Difference between revisions of "Manual export of pcap files from spooldir"
| Line 29: | Line 29: | ||
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap | tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| Line 65: | Line 58: | ||
If LZO compression for RTP pcas is enabled you have to unLZO it first before merging with SIP | If LZO compression for RTP pcas is enabled you have to unLZO it first before merging with SIP | ||
| − | + | voipmonitor -kc --unlzo-gui='/path/to/rtp.pcap /path/to/rtp-uncompressed.pcap' | |
| − | voipmonitor -kc --unlzo-gui='rtp.pcap rtp-uncompressed.pcap' | + | #if path to file is not absolute (/...) it is relative to the spooldir directory |
| − | |||
=== merge SIP and RTP into one file === | === merge SIP and RTP into one file === | ||
(apt-get install tshark | yum install wireshark) | (apt-get install tshark | yum install wireshark) | ||
mergecap -w rtp.pcap sip.pcap final.pcap | mergecap -w rtp.pcap sip.pcap final.pcap | ||
Revision as of 12:41, 27 November 2019
Notes
RTP format: With default voipmonitor.conf RTP pcap chunks are compressed by LZO which are tared and archived in directory in date-hourminute
option pcap_dump_zip_rtp = lzo
SIP format: With default voipmonitor.conf SIP compression uses gzip
option tar_compress_sip = gzip
Export pcap file with default config used
Get information about CDR from database
You will need:
1.cdr.id (103) 2.Date time of call start (2016-08-23 16:37:38) 3.Call-ID (CwA8j-SNSN) 4.Location of your spooldir (spooldir=X)
example : 
SQL Query:
SELECT cdr.calldate,cdr.caller,cdr.called,cdr.id as cdrID,cdr_next.fbasename as callID FROM cdr,cdr_next WHERE cdr.id=cdr_next.cdr_ID AND cdr.calldate >= '2017-02-01 00:00:00' AND cdr.calldate <= '2017-02-01 23:59:59' AND cdr.caller like '+222%';
You MUST use cdr.calldate condition otherwise database will be overloaded by searching in all partitions
export SIP pcap
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap
export RTP
Get RTP positions
mysql> SELECT pos FROM voipmonitor.cdr_tar_part where cdr_id = 103 and type = 2 and calldate = '2016-08-23 16:37:38';
Returned:
pos: 0 pos: 164352 pos: 328704 pos: 493056 4 rows in set (0,00 sec)
use positions returned from db and extract pcap
/usr/local/sbin/voipmonitor -kc -d /var/spool/voipmonitor/ --untar-gui='/var/spool/voipmonitor//2016-08-23/16/37/RTP/rtp_2016-08-23-16-37.tar CwA8j-SNSN.pcap 0,164352,328704,493056 rtp.pcap'
Alternative RTP extraction without knowing positions from database - this will consume more IO reads as tar file has to be fully scanned
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/15/27/RTP/rtp_2016-08-23-15-27.tar' 'R3YqlN7pnY.pcap*' > rtp.pcap
if LZO compression for RTP pcaps is enabled
If LZO compression for RTP pcas is enabled you have to unLZO it first before merging with SIP
voipmonitor -kc --unlzo-gui='/path/to/rtp.pcap /path/to/rtp-uncompressed.pcap' #if path to file is not absolute (/...) it is relative to the spooldir directory
merge SIP and RTP into one file
(apt-get install tshark | yum install wireshark)
mergecap -w rtp.pcap sip.pcap final.pcap