cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
368443
Views
602
Helpful
83
Comments
Ayodeji Okanlawon
VIP Alumni
VIP Alumni

 

SIP traces provide key information in troubleshooting SIP Trunks, SIP endpoints and other SIP related issues. Even though these traces are in clear text, these texts can be gibberish unless you understand fully what they mean.

This document attempts to break down each component of the SIP interaction using a practical approach. We will look at various logs, the SIP messages, headers, SDP information and try to figure out what is going on in a sip voice call transaction.

In as much as I will try to define the under lying layer of the SIP messaging, this document will not go into in-depth analysis of the SIP protocol, so it is advisable to understand SIP protocol technology to be able to understand sip traces.

One key element of troubleshooting is this: To fix a problem, you need to understand the issue, how it works before you can restore it to order.

One popular debug used in troubleshooting a sip solution on a cisco IOS router is

 

“Debug ccsip messages”.

 

To understand The output generated by this debug..We need to understand the Key/fundamental sip messages exchanged during a sip voice call..

1. Invite

2. Trying

3. Ringing

4. ACK

5. OK

 

 

We will look at these messages as we try to understand the debugs. These messages are key in knowing what’s going on. They help us to understand the language been spoken so we are not lost like a non French speaking man in Paris!

Ok enough of grammars, lets dive in! Ready?

INVITE:

An Invite is a SIP requests called methods. There are Six SIP methods described in the SIP specification document RFC 3261 [1].

The INVITE, REGISTER, BYE, ACK, CANCEL, and OPTIONS methods are the original six methods

in SIP.

 

The INVITE method is used to establish media sessions between user agents. In

telephony, it is similar to a Setup message in ISDN

 

 

An INVITE usually has a message body containing the media information

of the caller. The message body can also contain other session information, such

as a resource list in the case of an early offer. If an INVITE does not contain media information, the ACK contains the media information of the UAC.

 

To identify the caller, the called number, the media information and resources advertised in the Invite, SIP invites use headers. Headers are key parameters within the SIP invite and we shall look at them so as to gain full clarity of what’s going on.

 

Let’s look at a sample SIP trace from CUCM. Note this is very similar to what a debug ccsip messages will produce on a CUBE gateway.

 

Here is the call setup for this trace

 

CUCM----------sip trunk------>CUBE---------SIP Trunk--------------->ITSP

(10.105.80.114)                        (10.105.80.174)

 

INVITE with SDP.

 

INVITE sip:14107154522807@10.105.80.174:5060 SIP/2.0

Via: SIP/2.0/UDP 10.105.80.114:5060;branch=z9hG4bK98e4117d52a6

From: "Solihull" <sip:01214248526@10.105.80.114>;tag=25526~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-551664735

To: <sip:14107584528207@10.105.80.174>

Date: Mon, 02 Apr 2012 18:12:31 GMT

Call-ID: 68781700-f791ec0f-2d26-e28690a@10.105.80.114

Supported: timer,resource-priority,replaces

Min-SE: 1800

User-Agent: Cisco-CUCM8.6

Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY

CSeq: 101 INVITE

Expires: 180

Allow-Events: presence, kpml

Supported: X-cisco-srtp-fallback

Supported: Geolocation

Call-Info: <sip:10.105.80.114:5060>;method="NOTIFY;Event=telephone-event;Duration=500"

Cisco-Guid: 1752700672-0000065536-0000007823-0237529354

Session-Expires: 84600

Contact: <sip:01214248526@10.105.80.114:5060>

Max-Forwards: 70

Content-Length: 0

Content-Type: application/sdp

Content-Length: 238

 

v=0

o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14

s=SIP Call

c=IN IP4 10.133.92.102

t=0 0

m=audio 25268 RTP/AVP 18 101

a=rtpmap:18 G729/8000

a=ptime:20

a=fmtp:18 annexb=no

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-15

 

Now let’s break it up or dissect this piece of information.

 

As we can see there are lots of headers in this invite…

 

 

Via

To

From

Call-ID

CSeq

Contact

Max-Forwards

Expires

 

The INVITE header

 

INVITE sip:14107584528207@10.105.80.174:5060 SIP/2.0

 

This is the first part of the trace usually refrred to as the Request-URI This shows four key things

1. The called number

2. The device responsible for the called number or the device through which the called number will be routed

3. SIP Port number

4. Sip Version..

 

So here we see the called number is: 14107584528207

The gateway responsible for routing to this number is 10.105.80.174

SIP port is 5060 and the Sip version is 2.0

 

The Via Header:

 

Via: SIP/2.0/UDP 10.105.80.114:5060;branch=z9hG4bK98e4117d52a6

 

The required Via header field is used to record the SIP route taken by a request

and is used to route a response back to the originator. A UA generating a request

records its own address in a Via header field.

 

Here we see that CUCM is the UA generating this invite and it stamps it IP on the call. This helps identify the origin of the call.

Via header fields contain protocol name, version number, and transport

(SIP/2.0/UDP, SIP/2.0/TCP, etc)

 

The Via header contains what is called the sent-by field. The image below shows the sent by field and this is where the required response will be sent to.

In SIP responses follow the via header except for future requests like ACK and BYE where responses are sent to the contact header

The To and From Headers

 

From: <sip:01214248526@10.105.80.114>;tag=25526~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-551664735

 

To: sip:14107584528207@10.105.80.174

 

The next header fields are the To and From header fields, which show the

originator and destination of the SIP request.

 

Note that the To and From header fields are not reversed in the response message as one might expect them to be. This is because the To and From header fields in SIP are defi ned to indicate the direction of the request, not the direction of the message. Since <sip:01214248526@10.105.80.114 initiated this request, all responses to this INVITE will read

To: sip:14107584528207@10.105.80.174

From: <sip:01214248526@10.105.80.114.

 

Date Header:

 

 

A key component of the sip message. Its tells us the time of the sip request.

 

 

Call ID:

 

Call-ID: 68781700-f791ec0f-2d26-e28690a@10.105.80.114

 

The Call-ID header field is an identifier used to keep track of a particular SIP session. The originator of the request creates a locally unique string. Some older implementations also add an “@” and its host name to the string. The initiator of the session that generates the establishing INVITE generates the unique Call-ID and From tag.

 

The Call ID is one of the key components used in troubleshooting. Each UA generates its own Call ID. Sowhen a call originates from CUCM, CUCM generates its own call id and when a call origate from the CUBE, CUBE generate its own call ID.

 

 

 

Cseq Header:

 

 

CSeq: 101 INVITE

The command sequence CSeq header field is a required header field in every request. The CSeq header field contains a decimal number that increases for each request. Usually, it increases by 1 for each new request, with the exception of CANCEL and ACK requests, which use the CSeq number of the INVITE request to which it refers. The CSeq count is used by UASs to determine out-of-sequence requests or to differentiate between a new request (different CSeq) or a retransmission (same CSeq). The CSeq header fi eld is used by UACs to match a response to the request it references

 

 

 

User Agent Header:

 

 

User-Agent: Cisco-CUCM8.6

 

 

This header identifies the UA that is originating this request/response. In this trace we can see that the UA above is CUCM version 8.6.The user agent header helps identify the originator of the request/response.

 

SDP Extensions and Attributes

 

The SDP extensions used in the application/SDP header lists the media capabilities the calling party is willing to receive or negotiate or support for the session. The table below shows the SDP attributes in this test call and the meaning of each attribute/extension. Please note that The RFC 3264[17] specifies that the attributes containing “a=rtpmap” should be used for each media field

 

 

SDP Parameter Parameter                                                             Name

 

v=0

Version Number

o=CiscoSystemsCCM-SIP 811669 1 IN IP4 10.105.40.14

 

Origin

s=SIP Call

Call Subject

c=IN IP4 10.133.92.102

Connection/IP address for RTP stream

t=0 0

time

m=audio 25268 RTP/AVP 18 101

Media

a=rtpmap:18 G729/8000

Attributes-media

a=ptime:20

Attributes-Packetization

a=rtpmap:101 telephone-event/8000

Dtmf attributes

a=fmtp:101 0-15

Dtmf tones

 

Lets look at media attributes below

 

                                             m=audio 25268 RTP/AVP 18 0 8 101

 

This line defines the media attribtes that will be used for the call.

 

               Audio:           means that this is an Audio call, we can also have m=video in case of a Video call

               25268:           Is the dynamic RTP port used for the call

               RTP/AVP:      Represents the RTP/AVP profile number for each of the profiles listed. The profile numbers are explained below

              

               18=G729

               0=PCMU

               8=PCMA

               101=rtp-nte payload

 

 

 

DISSECTING A SIP TRACE

 

Now we have looked at the basics of sip headers and messages, lets use this to understand the following sip trace

 

The call flow for this call is as shown:

 

 

PSTN-------->ITSP------->CUBE--------------->CUCM---------------->IP PHONE

 

 

 

 

ITSP: 10.10.33.132

CUBE:10.100.0.74

CUCM:10.100.0.14

 

 

 

 

1. An inbound call is received on the CUBE from the ITSP. This invite was sent with SDP. NB that this inbound leg of this call will have a unique call ID that shows the origin of the call, highlighted below.

 

Received:
INVITE sip:441127653485@10.100.0.74:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bK9377fo00cg5ha7l0g3t0.1
From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-
To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>
Call-ID: BW1807283840606121067600210@212.136.178.216
CSeq: 558267841 INVITE
Contact: <sip:07455900064@10.10.33.24:5070;transport=udp>
Allow: ACK,BYE,CANCEL,INFO,INVITE,OPTIONS,PRACK,REFER,NOTIFY
Accept: multipart/mixed,application/media_control+xml,application/sdp
Supported:
Max-Forwards: 69
Content-Type: application/sdp
Content-Length: 207

v=0
o=BroadWorks 161384582 1 IN IP4 10.10.33.132
s=-
c=IN IP4 10.10.33.132
t=0 0
m=audio 11164 RTP/AVP 18 0 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=fmtp:18 annexb=no

 

+++From our understanding of the traces, we see that the call originates from a device called Broadworks, which advertises G711a, G711u, G729 and uses rtp-nte for DTMF. We also see the IP address for the CUBE to stream its RTP to.+++++

 

2. A new Invite Sent to CUCM.

 

After the CUBE receives the invite, it sends an invite to cucm based on the dial-peers configured.

 

NB: that this new invite is sent with a new CALL-ID. This is very important in understanding the order of thigs especially when troubleshooting issues. We can also see that the CUBE advertises all its SDP attributes, codec, dtmf supported, fax etc.

 

002791: Jun  6 16:07:28.394: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:
Sent:
INVITE sip:901926653485@10.100.0.14:5060 SIP/2.0
Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7953C1859
Remote-Party-ID: <sip:07455900064@10.100.0.74>;party=calling;screen=no;privacy=off
From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
To: <sip:901127653485@10.100.0.14>
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
Supported: timer,resource-priority,replaces,sdp-anat
Min-SE:  1800
Cisco-Guid: 2352544350-2938638817-2514718541-1568562753
User-Agent: Cisco-SIPGateway/IOS-12.x
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
CSeq: 101 INVITE
Timestamp: 1338998848
Contact: <sip:07455900064@10.100.0.74:5060;transport=tcp>
Expires: 180
Allow-Events: kpml, telephone-event
Max-Forwards: 68
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 355

v=0
o=CiscoSystemsSIP-GW-UserAgent 8773 2764 IN IP4 10.100.0.74
s=SIP Call
c=IN IP4 10.100.0.74
t=0 0
m=audio 19264 RTP/AVP 18 0 8 100 101
c=IN IP4 10.100.0.74
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:100 X-NSE/8000
a=fmtp:100 192-194
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

 

3. Next the CUBE sends a trying to ITSP. Trying simply means: I am looking for the number you have requested.

 

002792: Jun  6 16:07:28.394: //260862/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 100 Trying

Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bK9377fo00cg5ha7l0g3t0.1

From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-

To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>

Date: Wed, 06 Jun 2012 16:07:28 GMT

Call-ID:

BW1807283840606121067600210@212.136.178.216

 

CSeq: 558267841 INVITE

Allow-Events: kpml, telephone-event

Server: Cisco-SIPGateway/IOS-12.x

Content-Length: 0

 

4. Next the CUBE receives a trying from CUCM. The call-ID help us to know where these responses are coming from.

 

002793: Jun  6 16:07:28.396: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 100 Trying
Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7953C1859
From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
To: <sip:901127653485@10.100.0.14>
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
CSeq: 101 INVITE
Allow-Events: presence
Content-Length: 0

 

5. Next the CUBE receives ringing from CUCM This informs the CUBE that the called endpoint is ringing

 

002794: Jun  6 16:07:28.412: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:

Received:

SIP/2.0 180 Ringing

Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7953C1859

From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D

To: <sip:901127653485@10.100.0.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854

Date: Wed, 06 Jun 2012 16:07:28 GMT

Call-ID:

8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74

 

CSeq: 101 INVITE

Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY

Allow-Events: presence

Supported: X-cisco-srtp-fallback

Supported: Geolocation

Contact: <sip:901926653485@10.100.0.14:5060;transport=tcp>

Content-Length: 0

 

 

6. The CUBE relays this message to the calling party

 

002795: Jun  6 16:07:28.412: //260862/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:

Sent:

SIP/2.0 180 Ringing

Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bK9377fo00cg5ha7l0g3t0.1

From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-

To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>;tag=4C85763E-1CF8

Date: Wed, 06 Jun 2012 16:07:28 GMT

Call-ID:

BW1807283840606121067600210@212.136.178.216

 

CSeq: 558267841 INVITE

Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER

Allow-Events: kpml, telephone-event

Remote-Party-ID: <sip:901926653485@10.100.0.74>;party=called;screen=no;privacy=off

Contact: <sip:901127653485@10.100.0.74:5060>

Server: Cisco-SIPGateway/IOS-12.x

Content-Length: 0

 

 

7. Now the CUBE receives a 200 ok from CUCM. Please note that some elements of the SDP has changed

 

c=IN IP4 10.100.20.10------------------------IP address to send RTP stream to

t=0 0 -------------------------------------------Duration of the call

m=audio 16730 RTP/AVP 18 101---------Codec to use for call and DTMF type to use

a=rtpmap:18 G729/8000-------------------Codec = G729

 

 

 

002796: Jun  6 16:07:28.556: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7953C1859
From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
To: <sip:901127653485@10.100.0.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
CSeq: 101 INVITE
Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
Allow-Events: presence, kpml
Supported: replaces
Supported: X-cisco-srtp-fallback
Supported: Geolocation
Session-Expires:  84600;refresher=uas
Require:  timer
Contact: <sip:901127653485@10.100.0.14:5060;transport=tcp>
Content-Type: application/sdp
Content-Length: 237

v=0
o=CiscoSystemsCCM-SIP 811674 1 IN IP4 10.100.0.14
s=SIP Call
c=IN IP4 10.100.20.10

t=0 0

m=audio 16730 RTP/AVP 18 101
a=rtpmap:18 G729/8000
a=ptime:20
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

 

8. CUBE sends an ACK to CUCM to acknowledge the last 200 Ok message

 

002797: Jun 6 16:07:28.556: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:

Sent:

ACK sip:901127653485@10.105.40.14:5060;transport=tcp SIP/2.0

Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7953DC95

From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D

To: <sip:901127653485@10.105.40.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854

Date: Wed, 06 Jun 2012 16:07:28 GMT

Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74

Max-Forwards: 70

CSeq: 101 ACK

Allow-Events: kpml, telephone-event

Content-Length: 0

 

9. CUBE then sends a 200 OK to ITSP with the SDP attributes to use for the Call based on what it received from CUCM.

 

Sent:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 10.100.0.14:5060;branch=z9hG4bK198a0b7ee5d33c
From: <sip:901127653485@10.100.0.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854
To: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
CSeq: 101 SUBSCRIBE
Content-Length: 0
Contact: <sip:07455900064@10.100.0.74:5060;transport=tcp>
Expires: 7200

Sent:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bK9377fo00cg5ha7l0g3t0.1
From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-
To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>;tag=4C85763E-1CF8
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: BW1807283840606121067600210@212.136.178.216
CSeq: 558267841 INVITE
Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
Allow-Events: kpml, telephone-event
Remote-Party-ID: <sip:901926653485@10.100.0.74>;party=called;screen=no;privacy=off
Contact: <sip:441127653485@10.100.0.74:5060>
Supported: replaces
Supported: sdp-anat
Server: Cisco-SIPGateway/IOS-12.x
Supported: timer
Content-Type: application/sdp
Content-Disposition: session;handling=required
Content-Length: 270

v=0
o=CiscoSystemsSIP-GW-UserAgent 7413 6169 IN IP4 10.100.0.74
s=SIP Call
c=IN IP4 10.100.0.74
t=0 0
m=audio 29626 RTP/AVP 18 101
c=IN IP4 10.100.0.74
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20

 

10. CUBE then receives an ACK

 

002803: Jun  6 16:07:28.594: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:

Received:

ACK sip:441127653485@10.100.0.74:5060 SIP/2.0

Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bKfj8rji3008r0m4lbg7e0.1

From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-

To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>;tag=4C85763E-1CF8

Call-ID:

BW1807283840606121067600210@212.136.178.216

 

CSeq: 558267841 ACK

Contact: <sip:07455900064@10.10.33.24:5070;transport=udp>

Max-Forwards: 69

Content-Length: 0

 


11. Finally the call is ended. Now when troubleshooting the direction of call termination is important. In this case we can see that the CUBE receives a BYE, which is the sip method for call termination. However who sent the BYE, is it CUCM or ITSP…The answer is in the Call-ID. As we call can see the CALL-ID is for the leg from the ITSP. So we see that the call was terminated from the ITSP side.

 

Next important thing is the cause code. The reason why the call was terminated.

 

                                CSeq: 558267842 BYE

        Reason: Q.850;cause=16

 

Here we see as normal call clearing Cause=16.

 

Received:
BYE sip:441127653485@10.100.0.74:5060 SIP/2.0
Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bKfj8rji3008r0m4lbg7e0cd1hhq713.1
From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-
To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>;tag=4C85763E-1CF8
Call-ID: BW1807283840606121067600210@212.136.178.216
CSeq: 558267842 BYE
Max-Forwards: 69
Content-Length: 0

 

002809: Jun  6 16:07:34.470: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.33.24:5070;branch=z9hG4bKfj8rji3008r0m4lbg7e0cd1hhq713.1
From: <sip:07455900064@212.136.178.216:5060;user=phone>;tag=1526438727-1338998848384-
To: "voice-lab-aokanlawon"<sip:441127653485@pbx.emea.ipcom.com>;tag=4C85763E-1CF8
Date: Wed, 06 Jun 2012 16:07:34 GMT
Call-ID: BW1807283840606121067600210@212.136.178.216
Server: Cisco-SIPGateway/IOS-12.x
CSeq: 558267842 BYE
Reason: Q.850;cause=16
P-RTP-Stat: PS=295,OS=5900,PR=292,OR=5840,PL=0,JI=0,LA=0,DU=5
Content-Length: 0


002810: Jun  6 16:07:34.470: //260863/8C38FA5E95E3/SIP/Msg/ccsipDisplayMsg:
Sent:
BYE sip:901127653485@10.100.0.14:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7954021A8
From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
To: <sip:901127653485@10.100.0.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854
Date: Wed, 06 Jun 2012 16:07:28 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
User-Agent: Cisco-SIPGateway/IOS-12.x
Max-Forwards: 70
Timestamp: 1338998854
CSeq: 103 BYE
Reason: Q.850;cause=16

 

Received:
SIP/2.0 200 OK
Via: SIP/2.0/TCP 10.100.0.74:5060;branch=z9hG4bK7954021A8
From: <sip:07455900064@10.100.0.74>;tag=4C85762C-1A2D
To: <sip:901127653485@10.100.0.14>;tag=811674~ffa80926-5fac-4dd6-b405-2dbbc56ae9a2-477917854
Date: Wed, 06 Jun 2012 16:07:34 GMT
Call-ID: 8C394872-AF2811E1-95E98F4D-5D7E5E41@10.100.0.74
CSeq: 103 BYE
Content-Length: 0

 

Below are a few of the Threads that we have used the indepth understanding of sip trcaes to help resolve thier issues. Please take a look as this will help you to understand better sip traces and how they play a key part in troubleshooitng issues

 

https://supportforums.cisco.com/message/3646952#3646952

 

https://supportforums.cisco.com/message/3634572#3634572

 

https://supportforums.cisco.com/message/3624258#3624258

 

https://supportforums.cisco.com/message/3653801#3653801

 

Please feel free to ask any questions and I will be happy to answer to the best of my knowledge. Dont forget to hit the stars, if you find this useful.

Comments
supuferna
Level 1
Level 1

This is nice explanation.shared with my classmates also..Good work

Regards

Helpsmaster

AhmadAba61070
Level 1
Level 1

Infected host email cache  by malware router mobile template fonts attacker 

dimigav1977
Level 1
Level 1

Dear Mr. Okanlawon,

The explanations provided are very useful. I want to ask if we can retrieve from a trace how one device is acting (CUCM, CUBE, etc.).

Lets say in the attached trace we found an IP address 10.220.41.176. How the device with this IP address acts?

 

Received from UDP:10.120.25.54:5060 (828 bytes) at Fri Aug 13 21:23:55:407 2021

SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.220.41.176:5060;received=10.220.41.176;rport=5060;branch=z9hG4bKe24c3a8c20801f509c430d34e67f20bf
To: <sip:2531031644@ngn.hol.net>;tag=h7g4Esbg_26291376-1628879027137
From: <sip:2392305534@ngn.hol.net>;tag=1a-3978157
Call-ID: 1086421077-645F-0010
CSeq: 222 INVITE
Contact: <sip:sgc_c@10.120.25.54;transport=udp>
Record-Route: <sip:10.120.25.54;transport=udp;lr>
Require: timer
Session-Expires: 1800;refresher=uac
Supported: timer
Content-Type: application/sdp
Content-Length: 204
Allow: ACK, BYE, CANCEL, INFO, INVITE, OPTIONS, PRACK, REFER, NOTIFY
Accept: application/sdp

v=0
o=BroadWorks 1511776810 1 IN IP4 10.120.25.54
s=-
c=IN IP4 10.120.60.7
t=0 0
a=sendrecv
m=audio 54686 RTP/AVP 8 18
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=sendrecv

---------------------------------------------------------------------------------------------------

Sent to UDP:10.120.25.54:5060 (546 bytes) at Fri Aug 13 21:23:55:413 2021

ACK sip:sgc_c@10.120.25.54;transport=udp SIP/2.0
Call-ID: 1086421077-645F-0010
Contact: <sip:2392305534@10.220.41.176:5060;user=phone>
Content-Length: 0
CSeq: 222 ACK
From: <sip:2392305534@ngn.hol.net>;tag=1a-3978157
Max-Forwards: 70
Privacy: none
Route: <sip:10.120.25.54;transport=udp;lr>
Session-ID: 114aeef934be4b580592afd7d007fa01
To: <sip:2531031644@ngn.hol.net>;tag=h7g4Esbg_26291376-1628879027137
User-Agent: VFH300S / FW 1.0.10.07T3
Via: SIP/2.0/UDP 10.220.41.176:5060;rport;branch=z9hG4bK496efe0f5832f7b5b38c2aa64d98ba4c


---------------------------------------------------------------------------------------------------

Sent to UDP:10.120.25.54:5060 (584 bytes) at Fri Aug 13 21:26:51:513 2021

REGISTER sip:ngn.hol.net SIP/2.0
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,REGISTER,INFO,PRACK,REFER,SUBSCRIBE,NOTIFY,UPDATE
Call-ID: 2926633456-9491-0001
Contact: <sip:2392305534@10.220.41.176:5060;user=phone>
Content-Length: 0
CSeq: 224 REGISTER
Expires: 1800
From: <sip:2392305534@ngn.hol.net>;tag=ff-1572672654
Max-Forwards: 70
Session-ID: 507470d8b96c68909aadb92b841eafd8
Supported: replaces,timer,100rel,199
To: <sip:2392305534@ngn.hol.net>
User-Agent: VFH300S / FW 1.0.10.07T3
Via: SIP/2.0/UDP 10.220.41.176:5060;rport;branch=z9hG4bK557e50ac5d5401b48bbde0f49ee26e32


---------------------------------------------------------------------------------------------------

Received from UDP:10.120.25.54:5060 (548 bytes) at Fri Aug 13 21:26:51:586 2021

SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.220.41.176:5060;received=10.220.41.176;rport=5060;branch=z9hG4bK557e50ac5d5401b48bbde0f49ee26e32
To: <sip:2392305534@ngn.hol.net>;tag=h7g4Esbg_3fc070780ca8c05c974fecccfba
From: <sip:2392305534@ngn.hol.net>;tag=ff-1572672654
Call-ID: 2926633456-9491-0001
CSeq: 224 REGISTER
Contact: <sip:2392305534@10.220.41.176:5060;user=phone>;expires=900
P-Associated-Uri: <sip:2392305534@ngn.hol.net>
P-Associated-Uri: <tel:+302392305534>
Service-Route: <sip:10.120.25.54:5060;transport=udp;lr>
Content-Length: 0


---------------------------------------------------------------------------------------------------

Sent to UDP:10.120.25.54:5060 (713 bytes) at Fri Aug 13 21:26:56:463 2021

BYE sip:sgc_c@10.120.25.54;transport=udp SIP/2.0
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,REGISTER,INFO,PRACK,REFER,SUBSCRIBE,NOTIFY,UPDATE
Call-ID: 1086421077-645F-0010
Content-Length: 0
CSeq: 225 BYE
From: <sip:2392305534@ngn.hol.net>;tag=1a-3978157
Max-Forwards: 70
P-Asserted-Identity: "Account1"<sip:2392305534@ngn.hol.net>
Privacy: none
Route: <sip:10.120.25.54;transport=udp;lr>
Session-ID: 114aeef934be4b580592afd7d007fa01
Supported: replaces,timer,100rel,199
To: <sip:2531031644@ngn.hol.net>;tag=h7g4Esbg_26291376-1628879027137
User-Agent: VFH300S / FW 1.0.10.07T3
Via: SIP/2.0/UDP 10.220.41.176:5060;rport;branch=z9hG4bK2018e7e31c4caf046d15b27222fc9d43
Reason: SIP;text="the user on hook"


---------------------------------------------------------------------------------------------------

Received from UDP:10.120.25.54:5060 (322 bytes) at Fri Aug 13 21:26:56:489 2021

SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.220.41.176:5060;received=10.220.41.176;rport=5060;branch=z9hG4bK2018e7e31c4caf046d15b27222fc9d43
To: <sip:2531031644@ngn.hol.net>;tag=h7g4Esbg_26291376-1628879027137
From: <sip:2392305534@ngn.hol.net>;tag=1a-3978157
Call-ID: 1086421077-645F-0010
CSeq: 225 BYE
Content-Length: 0

 

jwilder01
Level 1
Level 1

Thank you!

great article!, the links to the threads on the support forum are down

Wonxie
Level 1
Level 1

very good article. found it very helpful

Thanks.

david79
Level 1
Level 1

Thanks  Ayodeji Okanlawon.

Professionally Explained. Keep it up and spread the word of knowledge. 

A+ rating.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: