Ngrep – a tool for VoIP analysis
Ngrep is an interesting tool which may be used for SIP real time analysis. It is usable to capture SIP Messages which are flowing on/from of our SIP server.
Installation is straightforward, directly debian repository:
apt-get install ngrep
ngrep -d eth0 -p -q -W byline port 5060 > test.txt
-d – which interface will be used to capture data, usable if server has more than one interface
-p – does not put an interface to promiscuity mode (capture only our frames/packets)
-q – quiet mode, does not print other information, only application headers
-W byline – display output by lines
– port – listen on port (either source or destination)
Example of captured SIP traffic:
interface: eth0 (184.108.40.206/255.255.255.0) filter: (ip or ip6) and ( port 5060 ) U 220.127.116.11:9190 -> 18.104.22.168:5060 . ................ U 22.214.171.124:9190 -> 126.96.36.199:5060 REGISTER sip:ps.sip.uniza.sk SIP/2.0. To: palo<sip:email@example.com>. From: palo<sip:firstname.lastname@example.org>;tag=94146277. Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport. Call-ID: 4f1b38568018f36c. CSeq: 2 REGISTER. Contact: <sip:email@example.com:9190>;expires=0. Max-Forwards: 70. Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO. User-Agent: eyeBeam release 3004w stamp 16863. Content-Length: 0. . U 188.8.131.52:5060 -> 184.108.40.206:9190 SIP/2.0 200 OK. To: palo<sip:firstname.lastname@example.org>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32. From: palo<sip:email@example.com>;tag=94146277. Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=220.127.116.11. Call-ID: 4f1b38568018f36c. CSeq: 2 REGISTER. Server: OpenSER (1.3.2-notls (x86_64/linux)). Content-Length: 0. .
Options and other usage examples:
USAGE:usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num> <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols> <-P char> <-F file> <match expression> <bpf filter> -h is help/usage -V is version information -q is be quiet (don't print packet reception hash marks) -e is show empty packets -i is ignore case -v is invert match -R is don't do privilege revocation logic -x is print in alternate hexdump format -X is interpret match expression as hexadecimal -w is word-regex (expression must match as a word) -p is don't go into promiscuous mode -l is make stdout line buffered -D is replay pcap_dumps with their recorded time intervals -t is print timestamp every time a packet is matched -T is print delta timestamp every time a packet is matched -M is don't do multi-line match (do single-line match instead) -I is read packet stream from pcap format file pcap_dump -O is dump matched packets in pcap format to pcap_dump -n is look at only num packets -A is dump num packets after a match -s is set the bpf caplen -S is set the limitlen on matched packets -W is set the dump format (normal, byline, single, none) -c is force the column width to the specified size -P is set the non-printable display char to what is specified -F is read the bpf filter from the specified file -N is show sub protocol number -d is use specified device instead of the pcap default EXAMPLES: ngrep -qt -W byline port 5060 ngrep -d any port 5060 -W byline > outfile.txt ngrep -q '8005551212' port 5060 #<swk>: only shows packets on 5060 with 8005551212 inside the payload