During my experience of joining the UC escalation team, one thing I needed to do was get ramped up on the SIP protocol used by our products. Coming from the Exchange world, I was very familiar with client to server networking over many protocols. Exchange Server even offered IM at one time, but it’s a FAR cry from what we have today. So I started as any good engineer would, looking at my own Communicator traffic and trying to understand it.
By default, OCS 2007 clients all use TLS out of the box, which makes network tracing more difficult. Since the traffic is encapsulated in TLS then you can really only see the endpoints and TLS negotiation. This can be useful for some troubleshooting, but for my purposes of better understanding SIP it was not so good. Good thing for me, there was pretty good proprietary logging built-in to the clients.
Since the Messenger & Communicator 2005 clients were introduced, we have offered several types of log files. With earlier clients it was necessary to edit the registry to enable this logging (more). Starting with Communicator 2007 we moved this into the GUI which correlates to the same registry keys.
The ‘Turn on logging in Communicator’ results in all diagnostic logging being enabled in the registry. Where as the newer option ‘Turn on Windows Event logging for Communicator’ results in just local event logging. Again, good for some things but not for reading SIP.
Ok, so after enabling the diagnostic logging and restarting Communicator, you can find these logs in the %USERPROFILE%\TRACING folder of your client machine. Among them will be the .UCCAPILOG and .ETL files. The Communicator.ETL file is very proprietary. It is only useful for sending to Microsoft for troubleshooting client side connections.
The .UCCAPILOG however is clear text and may be viewed with notepad or SNOOPER.EXE from the OCS ResKit. Using SNOOPER.EXE results in removing the tracing info and formatting the SIP packets to a nice readable format, definitely recommended!
And SNOOPER.EXE does have the ability to read the file while Communicator is running. Using the Reload File command will allow you to refresh the latest entries for viewing.
So this was plenty for me to get ramped up on SIP protocol and start my adventure. However, I went one step further looking for a method to see my SIP traffic real-time!
In the UNIX world the TAIL command has been used for years to view real-time running log files. There are many variations on this command for Windows and I have used them many times for monitoring SMTP or W3SVC logs. I wonder?
One of my favorite Windows versions of this utility is BareTail from Bare Metal Software. They offer a free and commercial version of the utility. By downloading the free version, pointing it towards my .UCCAPILOG file I was able to see my SIP traffic real-time!
Another thing I like about BareTail is the ability to add filters to highlight specific entries. By creating some SIP specific filters, I can now see at a glance my SIP traffic in real-time!
(IP’s and server names removed to protect the innocent!)