sngrep

sngrep [-d device] [-I file] [-O file] [options] [filter]

sngrep is a terminal-based tool for capturing and analyzing SIP (Session Initiation Protocol) traffic used in VoIP systems. It provides an interactive ncurses interface that displays active SIP dialogs, call flow diagrams with directional arrows, and full message content including headers and body.The tool captures SIP packets in real time from network interfaces or reads previously captured pcap files for offline analysis. Filters narrow results by SIP method, source or destination address, and custom BPF expressions. Captured traffic can be saved to pcap format for later review or sharing with other analysis tools.Call flow visualization is the tool's standout feature, showing the sequence of SIP messages (INVITE, 200 OK, ACK, BYE) between endpoints with timing information. This makes it particularly effective for diagnosing VoIP call setup failures, registration problems, and codec negotiation issues.

-d DEVICE

Capture device (or comma-separated list).

Read packets from pcap file.

Save captured packets to pcap file.

Only display dialogs starting with INVITE.

Maximum number of dialogs to capture.

No interface mode (capture only).

Quiet mode (suppress output in no-interface mode).

Capture RTP packet payloads.

Rotate calls when capture limit is reached.

RSA private key for TLS decryption.

Pcap buffer size in MB (default: 2).

Send captured packets to Homer sipcapture URL.

Load specific configuration file.

Print active configuration and exit.

Arrow keys - NavigateEnter - Show detailsF2 - SaveF7 - FilterF10/q - Quit

Requires root for capture. TLS traffic needs decryption. High-volume may miss packets.

sngrep was created by Irontec for VoIP troubleshooting. It provides visual SIP analysis in the terminal.

tcpdump(1), tshark(1), wireshark(1)