Sniffer detailed architecture

From VoIPmonitor.org
Revision as of 10:44, 9 January 2026 by Admin (Add: sniffer_stat command documentation with pbStatString explanation for SQLq)

Common Commands

# Get sniffer version
echo 'sniffer_version' | nc 127.0.0.1 5029

# List active calls
echo 'listcalls' | nc 127.0.0.1 5029

# List active registrations
echo 'listregisters' | nc 127.0.0.1 5029

# Get thread statistics
echo 'sniffer_threads' | nc 127.0.0.1 5029

# Reload configuration
echo 'reload' | nc 127.0.0.1 5029

sniffer_stat Output

The sniffer_stat command returns JSON with detailed sensor status:

echo 'sniffer_stat' | nc 127.0.0.1 5029 | jq .

The SQL queue metric is located in the pbStatString field:

Field        | Format                | Example
pbStatString | Text string with SQLq | SQLq[C1:145 / 0.059s / 2q/s]

ℹ️ Note: If the SQL queue is empty, the SQLq string will not appear in pbStatString.

Example output showing SQLq in pbStatString:

{
  "pbStatString": "calls[315][355] PS[C:4 S:29 R:6354] SQLq[C1:145 / 0.059s / 2q/s] heap[0|0|0] [12.6Mb/s] t0CPU[5.2%]",
  "version": "2025.9.0",
  ...
}

ℹ️ Note: The GUI communicates with sensors via this API. If the GUI cannot connect to a sensor, verify port 5029 is accessible and the service is running.
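
A monitoring check built on the sniffer_stat output above, as an added example that is not part of the original page or of VoIPmonitor's own tooling: it parses pbStatString, treats a missing SQLq token as an empty queue, and flags t0CPU at or above 90%. Reading the number after the colon as the queue depth, the max_queue threshold of 1000, and the function names are assumptions.

```python
import json
import re
import sys

# Constructed sample, modelled on the example output on this page.
SAMPLE = ('{"pbStatString": "calls[315][355] PS[C:4 S:29 R:6354] '
          'SQLq[C1:145 / 0.059s / 2q/s] heap[0|0|0] [12.6Mb/s] t0CPU[5.2%]", '
          '"version": "2025.9.0"}')

SQLQ_RE = re.compile(r"SQLq\[([^\]]*)\]")
T0CPU_RE = re.compile(r"t0CPU\[([0-9.]+)%\]")


def parse_stat(raw_json):
    """Extract SQL queue counters and t0CPU from sniffer_stat JSON text."""
    pb = json.loads(raw_json).get("pbStatString", "")
    queues = {}
    m = SQLQ_RE.search(pb)
    if m:
        # Counters sit before the first '/'; the time and rate fields follow.
        counters = m.group(1).split("/")[0]
        queues = {k: int(v) for k, v in re.findall(r"(\w+):(\d+)", counters)}
    # No SQLq[...] token means the queue is empty, not that parsing failed.
    cpu = T0CPU_RE.search(pb)
    return {"sqlq": queues, "t0cpu": float(cpu.group(1)) if cpu else None}


def check(stat, max_queue=1000, max_t0cpu=90.0):
    """Return a list of alert strings; an empty list means healthy."""
    alerts = []
    for name, depth in stat["sqlq"].items():
        if depth > max_queue:  # assumed threshold, tune per deployment
            alerts.append(f"SQLq {name} depth {depth} > {max_queue}")
    if stat["t0cpu"] is not None and stat["t0cpu"] >= max_t0cpu:
        alerts.append(f"t0CPU {stat['t0cpu']}% >= {max_t0cpu}%")
    return alerts


if __name__ == "__main__":
    # Usage: echo 'sniffer_stat' | nc 127.0.0.1 5029 | python3 this_file.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    problems = check(parse_stat(text))
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

The non-zero exit status on any alert lets the script be dropped into cron or a monitoring agent as a simple health probe.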


AI Summary for RAG

Summary: This document describes the internal architecture of the VoIPmonitor sniffer. The sniffer uses a multi-stage pipeline: (1) t0 thread captures packets from kernel ring buffer using TPACKET_V3, (2) packets are queued in user-space packet buffer (max_buffer_mem), (3) preprocessing threads parse SIP/RTP, (4) call assembly correlates packets into calls using Call-ID/SSRC/SDP, (5) parallel threads write PCAPs to disk and CDRs to database. Critical metrics: t0CPU (must stay below 90%), SQLq (database queue depth), rss/vsize (memory usage). Key buffers: ringbuffer (kernel, default 50MB), max_buffer_mem (user space, default 2000MB), query_cache (disk-based SQL queue for reliability). Manager API on port 5029 provides control interface for GUI and CLI tools.

Keywords: sniffer architecture, t0 thread, t0CPU, ringbuffer, max_buffer_mem, packet buffer, query_cache, SQLq, threading model, packet capture, TPACKET_V3, call assembly, RTP correlation, manager API, port 5029, memory management, OOM, database pipeline, mysqlstore_max_threads_cdr, quick_save_cdr

Key Questions:

  • What is the t0 thread and why is it critical?
  • How do I monitor t0CPU and what does high t0CPU mean?
  • What is the ringbuffer and how do I size it?
  • What is max_buffer_mem and when should I increase it?
  • What does "PACKETBUFFER: MEMORY IS FULL" mean?
  • What is query_cache and why should I enable it?
  • How do I monitor the SQL queue (SQLq)?
  • What is the manager API and what port does it use?
  • How does VoIPmonitor correlate packets into calls?
  • What causes OOM errors and how do I prevent them?
  • How many threads does VoIPmonitor use?
  • What is the difference between ringbuffer and max_buffer_mem?