An open-source libpcap-based SIP sniffer.
Listens on a network interface and saves SIP/RTP sessions to files.
Each session goes in a separate, fancy-named .pcap file.
These can be opened with tcpdump, Wireshark and friends.
(subversion a.k.a. "svn", make, gcc and libpcap-dev are required)
    svn checkout https://svn.code.sf.net/p/pcapsipdump/code/trunk pcapsipdump-code
    cd pcapsipdump-code
    make
    sudo make install
    Usage: pcapsipdump [-fpU] [-i <interface> | -r <file>] [-d <working directory>]
                       [-v level] [-R filter] [-n filter] [-l filter] [-B size] [expression]
     -f   Do not fork or detach from controlling terminal.
     -p   Do not put the interface into promiscuous mode.
     -U   Make .pcap files writing 'packet-buffered' - slower method,
          but you can use partitially written file anytime, it will be consistent.
     -i   Specify network interface name (i.e. eth0, em1, ppp0, etc).
     -r   Read from .pcap file instead of network interface.
     -d   Set directory, where captured files will be stored.
     -v   Set verbosity level (higher is more verbose).
     -B   Set the libpcap capture buffer size, a.k.a. ring buffer size.
          This can be expressed in bytes/KB(*1000)/KiB(*1024)/MB/MiB/GB/GiB.
          ex.: '-B 64MiB'
          Set this to few MiB or more to avoid packets dropped by kernel.
     -R   RTP filter. Specifies what kind of RTP information to include in capture:
          'rtp+rtcp' (default), 'rtp', 'rtpevent', 't38', or 'none'.
     -n   Number-filter. Only calls to/from specified number will be recorded
          Argument is string.
          Recompile as 'make DEFS=-DUSE_REGEXP' to get regexp support.
     -l   Record only each N-th call (i.e. '-l 3' = record only each third call)

    For the expression syntax, see 'man 7 pcap-filter'
See pcapsipdump's Sourceforge Project page