If you are building anything that touches voice — a softphone, a call center integration, or a webhook that fires on incoming calls — you need to understand SIP at the protocol level. This is the guide I wish I had when I started.
SIP in 60 Seconds
SIP (Session Initiation Protocol) does three things:
- Finds the person you are calling (registration, location)
- Sets up the call (invite, negotiate codecs)
- Tears down the call when someone hangs up (bye)
SIP does NOT carry voice. That is RTP's job. SIP is the signaling layer — think of it as the phone ringing and being answered, not the actual conversation.
Key SIP Methods
REGISTER → "I am here, this is my IP address"
INVITE → "I want to start a call with you"
ACK → "I confirm the call is connected"
BYE → "I am hanging up"
CANCEL → "Never mind, cancel that invite"
OPTIONS → "Are you alive? What can you do?"
A Real SIP INVITE (Annotated)
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776
From: "Alice" <sip:alice@example.com>;tag=1928301774
To: <sip:bob@example.com>
Call-ID: a84b4c76e66710@192.168.1.100
CSeq: 314159 INVITE
Contact: <sip:alice@192.168.1.100>
Content-Type: application/sdp
Content-Length: 142

v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.100
c=IN IP4 192.168.1.100
m=audio 49170 RTP/AVP 0 8 97
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 opus/48000/2
The SDP body (after Content-Length) is where codec negotiation happens. In this example, Alice offers three codecs: G.711u (0), G.711a (8), and Opus (97).
Debugging SIP Issues
Tool: sngrep (Linux)
sudo sngrep -d eth0
# Shows SIP messages in real-time with call flow diagrams
Common Response Codes
200 OK → Success
401 Unauthorized → Bad credentials
403 Forbidden → IP not whitelisted
404 Not Found → User does not exist
408 Timeout → No response from remote end
486 Busy → Callee is on another call
503 Unavailable → Server overloaded
The 408 Timeout Debugging Path
408 Timeout usually means:
1. Firewall blocking SIP (check port 5060/5061)
2. DNS resolution failure (check SRV records)
3. NAT traversal failure (enable STUN)
4. Provider outage (check status page)
Security Essentials
ALWAYS use:
- TLS (port 5061) instead of UDP (port 5060)
- SRTP instead of RTP for media
- Strong registration passwords (16+ chars)
- IP-based access control on the registrar
NEVER:
- Expose port 5060 to the internet without an SBC
- Use default SIP passwords
- Skip disabling SIP ALG on NAT devices
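To check captured signaling against the TLS and SRTP rules above, here is an added example (not code from the original post) that parses an INVITE like the annotated one and reports plaintext transport, non-SRTP media, and private media addresses. The function names and finding strings are hypothetical, and it assumes only `TLS` in the Via header and `SAVP` media profiles count as encrypted.

```python
import ipaddress

# Constructed sample: the article's INVITE, abridged, with the blank line
# that separates SIP headers from the SDP body.
SAMPLE_INVITE = """\
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK776
Contact: <sip:alice@192.168.1.100>
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.100
c=IN IP4 192.168.1.100
m=audio 49170 RTP/AVP 0 8 97
a=rtpmap:0 PCMU/8000
"""

def parse_sip(raw):
    """Split a SIP message into (start_line, headers, sdp_lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *lines = head.split("\n")
    headers = {}
    for line in lines:  # folded and compact-form headers are not handled
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, [l for l in body.split("\n") if l]

def audit_invite(raw):
    """Check an INVITE against the TLS and SRTP rules; return findings."""
    _, headers, sdp = parse_sip(raw)
    findings = []
    for via in headers.get("via", []):
        transport = via.split()[0].rsplit("/", 1)[-1].upper()
        if transport != "TLS":  # assumption: TLS is the only accepted transport
            findings.append(f"signalling over {transport}, not TLS")
    for line in sdp:
        fields = line[2:].split()
        if len(fields) < 3:  # only m= and c= lines matter; both have 3+ fields
            continue
        if line.startswith("m=") and "SAVP" not in fields[2]:
            findings.append(f"{fields[0]} offered as {fields[2]}, not SRTP")
        elif line.startswith("c="):
            try:  # c= may carry a hostname; only literal IPs are checked
                private = ipaddress.ip_address(fields[2].split("/")[0]).is_private
            except ValueError:
                continue
            if private:
                findings.append(f"private media address {fields[2]}: NAT traversal needed")
    return findings
```

Running `audit_invite(SAMPLE_INVITE)` flags all three problems in the sample; an INVITE sent over TLS that offers `RTP/SAVP` from a public address returns an empty list.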
For production deployments, VestaCall at https://vestacall.com handles all SIP infrastructure (registration, codec negotiation, NAT traversal, and encryption) for small and mid-sized teams, so your developers can focus on application logic.