Ngrep is an interesting and simple tool with which we can capture SIP messages on a server running OpenSER (ngrep handles application protocols in general) and then use the resulting dump to check that the SIP server behaves correctly.
Installation from the repository on Debian (Ubuntu):
apt-get install ngrep
Example usage:
ngrep -d eth0 -p -q -W byline port 5060 > test.txt
where:
-d – the interface ngrep listens on; by default it picks one itself, so use this option if the server has more than one network interface
-p – do not put the interface into promiscuous mode (we only see the packets that are ours)
-q – quiet mode, print nothing other than the headers and their contents
-W byline – display format (one header per line)
port 5060 – match packets on this port, whether it is the source or the destination port (this part of the command line is the BPF filter)
Captured communication:
interface: eth0 (158.193.152.0/255.255.255.0)
filter: (ip or ip6) and ( port 5060 )

U 62.168.119.189:9190 -> 158.193.152.29:5060
.
................
U 62.168.119.189:9190 -> 158.193.152.29:5060
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
To: palo<sip:palo@ps.sip.uniza.sk>.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Contact: <sip:palo@192.168.1.100:9190>;expires=0.
Max-Forwards: 70.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
User-Agent: eyeBeam release 3004w stamp 16863.
Content-Length: 0.
.

U 158.193.152.29:5060 -> 62.168.119.189:9190
SIP/2.0 200 OK.
To: palo<sip:palo@ps.sip.uniza.sk>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=62.168.119.189.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Server: OpenSER (1.3.2-notls (x86_64/linux)).
Content-Length: 0.
.
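A small checker for a dump like the one above, added here as an example (it is not part of the original post and not ngrep's or OpenSER's own code): it parses the -W byline format, pairs each request with its response by Call-ID and CSeq, and flags the two things worth noticing in this capture, a Via address that differs from the packet source (the NAT case the server marks with rport/received) and a Contact with expires=0 (an un-registration). The function names parse_byline and summarize are my own, and the embedded sample is constructed from the capture above with some headers dropped.

```python
# Constructed sample of `ngrep -W byline port 5060` output, modelled on the capture above.
SAMPLE = """U 62.168.119.189:9190 -> 158.193.152.29:5060
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Contact: <sip:palo@192.168.1.100:9190>;expires=0.
.

U 158.193.152.29:5060 -> 62.168.119.189:9190
SIP/2.0 200 OK.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
."""

def parse_byline(text):
    # 'U src -> dst' starts a packet; ngrep ends each SIP line with '.' (its CRLF marker).
    msgs, cur = [], None
    for line in text.splitlines():
        if line.startswith("U ") and " -> " in line:          # packet header line
            cur = {"src": line.split()[1].rsplit(":", 1)[0], "start": None, "hdr": {}}
        elif cur is not None and line:
            body = line[:-1] if line.endswith(".") else line
            if not body:                  # bare '.' = empty line closing the headers
                cur = None
            elif cur["start"] is None:    # request line or status line
                cur["start"] = body
                msgs.append(cur)          # packets without a start line are dropped
            elif ":" in body:
                name, value = body.split(":", 1)
                cur["hdr"][name.strip().lower()] = value.strip()
    return msgs

def summarize(msgs):
    # Pair requests and responses by Call-ID + CSeq; flag NAT and un-registration.
    calls = {}
    for m in msgs:
        key = (m["hdr"].get("call-id"), m["hdr"].get("cseq"))
        e = calls.setdefault(key, {"request": None, "responses": [], "flags": set()})
        if m["start"].startswith("SIP/2.0 "):
            e["responses"].append(m["start"].split()[1])      # status code
            continue
        e["request"] = m["start"].split()[0]                  # method
        via_host = m["hdr"].get("via", "x " + m["src"]).split()[-1].split(";")[0].split(":")[0]
        if via_host != m["src"]:          # client's own view of its address vs. what we saw
            e["flags"].add("nat:%s->%s" % (via_host, m["src"]))
        if "expires=0" in m["hdr"].get("contact", ""):
            e["flags"].add("unregister")
    return calls
```

Run it over the test.txt written by the command above (`summarize(parse_byline(open("test.txt").read()))`) to get one entry per transaction with its method, status codes and flags.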
All the options and a few usage examples:
USAGE:
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
<-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
<-P char> <-F file> <match expression> <bpf filter>
-h is help/usage
-V is version information
-q is be quiet (don't print packet reception hash marks)
-e is show empty packets
-i is ignore case
-v is invert match
-R is don't do privilege revocation logic
-x is print in alternate hexdump format
-X is interpret match expression as hexadecimal
-w is word-regex (expression must match as a word)
-p is don't go into promiscuous mode
-l is make stdout line buffered
-D is replay pcap_dumps with their recorded time intervals
-t is print timestamp every time a packet is matched
-T is print delta timestamp every time a packet is matched
-M is don't do multi-line match (do single-line match instead)
-I is read packet stream from pcap format file pcap_dump
-O is dump matched packets in pcap format to pcap_dump
-n is look at only num packets
-A is dump num packets after a match
-s is set the bpf caplen
-S is set the limitlen on matched packets
-W is set the dump format (normal, byline, single, none)
-c is force the column width to the specified size
-P is set the non-printable display char to what is specified
-F is read the bpf filter from the specified file
-N is show sub protocol number
-d is use specified device instead of the pcap default
EXAMPLES:
ngrep -qt -W byline port 5060
ngrep -d any port 5060 -W byline > outfile.txt
ngrep -q '8005551212' port 5060 #<swk>: only shows packets on 5060 with 8005551212 inside the payload