How to use ngrep for fast SIP packet analysis

By January 5, 2017Tutorials

1、SIP debugging

AsterCC call center system is a system based on SIP communication, compared with the traditional telephone system, voice transmission based on IP network, so learn how to debug VoIP communications network administrators must master one of the skills. Here we will gradually introduce some VoIP debugging tools, hoping to help us better design, maintenance, voice communications and call center systems.

2、What’s ngrep

Ngrep is the network version of grep, used to filter specific information from the network, we learn how to use ngrep to debug SIP system.

3、Install and use ngrep

yum install -y ngrep

The most common command format for sip, as follows.

ngrep -dany -qWbyline "" port 5060
ngrep_any

This command outputs all packets arriving on port 5060 of the server 5060 as the default port for sip so that all sip packets are output to the screen.
If we want to see the packets sent from/to the server astercc.org, the command as follows.

ngrep -dany -qWbyline "" port 5060 and host astercc.org
ngrep_astercc

We can also use regex to filter specific information, for example we want view packets from astercc-1000 device.

ngrep -dany -qWbyline "astercc-1000" port 5060 and host astercc.org

Use ngrep filter information with regex, for example only view SIP REGISTER packets.
ngrep -deth0 -qWbyline "^REGISTER" port 5060

Where ^ REGISTER represents a packet starting with REGISTER

We can also specify a NIC (eth0) for inquiries, for example.

ngrep -deth0 -qWbyline "astercc-1000" port 5060

[su_highlight]Note ngrep capture packet priority is large than iptables firewall, if ngrep see a package but asterisk can not see, it is iptables problem, you need to check the iptables settings.[/su_highlight][] [/]
Using ngrep we can also save the output to the specified file, the command format as follows.

ngrep -W byline -d eth0 port 5060 -O capture_file

The other two parameters are included.
  • -t : Displays the timestamp of each packet in year/month/day format.
  • -T : Prints the time in the format of + S.UUUUUU and is used to indicate the time difference between the two packages.

4、Asterisk’s SIP debugging

Asterisk’s check sip packets method, login linux system, connect to asterisk’s console.

asterisk -r

Open sip debug mode.

sip set debug on

asterisk_sip_debug

Check specific IP

sip set debug ip 76.68.146.197

Close SIP debug mode.

sip set debug off
asterisk_sip_debug_off