Let’s say you need to catch INVITEs only. In this case do:
ngrep -q -W byline -d eth0 INVITE\ sip
‘-W byline’ means to print each SIP packet in readable text mode, line by line
‘-q’ means to be quiet, not to print packet reception hash marks. Without this option your screen will fill up with ###### signs between captured types of packets.
‘-d eth0’ it’s clear
‘INVITE\ sip’ means show INVITEs only. Be careful: if you type ‘INVITE’ word only, you’ll catch nearly every SIP packet, as not only INVITE requests contain the word ‘INVITE’. For example a reply for OPTION request also contains this word among allowed mwthods described in the ‘Allow:’ header field.
And each INVITE request has a request-line like
INVITE sip:123@dmn.co...
I mean starting with ‘INVITE’ word, following space and following ‘sip’ word.