Žilinská univerzita > Fakulta riadenia a informatiky > Katedra informačných sietí

Ngrep - a tool for VoIP analysis

Ngrep is an intersting tool which may be used for SIP real time analysis. It is usable to capture SIP Messages which are flowing on/from of our SIP server.

Installation is straightforward, directly debian repository:

apt-get install ngrep


Usage example:

ngrep -d eth0 -p -q -W byline port 5060 > test.txt


-d - which interface will be used to capture data, usable if server has more as one interface

-p - does not put an interface to promiscuite mode (capture only our frames/packets)

-q - quite mode, does not print other informations, only application headers

-W byline - display output by lines

- port - listen on port (either source or destination)

More info on manual pages.


Example of captured SIP traffic:

interface: eth0 (
filter: (ip or ip6) and ( port 5060 )

U ->

U ->
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
To: palo<sip:palo@ps.sip.uniza.sk>.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
Contact: <sip:palo@>;expires=0.
Max-Forwards: 70.
User-Agent: eyeBeam release 3004w stamp 16863.
Content-Length: 0.

U ->
SIP/2.0 200 OK.
To: palo<sip:palo@ps.sip.uniza.sk>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=
Call-ID: 4f1b38568018f36c.
Server: OpenSER (1.3.2-notls (x86_64/linux)).
Content-Length: 0.

Options and other usage examples:

USAGE:usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
             <-P char> <-F file> <match expression> <bpf filter>
   -h  is help/usage
   -V  is version information
   -q  is be quiet (don't print packet reception hash marks)
   -e  is show empty packets
   -i  is ignore case
   -v  is invert match
   -R  is don't do privilege revocation logic
   -x  is print in alternate hexdump format
   -X  is interpret match expression as hexadecimal
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched
   -T  is print delta timestamp every time a packet is matched
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -W  is set the dump format (normal, byline, single, none)
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default

 ngrep -qt -W byline port 5060
 ngrep -d any port 5060 -W byline > outfile.txt
 ngrep -q '8005551212' port 5060 #<swk>:  only shows packets on 5060 with 8005551212 inside the payload