sipzamine (previously sipcaparseye)

Command line SIP dialog matching and searching through offline PCAPs.



$ sudo apt-get install python-libpcap  # or yum install..
$ sudo pip install sipzamine


A basic example, finding all dialogs that last less than 1.5 seconds:

$ sipzamine -m ^BYE -H ^BYE --maxdur 1.5 --pcap 'host' stored.pcap
[ 179978155f707e3622c0886752336210@ ]
2011-11-23 22:27:20.746782 > 102 INVITE
2011-11-23 22:27:20.747508 > 102 INVITE(100)
2011-11-23 22:27:20.783424 > 102 INVITE(200)
2011-11-23 22:27:20.783956 > 102 ACK
2011-11-23 22:27:21.665581 > 103 BYE <--
2011-11-23 22:27:21.665721 > 103 BYE(200)

Command options

Normally you use -m to match a dialog by regular expression, and -p to filter by IP.

To highlight a particular text string in the concise output, use -H.

Basic matching options:

--pcap filter, -p filter
    pcap filter expression
--pmatch regex, -m regex
    any packet in dialog must match regex (can be used
    multiple times), e.g. ^INVITE to match calls
--amatch regex, -M regex
    all packets in dialog must match regex (can be used
    multiple times), e.g. ^(SIP/2.0|INVITE|BYE) to match
    calls without an ACK
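
The difference between -m (any packet) and -M (all packets), shown as an added example that is not sipzamine's own code. It assumes dialogs are keyed by Call-ID, that each regex is applied with re.search from the start of the SIP message, and that multiple regexes are combined with AND; the sample messages are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample messages (start line + Call-ID only), not from a real capture.
def _msg(start_line, call_id):
    return "%s\r\nCall-ID: %s\r\nContent-Length: 0\r\n\r\n" % (start_line, call_id)

PACKETS = [
    _msg("INVITE sip:bob@example.invalid SIP/2.0", "call-a"),
    _msg("REGISTER sip:example.invalid SIP/2.0", "call-c"),
    _msg("INVITE sip:bob@example.invalid SIP/2.0", "call-b"),
    _msg("SIP/2.0 100 Trying", "call-a"),
    _msg("SIP/2.0 200 OK", "call-c"),
    _msg("SIP/2.0 200 OK", "call-a"),
    _msg("SIP/2.0 200 OK", "call-b"),
    _msg("ACK sip:bob@example.invalid SIP/2.0", "call-a"),
    _msg("BYE sip:bob@example.invalid SIP/2.0", "call-b"),  # call-b never saw an ACK
    _msg("SIP/2.0 200 OK", "call-b"),
    _msg("BYE sip:bob@example.invalid SIP/2.0", "call-a"),
    _msg("SIP/2.0 200 OK", "call-a"),
]

# Call-ID header, including its compact form "i" (RFC 3261).
CALL_ID = re.compile(r"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", re.I | re.M)

def group_dialogs(packets):
    """Group raw SIP messages by Call-ID, keeping first-seen order."""
    dialogs = OrderedDict()
    for raw in packets:
        found = CALL_ID.search(raw)
        if found:  # skip anything without a Call-ID header
            dialogs.setdefault(found.group(1), []).append(raw)
    return dialogs

def select(dialogs, pmatch=(), amatch=()):
    """Return Call-IDs where every pmatch regex hits at least one packet
    and every amatch regex hits all packets of the dialog (assumed AND semantics)."""
    hits = []
    for cid, msgs in dialogs.items():
        any_ok = all(any(re.search(rx, m) for m in msgs) for rx in pmatch)
        all_ok = all(all(re.search(rx, m) for m in msgs) for rx in amatch)
        if any_ok and all_ok:
            hits.append(cid)
    return hits

if __name__ == "__main__":
    d = group_dialogs(PACKETS)
    print(select(d, pmatch=[r"^INVITE"]))                # both calls
    print(select(d, amatch=[r"^(SIP/2.0|INVITE|BYE)"]))  # only the call without an ACK
```

The REGISTER dialog is rejected by the -M style pattern for the same reason as the complete call: one of its packets starts with a method the regex does not list.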

Output options:

    show complete packet contents
--dateskew seconds
    offset added to all dates, can be negative (use when
    pcap clock was off)
--highlight regex, -H regex
    highlight first matchgroup in packets (multiple
    highlights are identified by letters a..z)

Special dialog/packet matching options:

--mindate date
    packets must be younger than specified date
--maxdate date
    packets must be older than specified date
--mindur seconds
    dialogs/transactions must be shorter than duration
--maxdur seconds
    dialogs/transactions must be longer than duration
--retransmits count
    at least count retransmits must be involved


  • Add tests: begin with a smallish pcap.
  • Add the ability to write pcaps from the filter. Combine capability with sipscrub?
  • Compare this to sipgrep (and other tools?). And homer?

Q & A

How do I get pcap files?

You're encouraged to always write SIP pcaps on your VoIP machine. tcpdump makes it easy to rotate pcaps so you won't run out of disk space. You can use the tcpdump247 init script if you like.

