Provided by: sipgrep_2.1.0-2_amd64 bug


       sipgrep - sip packet grep


       sipgrep  <-ahNViwgGJpevxlDTRMmqCJj> <-IO pcap_dump > < -n num > < -d dev > < -A num > < -s
       snaplen > < -S limitlen > < -c contact user > < -j user agent > < -f from user > <  -t  to
       user > < -H capture URL > < -q seconds > < -P portrange > < -F file > < match expression >
       < bpf filter >


       sipgrep strives to provide most of GNU grep's common features, applying them  to  the  SIP
       signaling  protocol.  sipgrep is a pcap-aware tool that will allow you to specify extended
       regular expressions to match  against  data  payloads  of  SIP  packets  with  application
       specific  filtering  options.   The  tool  understands filter logic common to other packet
       sniffing tools, such as tcpdump(8) and sipgrep(1).


       -h     Display help/usage information.

       -V     Display version information.

       -e     Display empty packets.

       -i     Ignore case.

       -v     Invert match.

       -R     Do not try to drop privileges to the DROPPRIVS_USER.

              sipgrep makes no effort to validate input from live or offline  sources  as  it  is
              focused  more  on  performance  and  handling  large  amounts of data than protocol
              correctness, which is most often a fair assumption to make.  However, sometimes  it
              matters  and  thus  as  a  rule  sipgrep will try to be defensive and drop any root
              privileges it might have.

              There exist scenarios where this behaviour can become an obstacle, so  this  option
              is  provided  to end-users who want to disable this feature, but must do so with an
              understanding of the risks.  Packets can be randomly malformed or even specifically
              designed  to  overflow  sniffers  and  take  control  of  them,  and  revoking root
              privileges is currently the only risk mitigation sipgrep employs  against  such  an
              attack.  Use this option and turn it off at your own risk.

       -w     Match the regex expression as a word.

       -p     Don't put the interface into promiscuous mode.

       -l     Make stdout line buffered.

       -D     When  reading  pcap_dump files, replay them at their recorded time intervals (mimic

       -T     Print a timestamp in the form of +S.UUUUUU, indicating  the  delta  between  packet

       -m     Disable SIP Dialog matching.

       -M     Disable multi-line match (prefers single-line match instead).

       -I pcap_dump
              Input  file  pcap_dump  into  sipgrep.   Works  with  any pcap-compatible dump file
              format.  This option is useful for searching for a wide range of different patterns
              over the same packet stream.

       -O pcap_dump
              Output  matched  packets  to  a  pcap-compatible  dump file.  This feature does not
              interfere with normal output to stdout.

       -n num Match only num packets total, then exit.

       -A num Dump num packets of trailing context after matching a packet.

       -s snaplen
              Set the bpf caplen to snaplen (default 65536).

       -S limitlen
              Set the upper limit on the size of packets that sipgrep will look at.   Useful  for
              looking at only the first N bytes of packets without changing the BPF snaplen.

       -C     Do not use colors in stdout.

       -c     Match user in Contact: SIP header.

       -f     Match user in From: SIP header.

       -t     Match user in To: SIP header.

       -F file
              Read in the bpf filter from the specified filename.  This is a compatibility option
              for users familiar with tcpdump.  Please note that specifying ``-F'' will  override
              any bpf filter specified on the command-line.

       -H ip:port
              Duplicate matching traffic to HEP Capture Server / HOMER.

       -N     Show  sub-protocol  number  along  with  single-character  identifier  (useful when
              observing raw or unknown protocols).

       -g     Disable clean-up of Dialogs during trace.

       -G     Print Dialogs report during trace.

       -J     Automatically send SIP packet-of-death to SipVicious scanners (kill).

       -j     For matching user-agent strings send SIP  packet-of-death  to  SipVicious  scanners

       -q     Terminate sipgrep after a specified number of seconds.

       -a     Enable packet re-assemblation.

       -P     Specify SIP port range (default 5060-5061).

       -d dev By  default  sipgrep will select a default interface to listen on.  Use this option
              to force sipgrep to listen on interface dev.


       Errors from sipgrep, libpcap, and the GNU regex library are all output to stderr.


       Written by Alexandr Dubovikov <>.


       Please report bugs to the sipgrep Bug Tracker, located at


       Non-bug, non-feature-request general feedback should be sent to  the  author  directly  by



*nux                                        March 2014                                 SIPGREP(8)