How to capture a SIP trace.

Wireshark is the de-facto GUI packet analyzer. It can live-capture on any interface, filter SIP/RTP, and export to .pcap or .pcapng - the formats SIP Flow understands natively.

Read the Wireshark guide

`sngrep` is a terminal SIP-aware sniffer that renders ladder diagrams in the shell and can live-capture, replay from a pcap, and export. It's the fastest way to grab a clean SIP-only pcap from a Linux PBX or SBC without installing a GUI.

Read the sngrep guide

`tshark` is Wireshark's command-line sibling. It uses the same dissectors and capture filters as Wireshark, but runs headless, so it's the right tool for grabbing a clean SIP pcap from a server you can only reach over SSH.

Read the tshark guide

`tcpdump` is the lowest-common-denominator packet capture tool - installed on virtually every Linux/BSD/macOS box. It can't dissect SIP itself, but it produces clean .pcap files that SIP Flow, Wireshark, and sngrep all read natively. Reach for it first when you're triaging a server you've never touched before.

Read the tcpdump guide

`ngrep` is grep for network packets. It can't write a clean pcap with the same fidelity as tcpdump, but its real strength is tailing SIP on the console with a regex filter - perfect for "is this REGISTER even reaching us?" debugging in a couple of seconds.

Read the ngrep guide

Homer (sipcapture.org) is the open-source HEP-based SIP capture platform that ships with most modern PBX deployments. It stores every SIP message centrally, and you can export any call as a pcap-equivalent or HEP dump for offline analysis.

Read the Homer / sipcapture guide

Asterisk's PJSIP and chan_sip stacks both expose verbose SIP logging from the CLI. You can dump SIP messages straight to the Asterisk console or full log file, then either send the text log to SIP Flow or pcap the loopback to convert it to .pcap.

Read the Asterisk guide

FreeSWITCH exposes SIP via the Sofia stack, and `sofia loglevel` / `sofia global siptrace` give you message-level traces without restarting. Combine with `fs_cli` and tcpdump for a complete capture suitable for SIP Flow.

Read the FreeSWITCH guide

Cisco CUBE (Unified Border Element) exposes SIP messaging via IOS `debug ccsip` commands. You can stream the trace to the terminal monitor or buffer it to memory, then copy off the box and feed it to SIP Flow as text - or pull a built-in IOS packet capture.

Read the Cisco CUBE guide

Twilio's SIP Debugger (Console → Voice → Debugger) records every SIP message Twilio sees on Elastic SIP Trunks, BYOC, SIP Domains, and Programmable Voice. You can download the trace as PCAP per call, or stream errors via webhook.

Read the Twilio guide