Sngrep output is completely empty

Hello everybody,

I’ve been trying to use sngrep for learning, yet I can’t seem to get it working. I’ve searched for hours, but I just can’t understand why it won’t show anything, even during calls. Asterisk log is full and alive.

I’m running FreePBX on a VM in Proxmox, but the VM is configured to use a bare-metal NIC through PCI passthrough, and since traffic has been flowing without any problem for months now, I can’t imagine how that might cause sngrep to malfunction.

I tried listening to specific ports, devices, etc., but nothing. I’m running FreePBX fully updated and I’ll be more than happy to add more information.

Thanks and good evening, Noam.

Just guessing that a quirk in proxmox is preventing packet capture from working. What network devices does the VM see? If more than one, sngrep could be selecting the wrong one and explicitly specifying the device with -d will work. Otherwise, does tcpdump fail in the same way?

Unless you’re doing video calls, Asterisk doesn’t use much bandwidth so you could just set up bridged networking (instead of the passthrough), at least for testing. And if that also failed, you could run sngrep on the host.

Or, with the present networking setup, if the switch has a port mirror/monitor function, you could run sngrep on the host (or an unrelated machine).

Sorry, I know nothing about proxmox.

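The checks suggested above (see which devices the VM has, give sngrep the right one with -d, and confirm with tcpdump that SIP packets are actually visible on that device) as one diagnostic script. This is an added example written for this thread, not code from sngrep, FreePBX or any poster. The interface names, addresses and `sngrep -V` text in the SAMPLE_* variables are constructed so the script runs offline; it assumes SIP signalling on port 5060 (UDP/TCP) and SIP over TLS on TCP 5061, and that `sngrep -V` names the TLS library the binary was built with. With `--live` it reads the real interface list and Asterisk's listening socket instead.

```shell
#!/bin/sh
# Diagnostic for "sngrep shows nothing": work out which interface actually
# carries Asterisk's SIP traffic, confirm with tcpdump, then hand that device
# to sngrep with -d. Example for this thread; not part of sngrep or FreePBX.
# Assumptions: SIP on 5060 (UDP/TCP), SIP-TLS on TCP 5061, and that
# `sngrep -V` lists the TLS library it was built with.

# Constructed sample of `ip -o -4 addr show` on a VM that sees two NICs
# (a virtio bridge port and a passed-through card). Not the OP's real output.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: ens18    inet 10.0.0.5/24 brd 10.0.0.255 scope global ens18
3: enp1s0    inet 192.0.2.10/24 brd 192.0.2.255 scope global enp1s0'

# Constructed `sngrep -V` samples: one build with TLS support, one without.
SAMPLE_VERSION_TLS='sngrep - 1.4.6
 * Compiled with OpenSSL support.'
SAMPLE_VERSION_NO_TLS='sngrep - 1.4.6
 * Compiled with Unicode support.'

# Print the interface whose IPv4 address equals $2, parsing `ip -o -4 addr` text in $1.
iface_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == ip) { print $2; exit } }'
}

# True if the sngrep build info in $1 names a TLS library.
has_tls_support() {
    printf '%s\n' "$1" | grep -qiE 'gnutls|openssl'
}

# Capture filter for signalling only; RTP would flood the capture.
sip_filter() {
    printf '%s' 'udp port 5060 or tcp port 5060 or tcp port 5061'
}

# The sngrep invocation to run once the device is known.
sngrep_cmd() {
    printf 'sngrep -d %s %s' "$1" "$(sip_filter)"
}

# Live check (needs root): does the kernel see any SIP packets on that device?
live_check() {
    timeout 15 tcpdump -ni "$1" -c 5 "$(sip_filter)" >/dev/null 2>&1
}

live_diag() {
    addrs=$(ip -o -4 addr show)
    # Asterisk's SIP bind address, taken from its listening UDP socket on 5060.
    bind_ip=$(ss -lun | awk '$4 ~ /:5060$/ { sub(/:[0-9]+$/, "", $4); print $4; exit }')
    case "$bind_ip" in
        ""|"0.0.0.0"|"*")
            echo "Asterisk is not bound to a single address; try each device with -d:"
            printf '%s\n' "$addrs" | awk '$3 == "inet" { print "  " $2 }'
            return 1 ;;
    esac
    dev=$(iface_for_ip "$addrs" "$bind_ip")
    if [ -z "$dev" ]; then
        echo "No interface holds $bind_ip (tunnel or VPN address?)"
        return 1
    fi
    if live_check "$dev"; then
        echo "tcpdump sees SIP on $dev; run: $(sngrep_cmd "$dev")"
    else
        echo "tcpdump saw no SIP on $dev in 15s: place a call while it runs, or capture on the Proxmox host"
    fi
    has_tls_support "$(sngrep -V 2>&1)" \
        || echo "This sngrep build has no TLS support: traffic on 5061 is captured but shown as raw TCP"
}

if [ "${1:-}" = "--live" ]; then
    live_diag
else
    # Offline walk-through on the constructed sample: Asterisk is bound to the
    # passed-through NIC, so the default (first) capture device would be wrong.
    dev=$(iface_for_ip "$SAMPLE_ADDRS" 192.0.2.10)
    echo "Asterisk binds 192.0.2.10 -> capture on $dev"
    echo "Run: $(sngrep_cmd "$dev")"
    has_tls_support "$SAMPLE_VERSION_NO_TLS" \
        || echo "Sample build lacks TLS: SIP on 5061 would be visible to tcpdump but not decoded by sngrep"
fi
```

The tcpdump step is the one that separates "sngrep picked the wrong device" from "the packets never reach this VM at all": if tcpdump on the bound interface sees nothing during a call, the fix is at the Proxmox or switch level (bridged NIC, or a port mirror to the host), not in sngrep's options. The TLS check is the caveat the thread ends on: a build without GnuTLS/OpenSSL captures port 5061 like any TCP flow but cannot show SIP inside it.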

Hey, thank you for trying to help.

So, I obviously was in the wrong, as I was trying to monitor TLS traffic, but the sngrep that comes with FreePBX does not have TLS enabled.

Thanks again :)

Thanks for the update. For future readers of this thread, how did you solve it? As I understand it, modern TLS can’t be decrypted from an external capture, even with access to the private key.

Unfortunately, sngrep never got past 1.1, but tshark (and so, of course, Wireshark) can do that job.

To the OP: when learning, take ‘baby steps’ first; it is always less painful ;)

But it requires cooperation from the monitored process (Firefox in your example). Can Asterisk provide that? Even if it can, only traffic ‘seen’ by Asterisk could be decrypted, so sngrep can’t see anything that wouldn’t show up in pjsip logger. The only benefit would be its analysis and filtering abilities, which in my experience are inadequate for the tough problems, e.g., one-way audio on 1% of calls.

sngrep is the wrong tool to debug TLS; it is great for debugging basic SIP and SDP sessions. As I said, the OP needs to get it working with TCP first. Only when that works, then . . .
If TLS was easy to decrypt, then it kinda doesn’t do its job well.
