irontec / sngrep

Ncurses SIP Messages flow viewer
GNU General Public License v3.0

Feature Request: Start sngrep with no listening interface (HEP only) #433

Open rsmck opened 1 year ago

rsmck commented 1 year ago

It would be really helpful to be able to start sngrep with no listening interface (i.e. for HEP only). The workaround for this suggested in various places is to use -dlo, but this doesn't work if you have SIP traffic on the local interface.

gmaruzz commented 1 year ago

IIRC you can also use the last argument (BPF filter) to listen only to the HEP receiving port,

depending on which address you receive HEP packets on:

sngrep -LE udp:127.0.0.1:9060 port 9060
sngrep -LE udp:192.168.1.61:9060 port 9060

Kaian commented 1 year ago

Hi all!

What version are you using? I think 1.7.0 does not start network capture if you run in hep mode:

sngrep -Ludp:127.0.0.1:9060              # Current Mode: Online [L:9060]
sngrep -Ludp:127.0.0.1:9060 -d any       # Current Mode: Online [multi][L:9060]

Also, the -E flag tells sngrep to parse HEP packets from network capture, so if you capture from 9060 and use -E, you will see each packet twice (one from network capture and another one from the HEP listen socket).

Regards!

rsmck commented 1 year ago

@Kaian thanks, will try that. How do those flags correspond to the options in .sngreprc? I currently have:

set eep.listen on
set eep.listen.version 3
set eep.listen.address 127.0.0.1
set eep.listen.port 9060
set eep.listen.uuid off

Kaian commented 1 year ago

That seems OK to me. Testing with those settings in sngrep 1.7.0 displays Current Mode: Online [L:9060], so no network capture is being done.

I'm closing this as already fixed, feel free to reopen if it doesn't work! :)

Kaian commented 1 year ago

I need to test this more. Trying 1.7.0 on Debian seems to enable network capture even with HEP listen on.