sngrep: Capture and Analyse SIP Packets on the Command Line
- Updated on 14 Jan 2022
What is sngrep?
sngrep is a terminal tool that groups SIP (Session Initiation Protocol) messages by Call-ID and displays them as arrow flows similar to the ones used in the SIP RFCs. The aim of the tool is to facilitate learning or debugging SIP.
Features:
- Captures SIP packets from network devices or reads them from a PCAP file
- Supports UDP, TCP and TLS (partially) transports
- Allows filtering using BPF (Berkeley Packet Filter)
- Saves captured packets to PCAP file
How to Install sngrep?
To install sngrep, connect to the system via SSH as root, then enter the commands below in your terminal.
yum install libpcap
yum install libpcap-devel
git clone https://github.com/irontec/sngrep
cd sngrep
./bootstrap.sh
./configure
make
make install
sngrep
At this point you are ready to start using sngrep.
Call List Window in sngrep
The first window that sngrep shows is the Call List window, which lists the different SIP Call-IDs found in the captured messages. The displayed columns depend on your terminal width and your custom configuration. The columns and their descriptions are given in the table below.
Column | Description |
---|---|
Idx | Line number column. |
Method | Type of SIP message column. |
SIP From | SIP message From column. |
SIP To | SIP message To column. |
Msgs | Numerical amount of messages column. |
Source | Source IP and port number column. |
Destination | Destination IP and port number column. |
Call State | Call identifier column. |
The Call List window is shown below.
➤ Key Bindings:
Key | Function | Description |
---|---|---|
ESC | Quit | Escape and quit sngrep. |
Enter | Show | Show more information about the highlighted line item. |
Space | Select | After pressing the spacebar, the line is selected. With this you can select multiple lines and can be used with the F2 save option. |
F1 | Help | Gives a help menu. |
F2 | Save | Option to save the current capture session dialogs to a .pcap or .txt to a specific path and file name. |
F3 | Search | Gives the option to search in a more specific and granular way. |
F4 | Extended | Gives an extended view. |
F5 | Clear | Clear the screen. |
F7 | Filter | Like search but with more options to filter the end result. |
F8 | Settings | Adjust sngrep settings interface, capture options, call flow options, and EEP/HEP Homer options. |
F9 | Clear with Filter | Clear the screen with filter. |
F10 | Columns | Adjust what columns are displayed on the open sngrep window. |
Filter Option in Call List Window
In the Call List window, you can filter the calls by pressing the F7 key.
The filtering options window is given below.
Call Flow Window in sngrep
The selected message payload is displayed on the right side of the window.
You can move between messages using arrow keys and select them using Spacebar. Selecting multiple messages will display the Message Diff Window.
➤ Key Bindings:
Key | Function |
---|---|
Arrows | Move through messages. |
Enter | Display current message raw (so you can copy payload). |
F2 / d | Toggle SDP info instead of Method/ResponseCode in arrows. |
F3 / t | Toggle message preview side panel. |
F4 / x | Show current dialog and its extended one. |
F5 / s | Show one column per address. |
F6 / R | Show raw messages of dialogs. |
F7 / c | Change flow color mode. |
F9 / l | Turn on/off address resolution if enabled. |
9 / 0 | Increase/Decrease preview side panel. |
T | Restore preview side panel size. |
D | Only show messages that have SDP content. |
➤ There are several color modes to display the arrows:
Mode | Description |
---|---|
By Method/Response | Red for Method, Green for Responses. |
By Call-Id | Each Call-ID one color, useful when displaying multiple call flows. |
By CSeq | Each CSeq one color. |
➤ There are a few common messages you will see in most calls, some with simple text names:
INVITE
INVITE is used to set up a new media session between endpoints. INVITE will also typically contain session information in the form of SDP, which elaborates how to send media to/from your endpoint.
ACK
Your platform should acknowledge the 200 OK. This is important, if the 200 OK is not ACK'd the call will be torn down automatically after a short time.
BYE
On receipt of this BYE the call is hung up. BYE is a new request (like an INVITE) and therefore the other party will respond with a 200 OK just as they would to an INVITE.
➤ And some numeric codes, followed by a human-readable description:
100 Trying
This is simply an acknowledgement that indicates the request was received.
200 OK
Once your call has been answered, this is the final stage of negotiating the call setup. This looks similar to INVITE but the SDP provides information about the remote party. At this point the call is already established, and two-way audio should take place.
➤ Some of the most common (and some uncommon) codes are given below:
- 400 Bad Request
- 401 Unauthorised
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 406 Not Acceptable
- 407 Proxy Auth Required
- 408 Timeout
- 410 Gone
- 480 Temporarily Unavailable
- 481 Call/Transaction Does Not Exist
- 484 Address Incomplete
- 486 Busy Here
- 488 Not Acceptable Here
- 500 Server Internal Error
- 502 Bad Gateway
- 503 Service Unavailable
- 600 Busy Everywhere
- 603 Decline
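The following is an added example, not code from sngrep or from this Tegsoft page. It shows in miniature what sngrep does with the messages described above: it parses the start line and the headers of each SIP message, groups messages by Call-ID, renders an arrow flow per call in the style of the Call Flow window (with the SDP marker that the F2 / d binding toggles), and derives a simple call state. The state rules, the three sample calls, the IP addresses and the Call-IDs are all constructed for illustration and are not sngrep's own logic or real traffic. The third sample call illustrates the caveat from the ACK section: a 200 OK to an INVITE that is never ACKed, which the helper `unacked_calls` flags.

```python
"""Group raw SIP messages by Call-ID and render an sngrep-style call flow.

Added example, not part of sngrep or the Tegsoft page. All SIP messages,
addresses and Call-IDs below are constructed for illustration.
"""
import re
from collections import OrderedDict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


def sip(first_line, call_id, cseq, sdp=False):
    """Build a constructed SIP message carrying only the headers this example needs."""
    body = "v=0\r\n" if sdp else ""          # minimal stand-in for an SDP body
    hdrs = [first_line, f"Call-ID: {call_id}", f"CSeq: {cseq}",
            "From: <sip:alice@10.0.0.10>", "To: <sip:bob@10.0.0.20>",
            f"Content-Length: {len(body)}"]
    return "\r\n".join(hdrs) + "\r\n\r\n" + body


A, B = "10.0.0.10:5060", "10.0.0.20:5060"   # constructed endpoints
SAMPLE_PACKETS = [  # (source, destination, raw message), in capture order
    (A, B, sip("INVITE sip:bob@10.0.0.20 SIP/2.0", "a1@10.0.0.10", "1 INVITE", sdp=True)),
    (B, A, sip("SIP/2.0 100 Trying", "a1@10.0.0.10", "1 INVITE")),
    (B, A, sip("SIP/2.0 200 OK", "a1@10.0.0.10", "1 INVITE", sdp=True)),
    (A, B, sip("ACK sip:bob@10.0.0.20 SIP/2.0", "a1@10.0.0.10", "1 ACK")),
    (A, B, sip("BYE sip:bob@10.0.0.20 SIP/2.0", "a1@10.0.0.10", "2 BYE")),
    (B, A, sip("SIP/2.0 200 OK", "a1@10.0.0.10", "2 BYE")),
    (A, B, sip("INVITE sip:bob@10.0.0.20 SIP/2.0", "b2@10.0.0.10", "1 INVITE", sdp=True)),
    (B, A, sip("SIP/2.0 486 Busy Here", "b2@10.0.0.10", "1 INVITE")),
    (A, B, sip("ACK sip:bob@10.0.0.20 SIP/2.0", "b2@10.0.0.10", "1 ACK")),
    (A, B, sip("INVITE sip:bob@10.0.0.20 SIP/2.0", "c3@10.0.0.10", "1 INVITE", sdp=True)),
    (B, A, sip("SIP/2.0 200 OK", "c3@10.0.0.10", "1 INVITE", sdp=True)),  # never ACKed
]


def parse_sip(raw):
    """Parse the start line plus the headers needed to place a message in a flow."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = {"headers": {}, "has_sdp": body.startswith("v=")}
    m = REQUEST_LINE.match(lines[0])
    if m:
        msg.update(kind="request", method=m.group(1), label=m.group(1))
    else:
        m = STATUS_LINE.match(lines[0])
        if not m:
            raise ValueError(f"not a SIP start line: {lines[0]!r}")
        msg.update(kind="response", code=int(m.group(1)),
                   label=f"{m.group(1)} {m.group(2)}")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    h = msg["headers"]
    msg["call_id"] = h.get("call-id") or h.get("i")      # 'i' is the compact form
    msg["cseq_method"] = (h.get("cseq", "").split() or [""])[-1]
    return msg


def group_by_call_id(packets):
    """Group packets by Call-ID, preserving first-seen order like the Call List window."""
    calls = OrderedDict()
    for src, dst, raw in packets:
        msg = parse_sip(raw)
        calls.setdefault(msg["call_id"], []).append((src, dst, msg))
    return calls


def render_flow(msgs, sdp_labels=False):
    """Return one arrow line per message; sdp_labels mimics the F2 / d toggle."""
    lines = []
    for src, dst, m in msgs:
        label = m["label"] + (" (SDP)" if sdp_labels and m["has_sdp"] else "")
        lines.append(f"{src} --{label}--> {dst}")
    return lines


def call_state(msgs):
    """Simplified state derivation (an assumption of this example, not sngrep's rules)."""
    methods = {m["method"] for _, _, m in msgs if m["kind"] == "request"}
    invite_finals = [m["code"] for _, _, m in msgs
                     if m["kind"] == "response" and m["cseq_method"] == "INVITE"
                     and m["code"] >= 200]
    if "BYE" in methods:
        return "COMPLETED"
    if not invite_finals:
        return "CALL SETUP"
    if invite_finals[-1] >= 300:
        return "REJECTED"
    return "IN CALL" if "ACK" in methods else "IN CALL (200 OK not ACKed)"


def unacked_calls(calls):
    """Call-IDs whose 200 OK to the INVITE never received an ACK (call will be torn down)."""
    return [cid for cid, msgs in calls.items()
            if call_state(msgs) == "IN CALL (200 OK not ACKed)"]


if __name__ == "__main__":
    calls = group_by_call_id(SAMPLE_PACKETS)
    for cid, msgs in calls.items():
        print(f"{cid}  msgs={len(msgs)}  state={call_state(msgs)}")
        for line in render_flow(msgs, sdp_labels=True):
            print("   ", line)
    print("unACKed:", unacked_calls(calls))
```

Running the script prints a compact Call List line per Call-ID followed by its flow; the same grouping is what lets sngrep show a single conversation out of a busy 5060/udp capture, and the unACKed check is the kind of question the Call Flow window answers visually when a one-way-audio or dropped-call complaint comes in.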
Tegsoft makes no representations or warranties, either express or implied, by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect, special or consequential damages.
Copyright © 2021, Tegsoft. All rights reserved.
"Tegsoft" and Tegsoft’s products are trademarks of Tegsoft. References to other companies and their products use trademarks owned by the respective companies and are for reference purpose only.