cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

SIP Basic Trace Analysis

Abdul Jaseem
Beginner
Beginner

Hi Experts,

Please help me to analyse the attached SIP Trace and identify the following.

1. Firmware of the phone
2. Phone model :
3. Called Number
4. CI1
5. SIP Call ID 1
6. CI2
7. SIP call ID 2
8. which message indicates that the phone went off hook?
9. Type of DTMF method supported by the phone?

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions

Adarsh Chauhan
Participant
Participant

Hi,

Analysis of call made at 22:58:28.018 from 5006 to 5010.
Strictly on the basis of SIP signalling in CUCM traces and not diving into CUCM architecture.

1. Firmware of the phone(calling):
Line:19329
User-Agent: Cisco-CP7861/10.3.1


2. Phone model(calling):
Line:19329
User-Agent: Cisco-CP7861/10.3.1


3. Called Number
Line:20561
Remote-Party-ID: <sip:5010


4. CI1
Line:20552
CI:21384627 (last part of to value)
To: <sip:5@10.173.98.10>;tag=4990~8d4ebf65-f2dd-4e5a-96d8-9741c8d14440-21384627


5. SIP Call ID 1
line:19325
Call-ID: 885a92d9-acf80020-6877c6ce-38005827@10.173.247.125


6. CI2
Line:20320
CI:21384628 (last part of tag value)
From: <sip:5006@10.173.98.10>;tag=4992~8d4ebf65-f2dd-4e5a-96d8-9741c8d14440-21384628


7. SIP call ID 2
Line:20323
Call-ID: d3e1e600-7d3184e5-236-a62ad0a@10.173.98.10


8. which message indicates that the phone went off hook?
Line:20653
SIP/2.0 200 OK
A 200okay from SIPCallID2 means that the other phone went offhook.


9. Type of DTMF method supported by the phone (calling)?
Line (rfc2833):19354
a=rtpmap:101 telephone-event/8000

Line (kpml):19336
Allow-Events: kpml,dialog

Also you should refer to reading SIP TRACES

Please rate and mark correct if helpful

Regards,

Adarsh Chauhan


Please rate and mark correct if helpful
Regards,
Adarsh Chauhan

View solution in original post

18 REPLIES 18

Adarsh Chauhan
Participant
Participant

Hi,

Analysis of call made at 22:58:28.018 from 5006 to 5010.
Strictly on the basis of SIP signalling in CUCM traces and not diving into CUCM architecture.

1. Firmware of the phone(calling):
Line:19329
User-Agent: Cisco-CP7861/10.3.1


2. Phone model(calling):
Line:19329
User-Agent: Cisco-CP7861/10.3.1


3. Called Number
Line:20561
Remote-Party-ID: <sip:5010


4. CI1
Line:20552
CI:21384627 (last part of to value)
To: <sip:5@10.173.98.10>;tag=4990~8d4ebf65-f2dd-4e5a-96d8-9741c8d14440-21384627


5. SIP Call ID 1
line:19325
Call-ID: 885a92d9-acf80020-6877c6ce-38005827@10.173.247.125


6. CI2
Line:20320
CI:21384628 (last part of tag value)
From: <sip:5006@10.173.98.10>;tag=4992~8d4ebf65-f2dd-4e5a-96d8-9741c8d14440-21384628


7. SIP call ID 2
Line:20323
Call-ID: d3e1e600-7d3184e5-236-a62ad0a@10.173.98.10


8. which message indicates that the phone went off hook?
Line:20653
SIP/2.0 200 OK
A 200okay from SIPCallID2 means that the other phone went offhook.


9. Type of DTMF method supported by the phone (calling)?
Line (rfc2833):19354
a=rtpmap:101 telephone-event/8000

Line (kpml):19336
Allow-Events: kpml,dialog

Also you should refer to reading SIP TRACES

Please rate and mark correct if helpful

Regards,

Adarsh Chauhan


Please rate and mark correct if helpful
Regards,
Adarsh Chauhan

Abdul

In addition to the excellent answers provided by Adarsh (+5)

Here are more details (NB that my log references a different time stamp from Adarsh's)

Please refer to understanding CUCM traces for ore explanation.

https://supportforums.cisco.com/document/12724111/understanding-cucm-traces-end-end


## The phone going off hook process is indicated by CUCM SUBSCRIBE request to the phone
Phone goes off hook and cucm tells phone to subscribe to KPML to dial digits ##


00331001.006 |22:51:22.161 |AppInfo |//SIP/Stack/Info/0x0/ccsip_spi_process_app_subscribe_event: Event [SIPSPI_EV_CC_SUBSCRIBE] received in State [SUBSCRIBE_STATE_IDLE]
--
00331001.029 |22:51:22.162 |AppInfo |//SIP/Stack/Info/0x0/act_idle_continue_subscribe_event: Changing from State: SUBSCRIBE_STATE_IDLE to state SUBSCRIBE_STATE_DIALOG_PENDING
--
00331002.001 |22:51:22.162 |AppInfo |//SIP/SIPUdp/wait_SdlSPISignal: Outgoing SIP UDP message to 10.173.247.125:[5060]:
[11654,NET]
SUBSCRIBE sip:0994af0a-ce7e-b885-b943-30c6f518bab6@10.173.247.125:5060;transport=udp SIP/2.0
Via: SIP/2.0/UDP 10.173.98.10:5060;branch=z9hG4bK301d84de38
From: <sip:5@10.173.98.10>;tag=1220406462
To: <sip:5006@10.173.247.125>
Call-ID: d55ede80-7d31833a-22d-a62ad0a@10.173.98.10

## phone responds with 200 OK to subscribe request ##


00331003.001 |22:51:22.178 |AppInfo |//SIP/SIPUdp/wait_SdlDataInd: Incoming SIP UDP message size 452 from 10.173.247.125:[5060]:
[11655,NET]
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.173.98.10:5060;branch=z9hG4bK301d84de38
From: <sip:5@10.173.98.10>;tag=1220406462
To: <sip:5006@10.173.247.125>;tag=885a92d9acf8007847113ced-7f682005
Call-ID: d55ede80-7d31833a-22d-a62ad0a@10.173.98.10
Date: Sat, 10 Sep 2016 03:51:21 GMT
CSeq: 101 SUBSCRIBE
Server: Cisco-CP7861/10.3.1

### dialled number can be seen after DA ###
dd="5010"
00331053.007 |22:51:23.066 |AppInfo |Digit analysis: match(pi="2", fqcn="5006", cn="5006",plv="5", pss="Global Learned E164 Numbers:Global Learned E164 Patterns:Internal", TodFilteredPss="Global Learned E164 Numbers:Global Learned E164 Patterns:Internal", dd="5010",dac="0")

##CI 1 ##
you can find CIs in the CcCiReq and CciRes ###
21384619

## CI 2 (21384620 ##
You can find your CI 2 in either of the following places..

##1 LBMIF process that associates the first call leg (CI1 to the 2nd call leg, CI 2)

00331062.001 |22:51:23.069 |AppInfo |LBMIF: CI: 21384619 ASSOC 21384620

or you can find it in the From header of the outbound INVITE to called phone

INVITE sip:52f81139-c8eb-3de2-3d4c-af5b05043fc1@10.173.247.116:5060;transport=udp SIP/2.0

From: <sip:5006@10.173.98.10>;tag=4949~8d4ebf65-f2dd-4e5a-96d8-9741c8d14440-21384620

## DTMF Support ###
The answer here depends on which phone we are looking at. The called or the calling phone?
From the logs one phone wants to do both rfc 2833 and sip kpml but the other phone only wants to do rfc2833

00331236.002 |22:51:25.619 |AppInfo |SIP DTMF Info: mLocalDtmfCaps...UNSOL=0, KPML=0, Inband=1(101) mEndppointsDtmfCaps...UNSOL=0, KPML=1, Inband=1(101)

## we can also see this in both the offer and the answer from both phones ##

phone 1
SIP/2.0 200 OK
Allow-Events: kpml,dialog
--
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

phone 2
ACK sip:52f81139-c8eb-3de2-3d4c-af5b05043fc1@10.173.247.116:5060;transport=udp SIP/2.0
--
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

Please rate all useful posts

Hi Ayodeji,

You are simply amazing, I have seen your 'Expert VIP Live Webcast- Troubleshooting SIP in Cisco Unified Communications Deployments' video and started with SIP trace analysis.

Thanks for your explanation in the above question, I got pretty good understanding of Basic SIP trace.

-Abdul