sngrep

Capture SIP traffic

$ sngrep

$ sngrep -d [eth0]

$ sngrep -I [capture.pcap]

$ sngrep -c [INVITE]

$ sngrep -O [output.pcap]

$ sngrep host [192.168.1.100]

$ sngrep -q

sngrep [-d device] [-I file] [-O file] [options] [filter]

sngrep is a terminal-based tool for capturing and analyzing SIP (Session Initiation Protocol) traffic used in VoIP systems. It provides an interactive ncurses interface that displays active SIP dialogs, call flow diagrams with directional arrows, and full message content including headers and body.
The tool captures SIP packets in real time from network interfaces or reads previously captured pcap files for offline analysis. Filters narrow results by SIP method, source or destination address, and custom BPF expressions. Captured traffic can be saved to pcap format for later review or sharing with other analysis tools.
Call flow visualization is the tool's standout feature, showing the sequence of SIP messages (INVITE, 200 OK, ACK, BYE) between endpoints with timing information. This makes it particularly effective for diagnosing VoIP call setup failures, registration problems, and codec negotiation issues.

-d DEVICE

Capture device.

Read pcap file.

Write pcap file.

Filter SIP method.

Rotate files.

No interface.

Quiet mode.

Rotate only.

Arrow keys - Navigate
Enter - Show details
F2 - Save
F7 - Filter
F10/q - Quit

Requires root for capture. TLS traffic needs decryption. High-volume may miss packets.

sngrep was created by Irontec for VoIP troubleshooting. It provides visual SIP analysis in the terminal.

tcpdump(1), tshark(1), wireshark(1)