Skip to content

Packet analysis

SIP trace analyzer online

Paste raw SIP output from sngrep, tcpdump, or Asterisk CLI. The parser formats headers, flags security issues, and highlights known scanner User-Agents like friendly-scanner and sipvicious.

Security warnings

  • User-Agent: Known SIP scanner detected: "friendly-scanner". Block this source immediately.

Parsed message

INVITE sip:1001@10.0.0.1

Headers

HeaderValue
ViaSIP/2.0/UDP 185.243.115.84:5060;branch=z9hG4bK-12345
From<sip:scanner@185.243.115.84>;tag=abc123
To<sip:1001@10.0.0.1>
Call-IDscan-001@185.243.115.84
CSeq1 INVITE
Contact<sip:scanner@185.243.115.84:5060>
Max-Forwards70
User-Agentfriendly-scanner
Content-Typeapplication/sdp
Content-Length0

Formatted output

INVITE sip:1001@10.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 185.243.115.84:5060;branch=z9hG4bK-12345
From: <sip:scanner@185.243.115.84>;tag=abc123
To: <sip:1001@10.0.0.1>
Call-ID: scan-001@185.243.115.84
CSeq: 1 INVITE
Contact: <sip:scanner@185.243.115.84:5060>
Max-Forwards: 70
User-Agent: friendly-scanner
Content-Type: application/sdp
Content-Length: 0

How it works

Three steps to results

  1. 01

    Paste raw SIP text

    Copy a SIP message from sngrep, Wireshark 'Follow TCP Stream', or Asterisk verbose output. The parser handles INVITE, REGISTER, OPTIONS, BYE, and responses.

  2. 02

    Review parsed headers

    Each header is extracted into a sortable table. Request-URI, Via, Contact, User-Agent, and Authorization fields are highlighted for quick triage.

  3. 03

    Check security warnings

    Known scanner User-Agents, missing authentication on OPTIONS probes, and suspicious Request-URI patterns are flagged in red with remediation guidance.

FAQ

Frequently asked questions

Common questions about this tool and how it fits into your VoIP security workflow.

Contact support →
  • Yes. Paste the raw text of any SIP message — request line, headers, and body — into this tool. It parses and formats the message without installing desktop software.

Suspicious packet?

Check the source IP in our global honeypot database.

Cross-reference the attacking IP against 214 active SIP honeypots. See threat score, attack patterns, and first/last seen timestamps.