Traffic Analysis Using Sngrep

Sngrep is a command-line tool for capturing and analyzing SIP traffic. It allows you to visualize SIP sessions, filter them, and track issues in voice connections.

Use this application to analyze logs and send them to technical support.

To start working with the application, follow the SSH connection to the PBX .

To start the application, use the command:

sngrep -r

If multiple network interfaces are used, specify the interface ID when launching the application:

bashCopy codesngrep -d eth1 -r

The -r key allows capturing audio traffic.

You can view the list of interfaces using the following command:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:FD  
          inet addr:172.16.156.223  Bcast:172.16.156.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81838 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:66203565 (63.1 Mb)  TX bytes:7603334 (7.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:07  
          inet addr:172.16.32.162  Bcast:172.16.32.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48506 errors:0 dropped:4432 overruns:0 frame:0
          TX packets:5386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3698996 (3.5 Mb)  TX bytes:1886690 (1.7 Mb)

Example of Sngrep Interface:

The application window displays a list of all SIP dialogues:

Use the ⇑ and ⇓ arrows to navigate between dialogues.
Press Enter to view detailed information about a dialogue.

In the detailed view, you can examine specific SIP packets by selecting them with ⇑ and ⇓.
Press Enter to view the contents of a SIP packet.

Press ESC to return to the previous window.
Use the Space key to select multiple SIP dialogues and press Enter to view them in one window.
In the detailed view, use the Space key to select two SIP packets for comparison.

Saving a Dump

Use the Space key to select the SIP dialogue "Call" of interest.

Press F2 to open the save dump dialogue:

Use the ⇑ and ⇓ arrows to navigate between form fields.
Enter the path and file name.
Select the save action and press ENTER.

Filtering

Press F7 to open the filter dialogue:

Use the ⇑ and ⇓ arrows to navigate between form fields.
Use the Space key to select SIP methods for analysis.
Select the Filter action and press ENTER.

Last updated 8 months ago

Was this helpful?

# ifconfig eth0 Link encap:Ethernet HWaddr 00:0C:29:08:EF:FD inet addr:172.16.156.223 Bcast:172.16.156.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:81838 errors:0 dropped:0 overruns:0 frame:0 TX packets:38019 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:66203565 (63.1 Mb) TX bytes:7603334 (7.2 Mb) eth1 Link encap:Ethernet HWaddr 00:0C:29:08:EF:07 inet addr:172.16.32.162 Bcast:172.16.32.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:48506 errors:0 dropped:4432 overruns:0 frame:0 TX packets:5386 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3698996 (3.5 Mb) TX bytes:1886690 (1.7 Mb)

Saving a Dump

Use the Space key to select the SIP dialogue "Call" of interest.

Press F2 to open the save dump dialogue:

Use the ⇑ and ⇓ arrows to navigate between form fields.

Enter the path and file name.

Select the save action and press ENTER.

Download the file using .

Filtering

Press F7 to open the filter dialogue:

Use the ⇑ and ⇓ arrows to navigate between form fields.

Use the Space key to select SIP methods for analysis.

Select the Filter action and press ENTER.