRed for Method, Green for Responses.
By Call-IdDisplay current message raw. Each Call-ID one color, useful when displaying multiple calls flows.
By CSeqEach CSeq one color.

  There are a few common messages you will see in most calls, some with simple text names:

INVITE is used to set up a new media session between endpoints. INVITE will also typically contain session information in the form of SDP, which elaborates how to send media to/from your endpoint.

Your platform should acknowledge the 200 OK. This is important, if the 200 OK is not ACK'd the call will be torn down automatically after a short time.

On receipt of this BYE the call is hung up. BYE is a new request (like an INVITE) and therefore the other party will respond with a 200 OK just as they would to an INVITE.

  And some numeric codes, followed by a human-readable description:

100 Trying
This is simply an acknowledgement that indicates the request was received.

200 OK
Once your call has been answered, this is the final stage of negotiating the call setup. This looks similar to INVITE but the SDP provides information about the remote party. At this point the call is already established, and two-way audio should take place.

  Some of the most common (and some uncommon) codes are given below:

400 Bad Request
401 Unauthorised
402 Payment Required
403 Forbidden
404 Not Found
406 Not Acceptable
407 Proxy Auth Required
408 Timeout
410 Gone
480 Temporarily Unavailable
481 Call/Transaction Does Not Exist
484 Address Incomplete
486 Busy Here
488 Not Acceptable Here
500 Server Internal Error
502 Bad Gateway
503 Service Unavailable
600 Busy Everywhere
603 Decline

Tegsoft makes no representations or warranties, either express or implied, by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.

Copyright © 2021, Tegsoft. All rights reserved.

"Tegsoft" and Tegsoft’s products are trademarks of Tegsoft. References to other companies and their products use trademarks owned by the respective companies and are for reference purpose only.

Was this article helpful?

First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.