traffic-analysis-using-sngrep.md

Traffic Analysis Using Sngrep

Sngrep is a command-line tool for capturing and analyzing SIP traffic. It allows you to visualize SIP sessions, filter them, and track issues in voice connections.

{% hint style="info" %} Use this application to analyze logs and send them to technical support. {% endhint %}

To start working with the application, follow the SSH connection to the PBX guide.

To start the application, use the command:

sngrep -r

{% hint style="success" %} If multiple network interfaces are used, specify the interface ID when launching the application:

bashCopy codesngrep -d eth1 -r

The -r key allows capturing audio traffic. {% endhint %}

You can view the list of interfaces using the following command:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:FD  
          inet addr:172.16.156.223  Bcast:172.16.156.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81838 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38019 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:66203565 (63.1 Mb)  TX bytes:7603334 (7.2 Mb)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:08:EF:07  
          inet addr:172.16.32.162  Bcast:172.16.32.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48506 errors:0 dropped:4432 overruns:0 frame:0
          TX packets:5386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3698996 (3.5 Mb)  TX bytes:1886690 (1.7 Mb)

Example of Sngrep Interface:

The view of Sngrep

The application window displays a list of all SIP dialogues:

• Use the ⇑ and ⇓ arrows to navigate between dialogues.
• Press Enter to view detailed information about a dialogue.

information about the dialogue

• In the detailed view, you can examine specific SIP packets by selecting them with ⇑ and ⇓.
• Press Enter to view the contents of a SIP packet.

Contents of the SIP packet

• Press ESC to return to the previous window.
• Use the Space key to select multiple SIP dialogues and press Enter to view them in one window.
• In the detailed view, use the Space key to select two SIP packets for comparison.

Comparison of two SIP packages

Saving a Dump

1. Use the Space key to select the SIP dialogue "Call" of interest.

Dialogue "Call"

2. Press F2 to open the save dump dialogue:

• Use the ⇑ and ⇓ arrows to navigate between form fields.
• Enter the path and file name.
• Select the save action and press ENTER.
• Download the file using SSH connection to the PBX with WinSCP.

Filtering

1. Press F7 to open the filter dialogue:

2. Use the ⇑ and ⇓ arrows to navigate between form fields.
3. Use the Space key to select SIP methods for analysis.
4. Select the Filter action and press ENTER.