Some Packet Capturing Tools


Ngrep Command-Line Tool

“ngrep” is a network layer grepping tool. It is pcap-aware and is used to debug plain-text protocols such as HTTP, SMTP, FTP, SIP and raw protocols across Ethernet. We will see how we can use it to track SIP transactions.

  • Install the ngrep tool

# yum install ngrep

  • Start capturing packets using ngrep

Example 1: Capturing SIP packets on port 5060 on the interface “wlp2s0”

# ngrep -q -d wlp2s0 -W byline port 5060 > test.txt &

Here -q is quiet mode (no ngrep banner per packet), -d selects the interface, -W byline prints each line of the payload on its own line, and “port 5060” is the BPF filter. Type “# man ngrep” to learn about the command options.

Example 2: Capturing SIP packets containing “username” on port 5060

# ngrep -W byline -tqd any username port 5060
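As an added example (not code from the original page), the following Python script reads the text that Example 1 redirects into test.txt (Example 2’s output with its -t timestamps is handled too) and groups the SIP messages by Call-ID and CSeq, which is how the SIP transactions mentioned above are followed from a capture. It assumes the usual ngrep -W byline layout: a header line of the form “U src -> dst” per packet, then each SIP line with its CR shown as a trailing “.”. The capture embedded in the script is constructed for the example; the addresses, Call-IDs and the helper names (ngrep_packet, track_transactions, pending_transactions) are all made up here.

```python
import re
from collections import OrderedDict

# Constructed sample, not a real capture: it mimics what
# `ngrep -q -d wlp2s0 -W byline port 5060 > test.txt` writes.
A, B, REGISTRAR = "192.0.2.10:5060", "192.0.2.20:5060", "192.0.2.1:5060"

def ngrep_packet(src, dst, start_line, headers):
    """Render one SIP message the way ngrep -q -W byline prints it (assumed layout)."""
    lines = [start_line] + headers + [""]      # trailing "" is the empty line ending the headers
    return "\n".join([f"U {src} -> {dst}"] + [l + "." for l in lines]) + "\n\n"

SAMPLE_CAPTURE = "".join([
    ngrep_packet(A, B, "INVITE sip:bob@192.0.2.20 SIP/2.0",
                 ["Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1",
                  "From: <sip:alice@192.0.2.10>;tag=a1", "To: <sip:bob@192.0.2.20>",
                  "Call-ID: call-1@192.0.2.10", "CSeq: 1 INVITE", "Content-Length: 0"]),
    ngrep_packet(B, A, "SIP/2.0 100 Trying", ["Call-ID: call-1@192.0.2.10", "CSeq: 1 INVITE"]),
    ngrep_packet(B, A, "SIP/2.0 200 OK", ["Call-ID: call-1@192.0.2.10", "CSeq: 1 INVITE"]),
    ngrep_packet(A, B, "ACK sip:bob@192.0.2.20 SIP/2.0", ["Call-ID: call-1@192.0.2.10", "CSeq: 1 ACK"]),
    # compact "i:" form of Call-ID, which some phones send
    ngrep_packet("192.0.2.30:5060", REGISTRAR, "REGISTER sip:192.0.2.1 SIP/2.0",
                 ["i: reg-7@192.0.2.30", "CSeq: 2 REGISTER"]),
    ngrep_packet(REGISTRAR, "192.0.2.30:5060", "SIP/2.0 401 Unauthorized",
                 ["i: reg-7@192.0.2.30", "CSeq: 2 REGISTER"]),
    # an INVITE that only ever got a provisional response
    ngrep_packet(A, B, "INVITE sip:carol@192.0.2.20 SIP/2.0", ["Call-ID: call-9@192.0.2.10", "CSeq: 1 INVITE"]),
    ngrep_packet(B, A, "SIP/2.0 100 Trying", ["Call-ID: call-9@192.0.2.10", "CSeq: 1 INVITE"]),
])

# "U 1.2.3.4:5060 -> 5.6.7.8:5060", optionally with the "YYYY/MM/DD hh:mm:ss.ffffff" that -t inserts
PACKET_RE = re.compile(r"^([UT])\s+(?:\d{4}/\d\d/\d\d\s+\S+\s+)?(\S+)\s+->\s+(\S+)\s*$")
REQUEST_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$")
RESPONSE_RE = re.compile(r"^SIP/2\.0\s+(\d{3})\s*(.*)$")
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via"}   # RFC 3261 compact header names

def split_packets(text):
    """Cut ngrep output into packets; each is a dict with src, dst and raw payload lines."""
    packets, current = [], None
    for raw in text.splitlines():
        m = PACKET_RE.match(raw)
        if m:
            current = {"proto": m.group(1), "src": m.group(2), "dst": m.group(3), "lines": []}
            packets.append(current)
        elif current is not None:
            current["lines"].append(raw)
    return packets

def parse_sip_message(lines):
    """Parse start line and headers of one byline-rendered SIP message; None if not SIP."""
    cleaned = [l[:-1] if l.endswith(".") else l for l in lines]   # drop the CR marker
    while cleaned and not cleaned[0].strip():
        cleaned.pop(0)
    if not cleaned:
        return None
    msg, start = {"headers": {}}, cleaned[0]
    if (m := REQUEST_RE.match(start)):
        msg.update(type="request", method=m.group(1), uri=m.group(2))
    elif (m := RESPONSE_RE.match(start)):
        msg.update(type="response", status=int(m.group(1)), reason=m.group(2))
    else:
        return None
    for line in cleaned[1:]:
        if not line.strip():
            break                                   # empty line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            msg["headers"][COMPACT.get(name, name)] = " ".join(value.split())
    return msg

def track_transactions(text):
    """Group messages by Call-ID, then by CSeq ("1 INVITE", "1 ACK", ...), i.e. per transaction."""
    calls = OrderedDict()
    for pkt in split_packets(text):
        msg = parse_sip_message(pkt["lines"])
        if msg is None or "call-id" not in msg["headers"] or "cseq" not in msg["headers"]:
            continue
        tx = calls.setdefault(msg["headers"]["call-id"], OrderedDict()) \
                  .setdefault(msg["headers"]["cseq"], {"request": None, "responses": []})
        if msg["type"] == "request":
            tx["request"] = msg["method"]
        else:
            tx["responses"].append(msg["status"])
    return calls

def pending_transactions(calls):
    """Transactions still without a final (>= 200) response; ACK never gets one, so it is skipped."""
    return [(call_id, cseq) for call_id, txs in calls.items() for cseq, tx in txs.items()
            if tx["request"] != "ACK" and not any(code >= 200 for code in tx["responses"])]

if __name__ == "__main__":
    calls = track_transactions(SAMPLE_CAPTURE)
    for call_id, txs in calls.items():
        for cseq, tx in txs.items():
            print(f"{call_id:22} {cseq:12} request={tx['request']} responses={tx['responses']}")
    print("no final response yet:", pending_transactions(calls))
```

To run it over a real capture, replace SAMPLE_CAPTURE with the contents of test.txt from Example 1. Because the script only strips one trailing “.” per line, it expects the CRLF line endings that well-formed SIP uses; messages sent with bare LF would keep their last character, which is itself a hint that the sender is non-compliant.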

Tshark Command-Line Tool

Example:  Capture SIP packets on port 5060 on the interface “wlp2s0”

# tshark -n -i wlp2s0 port 5060

Here -n disables name resolution, -i selects the interface and “port 5060” is the capture filter. The -q option suppresses the per-packet output when tshark is not writing to a file, so use it only together with -w file.pcap when you want to save the packets quietly. Type “# man tshark” to learn about the options and build more sophisticated commands.

Wireshark Graphical Interface

Tshark capture files are supported by Wireshark.

Sipgrep Command-Line Tool

It is a pcap-aware capturing tool. It started as a wrapper around ngrep but is now a standalone application with numerous additional features for SIP signaling. The user can specify extended regular expressions to match against SIP headers. Among other features, it can automatically kill friendly scanners, and it can duplicate all captured traffic to a Homer sipcapture node. See the full feature list on the project’s GitHub wiki page.

More Information