jpr5 / ngrep

ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
https://github.com/jpr5/ngrep

Trailing chars in SIP traffic on SLL in 1.47 #10

Open jpr5 opened 7 years ago

jpr5 commented 7 years ago

From dragonfly.net@gmail.com:

I test new version and now better filter packets, but trash in sip udp packets remained when -d any. Example:

```
SIP/2.0 200 OK. Via: SIP/2.0/UDP 213.170.84.105:5060;branch=z9hG4bK6476719. From: sip:ping@ringme.ru;tag=uloc-591da6eb-7745-005a02-3b80aa86-565d0154. To: sip:0004207@192.168.10.97:5060;transport=udp;user=phone;tag=2e4daf14d0b51a35. Call-ID: 61b02552-5429af26-caac511@213.170.84.105. CSeq: 1 OPTIONS. User-Agent: Grandstream GXP1200 1.2.3.5. Contact: <sip:0004207@192.168.10.97:5060;transport=udp;user=phone>. Allow: INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE,PRACK,MESSAGE. Supported: replaces, timer. Content-Length: 0. . B6. Contact: <si
```

(look at the end: `B6. Contact: <si ...`) - it may be any readable trash. If I set `-d eno1`, all packets are clean.

Run as:

```
bin/ngrep -d any -q -W byline '0004*2' udp port 5080 or udp port 5060 or udp port 5068
```

I think the trouble is in SLL; it needs some backport from tcpdump, or an option for IP sockets where only IP can be caught, without SLL.
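What the trailing bytes look like mechanically, as an added example that is not ngrep's code: a sniffer that takes the UDP payload as "everything after the UDP header up to the end of the captured frame" will print any bytes that happen to trail the datagram in the capture, whereas bounding the payload by the IP total-length and UDP length fields does not. The script below builds a constructed Linux cooked-capture frame (DLT_LINUX_SLL, the link type `-d any` produces) carrying a short SIP payload plus four trailer bytes, then parses it both ways. That the SLL header handling is the cause in ngrep 1.47 is the reporter's hypothesis; this example only shows the failure mode, with the frame layout and trailer bytes being constructed sample data.

```python
import struct

# Constructed sample frame: Linux cooked capture (DLT_LINUX_SLL, 16-byte
# header) -> IPv4 -> UDP -> SIP payload -> 4 trailer bytes that are NOT part
# of the datagram. The trailer stands in for whatever extra bytes end up in
# the captured frame beyond what the IP total-length field covers.
SLL_HDR_LEN = 16          # pkttype(2) arphrd(2) addrlen(2) addr(8) proto(2)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

SIP_PAYLOAD = b"OPTIONS sip:ping@ringme.ru SIP/2.0\r\nContent-Length: 0\r\n\r\n"
TRAILER = b"B6\x00\x00"   # constructed junk following the datagram


def build_sll_udp_frame(payload: bytes, trailer: bytes = b"") -> bytes:
    """Assemble SLL + IPv4 + UDP + payload (+ trailer). Checksums left zero."""
    udp_len = 8 + len(payload)
    ip_total_len = 20 + udp_len
    sll = struct.pack("!HHH8sH", 0, 1, 6,
                      b"\x02\x00\x00\x00\x00\x01\x00\x00", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([192, 168, 10, 97]),
                     bytes([213, 170, 84, 105]))
    udp = struct.pack("!HHHH", 5060, 5060, udp_len, 0)
    return sll + ip + udp + payload + trailer


def udp_payload_from_frame_len(frame: bytes) -> bytes:
    """Naive extraction: everything after the UDP header up to the end of
    the captured frame. Any trailing bytes are reported as payload."""
    ihl = (frame[SLL_HDR_LEN] & 0x0F) * 4
    start = SLL_HDR_LEN + ihl + 8
    return frame[start:]


def udp_payload_from_headers(frame: bytes) -> bytes:
    """Bounded extraction: the payload ends where the UDP length field says
    it ends, and that end must lie inside both the IP total length and the
    bytes actually captured."""
    ip_off = SLL_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", frame[ip_off + 2:ip_off + 4])[0]
    if frame[ip_off + 9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp_off = ip_off + ihl
    udp_len = struct.unpack("!H", frame[udp_off + 4:udp_off + 6])[0]
    end = udp_off + udp_len
    if udp_len < 8 or end > ip_off + ip_total_len or end > len(frame):
        raise ValueError("truncated or inconsistent length fields")
    return frame[udp_off + 8:end]


if __name__ == "__main__":
    frame = build_sll_udp_frame(SIP_PAYLOAD, TRAILER)
    print("frame-length bound :", udp_payload_from_frame_len(frame))
    print("header-length bound:", udp_payload_from_headers(frame))
```

The first parser returns the SIP text followed by `B6\x00\x00`, which is the kind of output the report shows; the second returns exactly the datagram, and rejects a frame whose captured bytes stop short of the length the headers promise (a snaplen truncation) instead of silently reading past the end.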