Ngrep-SIP :: man page

ngrep-sip - capture SIP flow based on ngrep command

INSTALLATION

For Debian based systems there are deb packages available in our repository.
For non Debian based systems get it at the bottom of this page.

SYNOPSIS

ngrep-sip [ MATCH ] [ FILTER ]

DESCRIPTION

Based on ngrep, ngrep-sip allows matching based on SIP methods or custom message fields and also defining pcap filters.

MATCH

Optional MATCH parameter can contain a special keyword or some text which must be present in the data.
The special keywords are:

  • b, basic
    Capture transactions with SIP method INVITE, ACK, CANCEL, BYE, REFER, PRACK, INFO and MESSAGE.
  • br, rb
    Same as b, basic plus the REGISTER method.
  • r
    Capture REGISTER transactions.
  • p
    Capture SUBSCRIBE, PUBLISH and NOTIFY transactions.
  • pr, rp
    Same as p plus the REGISTER method.
  • -o
    Capture transactions with any method but OPTIONS.
  • -or, -ro
    Capture transactions with any method but OPTIONS or REGISTER.

Any other text can be used as the MATCH parameter. In that case the text must be present in the captured data. Regular expressions are allowed. Examples:

  • 666555444
    Capture all messages containing "666555444" text in headers or body.
  • "(123|124)"
    Capture all messages containing "123@" or "124@" text in headers or body.
  • "^SIP/2.0 5"
    Capture all 5XX responses.
  • "^INVITE sip:111@domain"
    Capture all INVITE requests with RURI starting with "sip:111@domain".

FILTER

pcap filter. See the "filter" entry under "CONFIGURATION" below.

CONFIGURATION

The script reads some parameters from the /etc/ngrep-sip.conf file:

interface

Interface on which ngrep captures data. Possible values are eth0, eth1, lo, any. Use any to capture on all interfaces. Examples:

interface=any
interface=eth0

NOTE: interface=any is not supported by some versions of the ngrep package and produces an error.

filter

Default pcap filter. This parameter is overridden by the FILTER parameter given on the command line. Examples:

filter="port 5060 or port 5062 or port 5070 or port 6060"
filter="host 1.2.3.4 and proto \\udp and \( port 5060 or port 5070 \)"
filter="port 5060"

EXAMPLES

  • Capture all INVITE and MESSAGE related messages using default filter set in configuration file:
    ngrep-sip b
  • Capture all traffic using port 5060:
    ngrep-sip port 5060
  • Capture all REGISTER transactions via TCP using port 5060 or 5070 and address 1.2.3.4:
    ngrep-sip r proto \\tcp and \( port 5060 or port 5070 \) and host 1.2.3.4
  • Capture all UDP datagrams using port 5060 containing "sip:alice@domain" in the headers or body:
    ngrep-sip "sip:alice@domain" port 5060 and proto \\udp
  • Capture all 6XX responses from IP 1.2.3.4:
    ngrep-sip "^SIP/2.0 6" src host 1.2.3.4
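The following is an added illustration of how the MATCH keywords, the configuration file and the FILTER precedence described above could be turned into an ngrep command line. It is not the ngrep-sip script itself: the CSeq-based regular expressions, the use of ngrep's -v (invert match) for the "-o" keywords, and the ngrep options -d, -W byline and -q are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the ngrep-sip script. The method lists come from the
# MATCH section above; the regexes are an assumed way to express them.

BASIC='INVITE|ACK|CANCEL|BYE|REFER|PRACK|INFO|MESSAGE'   # "b" keyword methods
PRES='SUBSCRIBE|PUBLISH|NOTIFY'                          # "p" keyword methods

# The CSeq header names the method in the request and in every response of
# a transaction, so one pattern on it covers the whole exchange (assumption).
cseq_regex() { printf 'CSeq: [0-9]+ (%s)' "$1"; }

# Regex for a MATCH argument; text that is not a keyword is used verbatim.
match_regex() {
    case "$1" in
        b|basic) cseq_regex "$BASIC" ;;
        br|rb)   cseq_regex "$BASIC|REGISTER" ;;
        r)       cseq_regex REGISTER ;;
        p)       cseq_regex "$PRES" ;;
        pr|rp)   cseq_regex "$PRES|REGISTER" ;;
        -o)      cseq_regex OPTIONS ;;
        -or|-ro) cseq_regex 'OPTIONS|REGISTER' ;;
        *)       printf '%s' "$1" ;;
    esac
}

# The "-o" family excludes methods, which maps onto ngrep's -v (invert match).
match_inverted() {
    case "$1" in -o|-or|-ro) return 0 ;; *) return 1 ;; esac
}

# Read KEY=value from a file in the /etc/ngrep-sip.conf format, trimming
# trailing whitespace and surrounding double quotes. Values are taken
# literally here (no shell escape processing of backslashes).
conf_value() {
    sed -n "s/^$1=//p" "$2" | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Assemble the ngrep command line: $1 = conf file, $2 = MATCH, $3.. = FILTER.
# A FILTER on the command line overrides the configured default filter.
build_cmd() {
    ns_conf=$1; ns_match=$2; shift 2
    ns_filter=$*
    [ -n "$ns_filter" ] || ns_filter=$(conf_value filter "$ns_conf")
    ns_opts="-d $(conf_value interface "$ns_conf") -W byline -q"
    match_inverted "$ns_match" && ns_opts="$ns_opts -v"
    printf 'ngrep %s "%s" %s' "$ns_opts" "$(match_regex "$ns_match")" "$ns_filter"
}
```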

NOTES

ngrep-sip can also be used to capture other kinds of traffic, such as SMTP or HTTP:
ngrep-sip proto \\tcp and port 25

ISSUES

When capturing TCP data, a single TCP packet can contain several SIP messages. This happens, for example, when a proxy routes requests from different clients to the same TCP destination. In those cases the match is performed against the whole TCP packet rather than against each SIP message separately.

AUTHOR

Written by Iñaki Baz Castillo <>

Copyright © 2008 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

ngrep-sip-1.0.2.tar.gz (850 Bytes) Iñaki Baz Castillo, 06/15/2009 13:25
