
SIP Registration Analyzer

The SIP Registration Analyzer focuses on endpoint registration behavior. It reads the capture in the browser, tracks REGISTER messages and responses, and checks DNS traffic when no registration packets appear.

What It Checks

  • REGISTER requests and matching SIP responses.
  • 401 and 407 authentication challenges.
  • Repeated auth loops where challenges continue without a 200 OK.
  • Contact and Expires headers that affect where and how long the device registers.
  • Final 4xx, 5xx, or 6xx failures for REGISTER.
  • DNS responses that may explain why no REGISTER packets were sent.

When To Use It

Use it when a phone, ATA, PBX, or SIP endpoint will not register, keeps asking for credentials, shows registration expired, or never appears to reach the SIP service.

How To Read Results

  • A 401 or 407 followed by another REGISTER and then 200 OK is usually normal challenge-response authentication.
  • Repeated 401 or 407 responses without a 200 OK suggest wrong credentials, realm mismatch, stale nonce behavior, or an auth header problem.
  • A REGISTER without any response may point to a routing, firewall, or NAT problem, or to capture placement.
  • No REGISTER plus SERVFAIL, NXDOMAIN, REFUSED, or empty SIP-related DNS answers suggests name resolution should be checked first.
  • Contact and Expires values help explain where the registrar will send future requests and how often the endpoint refreshes.

Privacy Note

The analyzer runs locally in the browser. Review captures before sharing them and use PCAP Redactor if customer-facing evidence needs IP or call-leg masking.

How To Use SIP Registration Analyzer

  1. Upload a PCAP or PCAPNG captured while the endpoint attempts to register.
  2. Review the registration summary for success, auth loop, failure, or missing REGISTER packets.
  3. Open each registration flow to compare REGISTER requests, 401/407 challenges, 200 OK responses, Contact, and Expires values.
  4. If no REGISTER packets appear, review DNS clues for SIP-related lookup failures.
  5. Use SIP Call Flow Analyzer for a broader signaling view or PCAP Redactor before sharing the capture externally.

Troubleshooting Flow

  1. PCAP
  2. REGISTER
  3. Auth
  4. DNS clue

Example Result

Normal challenge-response registration

PCAP with REGISTER, 401 Unauthorized, REGISTER with Authorization, 200 OK

Status: challenge then registered
Auth challenges: 1
Expires: 300
Contact header shown

  • This is a common healthy registration pattern.
  • Confirm the expiry interval matches the expected refresh behavior.

Possible DNS failure before registration

PCAP with DNS query for SIP service and no REGISTER packets

Status: no REGISTER seen
DNS: SERVFAIL or NXDOMAIN
Suggested next check: resolver path and SIP domain records

  • No REGISTER packets can mean the endpoint never resolved a target.
  • Capture closer to the endpoint if DNS traffic is missing too.

What Good And Bad Results Look Like

Good signs

  • 401 or 407 is followed by REGISTER with auth and then 200 OK.
  • Contact and Expires values match expected registration behavior.
  • DNS answers exist before the registration attempt.

Needs review

  • Repeated 401 or 407 responses without 200 OK.
  • REGISTER receives final 4xx, 5xx, or 6xx failure.
  • No REGISTER appears and DNS shows SERVFAIL, NXDOMAIN, REFUSED, or empty SIP-related answers.
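
The good and needs-review patterns above, as an added JavaScript example (not the analyzer's own code): it groups already-decoded SIP message text by Call-ID and labels each REGISTER flow, falling back to DNS response codes when no REGISTER exists. The function names, status strings, `loopThreshold` cutoff, and all sample messages are assumptions made for this example.

```javascript
// Constructed sample data only: msg() builds SIP text, nothing comes from a real capture.
const msg = (start, callId, cseq, ...extra) =>
  [start, `Call-ID: ${callId}`, `CSeq: ${cseq} REGISTER`, ...extra, "", ""].join("\r\n");
const COMPACT = { i: "call-id", m: "contact" }; // RFC 3261 compact header names

function parseSip(text) {
  const [start, ...lines] = text.split("\r\n\r\n")[0].split("\r\n");
  const headers = {};
  for (const line of lines) {
    const h = /^([^:\s]+)\s*:\s*(.*)$/.exec(line);
    if (h) headers[COMPACT[h[1].toLowerCase()] || h[1].toLowerCase()] = h[2].trim();
  }
  const m = /^SIP\/2\.0 (\d{3})/.exec(start);
  return { status: m ? Number(m[1]) : null, method: m ? null : start.split(" ")[0], headers };
}

// loopThreshold (assumed cutoff): that many challenges with no final response = auth loop
function classifyRegistrations(rawMessages, dnsRcodes = [], loopThreshold = 3) {
  const flows = new Map(); // one flow per Call-ID
  for (const m of rawMessages.map(parseSip)) {
    if (!/\bREGISTER$/.test(m.headers.cseq || "")) continue; // skip other transactions
    const id = m.headers["call-id"];
    if (!flows.has(id)) flows.set(id, { callId: id, requests: 0, challenges: 0, final: null });
    const f = flows.get(id);
    if (m.headers.expires) f.expires = Number(m.headers.expires);
    if (m.headers.contact) f.contact = m.headers.contact;
    if (m.method === "REGISTER") f.requests++;
    else if (m.status === 401 || m.status === 407) f.challenges++;
    else if (m.status >= 200) f.final = m.status; // 1xx provisional responses are ignored
  }
  if (flows.size === 0) { // no REGISTER at all: fall back to DNS response codes
    const bad = dnsRcodes.filter((r) => ["SERVFAIL", "NXDOMAIN", "REFUSED"].includes(r));
    return [{ status: bad.length ? "no REGISTER seen, check DNS first" : "no REGISTER seen", dns: bad }];
  }
  return [...flows.values()].map((f) => {
    let status = "no response";
    if (f.final === 200) status = f.challenges ? "challenge then registered" : "registered";
    else if (f.final >= 400) status = "failed";
    else if (f.challenges >= loopThreshold) status = "auth loop";
    else if (f.challenges) status = "challenged, no final response";
    return { ...f, status };
  });
}
const healthy = [
  msg("REGISTER sip:example.test SIP/2.0", "a1", 1, "Contact: <sip:100@192.0.2.10>", "Expires: 300"),
  msg("SIP/2.0 401 Unauthorized", "a1", 1),
  msg("REGISTER sip:example.test SIP/2.0", "a1", 2, "Contact: <sip:100@192.0.2.10>", "Expires: 300"),
  msg("SIP/2.0 200 OK", "a1", 2, "Contact: <sip:100@192.0.2.10>", "Expires: 300"),
];
console.log(classifyRegistrations(healthy)[0].status);
```

Retransmitted REGISTER packets are counted as separate requests here, so `requests` can exceed the number of distinct CSeq values in a lossy capture.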

Common Mistakes

  • Treating every 401 or 407 as a failure instead of checking whether a 200 OK follows.
  • Ignoring DNS when the capture contains no REGISTER packets.
  • Looking only at the final response instead of the full REGISTER challenge sequence.

Practical Troubleshooting Workflow

  1. Capture the endpoint while it attempts to register.
  2. Check whether REGISTER packets exist at all.
  3. Review challenge-response flow, Contact, and Expires.
  4. Use DNS clues first when no REGISTER packets are present.

FAQ

Is a 401 or 407 always a registration failure?

No. SIP registrars commonly challenge a REGISTER first. It becomes suspicious when challenges repeat and no successful 200 OK follows.

Why check DNS when no REGISTER packets exist?

If the endpoint cannot resolve the registrar or SIP SRV/NAPTR target, it may never send a REGISTER packet to the expected destination.

Can this prove credentials are wrong?

It can show repeated authentication challenges or failed registration responses, but credentials should be confirmed in the endpoint or registrar logs.