
How To: SIP Capture Using ngrep, Debug SIP Packets

by Jon on November 17th, 2009

It is very common to have to debug SIP packets when working with voice over IP technologies such as Asterisk, OpenSIPS, or FreeSWITCH. There are a lot of tools out there for this, but some shine in particular situations. One I find myself using a lot is ngrep. It makes for easy reading because it combines the power of grep with a network capture tool.

Here are a few quick examples of how to use ngrep. All of them use -W byline so that the output keeps the natural line breaks of the SIP message.

ngrep -W byline -d eth0 port 5060

In this example I specified port 5060, the default SIP port, to see all SIP traffic. The output goes to the console session; if you want to capture the output to a file as well, see below. Use Control + C to stop the command.

ngrep -W byline -d eth0 port 5060 -O capture_file

The above example prints all the SIP packets in the console and also saves the captured packets to a file named capture_file via the -O option.

ngrep -W byline -d eth0 INVITE

This is where ngrep really shines: this command shows only the SIP INVITEs. You can change “INVITE” to whatever you want, an IP address, maybe “REGISTRATION”, or any phrase that lets you quickly and easily debug your problem.

From → VOIP

2 Comments
  1. Alexey Kazantsev permalink

    Hello.

    I’m not sure if such a command will show only INVITE messages:

    ngrep -W byline -d eth0 INVITE

    It will show any message, containing the word ‘INVITE’ in it, e.g.:

    U 10.13.2.124:5060 -> 10.1.5.11:5060
    SIP/2.0 200 OK.
    t: ;tag=acb47273be20d1c1i0.
    f: “asterisk” ;tag=as7b9981c9.
    i: 2198b8951e6ff21c0d25a41907f5d357@pbx-office.taximaxim.ru.
    CSeq: 102 OPTIONS.
    v: SIP/2.0/UDP 10.1.5.11:5060;branch=z9hG4bK2e2c164a.
    Server: Cisco/SPA303-7.4.8a.
    l: 0.
    Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, UPDATE.
    k: replaces.

    As we see, this is a reply ‘200 OK’ to a request SIP message of type OPTIONS. It has a SIP header ‘Allow’ which has an ‘INVITE’ word in it, and that’s why it is matched.

  2. Alexey Kazantsev permalink

    And even better, without any garbage on the console:

    ngrep -W byline -q -d eth0 INVITE\ sip
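The over-match Alexey describes in the comments, and the difference the `INVITE\ sip` pattern makes, can be reproduced without a live network. The Python below is an added example, not code from the post or from ngrep: it models a bare `INVITE` filter as a substring search over the whole payload, `INVITE\ sip` as the method followed by a space and `sip`, and, as the strict reference, a check of the SIP start line only. The three SIP messages are constructed for the example (RFC 5737 documentation addresses, made-up tags and Call-IDs); the compact header names (`v:`, `f:`, `t:`, `i:`, `l:`, `k:`) are the RFC 3261 short forms that the phone in the quoted capture also uses. (The trailing `.` on every line of that capture is the CR of the SIP CRLF line ending, which ngrep prints as a dot.)

```python
import re

# Compact header forms from RFC 3261 section 7.3.3. Many phones send them,
# which is why the quoted capture shows "t:", "f:", "i:", "v:", "l:", "k:".
COMPACT_HEADERS = {
    "v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
    "l": "Content-Length", "c": "Content-Type", "k": "Supported",
    "s": "Subject", "e": "Content-Encoding",
}

# Constructed sample messages (not taken from the original capture).
# A 200 OK reply to an OPTIONS ping: its Allow header lists INVITE.
OPTIONS_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample1\r\n"
    "f: \"pbx\" <sip:pbx@192.0.2.10>;tag=as0001\r\n"
    "t: <sip:phone@192.0.2.20>;tag=ph0001\r\n"
    "i: call-options-1@192.0.2.10\r\n"
    "CSeq: 102 OPTIONS\r\n"
    "Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER, UPDATE\r\n"
    "k: replaces\r\n"
    "l: 0\r\n"
    "\r\n"
)
# A real INVITE request.
INVITE_REQUEST = (
    "INVITE sip:1001@192.0.2.20 SIP/2.0\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample2\r\n"
    "f: \"pbx\" <sip:pbx@192.0.2.10>;tag=as0002\r\n"
    "t: <sip:1001@192.0.2.20>\r\n"
    "i: call-invite-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "c: application/sdp\r\n"
    "l: 0\r\n"
    "\r\n"
)
# The 200 OK answering that INVITE: INVITE appears only in CSeq.
INVITE_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "v: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKexample2\r\n"
    "f: \"pbx\" <sip:pbx@192.0.2.10>;tag=as0002\r\n"
    "t: <sip:1001@192.0.2.20>;tag=ph0002\r\n"
    "i: call-invite-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "l: 0\r\n"
    "\r\n"
)
SAMPLE = [OPTIONS_REPLY, INVITE_REQUEST, INVITE_REPLY]


def parse_sip(raw):
    """Split a SIP message into its start line, a dict of headers with
    compact names expanded, and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip()
        if len(name) == 1:
            name = COMPACT_HEADERS.get(name.lower(), name)
        headers[name] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def classify(raw):
    """Return ("response", status) or ("request", METHOD) from the start line."""
    start = parse_sip(raw)["start_line"]
    m = re.match(r"^SIP/2\.0 (\d{3}) ", start)
    if m:
        return ("response", m.group(1))
    m = re.match(r"^([A-Z]+) sips?:", start)
    if m:
        return ("request", m.group(1))
    return ("unknown", start)


def substring_match(raw, word):
    """What `ngrep ... INVITE` does: any packet whose payload contains the word."""
    return word in raw


def method_uri_match(raw, method):
    """What `ngrep ... 'INVITE\\ sip'` does: the method, a space, then 'sip'."""
    return re.search(rf"{re.escape(method)} sip", raw) is not None


def is_request_of(raw, method):
    """Strict reference: only a request whose start line names the method."""
    return classify(raw) == ("request", method)


def filter_start_lines(messages, matcher):
    """Start lines of the messages a matcher accepts, to compare filters."""
    return [parse_sip(m)["start_line"] for m in messages if matcher(m)]


if __name__ == "__main__":
    filters = [
        ("INVITE", lambda m: substring_match(m, "INVITE")),
        ("INVITE\\ sip", lambda m: method_uri_match(m, "INVITE")),
        ("start-line check", lambda m: is_request_of(m, "INVITE")),
    ]
    for label, fn in filters:
        print(f"{label:>18}: {filter_start_lines(SAMPLE, fn)}")
```

Run stand-alone, the bare `INVITE` filter returns all three messages (the OPTIONS reply through its Allow header, the INVITE reply through CSeq), while `INVITE\ sip` and the start-line check return only the INVITE request. The pattern is still a substring regex applied to the whole payload, so it also drops the replies to your INVITEs; if you need the whole dialog, filter on the Call-ID value instead, which the parser above exposes under `headers["Call-ID"]`.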
