The wonders of troubleshooting SIP never cease.

Ever try to open a pcap with sngrep only to get the following error?

Couldn't open pcap file XYZ.pcap: unknown file format

And then, even though you hate looking at SIP in Wireshark, you are left wondering… Why does this file open in Wireshark, but not in sngrep?

Well, most of the time, this is because the pcap file is actually compressed.

Easy fix.

You can use gzcat to decompress and open the file in one line.

Example:

gzcat FILE.pcap | sngrep -I -

(replacing FILE.pcap with the appropriate file name)

Now, if only we could get certain vendors to either append an extension to the filename or otherwise let us know the pcap was compressed in the first place.
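Until then, the first few bytes of the file tell you what you were actually handed. The script below is an added example, not part of the original post: it classifies a capture by its magic bytes and opens it in sngrep accordingly. The function names capture_format and open_capture are made up for this example, and it uses gzip -dc, which is equivalent to gzcat.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from sngrep).
# Classify a capture by its leading magic bytes, then open it in sngrep.

# Print gzip, pcap, pcapng or unknown for the file given as $1.
capture_format() {
    # First four bytes as lowercase hex with whitespace removed, e.g. "1f8b0800"
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        1f8b*)             echo gzip ;;    # gzip member header
        a1b2c3d4|d4c3b2a1) echo pcap ;;    # classic pcap, microsecond timestamps
        a1b23c4d|4d3cb2a1) echo pcap ;;    # classic pcap, nanosecond timestamps
        0a0d0d0a)          echo pcapng ;;  # pcapng Section Header Block
        *)                 echo unknown ;; # empty, truncated or something else
    esac
}

# Open the capture given as $1 in sngrep, decompressing on the fly if needed.
open_capture() {
    case "$(capture_format "$1")" in
        gzip)
            # Same pipeline as the one-liner above: sngrep reads stdin via "-I -"
            gzip -dc "$1" | sngrep -I -
            ;;
        pcap|pcapng)
            sngrep -I "$1"
            ;;
        *)
            echo "$1: not gzip, pcap or pcapng" >&2
            return 1
            ;;
    esac
}
```

Source the file and run open_capture FILE.pcap; capture_format on its own is handy for sorting through a directory of vendor captures before opening any of them.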