With the widespread adoption of SIP-based VoIP, understanding the
characteristics of SIP traffic behavior is critical to problem diagnosis
and security protection of VoIP services. A general methodology is
provided for profiling SIP-based VoIP traffic behavior at several levels:
SIP server host, server entity (e.g., registrar and call proxy) and
individual user levels. Using SIP traffic traces captured in a production
VoIP network, the characteristics of SIP-based VoIP traffic behavior in
an operational environment are illustrated and the effectiveness of the
general profiling methodology is demonstrated. In particular, the
profiling methodology identifies anomalies due to performance problems
and/or implementation flaws through a case study. The efficacy of the
methodology in detecting potential VoIP attacks is also demonstrated
through test bed experimentation.