sipgrep(8) sip packet grep


sipgrep <-ahNViwgGJpevxlDTRMmqCJj> <-IO pcap_dump > < -n num > < -d dev > < -A num > < -s snaplen > < -S limitlen > < -c contact user > < -j user agent > < -f from user > < -t to user > < -H capture URL > < -q seconds > < -P portrange > < -F file > < match expression > < bpf filter >


sipgrep strives to provide most of GNU grep's common features, applying them to the SIP signaling protocol. sipgrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of SIP packets with application specific filtering options. The tool understands filter logic common to other packet sniffing tools, such as tcpdump(8) and sipgrep(1).


Display help/usage information.

Display version information.

Display empty packets.

Ignore case.

Invert match.

Do not try to drop privileges to the DROPPRIVS_USER.

sipgrep makes no effort to validate input from live or offline sources as it is focused more on performance and handling large amounts of data than protocol correctness, which is most often a fair assumption to make. However, sometimes it matters and thus as a rule sipgrep will try to be defensive and drop any root privileges it might have.

There exist scenarios where this behaviour can become an obstacle, so this option is provided to end-users who want to disable this feature, but must do so with an understanding of the risks. Packets can be randomly malformed or even specifically designed to overflow sniffers and take control of them, and revoking root privileges is currently the only risk mitigation sipgrep employs against such an attack. Use this option and turn it off at your own risk.

Match the regex expression as a word.

Don't put the interface into promiscuous mode.

Make stdout line buffered.

When reading pcap_dump files, replay them at their recorded time intervals (mimic realtime).

Print a timestamp in the form of +S.UUUUUU, indicating the delta between packet matches.

Disable SIP Dialog matching.

Disable multi-line match (prefers single-line match instead).

-I pcap_dump
Input file pcap_dump into sipgrep. Works with any pcap-compatible dump file format. This option is useful for searching for a wide range of different patterns over the same packet stream.

-O pcap_dump
Output matched packets to a pcap-compatible dump file. This feature does not interfere with normal output to stdout.

-n num
Match only num packets total, then exit.

-A num
Dump num packets of trailing context after matching a packet.

-s snaplen
Set the bpf caplen to snaplen (default 65536).

-S limitlen
Set the upper limit on the size of packets that sipgrep will look at. Useful for looking at only the first N bytes of packets without changing the BPF snaplen.

Do not use colors in stdout.

Match user in Contact: SIP header.

Match user in From: SIP header.

Match user in To: SIP header.

-F file
Read in the bpf filter from the specified filename. This is a compatibility option for users familiar with tcpdump. Please note that specifying ``-F'' will override any bpf filter specified on the command-line.

-H ip:port
Duplicate matching traffic to HEP Capture Server / HOMER.

Show sub-protocol number along with single-character identifier (useful when observing raw or unknown protocols).

Disable clean-up of Dialogs during trace.

Print Dialogs report during trace.

Automatically send SIP packet-of-death to SipVicious scanners (kill).

For matching user-agent strings send SIP packet-of-death to SipVicious scanners (kill).

Terminate sipgrep after a specified number of seconds.

Enable packet re-assemblation.

Specify SIP port range (default 5060-5061).

-d dev
By default sipgrep will select a default interface to listen on. Use this option to force sipgrep to listen on interface dev.


Errors from sipgrep, libpcap, and the GNU regex library are all output to stderr.


Written by Alexandr Dubovikov <[email protected]>.


Please report bugs to the sipgrep Bug Tracker, located at

Non-bug, non-feature-request general feedback should be sent to the author directly by email.