Ngrep – a tool for VoIP analysis
Ngrep is a useful tool for real-time SIP analysis: it captures the SIP messages flowing to and from our SIP server, so a registration or call setup can be followed directly on the wire.
Installation is straightforward, directly from the Debian repository:
apt-get install ngrep
Usage example:
ngrep -d eth0 -p -q -W byline port 5060 > test.txt
where:
-d eth0 – the interface used to capture data; useful if the server has more than one interface
-p – does not put the interface into promiscuous mode (captures only our own frames/packets)
-q – quiet mode: does not print other information (the packet reception hash marks), only the application-layer data
-W byline – print the payload line by line (one SIP header per line)
port 5060 – BPF filter: match packets with this port as either source or destination
Example of captured SIP traffic:
interface: eth0 (158.193.152.0/255.255.255.0)
filter: (ip or ip6) and ( port 5060 )

U 62.168.119.189:9190 -> 158.193.152.29:5060
.
................

U 62.168.119.189:9190 -> 158.193.152.29:5060
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
To: palo<sip:palo@ps.sip.uniza.sk>.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Contact: <sip:palo@192.168.1.100:9190>;expires=0.
Max-Forwards: 70.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
User-Agent: eyeBeam release 3004w stamp 16863.
Content-Length: 0.
.

U 158.193.152.29:5060 -> 62.168.119.189:9190
SIP/2.0 200 OK.
To: palo<sip:palo@ps.sip.uniza.sk>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=62.168.119.189.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Server: OpenSER (1.3.2-notls (x86_64/linux)).
Content-Length: 0.
.
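The capture above is easy to read once, but a file like test.txt quickly grows to thousands of packets. The script below is an added example, not code from the page or from ngrep: it parses the byline layout shown above (a "U src:port -> dst:port" line, then one SIP line per text line, with each CR shown as a trailing "."), skips the non-SIP keepalive packet, expands RFC 3261 compact header names, pairs each REGISTER with its responses by Call-ID and CSeq, and reports who registered from where, the requested binding lifetime (expires=0, as in the capture above, is a de-registration) and the final status the server sent. It assumes IPv4 endpoints and uses a constructed SAMPLE with documentation addresses and made-up Call-IDs in place of the real capture.

```python
# Added example (not code from the page or from ngrep): summarise REGISTER
# transactions in `ngrep -W byline` output such as test.txt above. Assumes the
# byline layout shown on the page ("U src:port -> dst:port", then one SIP line
# per text line, each CR rendered as a trailing "."), IPv4 endpoints, and the
# constructed SAMPLE below (documentation addresses, made-up Call-IDs).
import re

PKT_RE = re.compile(r"^[UT]\s+(?P<src>\S+:\d+)\s+->\s+(?P<dst>\S+:\d+)")
REQ_RE = re.compile(r"^(?P<method>[A-Z]+)\s+\S+\s+SIP/2\.0$")
RESP_RE = re.compile(r"^SIP/2\.0\s+(?P<status>\d{3})")
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "m": "contact"}  # RFC 3261 compact names

SAMPLE = """U 192.0.2.10:9190 -> 198.51.100.5:5060
.
................

U 192.0.2.10:9190 -> 198.51.100.5:5060
REGISTER sip:ps.example.net SIP/2.0.
From: alice<sip:alice@ps.example.net>;tag=94146277.
Call-ID: callid-0001.
CSeq: 2 REGISTER.
Contact: <sip:alice@10.0.0.100:9190>;expires=0.
.

U 198.51.100.5:5060 -> 192.0.2.10:9190
SIP/2.0 200 OK.
Call-ID: callid-0001.
CSeq: 2 REGISTER.
.

U 192.0.2.20:5060 -> 198.51.100.5:5060
REGISTER sip:ps.example.net SIP/2.0.
f: bob<sip:bob@ps.example.net>;tag=7a1.
i: callid-0002.
CSeq: 1 REGISTER.
m: <sip:bob@192.0.2.20:5060>.
Expires: 3600.
.
"""

def split_packets(text):
    """Return one dict per packet: src, dst and its SIP header lines."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = PKT_RE.match(raw)
        if raw == "":                 # blank line: packet boundary
            cur = None
        elif m:
            cur = {"src": m["src"], "dst": m["dst"], "lines": [], "done": False}
            packets.append(cur)
        elif cur is not None and not cur["done"]:   # preamble lines are skipped
            line = raw[:-1] if raw.endswith(".") else raw   # ngrep shows CR as "."
            if line == "":            # bare CRLF ends the headers; body ignored
                cur["done"] = True
            else:
                cur["lines"].append(line)
    return packets

def parse_message(pkt):
    """Classify a packet as SIP request, response or other (e.g. keepalive)."""
    msg = {"src": pkt["src"], "dst": pkt["dst"], "kind": "other", "headers": {}}
    start = pkt["lines"][0] if pkt["lines"] else ""
    req, resp = REQ_RE.match(start), RESP_RE.match(start)
    if req:
        msg.update(kind="request", method=req["method"])
    elif resp:
        msg.update(kind="response", status=int(resp["status"]))
    else:
        return msg
    for name, sep, value in (h.partition(":") for h in pkt["lines"][1:]):
        if sep:                       # expand compact names, lower-case the rest
            name = name.strip().lower()
            msg["headers"][COMPACT.get(name, name)] = value.strip()
    return msg

def register_report(text):
    """One row per REGISTER transaction (Call-ID + CSeq) with its outcome."""
    tx = {}
    for msg in map(parse_message, split_packets(text)):
        if msg["kind"] != "other":
            key = (msg["headers"].get("call-id"), msg["headers"].get("cseq"))
            tx.setdefault(key, {}).setdefault(msg["kind"], []).append(msg)
    rows = []
    for (call_id, _), t in tx.items():
        req = t.get("request", [None])[-1]
        if req is None or req["method"] != "REGISTER":
            continue
        hdr = req["headers"]
        user = re.search(r"sip:([^@>;]+)@", hdr.get("from", ""))
        # Contact ;expires= wins over the Expires header; 0 is a de-registration
        exp = re.search(r";expires=(\d+)", hdr.get("contact", ""))
        expires = int(exp.group(1)) if exp else (
            int(hdr["expires"]) if hdr.get("expires", "").isdigit() else None)
        final = [r["status"] for r in t.get("response", []) if r["status"] >= 200]
        rows.append({"call_id": call_id, "user": user.group(1) if user else None,
                     "source": req["src"], "expires": expires,
                     "final_status": final[-1] if final else None})  # None: no answer
    return rows
```

To run it over a real capture, call register_report(open("test.txt").read()) on the file produced by the ngrep command above; the keepalive packet (all dots) comes back as kind "other" and is dropped, and a REGISTER that never got a final response shows final_status None, which is the row worth a second look when an endpoint keeps retrying.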
Options and other usage examples:
USAGE: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
EXAMPLES:
ngrep -qt -W byline port 5060
ngrep -d any port 5060 -W byline > outfile.txt
ngrep -q '8005551212' port 5060   # only shows packets on port 5060 with 8005551212 inside the payload