An open-source libpcap-based SIP sniffer. It listens on a network interface and saves SIP/RTP sessions to files. Each session goes into a separate, fancy-named .pcap file. These can be opened with tcpdump, Wireshark and friends.


(subversion a.k.a. "svn", make, gcc and libpcap-dev are required)

svn checkout https://svn.code.sf.net/p/pcapsipdump/code/trunk pcapsipdump-code
cd pcapsipdump-code
sudo make install


Usage: pcapsipdump [-fpU] [-i <interface> | -r <file>] [-d <working directory>]
                   [-v level] [-R filter] [-n filter] [-l filter] [-B size]
 -f   Do not fork or detach from controlling terminal.
 -p   Do not put the interface into promiscuous mode.
 -U   Make .pcap files writing 'packet-buffered' - slower method,
      but you can use partitially written file anytime, it will be consistent.
 -i   Specify network interface name (i.e. eth0, em1, ppp0, etc).
 -r   Read from .pcap file instead of network interface.
 -d   Set directory, where captured files will be stored.
 -v   Set verbosity level (higher is more verbose).
 -B   Set the libpcap capture buffer size, a.k.a. ring buffer size.
      This can be expressed in bytes/KB(*1000)/KiB(*1024)/MB/MiB/GB/GiB. ex.: '-B 64MiB'
      Set this to few MiB or more to avoid packets dropped by kernel.
 -R   RTP filter. Specifies what kind of RTP information to include in capture:
      'rtp+rtcp' (default), 'rtp', 'rtpevent', 't38', or 'none'.
 -n   Number-filter. Only calls to/from specified number will be recorded
      Argument is string. Recompile as 'make DEFS=-DUSE_REGEXP' to get regexp support.
 -l   Record only each N-th call (i.e. '-l 3' = record only each third call)
 For the expression syntax, see 'man 7 pcap-filter'
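
A pre-flight check for the -B and -R arguments described in the usage text above, as an added example that is not part of pcapsipdump or its documentation. It assumes MB/GB follow the same decimal/binary pattern the usage text gives for KB/KiB; the function names, interface, directory and the 1 MiB warning threshold are constructed for illustration, and the script only prints the command instead of running it.

```sh
#!/bin/sh
# Added example: validate -B / -R values before starting a capture.
# size_to_bytes and pcapsipdump_cmd are hypothetical helper names.

# Convert a -B style size ('4096', '64KB', '64MiB', ...) to bytes.
size_to_bytes() {
    num=${1%%[!0-9]*}          # leading digits
    unit=${1#"$num"}           # whatever follows them
    case $num in ''|0*) return 1 ;; esac   # no digits, or leading zero
    case $unit in
        '')  mult=1 ;;
        KB)  mult=1000 ;;
        KiB) mult=1024 ;;
        MB)  mult=1000000 ;;       # assumption: decimal, like KB
        MiB) mult=1048576 ;;       # assumption: binary, like KiB
        GB)  mult=1000000000 ;;
        GiB) mult=1073741824 ;;
        *)   return 1 ;;
    esac
    echo $((num * mult))
}

# usage: pcapsipdump_cmd <interface> <directory> <buffer size> <rtp filter>
# Prints the command line if every argument passes the checks.
pcapsipdump_cmd() {
    bytes=$(size_to_bytes "$3") || { echo "bad -B size: $3" >&2; return 1; }
    case $4 in
        rtp+rtcp|rtp|rtpevent|t38|none) ;;   # values listed under -R
        *) echo "bad -R filter: $4" >&2; return 1 ;;
    esac
    # The usage text recommends a few MiB or more; the 1 MiB floor is constructed.
    [ "$bytes" -ge 1048576 ] ||
        echo "warning: -B $3 is under 1 MiB, the kernel may drop packets" >&2
    echo "pcapsipdump -f -i $1 -d $2 -B $3 -R $4"
}

# Constructed sample values: interface eth0, directory /var/spool/pcapsipdump
pcapsipdump_cmd eth0 /var/spool/pcapsipdump 64MiB rtp+rtcp
```

Note that '64MB' and '64MiB' differ by about 3 MB of buffer, which matters when sizing the ring buffer to avoid gaps in recorded calls.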

Found a bug? Want to contribute?

See pcapsipdump's SourceForge project page.