sngrep
Capture and display SIP protocol traffic
TLDR
Visualize SIP packets from a PCAP file
Visualize only dialogs starting with INVITE packets with RTP packets from a PCAP file
Real-time interface with only dialogs starting with INVITE packets with RTP packets
Only capture packets without interface to a file
SYNOPSIS
sngrep [options] [expression]
PARAMETERS
-d, --dev
Specify the network interface to capture from, e.g., eth0 or wlan0.
-i, --infile
Read packets from a specified PCAP file instead of live capture.
-w, --outfile
Write captured raw packets to a specified PCAP file.
-v, --verbose
Increase verbosity, providing more detailed output.
-q, --quiet
Suppress the initial banner and copyright information.
-l, --logfile
Log events and messages to a specified file.
-e, --expression
Apply a BPF-style filter expression to narrow down traffic.
-x, --extended
Display packet data in both ASCII and hexadecimal formats.
-c, --color
Force color output, even if terminal support is not detected.
-r, --raw
Show raw packet data without any interpretation.
-u, --udp
Filter and display only UDP packets.
-t, --tcp
Filter and display only TCP packets.
-p, --port
Filter traffic by a specific port number.
-s, --host
Filter traffic by a specific host IP address or hostname.
--help
Display a brief help message and exit.
--version
Show the program's version information and exit.
DESCRIPTION
sngrep is a command-line tool for capturing SIP traffic and displaying it in an interactive curses-based interface.
It provides a live view of packet data, allowing users to inspect network communications in real time or from previously captured PCAP files. Similar to tcpdump or ngrep, but with an enhanced user experience, sngrep allows for quick filtering, searching, and detailed inspection of packet payloads. It supports Berkeley Packet Filter (BPF) syntax for complex filtering expressions, enabling users to focus on specific protocols, ports, hosts, or traffic types.
Its interactive nature makes it ideal for troubleshooting network connectivity, analyzing application layer protocols like SIP, debugging VoIP issues, and performing general network monitoring. The tool offers various display modes, including ASCII, hexadecimal, and raw packet views, making it versatile for different analysis needs.
CAVEATS
Capturing live network traffic with sngrep typically requires root privileges or appropriate capabilities (e.g., CAP_NET_RAW).
The interactive ncurses interface, while powerful, may not be suitable for automated scripting tasks without external tools. Filtering expressions rely on Berkeley Packet Filter (BPF) syntax, which requires familiarity for effective use.
On very busy networks, sngrep can consume significant resources or drop packets if not properly filtered.
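The two caveats above (raw-socket privileges and unfiltered capture on a busy interface) are easy to handle in a small wrapper. The following POSIX shell script is an added example, not part of the sngrep manual or project: it checks whether the current user is root or the sngrep binary carries cap_net_raw before starting a live session, and it builds a BPF expression that limits capture to the SIP signalling port (and optionally one host) so the tool is not flooded. It assumes, as the SYNOPSIS and PARAMETERS above state, that sngrep takes -d <dev> for the interface and a trailing BPF expression; the function names sip_bpf, can_capture and live_sip are hypothetical.

```shell
#!/bin/sh
# Added example (not the sngrep project's own code): a small wrapper that
# applies the CAVEATS above before launching sngrep.
# Assumed from the page: "sngrep -d <dev> <expression>" selects the capture
# interface and applies a BPF filter. Function names are hypothetical.

# Build a BPF expression restricted to the SIP port and, optionally, one host.
# $1 = port (default 5060), $2 = optional host IP or name to filter on.
sip_bpf() {
    port=${1:-5060}
    host=$2
    expr="udp port $port or tcp port $port"
    if [ -n "$host" ]; then
        expr="host $host and ($expr)"
    fi
    printf '%s\n' "$expr"
}

# Return 0 when live capture should work: running as root, or the sngrep
# binary (path in $1, else found on PATH) has cap_net_raw per getcap.
can_capture() {
    bin=${1:-$(command -v sngrep 2>/dev/null)}
    if [ "$(id -u)" -eq 0 ]; then
        return 0
    fi
    if [ -n "$bin" ] && command -v getcap >/dev/null 2>&1; then
        if getcap "$bin" 2>/dev/null | grep -q cap_net_raw; then
            return 0
        fi
    fi
    return 1
}

# Start an interactive sngrep session on one interface, filtered to SIP only.
# $1 = interface (default eth0), $2 = SIP port (default 5060), $3 = optional host.
live_sip() {
    dev=${1:-eth0}
    port=${2:-5060}
    host=$3
    if ! can_capture; then
        echo "live capture needs root or cap_net_raw on the sngrep binary" >&2
        return 2
    fi
    sngrep -d "$dev" "$(sip_bpf "$port" "$host")"
}
```

Call live_sip with the interface to watch (for example `live_sip eth0 5060 10.0.0.5`, a constructed address); the script refuses to start when the privilege check fails rather than letting sngrep fail on the raw socket, and the BPF expression keeps non-SIP traffic out of the capture buffer.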
INTERACTIVE FEATURES AND KEYBINDINGS
sngrep offers a rich interactive environment. Within the ncurses interface, users can navigate through packets, search for content, switch display modes (ASCII, HEX, RAW), follow TCP streams, and apply filters dynamically using various keybindings. Pressing 'h' or '?' inside the application typically reveals a help screen with a list of available hotkeys and their functions, greatly enhancing its utility for live troubleshooting and exploration of network data.
HISTORY
sngrep emerged as an interactive alternative to command-line network sniffers like ngrep. While ngrep provides similar packet inspection capabilities, sngrep distinguishes itself with its ncurses-based interface, making real-time analysis and navigation of network flows more intuitive. Its development focuses on enhancing usability for network troubleshooting, especially for protocols like SIP (Session Initiation Protocol), which are often challenging to debug with raw packet captures. It is an open-source project continuously maintained to support modern network analysis needs.