[OpenSIPS-Users] Using sngrep for visualising encrypted SIP traffic

Giovanni Maruzzelli gmaruzz at gmail.com
Wed Mar 24 14:29:26 EST 2021

I found that if you create the transaction before creating (if any) the
dialog, then the ACK is traced even from HEP.

What I would add to the super nice recipe is:

- let's give a port range to sngrep, so it will not analyze all traffic on
all ports, and will not trace the RTP packets either
- let's give a limit on how many dialogs it will keep in memory, default is
- let's do a rotation of dialogs, FIFO, so it will keep the latest and discard
the older ones
- let's try to understand fragmented UDP too
- let's use aliases for having names for our servers
- let's not listen for HEP trace when we want (without duplicate display)

- let's send both to a local sngrep and a remote homer
- let's trace the 100 reply to INVITE too


let's put in .bashrc:

alias sngrepa='sngrep -l 5000 -R -Ludp: -v "OPTIONS\ sip" "portrange 5050-5090 or (ip[6:2] & 0x1fff) != 0"'
alias sngrepw='sngrep -l 5000 -R -v "OPTIONS\ sip" "portrange 9069-9071 or (ip[6:2] & 0x1fff) != 0"'

sngrepa will be used for "normal traffic", sngrepw for the HEP trace.
The negation of OPTIONS would not be useful in sngrepw, but it is there so that
the command line understands where the BPF filter begins.



modparam("tm", "auto_100trying", 0)

# the host:port of each HEP destination goes right after the [id]
modparam("proto_hep", "hep_id", "[hep_dst]; transport=udp; version=3")
modparam("proto_hep", "hep_id", "[hep_dst2]; transport=udp; version=3")
modparam("proto_hep", "homer5_on", 1)
modparam("proto_hep", "homer5_delim", "#")
modparam("proto_hep", "hep_capture_id", 100)

modparam("tracer", "trace_on", 1)
modparam("tracer", "trace_id", "[sngrep]uri=hep:hep_dst")
modparam("tracer", "trace_id", "[homer]uri=hep:hep_dst2")

route {

        if (!has_totag()) {
                if (is_method("INVITE")) {
                        # trace at dialog level before any dialog is created,
                        # so the transaction exists first and the ACK is traced too
                        trace("sngrep", "D");
                        trace("homer", "D");
                        # auto_100trying is off, so this 100 goes through tracing
                        send_reply(100, "Trying Hard");
                }
                # ... rest of the initial-request routing
        } else {
                # in-dialog requests: trace the transaction
                trace("sngrep", "T");
                trace("homer", "T");
                # ... rest of the in-dialog handling
        }
}

local_route {
        if (is_method("NOTIFY")) {
                # locally generated NOTIFY: trace the single message
                trace("sngrep", "M");
                trace("homer", "M");
        }
}

onreply_route[local] {
        if (is_method("NOTIFY")) {
                # replies to our own NOTIFY: trace the single message
                trace("sngrep", "M");
                trace("homer", "M");
        }
}


beginning of the common .sngreprc:

alias FS1
alias FS2
alias FS3
alias LB
alias LB
alias GW1
alias GW2
set background default
set eep.listen on
set eep.listen.version 3
set eep.listen.address
set eep.listen.port 9070
set eep.listen.pass
set eep.listen.uuid off


On Wed, Mar 24, 2021 at 2:43 AM Ovidiu Sas <osas at voipembedded.com> wrote:

> Hello all,
> Here's a quick recipe to ease the troubleshooting of encrypted SIP traffic:
> https://voipembedded.wordpress.com/2021/03/23/troubleshooting-opensips-encrypted-sip-traffic/
> Regards,
> Ovidiu Sas
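
The recipe above ships SIP out of OpenSIPS as HEPv3 and has sngrep listen for it on UDP 9070 with eep.listen.pass set. As an added example (not from the original post, OpenSIPS or sngrep), here is the HEPv3 wire format both ends speak, plus the receiver-side check that a password and capture id are meant to enable. The SIP message, addresses, capture id and password are constructed sample values; listener_accept() is a hypothetical stand-in for what the receiving side does, not sngrep's own code.

```python
"""HEPv3 encode/decode plus the auth-key/capture-id check a HEP listener should make.

Added example, not code from the original post, OpenSIPS or sngrep. Follows the HEPv3
wire format proto_hep emits and sngrep's eep.listen consumes: "HEP3" magic, 16-bit
total length, then vendor/type/length-prefixed chunks. SIP message, addresses, capture
id and password are constructed; listener_accept() is a hypothetical receiver.
"""
import hmac
import socket
import struct

HEP3_MAGIC = b"HEP3"
VENDOR_GENERIC = 0x0000
# Chunk type ids from the HEPv3 specification (generic vendor 0x0000).
CHUNK_IP_FAMILY, CHUNK_IP_PROTO = 0x0001, 0x0002
CHUNK_SRC_IP4, CHUNK_DST_IP4 = 0x0003, 0x0004
CHUNK_SRC_PORT, CHUNK_DST_PORT = 0x0007, 0x0008
CHUNK_TS_SEC, CHUNK_TS_USEC = 0x0009, 0x000A
CHUNK_PROTO_TYPE, CHUNK_CAPTURE_ID = 0x000B, 0x000C
CHUNK_AUTH_KEY, CHUNK_PAYLOAD = 0x000E, 0x000F
PROTO_TYPE_SIP = 0x01


def _chunk(type_id, data):
    """vendor(2) | type(2) | length(2, header included) | data"""
    return struct.pack("!HHH", VENDOR_GENERIC, type_id, 6 + len(data)) + data


def hep3_encode(sip, src, dst, capture_id, auth_key, ts):
    """One HEPv3 datagram for a SIP message seen on UDP/IPv4; src/dst are (ip, port)."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    body = b"".join([
        _chunk(CHUNK_IP_FAMILY, bytes([int(socket.AF_INET)])),      # 2
        _chunk(CHUNK_IP_PROTO, bytes([int(socket.IPPROTO_UDP)])),   # 17
        _chunk(CHUNK_SRC_IP4, socket.inet_aton(src[0])),
        _chunk(CHUNK_DST_IP4, socket.inet_aton(dst[0])),
        _chunk(CHUNK_SRC_PORT, struct.pack("!H", src[1])),
        _chunk(CHUNK_DST_PORT, struct.pack("!H", dst[1])),
        _chunk(CHUNK_TS_SEC, struct.pack("!I", sec)),
        _chunk(CHUNK_TS_USEC, struct.pack("!I", usec)),
        _chunk(CHUNK_PROTO_TYPE, bytes([PROTO_TYPE_SIP])),
        _chunk(CHUNK_CAPTURE_ID, struct.pack("!I", capture_id)),   # hep_capture_id
        _chunk(CHUNK_AUTH_KEY, auth_key),                          # eep.listen.pass
        _chunk(CHUNK_PAYLOAD, sip),
    ])
    # The total length field counts the 6-byte HEP3 header as well.
    return HEP3_MAGIC + struct.pack("!H", 6 + len(body)) + body


def hep3_decode(datagram):
    """Split a HEPv3 datagram into {(vendor, type): data}; ValueError if malformed."""
    if len(datagram) < 6 or datagram[:4] != HEP3_MAGIC:
        raise ValueError("not a HEP3 datagram")
    total = struct.unpack("!H", datagram[4:6])[0]
    if total != len(datagram):
        raise ValueError("HEP3 total length does not match datagram size")
    chunks, off = {}, 6
    while off < total:
        if off + 6 > total:
            raise ValueError("truncated chunk header")
        vendor, type_id, length = struct.unpack("!HHH", datagram[off:off + 6])
        if length < 6 or off + length > total:
            raise ValueError("chunk length out of bounds")
        chunks[(vendor, type_id)] = datagram[off + 6:off + length]
        off += length
    return chunks


def hep3_parse_sip(datagram):
    """Extract the fields sngrep/Homer display for a SIP capture."""
    c = hep3_decode(datagram)
    g = lambda t: c[(VENDOR_GENERIC, t)]
    u16 = lambda b: struct.unpack("!H", b)[0]
    u32 = lambda b: struct.unpack("!I", b)[0]
    return {"src": (socket.inet_ntoa(g(CHUNK_SRC_IP4)), u16(g(CHUNK_SRC_PORT))),
            "dst": (socket.inet_ntoa(g(CHUNK_DST_IP4)), u16(g(CHUNK_DST_PORT))),
            "ts": (u32(g(CHUNK_TS_SEC)), u32(g(CHUNK_TS_USEC))),
            "capture_id": u32(g(CHUNK_CAPTURE_ID)),
            "payload": g(CHUNK_PAYLOAD)}


def listener_accept(datagram, expected_pass, expected_capture_id=None):
    """Hypothetical receiver check modelled on eep.listen.pass: drop malformed datagrams,
    a wrong or missing auth key (constant-time compare) and, if given, an unexpected
    capture id, so a host that can reach UDP/9070 cannot inject fake SIP into the view."""
    try:
        c = hep3_decode(datagram)
    except ValueError:
        return False
    if expected_pass and not hmac.compare_digest(
            c.get((VENDOR_GENERIC, CHUNK_AUTH_KEY), b""), expected_pass):
        return False
    if expected_capture_id is not None:
        raw = c.get((VENDOR_GENERIC, CHUNK_CAPTURE_ID), b"")
        if len(raw) != 4 or struct.unpack("!I", raw)[0] != expected_capture_id:
            return False
    return (VENDOR_GENERIC, CHUNK_PAYLOAD) in c


# Constructed sample: an INVITE received over TLS, as proto_hep would export it.
SAMPLE_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                 b"Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776\r\n"
                 b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    dg = hep3_encode(SAMPLE_INVITE, ("10.0.0.5", 5061), ("10.0.0.1", 5061),
                     100, b"s3cret", 1616600000.5)
    print(hep3_parse_sip(dg))
    print("good pass:", listener_accept(dg, b"s3cret", 100),
          "bad pass:", listener_accept(dg, b"wrong", 100))
```

The point of the auth-key chunk is what the recipe's eep.listen.pass protects: HEP is plain UDP, so without it anyone who can reach port 9070 can feed sngrep a SIP dialog that never happened. The length checks in hep3_decode matter for the same reason; a chunk length that runs past the datagram must be rejected rather than indexed.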
