Part of my day job involves picking apart SIP packets and figuring out why things might not be happening as expected. I've only recently tried out `sngrep` as a tool to help with this and it's ace.
My toolkit for analysing SIP messages so far consists of server logs, traces stored in HOMER and, if things are still hazy, `tcpdump` and Wireshark. `sngrep` fits in between those last two. It's a command line tool with visualisations for analysing SIP messages and, as a bonus, it's already available as a ready-to-install package for most flavours of Linux!
Mini Feature Walk-Through
Once installed, run `sngrep` and immediately see what SIP messages are passing through the server. `sngrep -O your-capture-file.cap` will create a pcap file as well. Read this back in with `sngrep -I your-capture-file.cap`. This also means you can analyse a capture file from `tcpdump` or similar.
Moving around supports vi-like keyboard bindings, so `hjkl` for movement. `q` or `ESC` takes you back a screen, `ENTER` takes you forward.
The initial screen is of all SIP dialogs, where a dialog is made up of messages that are grouped by `Call-ID` (note this isn't just calls, but registrations etc. as well). Navigate to the dialog you are interested in, then press enter to see the SIP messages. These are presented in a SIP call flow form, with the message content on the right.
Aside: This image and the subsequent ones are all taken from the sngrep wiki. The full size images are linked from the thumbnails below.
Diff Packets
Perhaps you have two packets in a dialog and one didn't receive the response you expected. You can navigate to the first packet and press `[space]`, then navigate to the second and press `[space]` again. You will now see a diff of the two packets. Very useful.
Combining Dialogs
Let’s say we have Alice and Bob connected to our SIP server with nothing fancy going on. If Alice calls Bob this is unlikely a single SIP dialog, rather there are probably two dialogs at work here, Alice to our server and a call out from our server to Bob.
sngrep provides a way for these dialogs to be combined. In the same way we press `[space]` to select packets, we can do the same to select two dialogs. We can then see a combined call flow diagram. I found this particularly useful recently when troubleshooting BYE messages that were not propagating, as seeing the full flow of messages made the error more obvious.
Live Updates
A final bonus point for sngrep is that it will automatically update not just the call listing screen but the in-progress call dialog as well.
All considered, sngrep has already proved to be a really useful tool and is well on the way to becoming a key part of my SIP debugging toolkit.