Reprocess Historical Calls

From VoIPmonitor.org


Reprocess Historical Calls

This guide explains how to re-analyze previously captured PCAP files using VoIPmonitor. This is useful for applying new configurations, testing detection methods, or recovering data after schema changes.

Use Cases

Use Case Description
Pre-deployment verification Upload sample traffic (VoLTE, WebRTC, TLS) to confirm VoIPmonitor can parse the protocol before deploying live mirroring
Retroactive SIP response capture Enable save_sip_responses = yes to find intermediate SIP codes (like 491) from calls captured before this feature was enabled
Testing new detection methods Apply updated algorithms for fax/DTMF/silence detection to historical data
Configuration experimentation Test how new capture rules would have behaved on past traffic
Schema upgrades Reprocess old PCAPs to leverage new database features
License reset recovery Reprocess PCAPs after truncating CDR tables (see License Lock)

Methods

Method 1: Single PCAP File (-r option)

Process a single PCAP file and generate CDRs: 

voipmonitor --config-file /etc/voipmonitor.conf -r /path/to/capture.pcap

GUI alternative: Use Tools → Load PCAP to upload files via web interface.

ℹ️ Note: Configure the upload sniffer config path in Settings → System Configuration → Upload sniffer conf path

Method 2: Directory Processing (--readpcapdir)

Process all PCAPs in a directory (e.g., the spooldir): 

voipmonitor --config-file /etc/voipmonitor.conf --readpcapdir /var/spool/voipmonitor

This recursively processes the spooldir structure (YYYY-MM-DD/HH/MM/).

Method 3: Continuous Directory Scanning (scanpcapdir)

For near-real-time processing of PCAP files as they are created (e.g., by tcpdump): 

# /etc/voipmonitor.conf
scanpcapdir = /dev/shm/voipmonitor
scanpcapmethod = newfile
Parameter Description
scanpcapdir Directory to monitor for new PCAP files
scanpcapmethod Detection method: newfile (default) or rename

Example tcpdump command creating 5-second PCAP files: 

tcpdump -i eth0 -G 5 -w /dev/shm/voipmonitor/%s.pcap

Processing to a Separate Database

⚠️ Warning: Never reprocess directly to your production database. Always use a separate database for reprocessed data.

Step 1: Create Isolated Database

mysql -u root -p -e "CREATE DATABASE voipmonitor_reprocess;"

Step 2: Create Dedicated Configuration

cp /etc/voipmonitor.conf /etc/voipmonitor-reprocess.conf

Edit the reprocess config: 

# /etc/voipmonitor-reprocess.conf
mysqldb = voipmonitor_reprocess

# Disable live capture
interface =

# Apply desired new settings
save_sip_responses = yes
silencedetect = yes
inbanddtmf = yes

# Different manager port to avoid conflicts
managerport = 5030

Step 3: Run Reprocessing

voipmonitor --config-file /etc/voipmonitor-reprocess.conf --readpcapdir /var/spool/voipmonitor

Step 4: Connect GUI to Reprocessed Data

Either:

  • Change mysqldb in GUI's configuration.php temporarily, or
  • Create a second GUI instance pointing to the reprocess database

PCAP to Audio Conversion

Extract audio from a PCAP file without database: 

# /tmp/voipmonitor-audio.conf
spooldir = /tmp/audio_output
saveaudio = ogg
nocdr = yes
savesip = no
savertp = no

voipmonitor --config-file=/tmp/voipmonitor-audio.conf -k -v1 -r /path/to/call.pcap

Audio formats: ogg, wav, mp3

Performance Considerations

  • CPU: Reprocessing is CPU-intensive. Monitor t0CPU usage.
  • I/O: SSD recommended for large datasets. Spooldir uses nested TAR archives.
  • Memory: Same requirements as live capture.
  • Parallelization: Use multiple instances with different date ranges for faster processing.

💡 Tip: Schedule reprocessing during off-peak hours to avoid impacting live monitoring.

Troubleshooting

Problem Solution
No CDRs generated Verify PCAP contains complete SIP dialogs (INVITE through BYE). Check sipport matches ports in PCAP.
CDR count mismatch Some calls may span multiple PCAP files. Ensure all related files are processed.
Permission errors Run as root or ensure voipmonitor user has read access to PCAP files.
Database connection failed Verify MySQL credentials in config and that target database exists.
Missing audio Ensure PCAP contains both SIP and RTP packets. Check savertp = yes.

See Also

AI Summary for RAG

Summary: Guide for reprocessing historical PCAP files in VoIPmonitor. Three methods available: (1) Single file with -r option or GUI Load PCAP tool, (2) Directory processing with --readpcapdir for bulk reprocessing, (3) Continuous scanning with scanpcapdir config for near-real-time tcpdump integration. Critical safety rule: always use separate database for reprocessed data, never production. Common use cases include pre-deployment protocol verification (VoLTE, WebRTC), retroactive SIP response capture, testing new detection methods (silence, DTMF), and license lock recovery after CDR truncation. For audio extraction without database, use nocdr=yes with saveaudio option.

Keywords: reprocess, pcap, readpcapdir, scanpcapdir, historical calls, offline processing, batch processing, audio extraction, pre-deployment verification, retroactive capture, separate database, voipmonitor -r, Load PCAP, scanpcapmethod

Key Questions:

  • How do I reprocess historical PCAP files in VoIPmonitor?
  • How do I upload and process a PCAP file to verify protocol support?
  • How do I extract audio from a PCAP file without a database?
  • How do I process multiple PCAP files from a directory?
  • How do I set up continuous PCAP scanning from tcpdump output?
  • Can I reprocess calls to apply new configuration settings retroactively?
  • How do I safely reprocess data without affecting production?
  • How do I recover calls after truncating the CDR table?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Reprocess_Historical_Calls&oldid=10204"