


What is sngrep?

sngrep is a terminal tool that groups SIP (Session Initiation Protocol) messages by Call-Id and displays them in arrow flows similar to those used in SIP RFCs.

The aim of this tool is to make the process of learning or debugging SIP easier.


  • Capture SIP packets from devices or read from PCAP file
  • Supports UDP, TCP and TLS (partially) transports
  • Allows filtering using BPF (Berkeley Packet Filter)
  • Save captured packets to PCAP file




To install sngrep you will need:

  • Connect to the SBC via SSH as root
  • At CLI level create the repo file:


 name=Irontec RPMs repository

  • Install Repository Public Key:


  • Install Package

yum -y install sngrep


At this point you are ready to start using sngrep.

Command line arguments

There are some arguments that can be used from the command line to change the default sngrep behaviour:

 sngrep [-hVciv] [-HL udp:address:port] [-IO pcap_dump] [-d dev] [-l limit] [-k keyfile] [<match expression>] [<bpf filter>]
  • -h or --help: Display help and usage information
  • -V or --version: Display version information
  • -I or --input <filename.pcap>: Read packets from pcap file instead of network devices. This option can be used with bpf filters
  • -O or --output <filename.pcap>: Save all captured packets to a pcap file
  • -d or --device <device>: Live capture from network device (by default, sngrep captures from all devices)
  • -k or --keyfile <keyfile.pem>: Use private keyfile to decrypt TLS captured packets
  • -c or --calls: Only display dialogs starting with an INVITE request
  • -l or --limit: Change default capture limit
  • -i or --icase: Make match expression case insensitive
  • -v or --invert: Invert match expression
  • -N or --no-interface: Don't display sngrep interface, just capture
  • -q or --quiet: Don't print captured dialogs in no interface mode
  • -D or --dump-config: Print configured keybindings and settings after reading system and user resource files.
  • -H or --eep-send: Send captured data to other Homer/sngrep (udp:
  • -L or --eep-listen: Receive captured data from other captagent/sngrep (udp:
  • <match expression>: Match given expression in Messages' payload. If one request message matches the given expression, the following messages within the same dialog will also be captured.
  • <bpf filter>: Filter captured/read packets using a BPF filter

For example, capturing all SIP packets from all devices that have source or destination port 5060:

sngrep port 5060


Or displaying SIP packets from the eth0 device that have as source or destination through port 5061, saving them to /tmp/sip_capture.pcap:

sngrep -d eth0 -O /tmp/sip_capture.pcap host port 5061


Or displaying all SIP packets for a given host in the sip_capture.pcap PCAP file:

sngrep -I /tmp/sip_capture.pcap host 
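
The selection rules from the option list above (grouping by Call-Id, -c, -i and the match expression), as an added Python sketch that is not sngrep's own code. The function names and sample messages are constructed for illustration, and treating -c as "the first captured message must be an INVITE" is an assumption about how the options combine.

```python
import re

# Constructed sample messages (not from a real capture); "i" is the compact Call-ID form.
SAMPLE = [
    "INVITE sip:bob@example.test SIP/2.0\r\nCall-ID: a1@host\r\nCSeq: 1 INVITE\r\n\r\n",
    "REGISTER sip:example.test SIP/2.0\r\ni: r7@host\r\nCSeq: 1 REGISTER\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1@host\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 401 Unauthorized\r\ni: r7@host\r\nCSeq: 1 REGISTER\r\n\r\n",
    "BYE sip:bob@example.test SIP/2.0\r\nCall-ID: a1@host\r\nCSeq: 2 BYE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: a1@host\r\nCSeq: 2 BYE\r\n\r\n",
]

CALL_ID = re.compile(r"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", re.I | re.M)

def call_id(msg):
    """Return the Call-ID value found in the header section, or None."""
    m = CALL_ID.search(msg.split("\r\n\r\n", 1)[0])
    return m.group(1) if m else None

def method(msg):
    """Return the request method, or None when the message is a response."""
    start_line = msg.split("\r\n", 1)[0]
    return None if start_line.startswith("SIP/") else start_line.split(" ", 1)[0]

def select_dialogs(messages, match=None, icase=False, calls_only=False):
    """Group messages by Call-ID, applying the match expression, -i and -c rules."""
    pattern = re.compile(match, re.I if icase else 0) if match else None
    dialogs = {}
    for msg in messages:
        cid = call_id(msg)
        if cid is None:
            continue                      # no Call-ID: not usable as SIP
        if cid not in dialogs:
            verb = method(msg)
            if verb is None:
                continue                  # only a request can start a captured dialog
            if calls_only and verb != "INVITE":
                continue                  # -c: dialog must start with INVITE
            if pattern and not pattern.search(msg):
                continue                  # request does not match the expression
            dialogs[cid] = []
        dialogs[cid].append(msg)          # later messages of a captured dialog are kept
    return dialogs

def start_lines(dialog):
    """First line of each message, in capture order (the labels of an arrow flow)."""
    return [m.split("\r\n", 1)[0] for m in dialog]
```

With the match expression `BYE`, the a1@host dialog is captured only from the BYE request onwards, which is why a late-matching expression shows a partial call flow.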




The most typical use will be to do live monitoring of calls.

In this case it is enough to just execute sngrep -c

There are multiple windows to provide different information:

Here are some screens of sngrep windows.


