Using ngrep to capture network activity

You can use ngrep to diagnose SIP or other network traffic. It applies a regular expression to packet payloads on top of a libpcap (BPF) filter, so you can grep live traffic the way you would grep a log file. Capturing requires root (or CAP_NET_RAW).

Dependency: libpcap-devel (plus gcc and make to build)

yum install libpcap-devel

Download and build ngrep. Quote the URL: the & characters in it are shell metacharacters, and unquoted they would send wget to the background and run the rest of the line as separate commands. -O names the saved file, since wget would otherwise use the whole query string as the filename:

wget -O ngrep-1.45.tar.bz2 'http://downloads.sourceforge.net/project/ngrep/ngrep/1.45/ngrep-1.45.tar.bz2?r=http%3A%2F%2Fngrep.sourceforge.net%2Fdownload.html&ts=1296767443&use_mirror=voxel'
tar -jxvf ngrep-1.45.tar.bz2
cd ngrep-1.45
./configure
make

The binary is built as ./ngrep in that directory; make install (as root) copies it into place.

Capture packets on a particular port (everything after the options parses as a BPF filter, so no match expression is applied and every packet on the port is shown; -W byline prints each line of the payload on its own line):

ngrep -W byline -d eth0 port 5060

Capture to a file (written in pcap format; read it back later with ngrep -I capture_file, or open it in tcpdump or Wireshark):

ngrep -W byline -d eth0 port 5060 -O capture_file

Capture only packets whose payload contains a method (e.g. INVITE, GET, POST). ngrep first tries the trailing arguments as a BPF filter; when that fails (INVITE is not valid BPF) the first argument becomes the regular expression and any remaining arguments the filter, so you can append port 5060 to limit the search to SIP traffic:

ngrep -W byline -d eth0 INVITE

Capture by port and protocol (-l line-buffers stdout so output is not delayed when piped into another program; -q suppresses the per-packet # marks):

ngrep -l -q -d eth0 udp and port 514

Capture traffic on the default interface (-i matches case-insensitively, -t prints a timestamp on each packet header, -q is quiet):

ngrep -itq -W byline

Capture all traffic on a specific interface :

ngrep -d eth1 -itq -W byline

Capture traffic whose payload contains a specific string (the match expression is a regular expression, so escape any metacharacters):

ngrep -itq -W byline testing

Capture traffic from a specific source address (src x.x.x.x is BPF shorthand for src host x.x.x.x):

ngrep -itq -W byline src x.x.x.x

Capture traffic to a specific destination address:

ngrep -itq -W byline dst x.x.x.x

Capture traffic that passed through gateway x.x.x.x. Note that the BPF gateway primitive does not accept an IP literal: the argument must be a host name that resolves via both /etc/hosts and /etc/ethers (see pcap-filter(7)); with a bare address the filter fails to compile and ngrep exits with a pcap compile error:

ngrep -itq -W byline gateway x.x.x.x

Capture all traffic across a specific port :

ngrep -d any port 25

Capture network syslog traffic containing a specific word (port syslog resolves through /etc/services to 514):

ngrep -d any 'error' port syslog

Capture FTP logins (USER and PASS travel in cleartext on port 21; -w matches whole words only, -i ignores case):

ngrep -wi -d any 'user|pass' port 21

Capture traffic between a specific source and destination address:

ngrep -itq -W byline src x.x.x.x and dst y.y.y.y
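The SIP and FTP recipes above leave you with byline output to read by eye. As an added example (not part of this page or of ngrep itself), the Python script below reads that output, splits it back into packets, summarises each SIP request or status line with its Call-ID/From/To, and pairs the USER and PASS commands of each FTP flow. The header-line layout it parses is the one ngrep prints ("U ts src:port -> dst:port", with the timestamp present only when -t is given); the capture in SAMPLE is constructed from RFC 3261's example INVITE and documentation addresses, and the script name ngrep_summary.py is assumed.

```python
# Post-process `ngrep -q -t -W byline` output: group the dumps into packets,
# summarise SIP start lines, and pair FTP USER/PASS commands per flow. Added
# example, not part of ngrep; SAMPLE below is constructed, not real traffic.
import re
import sys

# Packet header as ngrep prints it (timestamp only with -t; TCP appends flags):
#   U 2011/02/03 21:30:43.123456 192.0.2.10:5060 -> 192.0.2.20:5060
HEADER_RE = re.compile(r"^(?P<proto>[A-Z]) (?:(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) )?"
                       r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)")
SIP_REQ_RE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
SIP_RESP_RE = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")
FTP_CRED_RE = re.compile(r"^(USER|PASS) (\S+)", re.IGNORECASE)


def parse_ngrep_byline(text):
    """One dict per packet: proto, ts, src, sport, dst, dport, lines. byline mode
    prints LF as a newline and other non-printables, including the CR of CRLF,
    as '.', so a trailing '.' is stripped from every payload line."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            cur = dict(m.groupdict(), lines=[])
            cur["sport"], cur["dport"] = int(cur["sport"]), int(cur["dport"])
            packets.append(cur)
        elif cur is not None and not raw.startswith("#"):  # skip preamble, # marks
            cur["lines"].append(raw[:-1] if raw.endswith(".") else raw)
    for p in packets:  # drop the blank line ngrep prints after each dump
        while p["lines"] and p["lines"][-1] == "":
            p["lines"].pop()
    return packets


def sip_summary(pkt):
    """Method or status code plus Call-ID/From/To, or None for non-SIP payload."""
    if not pkt["lines"]:
        return None
    out = {"src": pkt["src"], "dst": pkt["dst"]}
    if m := SIP_REQ_RE.match(pkt["lines"][0]):
        out.update(method=m.group(1), uri=m.group(2))
    elif m := SIP_RESP_RE.match(pkt["lines"][0]):
        out.update(status=int(m.group(1)), reason=m.group(2))
    else:
        return None
    hdrs = {}
    for line in pkt["lines"][1:]:
        if line == "":
            break  # blank line ends the headers; an SDP body may follow
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    for key, short in (("call-id", "i"), ("from", "f"), ("to", "t")):
        out[key] = hdrs.get(key, hdrs.get(short))  # RFC 3261 compact forms
    return out


def ftp_credentials(packets):
    """Pair USER and PASS seen on one client->server flow to port 21 (what
    `ngrep -wi 'user|pass' port 21` matches) as (client, server, user, pass)."""
    pending, found = {}, []
    for p in packets:
        if p["dport"] != 21:
            continue
        flow = (p["src"], p["sport"], p["dst"])
        for line in p["lines"]:
            if m := FTP_CRED_RE.match(line):
                creds = pending.setdefault(flow, {})
                creds[m.group(1).upper()] = m.group(2)
                if "USER" in creds and "PASS" in creds:
                    found.append((p["src"], p["dst"], creds["USER"], creds["PASS"]))
                    del pending[flow]
    return found


# Constructed sample of `ngrep -q -t -W byline port 5060 or port 21` output,
# built from RFC 3261's example INVITE and documentation addresses.
SAMPLE = """\
interface: eth0 (192.0.2.0/255.255.255.0)
filter: ( port 5060 or port 21 ) and (ip or ip6)

U 2011/02/03 21:30:43.123456 192.0.2.10:5060 -> 192.0.2.20:5060
INVITE sip:bob@example.com SIP/2.0.
From: Alice <sip:alice@example.com>;tag=1928301774.
To: Bob <sip:bob@example.com>.
Call-ID: a84b4c76e66710@192.0.2.10.
CSeq: 314159 INVITE.
Content-Length: 0.
.

T 2011/02/03 21:31:01.000000 192.0.2.10:40123 -> 192.0.2.30:21 [AP]
USER alice.

T 2011/02/03 21:31:02.000000 192.0.2.10:40123 -> 192.0.2.30:21 [AP]
PASS hunter2.
"""

if __name__ == "__main__":  # ngrep -l -q -t -W byline port 5060 or port 21 | python3 ngrep_summary.py
    pkts = parse_ngrep_byline(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print([s for s in map(sip_summary, pkts) if s], ftp_credentials(pkts))
```

Pipe ngrep into it with -l so the output is line-buffered, and with -q so the # marks do not land in the parser. Splitting on header lines rather than on blank lines matters because SIP messages themselves contain a blank line between headers and any SDP body.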