{"id":467,"date":"2011-10-10T09:41:37","date_gmt":"2011-10-10T07:41:37","guid":{"rendered":""},"modified":"2020-01-08T09:00:32","modified_gmt":"2020-01-08T08:00:32","slug":"ngrep-tool-voip-analysis","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/ngrep-tool-voip-analysis\/","title":{"rendered":"Using ngrep tool for SIP diagnostics"},"content":{"rendered":"

Ngrep – a tool for VoIP analysis <\/h3>\n\n\n

Ngrep is an interesting tool which may be used for SIP real time analysis. It is usable to capture SIP Messages which are flowing on\/from of our SIP server.<\/p>\n

Installation is straightforward, directly debian repository:<\/p>\n

apt-get install ngrep\n<\/pre>\n
<\/p>\n
Usage example:<\/p>\n
ngrep -d eth0 -p -q -W byline port 5060 > test.txt<\/pre>\n
where:<\/p>\n
-d – which interface will be used to capture data, usable if server has more than one interface<\/p>\n
-p – does not put an interface to promiscuity mode (capture only our frames\/packets)<\/p>\n
-q – quiet mode, does not print other information, only application headers<\/p>\n
-W byline – display output by lines<\/p>\n
– port – listen on port (either source or destination)<\/p>\n
More info on manual pages.<\/a><\/p>\n
<\/p>\n
Example of captured SIP traffic:<\/p>\n
interface: eth0 (158.193.152.0\/255.255.255.0)\nfilter: (ip or ip6) and ( port 5060 )\n\nU 62.168.119.189:9190 -> 158.193.152.29:5060\n.\n................\n\nU 62.168.119.189:9190 -> 158.193.152.29:5060\nREGISTER sip:ps.sip.uniza.sk SIP\/2.0.\nTo: palo<sip:palo@ps.sip.uniza.sk>.\nFrom: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.\nVia: SIP\/2.0\/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.\nCall-ID: 4f1b38568018f36c.\nCSeq: 2 REGISTER.\nContact: <sip:palo@192.168.1.100:9190>;expires=0.\nMax-Forwards: 70.\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.\nUser-Agent: eyeBeam release 3004w stamp 16863.\nContent-Length: 0.\n.\n\n\nU 158.193.152.29:5060 -> 62.168.119.189:9190\nSIP\/2.0 200 OK.\nTo: palo<sip:palo@ps.sip.uniza.sk>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32.\nFrom: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.\nVia: SIP\/2.0\/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=62.168.119.189.\nCall-ID: 4f1b38568018f36c.\nCSeq: 2 REGISTER.\nServer: OpenSER (1.3.2-notls (x86_64\/linux)).\nContent-Length: 0.\n.<\/pre>\n
Options and other usage examples:<\/p>\n
USAGE:usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>\n             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>\n             <-P char> <-F file> <match expression> <bpf filter>\n   -h  is help\/usage\n   -V  is version information\n   -q  is be quiet (don't print packet reception hash marks)\n   -e  is show empty packets\n   -i  is ignore case\n   -v  is invert match\n   -R  is don't do privilege revocation logic\n   -x  is print in alternate hexdump format\n   -X  is interpret match expression as hexadecimal\n   -w  is word-regex (expression must match as a word)\n   -p  is don't go into promiscuous mode\n   -l  is make stdout line buffered\n   -D  is replay pcap_dumps with their recorded time intervals\n   -t  is print timestamp every time a packet is matched\n   -T  is print delta timestamp every time a packet is matched\n   -M  is don't do multi-line match (do single-line match instead)\n   -I  is read packet stream from pcap format file pcap_dump\n   -O  is dump matched packets in pcap format to pcap_dump\n   -n  is look at only num packets\n   -A  is dump num packets after a match\n   -s  is set the bpf caplen\n   -S  is set the limitlen on matched packets\n   -W  is set the dump format (normal, byline, single, none)\n   -c  is force the column width to the specified size\n   -P  is set the non-printable display char to what is specified\n   -F  is read the bpf filter from the specified file\n   -N  is show sub protocol number\n   -d  is use specified device instead of the pcap default\n\nEXAMPLES:\n ngrep -qt -W byline port 5060\n ngrep -d any port 5060 -W byline > outfile.txt\n ngrep -q '8005551212' port 5060 #<swk>:  only shows packets on 5060 with 8005551212 inside the payload<\/pre>\n
<\/p>\n\n\n
Other tools<\/h3>\n\n\n\n