{"id":946,"date":"2016-03-01T12:04:58","date_gmt":"2016-03-01T07:04:58","guid":{"rendered":"http:\/\/alexeyka.zantsev.com\/?p=946"},"modified":"2016-03-01T12:14:14","modified_gmt":"2016-03-01T07:14:14","slug":"ngrep-sip-traffic-analyze","status":"publish","type":"post","link":"https:\/\/alexeyka.zantsev.com\/?p=946","title":{"rendered":"ngrep: SIP traffic analysis"},"content":{"rendered":"<p><a href=\"http:\/\/www.tcpdump.org\/\" target=\"_blank\">tcpdump<\/a> is a fine tool, but <a href=\"https:\/\/www.wains.be\/pub\/networking\/tcpdump_advanced_filters.txt\" target=\"_blank\">some of its filters<\/a> get complicated quickly.<\/p>\n<p>Looking at the SIP signalling between our server and a remote server is simple with tcpdump (<code>-p<\/code> keeps the interface out of promiscuous mode, <code>-n<\/code> skips name resolution):<br \/>\n<code><br \/>\ntcpdump -pni eth0 udp and port 5060 and host 1.2.3.4<br \/>\n<\/code><\/p>\n<p>&#8230; or a little more verbose:<br \/>\n<code><br \/>\ntcpdump -pni eth0 -v udp and port 5060 and host 1.2.3.4<br \/>\n<\/code><\/p>\n<p>&#8230; or with the whole payload printed as ASCII (<code>-A<\/code>) and no snaplen truncation (<code>-s0<\/code>):<br \/>\n<code><br \/>\ntcpdump -pni eth0 -v -As0 udp and port 5060 and host 1.2.3.4<br \/>\n<\/code><\/p>\n<p>But how do we capture only INVITE messages? tcpdump&#8217;s BPF filters can match payload bytes only at fixed offsets, which is exactly the kind of complicated filter we wanted to avoid. This is the case for <a href=\"http:\/\/ngrep.sourceforge.net\/\" target=\"_blank\">ngrep<\/a>: the same BPF expression selects the packets, and a regular expression (here <code>INVITE sip<\/code>, case-sensitive unless <code>-i<\/code> is given) selects the ones whose payload is printed. <code>-W byline<\/code> prints the payload one line per line and renders the CR of each CRLF as a dot, which is why every line below ends with one; <code>-q<\/code> would suppress the <code>#<\/code> marker ngrep prints for each packet it sees:<\/p>\n<pre>\r\nroot@voip-ge:~# ngrep -W byline \"INVITE sip\" port 5060 and host zz.nn.159.114\r\ninterface: eth0 (10.219.3.0\/255.255.255.0)\r\nfilter: (ip or ip6) and ( port 5060 and host zz.nn.159.114 )\r\nmatch: INVITE sip\r\n#\r\nU xx.yy.94.130:5060 -> zz.nn.159.114:5060\r\nINVITE sip:412753@zz.nn.159.114 SIP\/2.0.\r\nv: SIP\/2.0\/UDP xx.yy.94.130:5060;branch=z9hG4bK51d42193.\r\nMax-Forwards: 70.\r\nf: \"SomeCallerID\" &lt;sip:0606@xx.yy.94.130&gt;;tag=as07e569d2.\r\nt: &lt;sip:412753@zz.nn.159.114&gt;.\r\nm: &lt;sip:0606@xx.yy.94.130:5060&gt;.\r\ni: 795031de44fe066e3751fdc6218368e7@xx.yy.94.130:5060.\r\nCSeq: 102 INVITE.\r\nUser-Agent: Cisco-SIPGateway\/IOS-12.x.\r\nDate: Tue, 01 Mar 2016 07:05:13 GMT.\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE.\r\nk: replaces.\r\nc: application\/sdp.\r\nl: 299.\r\n.\r\nv=0.\r\no=CiscoSystemsSIP-GW-UserAgent 886157825 886157825 IN IP4 xx.yy.94.130.\r\ns=SIP Call.\r\nc=IN IP4 xx.yy.94.130.\r\nt=0 0.\r\nm=audio 19504 RTP\/AVP 8 0 101.\r\na=rtpmap:8 PCMA\/8000.\r\na=rtpmap:0 PCMU\/8000.\r\na=rtpmap:101 telephone-event\/8000.\r\na=fmtp:101 0-16.\r\na=silenceSupp:off - - - -.\r\na=ptime:20.\r\na=sendrecv.\r\n<\/pre>\n<p>Everything above travels in the clear on UDP 5060: caller ID, dialled number, Call-ID and codecs are readable by anyone on the path, and with SIP over TLS (port 5061) ngrep would see only ciphertext. The SDP body also tells us where the media will flow: <code>m=audio 19504 RTP\/AVP 8 0 101<\/code> together with <code>c=IN IP4 xx.yy.94.130<\/code> means the RTP for this call can be captured with <code>tcpdump -pni eth0 udp and host xx.yy.94.130 and port 19504<\/code>.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>tcpdump is a fine tool, but some of its filters get complicated quickly. Looking at the SIP signalling between our server and a remote server is simple with tcpdump (-p keeps the interface out of promiscuous mode, -n skips name resolution): tcpdump -pni eth0 udp and port 5060 and host 1.2.3.4 &#8230; or a little more verbose: tcpdump -pni eth0 -v udp and port [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[218,219],"class_list":["post-946","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ngrep","tag-tcpdump"],"_links":{"self":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=946"}],"version-history":[{"count":8,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/946\/revisions"}],"predecessor-version":[{"id":954,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=\/wp\/v2\/posts\/946\/revisions
\/954"}],"wp:attachment":[{"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/alexeyka.zantsev.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
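Once ngrep has shown the INVITE, the next step is usually to pull the call identifiers and the media endpoint out of it mechanically rather than by eye. The Python below is an added example written for this post, not code from ngrep, tcpdump or the post's author: it reassembles the SIP message from ngrep's byline output (stripping the dot ngrep substitutes for each CR), expands the compact header names the Cisco gateway uses (f, t, i, c, l), parses the SDP body, and derives the tcpdump filter for the RTP stream the INVITE announced. The embedded SAMPLE is a constructed, abridged copy of the capture in the post, with the same masked addresses, angle brackets around the URIs as RFC 3261 requires when a display name is present, and a Content-Length that matches the abridged body.

```python
"""Parse the INVITE printed by ngrep -W byline and pull out what is needed to
follow the call: who calls whom, the Call-ID, and the RTP endpoint in the SDP.
Added example for this post, not ngrep or tcpdump code; SAMPLE is a constructed,
abridged copy of the post's capture, keeping the post's masked addresses."""
import re

# RFC 3261 section 7.3.3 compact header names -> lower-cased long names.
COMPACT = {"v": "via", "f": "from", "t": "to", "m": "contact", "i": "call-id",
           "k": "supported", "c": "content-type", "l": "content-length"}
# '"Display" <sip:user@host>;tag=x'; display name and angle brackets optional.
NAME_ADDR = re.compile(
    r'^\s*(?:"(?P<name>[^"]*)"\s*)?<?(?P<uri>sips?:[^<>;]+)>?(?P<params>.*)$')

SAMPLE = """\
U xx.yy.94.130:5060 -> zz.nn.159.114:5060
INVITE sip:412753@zz.nn.159.114 SIP/2.0.
f: "SomeCallerID" <sip:0606@xx.yy.94.130>;tag=as07e569d2.
t: <sip:412753@zz.nn.159.114>.
i: 795031de44fe066e3751fdc6218368e7@xx.yy.94.130:5060.
c: application/sdp.
l: 241.
.
v=0.
o=CiscoSystemsSIP-GW-UserAgent 886157825 886157825 IN IP4 xx.yy.94.130.
s=SIP Call.
c=IN IP4 xx.yy.94.130.
t=0 0.
m=audio 19504 RTP/AVP 8 0 101.
a=rtpmap:8 PCMA/8000.
a=rtpmap:0 PCMU/8000.
a=rtpmap:101 telephone-event/8000.
a=sendrecv.
"""

def ngrep_records(text):
    """(src, dst, wire) per 'U src -> dst' record.  ngrep prints the CR of each CRLF
    as '.', so that trailing dot is ngrep's, not SIP's; '#' lines are packet markers."""
    recs = []
    for line in text.splitlines():
        m = re.match(r"^[UT] (\S+) -> (\S+)", line)
        if m:
            recs.append((m.group(1), m.group(2), []))
        elif recs and line.strip("#"):
            recs[-1][2].append(line[:-1] if line.endswith(".") else line)
    return [(s, d, "".join(l + "\r\n" for l in ls)) for s, d, ls in recs]

def parse_name_addr(value):
    """Split a From/To/Contact value into display name, URI and ;params."""
    m = NAME_ADDR.match(value)
    if not m:
        raise ValueError("bad name-addr: %r" % value)
    params = dict(p.split("=", 1) for p in m.group("params").split(";") if "=" in p)
    return {"display": m.group("name"), "uri": m.group("uri").strip(), "params": params}

def parse_sdp(body):
    """Session-level c=, the m= lines and the rtpmap table (payload type -> codec)."""
    sdp = {"connection": None, "media": [], "rtpmap": {}}
    for line in body.splitlines():
        key, _, val = line.partition("=")
        if key == "c":
            _net, addrtype, addr = val.split()[:3]
            sdp["connection"] = {"addrtype": addrtype, "addr": addr}
        elif key == "m":
            media, port, proto, *fmts = val.split()
            sdp["media"].append({"type": media, "port": int(port.split("/")[0]),
                                 "proto": proto, "formats": fmts})
        elif key == "a" and val.startswith("rtpmap:"):
            pt, codec = val[len("rtpmap:"):].split(None, 1)
            sdp["rtpmap"][pt] = codec
    return sdp

def parse_sip(wire):
    """Headers lower-cased with compact forms expanded, repeats kept as lists,
    and the declared Content-Length recorded next to the measured body size."""
    head, _, body = wire.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^(?:([A-Z]+) (\S+) SIP/2\.0|SIP/2\.0 (\d{3}) (.*))$", lines[0])
    if not m:
        raise ValueError("not a SIP start line: %r" % lines[0])
    msg = dict(zip(("method", "request_uri", "status", "reason"), m.groups()), headers={})
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header: %r" % line)
        name = name.strip().lower()
        msg["headers"].setdefault(COMPACT.get(name, name), []).append(value.strip())
    msg["content_length"] = int(msg["headers"].get("content-length", ["-1"])[0])  # -1: none
    msg["body_length"] = len(body.encode())  # measure the bytes, don't trust l:
    is_sdp = msg["headers"].get("content-type", [""])[0].lower() == "application/sdp"
    msg["sdp"] = parse_sdp(body) if is_sdp else None
    return msg

def rtp_capture_filter(msg):
    """BPF expressions for the media an INVITE announced (port 0 = refused/held)."""
    sdp, out = msg.get("sdp"), []
    for m in (sdp["media"] if sdp else []):
        if sdp["connection"] and sdp["connection"]["addrtype"] == "IP4" and m["port"] != 0:
            out.append("udp and host %s and port %d" % (sdp["connection"]["addr"], m["port"]))
    return out
```

Feed `ngrep_records` the whole text of a real `ngrep -W byline` run and pass each record through `parse_sip`; `rtp_capture_filter` then hands back the expression for the next tcpdump. Measuring the body instead of trusting `l:` is deliberate: a message whose declared length disagrees with its bytes is the first thing to look at when two SIP stacks disagree about a call, and the parser reports both numbers rather than deciding for you.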