This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SIP - look inside of authentication packets?

0

We experienced a problem today with all outbound SIP calls for about 10 minutes today. All inbound calls continued to function fine. None of the active calls were disconnected. I was lucky enough to capture the data going to/from the ISP edge router in our office.

What I noticed was a very large loop of Invites, Trying, Unauthorized, ACK then repeat for each call. This would continue until the user hung up their phone.

I'm using Wireshark in Windows. How would I look inside of these packets to see what is wrong? My ISP and VOIP vendors are both pointing fingers at each other.

Below is a sample. I removed all the IPs and phone number. Any suggestions?

|587.613086000|         INVITE SDP (g711U te          |SIP From: "WORK" <[email protected]:5060;user=phone to:<sip:[email protected]:5060;user=phone
|         |(5060)   ------------------>  (5060)   |
|587.619187000|         100 Trying|                   |SIP Status
|         |(5060)   <------------------  (5060)   |
|587.633932000|         401 Unauthorized              |SIP Status
|         |(5060)   <------------------  (5060)   |
|587.636301000|         ACK       |                   |SIP Request
|         |(5060)   ------------------>  (5060)   |
|587.637561000|         INVITE SDP (g711U te          |SIP From: "WORK" <sip:[email protected]:5060;user=phone to:<sip:[email protected]:5060;user=phone
|         |(5060)   ------------------>  (5060)   |
|587.644035000|         100 Trying|                   |SIP Status
|         |(5060)   <------------------  (5060)   |
|587.658965000|         401 Unauthorized              |SIP Status
|         |(5060)   <------------------  (5060)   |
|587.661240000|         ACK       |                   |SIP Request
|         |(5060)   ------------------>  (5060)   |
|587.662205000|         INVITE SDP (g711U te          |SIP From: "WORK" <sip:[email protected]:5060;user=phone to:<sip:[email protected]:5060;user=phone
|         |(5060)   ------------------>  (5060)   |
|587.668582000|         100 Trying|                   |SIP Status

asked 17 Jun '15, 19:45

mjtvillanova
accept rate: 0%

edited 17 Jun '15, 23:20

Kurt Knochner ♦


One Answer:

1

It's tough to see without an actual pcap, but your server is requiring authentication, and either your UAC is not formulating an authentication response with the WWW-Authenticate header, or it is failing in its response (i.e. bad password).

Again, too many variables... need an actual trace. You can anonymize it with Jasper's TraceWrangler software if that is your concern for not providing a trace. ---> http://www.tracewrangler.com

answered 17 Jun '15, 21:15

Rooster_50
accept rate: 15%
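
The two cases named in the answer (no authentication response at all, or a response the server refuses) can be told apart from the SIP headers in the capture. The following is an added example, not part of the original answer: it classifies each INVITE that follows a 401 within the same Call-ID. The messages are constructed, the finding labels are made up for this sketch, and it assumes full header names (no compact `i:` form) and 401/WWW-Authenticate only.

```python
import re

def parse(raw):
    """Return (method or status code, {lower-cased header: value}) for one SIP message."""
    head = re.split(r"\r?\n\r?\n", raw.strip(), maxsplit=1)[0].splitlines()
    first = head[0].split()
    token = first[1] if first[0].startswith("SIP/") else first[0]
    return token, {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in head[1:])}

def nonce(value):
    """Pull nonce=... out of a Digest header value; the word boundary skips cnonce."""
    m = re.search(r'\bnonce="?([^",]+)', value or "")
    return m.group(1) if m else None

def diagnose(messages):
    """Classify every INVITE that retries a 401-challenged call, per Call-ID."""
    challenge, answered, findings = {}, {}, []
    for raw in messages:
        token, h = parse(raw)
        cid = h.get("call-id")
        if token == "401":
            if cid in answered:  # server saw a matching answer and still refused it
                findings[answered.pop(cid)] = (cid, "credentials-rejected")
            challenge[cid] = nonce(h.get("www-authenticate"))
        elif token == "INVITE" and cid in challenge:
            auth = h.get("authorization")
            if auth is None:
                findings.append((cid, "no-authorization-header"))
            elif nonce(auth) != challenge[cid]:
                findings.append((cid, "nonce-mismatch"))
            else:
                answered[cid] = len(findings)
                findings.append((cid, "answers-challenge"))
    return findings

# Constructed messages (not from the poster's capture), trimmed to the relevant headers.
URI, CID = "sip:callee@example.invalid SIP/2.0", "\nCall-ID: a1"
def chal(n): return f'SIP/2.0 401 Unauthorized{CID}\nWWW-Authenticate: Digest realm="example.invalid", nonce="{n}"'
def inv(n): return f'INVITE {URI}{CID}\nAuthorization: Digest username="u", nonce="{n}", cnonce="x", response="0"'
SAMPLE = [
    f"INVITE {URI}{CID}", f"SIP/2.0 100 Trying{CID}", chal("N1"), f"ACK {URI}{CID}",
    f"INVITE {URI}{CID}",   # retry that ignores the challenge
    chal("N2"), inv("N1"),  # retry that answers an older nonce
    chal("N3"), inv("N3"),  # retry that answers the current nonce
    chal("N4"),             # refused anyway
]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

In Wireshark the same headers are visible by expanding the SIP layer of each INVITE and 401 in the packet details pane.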