SIP Flow

How to capture a SIP trace with Asterisk

PBX-side traces.txt.pcap

Asterisk's PJSIP and chan_sip stacks both expose verbose SIP logging from the CLI. You can dump SIP messages straight to the Asterisk console or full log file, then either send the text log to SIP Flow or pcap the loopback to convert it to .pcap.

When to reach for this

  • You can SSH into the Asterisk box and reach `asterisk -rvvv`
  • You want vendor-shaped output that mirrors what shows up in `/var/log/asterisk/full`
  • The box is too locked-down to install sngrep/Wireshark

Before you start

  • Asterisk 16+ (PJSIP) or 13+ (chan_sip)
  • Read access to `/var/log/asterisk/` (or wherever `logger.conf` writes `full`)
  • Optional but recommended — `tcpdump` for a parallel pcap

Steps

  1. 1

    Enable PJSIP message logging

    For modern Asterisk (PJSIP) drop into the CLI and turn on the SIP logger. This prints every inbound and outbound SIP message to the console and to `full` if `verbose` is set high enough in `logger.conf`. 

    asterisk -rx 'pjsip set logger on'
  2. 2

    Or, for legacy chan_sip

    Older deployments still use chan_sip. Same idea, different command. Turn it back off when you're done — chan_sip debug is chatty. 

    asterisk -rx 'sip set debug on'
  3. 3

    Reproduce the call and capture the log

    Trigger the failing call. Then grab the relevant slice of the `full` log — usually the last 30-60 seconds is plenty. 

    tail -n 5000 /var/log/asterisk/full > /tmp/asterisk-sip.txt
  4. 4

    Optionally, run tcpdump in parallel

    Asterisk's text log is great for context, but a real .pcap gives SIP Flow exact timestamps and lets it ladder RTP too. Run this in a second SSH session before you reproduce the call. 

    sudo tcpdump -i any -n -s 0 -w /tmp/asterisk.pcap \
  'udp port 5060 or tcp port 5060 or tcp port 5061'
  5. 5

    Disable the logger when finished

    PJSIP/chan_sip logger overhead is small but non-zero on busy systems. Always turn it back off after you've grabbed the trace. 

    asterisk -rx 'pjsip set logger off'

Tips from people who've done this 1,000 times

  • Filter logging to one host with `pjsip set logger host 203.0.113.10` — invaluable on busy SBC-fronted PBXs
  • `pjsip set logger pcap /tmp/asterisk.pcap` (Asterisk 18+) writes a real pcap directly from PJSIP — no tcpdump needed
  • Pair the text log with the pcap when filing a ticket — vendors love both

Pitfalls

  • If `logger.conf` `console` channel is at default verbosity you'll only see truncated lines; set `verbose=5` minimum
  • chan_sip is deprecated and removed in Asterisk 21+ — if `sip set debug` errors, you're on PJSIP
  • PJSIP logger output redacts nothing — strip credentials before pasting into a public ticket

Got the trace? Render the ladder.

Drop your Asterisk export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask Gemini to explain what went wrong — all client-side by default.

Open analyzer

Related capture guides

Capture from a different tool

SIP Flow · Free, private SIP/VoIP analyzer

Core utility runs entirely in your browser. AI debugging is opt-in and pseudonymizes by default.