How to capture a SIP trace with ngrep


`ngrep` is grep for network packets. It can write pcap (`-O`), but only the packets that match your pattern, so it is not a substitute for a full tcpdump capture. Its real strength is tailing SIP on the console with a regex filter, which makes it perfect for "is this REGISTER even reaching us?" debugging in a couple of seconds.

When to reach for this

  • You want a one-liner that prints SIP messages live, in plain text, with regex match
  • You need to confirm a specific Call-ID, From-number, or User-Agent is on the wire right now
  • You're triaging on a minimal system where Wireshark and sngrep aren't installed

Before you start

  • `ngrep` installed (`apt install ngrep` / `dnf install ngrep` / `brew install ngrep`)
  • Root or `cap_net_raw`
  • Interface name (`ip -br a`)

Steps

  1. Tail SIP live on an interface

    Print every SIP message that crosses eth0, with timestamps and the full message body. Ctrl-C when you've seen enough.

    sudo ngrep -W byline -d eth0 -t 'sip:' 'port 5060'
  2. Filter by phone number, Call-ID, or header

    ngrep's first positional argument is a regex applied to packet payloads; the second is a BPF filter in the same syntax tcpdump uses (add `-i` if you need the regex to be case-insensitive). Want only requests from a specific number? Match the From line.

    sudo ngrep -W byline -d eth0 'From:.*\+15551234567' 'port 5060'
  3. Watch for a single Call-ID end-to-end

    Lock onto one dialog and ignore everything else. Useful when the box is busy and you only want one conversation. Widen the BPF filter (for example `'port 5060 or port 5080'`) if your trunks signal on a non-standard port; adding 5061 does not help, because TLS payloads never match a plaintext regex.

    sudo ngrep -W byline -d eth0 'Call-ID:.*abc123@pbx' 'port 5060'
  4. Dump matched SIP to a pcap

    ngrep can write libpcap output too. Pair it with a regex filter to grab only the messages you care about and skip the rest of the noise on the wire. Only matching packets land in the file, so the resulting pcap will not contain the responses to these REGISTERs unless the regex matches them as well.

    sudo ngrep -d eth0 -O /tmp/registers.pcap '^REGISTER ' 'port 5060'
  5. Replay an existing pcap with a regex

    Already have a fat capture? Use ngrep to grep it for SIP messages matching a pattern, which is far faster than scrolling Wireshark. Reading a file with `-I` does not need root.

    ngrep -W byline -I /tmp/full.pcap 'CSeq:.*INVITE' 'port 5060'
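The console output from steps 1 to 3 is easy to eyeball for one call but hard to skim on a busy box. The script below is an added example, not part of the original page or of the ngrep project: it takes `ngrep -W byline` output (with or without `-t`) on stdin and prints one line per SIP message, then flags a message as a retransmission when the same Call-ID, CSeq and start line have already been seen. The sample output embedded in `SAMPLE` is constructed to look like what ngrep prints; the hosts, numbers and Call-ID are made up.

```shell
#!/bin/sh
# sip_summary: condense `ngrep -W byline [-t]` console output into one line
# per SIP message and flag retransmissions (added example, not ngrep's own code).
#
# Live use:   sudo ngrep -q -W byline -t -d eth0 'sip:' 'port 5060' | sip_summary
# Offline:    ngrep -q -W byline -t -I /tmp/full.pcap 'sip:' 'port 5060' | sip_summary

sip_summary() {
    # Output format per message:
    #   [<date> <time> ]<src> -> <dst> | <start line> | <Call-ID> | <CSeq>[ RETRANSMIT]
    awk '
    function flush(    key, flag) {
        if (start == "") return
        # A request repeated with the same Call-ID + CSeq + start line is a
        # retransmission; the matching response has a different start line,
        # so it gets its own key and is not flagged.
        key = callid SUBSEP cseq SUBSEP start
        seen[key]++
        flag = (seen[key] > 1) ? " RETRANSMIT" : ""
        printf "%s%s -> %s | %s | %s | %s%s\n", ts, src, dst, start, callid, cseq, flag
        start = ""; callid = ""; cseq = ""
    }
    # ngrep packet header: "U [date time] src -> dst [#n]"  (U = UDP, T = TCP)
    /^[UT] / {
        flush()
        if ($3 == "->") { ts = "";            src = $2; dst = $4 }   # without -t
        else            { ts = $2 " " $3 " "; src = $4; dst = $6 }   # with -t
        want_start = 1
        next
    }
    { line = $0; sub(/\.$/, "", line) }        # byline mode renders the CR as a trailing "."
    want_start && line != "" { start = line; want_start = 0; next }
    tolower(line) ~ /^(call-id|i):/ { sub(/^[^:]*:[ \t]*/, "", line); callid = line }
    tolower(line) ~ /^cseq:/        { sub(/^[^:]*:[ \t]*/, "", line); cseq   = line }
    END { flush() }
    '
}

# Constructed sample: a REGISTER, its retransmission 500 ms later, then the 200 OK.
SAMPLE='U 2024/03/01 10:00:00.100000 192.0.2.10:5060 -> 192.0.2.20:5060 #1
REGISTER sip:pbx.example.com SIP/2.0.
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-r1.
From: <sip:1001@pbx.example.com>;tag=f1.
To: <sip:1001@pbx.example.com>.
Call-ID: abc123@pbx.
CSeq: 1 REGISTER.
Content-Length: 0.
.

U 2024/03/01 10:00:00.600000 192.0.2.10:5060 -> 192.0.2.20:5060 #2
REGISTER sip:pbx.example.com SIP/2.0.
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-r1.
From: <sip:1001@pbx.example.com>;tag=f1.
To: <sip:1001@pbx.example.com>.
Call-ID: abc123@pbx.
CSeq: 1 REGISTER.
Content-Length: 0.
.

U 2024/03/01 10:00:00.700000 192.0.2.20:5060 -> 192.0.2.10:5060 #3
SIP/2.0 200 OK.
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-r1.
From: <sip:1001@pbx.example.com>;tag=f1.
To: <sip:1001@pbx.example.com>;tag=t1.
Call-ID: abc123@pbx.
CSeq: 1 REGISTER.
Content-Length: 0.
.'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE" | sip_summary
```

The retransmission key deliberately includes the start line rather than only Call-ID and CSeq, otherwise every response would be flagged as a repeat of its request. Pair it with `-t` so the printed timestamps show whether the repeats fall on the SIP timer T1 schedule (roughly 500 ms, then doubling), which is the signature of a client that never saw a reply.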

Tips from people who've done this 1,000 times

  • `-W byline` is almost always what you want — it prints SIP message lines on separate lines instead of one wall of text
  • Combine with `-q` to suppress hash-mark progress noise on quiet pipes
  • `-t` adds timestamps; `-T` adds time deltas between matches — handy for retransmission triage

Pitfalls

  • ngrep is text-oriented; SIP over TLS (normally 5061) and SIP over WebSocket (WSS, and even plain WS because client-to-server frames are masked) are opaque to it, so a regex will never match those flows
  • Long-running ngrep on busy interfaces can drop packets — for forensic captures, use tcpdump or tshark and feed *that* to ngrep
  • Some distributions ship an ancient ngrep that doesn't honor `-W byline` correctly; build from source if matches look mangled

Got the trace? Render the ladder.

Drop your ngrep export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask SipFlow AI to explain what went wrong, all client-side by default.

SIP Flow · Free, private SIP/VoIP analyzer

Core utility runs entirely in your browser. AI debugging is opt-in and pseudonymizes by default.
