Ngrep is an interesting and simple tool with which, on a server running OpenSER, we can capture SIP messages (ngrep works with application protocols in general) and then use the output to check that the SIP server behaves correctly.
Installation from the repository on Debian (Ubuntu):
apt-get install ngrep
Example of use:
ngrep -d eth0 -p -q -W byline port 5060 > test.txt
where:
-d – the interface on which ngrep listens; it picks one itself, so use this option when the server has several network interfaces
-p – do not put the interface into promiscuous mode (we see only packets that are ours)
-q – quiet mode, print nothing other than the headers and their contents
-W byline – output format
port 5060 – listen on this port, whether it is the source or the destination port (this is a BPF filter, not an ngrep option)
Captured communication:
interface: eth0 (158.193.152.0/255.255.255.0)
filter: (ip or ip6) and ( port 5060 )

U 62.168.119.189:9190 -> 158.193.152.29:5060
.
................

U 62.168.119.189:9190 -> 158.193.152.29:5060
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
To: palo<sip:palo@ps.sip.uniza.sk>.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Contact: <sip:palo@192.168.1.100:9190>;expires=0.
Max-Forwards: 70.
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO.
User-Agent: eyeBeam release 3004w stamp 16863.
Content-Length: 0.
.

U 158.193.152.29:5060 -> 62.168.119.189:9190
SIP/2.0 200 OK.
To: palo<sip:palo@ps.sip.uniza.sk>;tag=329cfeaa6ded039da25ff8cbb8668bd2.ff32.
From: palo<sip:palo@ps.sip.uniza.sk>;tag=94146277.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=62.168.119.189.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
Server: OpenSER (1.3.2-notls (x86_64/linux)).
Content-Length: 0.
.
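To turn a capture like the one above into a quick check of the server's behaviour, here is an added Python example (not part of the original post and not ngrep's own code) that parses `-W byline` output, pairs each SIP request with its response by Call-ID and CSeq, and flags a client behind NAT from the `received=` parameter the server adds to the Via header. The sample text embedded in it is constructed from the capture shown above, with a bare keepalive packet first to show how non-SIP payloads are skipped.

```python
import re
# Constructed sample of `ngrep -W byline port 5060` output modelled on the capture above (byline shows the '\r' of each CRLF as a trailing '.')
SAMPLE = """\
U 62.168.119.189:9190 -> 158.193.152.29:5060
.

U 62.168.119.189:9190 -> 158.193.152.29:5060
REGISTER sip:ps.sip.uniza.sk SIP/2.0.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
.

U 158.193.152.29:5060 -> 62.168.119.189:9190
SIP/2.0 200 OK.
Via: SIP/2.0/UDP 192.168.1.100:9190;branch=z9hG4bK-d87543-958860331-1--d87543-;rport=9190;received=62.168.119.189.
Call-ID: 4f1b38568018f36c.
CSeq: 2 REGISTER.
.
"""
PKT = re.compile(r"^[UT] \S+ -> \S+")   # ngrep packet header: "U src:port -> dst:port"

def parse_ngrep_byline(text):  # -> [{"start": request/status line, "hdr": {name: value}}]
    packets, cur = [], None
    for line in (r[:-1] if r.endswith(".") else r for r in text.splitlines()):  # strip '\r' dot
        if PKT.match(line):
            packets.append(cur := {"start": None, "hdr": {}})
        elif cur is None or not line:
            continue                                    # text before first packet, or blank
        elif cur["start"] is None:
            cur["start"] = line
        elif ":" in line:
            name, _, value = line.partition(":")
            cur["hdr"][name.strip().lower()] = value.strip()
    return packets

def check_transactions(packets):  # -> {(call-id, cseq): {"status": int|None, "nat": bool}}
    results = {}
    for p in packets:
        if not p["start"] or "SIP/2.0" not in p["start"]:
            continue                                    # keepalive or non-SIP payload
        key = (p["hdr"].get("call-id"), p["hdr"].get("cseq"))
        r = results.setdefault(key, {"status": None, "nat": False})
        if p["start"].startswith("SIP/2.0 "):           # status line of a response
            r["status"] = int(p["start"].split()[1])
            via = p["hdr"].get("via", "")
            sent = re.search(r"/UDP ([\d.]+)", via)       # host the UA put in its Via
            recv = re.search(r"received=([\d.]+)", via)   # source address the server saw
            r["nat"] = bool(sent and recv and sent.group(1) != recv.group(1))
    return results
```

Run it on a file saved with `ngrep ... > test.txt` by passing the file contents to `parse_ngrep_byline`; a transaction with `status` still `None` is a request the server never answered, and `nat` True means the client's private Contact address will not be reachable without NAT traversal on the server.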
All options and a few examples of use:
USAGE:
usage: ngrep <-hNXViwqpevxlDtTRM> <-IO pcap_dump> <-n num> <-d dev> <-A num>
             <-s snaplen> <-S limitlen> <-W normal|byline|single|none> <-c cols>
             <-P char> <-F file> <match expression> <bpf filter>
   -h  is help/usage
   -V  is version information
   -q  is be quiet (don't print packet reception hash marks)
   -e  is show empty packets
   -i  is ignore case
   -v  is invert match
   -R  is don't do privilege revocation logic
   -x  is print in alternate hexdump format
   -X  is interpret match expression as hexadecimal
   -w  is word-regex (expression must match as a word)
   -p  is don't go into promiscuous mode
   -l  is make stdout line buffered
   -D  is replay pcap_dumps with their recorded time intervals
   -t  is print timestamp every time a packet is matched
   -T  is print delta timestamp every time a packet is matched
   -M  is don't do multi-line match (do single-line match instead)
   -I  is read packet stream from pcap format file pcap_dump
   -O  is dump matched packets in pcap format to pcap_dump
   -n  is look at only num packets
   -A  is dump num packets after a match
   -s  is set the bpf caplen
   -S  is set the limitlen on matched packets
   -W  is set the dump format (normal, byline, single, none)
   -c  is force the column width to the specified size
   -P  is set the non-printable display char to what is specified
   -F  is read the bpf filter from the specified file
   -N  is show sub protocol number
   -d  is use specified device instead of the pcap default

EXAMPLES:
ngrep -qt -W byline port 5060
ngrep -d any port 5060 -W byline > outfile.txt
ngrep -q '8005551212' port 5060   #<swk>: only shows packets on 5060 with 8005551212 inside the payload