Traffic Analysis Using Sngrep

Sngrep is a command-line utility for analyzing SIP traffic.

Use this application to analyze logs and send them to technical support.

To start working with the application, follow the SSH connection to the PBX guide.

To start the application, use the command:

sngrep -r

If multiple network interfaces are used, specify the interface ID when launching the application:

bashCopy codesngrep -d eth1 -r

The -r key allows capturing audio traffic.

You can view the list of interfaces using the following command:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:FD  
          inet addr:172.16.156.223  Bcast:172.16.156.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81838 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:66203565 (63.1 Mb)  TX bytes:7603334 (7.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:07  
          inet addr:172.16.32.162  Bcast:172.16.32.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48506 errors:0 dropped:4432 overruns:0 frame:0
          TX packets:5386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3698996 (3.5 Mb)  TX bytes:1886690 (1.7 Mb)

Example of Sngrep Interface:

The application window displays a list of all SIP dialogues:

Use the ⇑ and ⇓ arrows to navigate between dialogues.
Press Enter to view detailed information about a dialogue.

In the detailed view, you can examine specific SIP packets by selecting them with ⇑ and ⇓.
Press Enter to view the contents of a SIP packet.

Press ESC to return to the previous window.
Use the Space key to select multiple SIP dialogues and press Enter to view them in one window.
In the detailed view, use the Space key to select two SIP packets for comparison.