How to capture a SIP trace with sngrep


`sngrep` is a terminal SIP-aware sniffer that renders ladder diagrams in the shell and can live-capture, replay from a pcap, and export. It's the fastest way to grab a clean SIP-only pcap from a Linux PBX or SBC without installing a GUI.

When to reach for this

  • You're SSH'd into a headless box and can't open Wireshark
  • You want a SIP-only pcap without dragging RTP into the file
  • You need to triage on a PBX *right now* before getting the trace into a real analyzer

Before you start

  • `sngrep` installed (`apt install sngrep` / `dnf install sngrep` / `brew install sngrep`)
  • Root or `cap_net_raw` to capture on a live interface
  • You know the interface name (e.g. `eth0`, `ens192`, `bond0`)

Steps

  1. Live-capture SIP from an interface

    Run sngrep against the SIP-bearing interface. By default it captures UDP/TCP/TLS on the common SIP ports and shows live dialogs as they happen.

    sudo sngrep -d eth0

  2. Capture straight to a pcap file

    Use `-O` to write every captured packet to a pcap as you go. You can keep the UI open and stop with `Esc` → `Y` when you're done.

    sudo sngrep -d eth0 -O /tmp/sip-capture.pcap

  3. Filter to a specific Call-ID or number

    Inside sngrep, press `/` to open the display filter. To pre-filter from the command line, pass a match expression as the first positional argument (a regular expression matched against the SIP messages, so a Call-ID works) and, after it, an optional BPF-style capture filter; `-c` additionally restricts the view to dialogs that begin with an INVITE. This cuts the noise on busy PBXs fast.

    sudo sngrep -d eth0 -c 'abc123@pbx.example.com' -O /tmp/one-call.pcap

  4. Replay an existing pcap

    You can also point sngrep at an existing capture with `-I` to ladder-view it before sending it to SIP Flow.

    sngrep -I /tmp/sip-capture.pcap

  5. Save just the dialogs you care about

    Highlight the dialogs in the UI (use the spacebar to multi-select), press `P`, then `S` to save the selection as a new, much smaller pcap.

Tips from people who've done this 1,000 times

  • Add `-r` to also include RTP — useful if you want one-way-audio analysis later
  • On capture-heavy boxes use `--no-interface` plus `-O` for unattended capture (cron, systemd)
  • sngrep can also export plain text dialogs (`E` in the call-flow view) which SIP Flow accepts directly

Pitfalls

  • Without `sudo` (or `setcap cap_net_raw,cap_net_admin=eip $(which sngrep)`) sngrep silently shows zero traffic
  • sngrep doesn't decrypt TLS — for 5061 you need to capture before TLS terminates, or grab the trace from the SBC after decryption
  • On bonded interfaces, capture the underlying NIC, not the bond, or you may double-count packets
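The following script ties the steps above to the unattended-capture tip and the privilege and bonding pitfalls: it refuses to start when neither root nor `cap_net_raw` is available (the "silently zero traffic" case), picks the underlying NIC when you point it at a bond, and runs sngrep headless with `-N` and `-O` under a time limit so it can be launched from cron or a systemd unit. It is an added example written for this guide, not code from the sngrep project or from SIP Flow. It assumes the sngrep 1.x command line (`-d`, `-O`, `-N`, `-q`, `-r` and a positional match expression), a Linux sysfs tree under `/sys/class/net`, GNU coreutils `timeout`, and `getcap` from libcap; the `SYSFS_NET` variable, the function names and the `capture` subcommand are this script's own inventions.

```shell
#!/bin/sh
# sip_capture.sh: unattended SIP capture wrapper around sngrep.
# Added example for this guide, not part of sngrep. Assumes the sngrep 1.x CLI
# (-d, -O, -N, -q, -r, positional <match expression>), a Linux sysfs tree under
# /sys/class/net, GNU coreutils `timeout`, and getcap(8) from libcap.
set -eu

# Overridable so the interface logic can be exercised against a fake sysfs tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# getcap_grants_net_raw LINE: succeed if a getcap(8) output line grants
# cap_net_raw in both the effective and permitted sets. Handles the newer
# "file cap_a,cap_b=eip" syntax and the older "file = cap_a,cap_b+eip" syntax.
getcap_grants_net_raw() {
  line=$(printf '%s' "$1" | tr '+' '=')
  for tok in $line; do
    case "$tok" in *=*) ;; *) continue ;; esac
    caps=${tok%%=*}; flags=${tok#*=}
    case ",$caps," in *,cap_net_raw,*) ;; *) continue ;; esac
    case "$flags" in *e*) ;; *) continue ;; esac
    case "$flags" in *p*) return 0 ;; esac
  done
  return 1
}

# check_capture_privs: succeed if sngrep can open a raw socket, i.e. we are root
# or the sngrep binary carries cap_net_raw (the "silently zero traffic" pitfall).
check_capture_privs() {
  [ "$(id -u)" -eq 0 ] && return 0
  bin=$(command -v sngrep 2>/dev/null || true)
  [ -n "$bin" ] || return 1
  command -v getcap >/dev/null 2>&1 || return 1
  getcap_grants_net_raw "$(getcap "$bin" 2>/dev/null || true)"
}

# resolve_capture_iface IFACE: print the NIC to hand to sngrep -d. For a bond,
# prefer the bond's active slave, else its first slave, so packets are not
# counted twice (the bonding pitfall). Fails if IFACE does not exist.
resolve_capture_iface() {
  iface=$1
  [ -d "$SYSFS_NET/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
  bonding="$SYSFS_NET/$iface/bonding"
  if [ -d "$bonding" ]; then
    active=$(cat "$bonding/active_slave" 2>/dev/null || true)
    slaves=$(cat "$bonding/slaves" 2>/dev/null || true)
    if [ -n "$active" ]; then
      printf '%s\n' "$active"
    elif [ -n "$slaves" ]; then
      echo "warning: $iface has no active_slave; capturing ${slaves%% *} only (slaves: $slaves)" >&2
      printf '%s\n' "${slaves%% *}"
    else
      echo "bond $iface has no slaves" >&2; return 1
    fi
  else
    printf '%s\n' "$iface"
  fi
}

# build_sngrep_cmd IFACE OUTFILE [MATCH] [RTP]: print the command line that
# main() runs, for logging and for review before an unattended run.
build_sngrep_cmd() {
  cmd="sngrep -N -q -d $1 -O $2"
  [ "${4:-0}" = 1 ] && cmd="$cmd -r"
  [ -n "${3:-}" ] && cmd="$cmd $3"
  printf '%s\n' "$cmd"
}

# main IFACE OUTFILE SECONDS [MATCH] [RTP]: run a bounded, headless capture.
main() {
  iface=$1; outfile=$2; secs=$3; match=${4:-}; rtp=${5:-0}
  check_capture_privs || { echo "need root or cap_net_raw on sngrep" >&2; return 1; }
  nic=$(resolve_capture_iface "$iface")
  [ "$rtp" = 1 ] && rtp_flag=-r || rtp_flag=
  echo "+ $(build_sngrep_cmd "$nic" "$outfile" "$match" "$rtp")" >&2
  rc=0
  # SIGINT mimics Ctrl-C so sngrep closes the pcap cleanly; 124 means the timer expired.
  timeout -s INT "$secs" sngrep -N -q -d "$nic" -O "$outfile" $rtp_flag ${match:+"$match"} || rc=$?
  [ "$rc" -eq 124 ] && rc=0
  return "$rc"
}

# usage: sudo sh sip_capture.sh capture eth0 /tmp/sip.pcap 300 'abc123@pbx.example.com'
if [ "${1:-}" = capture ]; then
  shift
  main "$@"
fi
```

Run it with `capture <iface> <outfile> <seconds> [call-id-regex] [1 for RTP]`; the command line it is about to execute is echoed to stderr first, so a systemd unit's journal records exactly what was captured. Without the `capture` subcommand the file only defines the functions, which is what lets the interface and capability checks be tested against a throwaway sysfs tree.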

Got the trace? Render the ladder.

Drop your sngrep export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask Gemini to explain what went wrong — all client-side by default.


SIP Flow · Free, private SIP/VoIP analyzer

Core utility runs entirely in your browser. AI debugging is opt-in and pseudonymizes by default.