Live sniffer
The Live Sniffer feature displays SIP packets in real-time as they are captured by the sensor. This is useful for debugging call flows, network issues, or configuration problems.
Overview
Live Sniffer streams live SIP packets from the sensor to the GUI in real-time. To use this feature:
- Navigate to Live Sniffer in the GUI
- Select the sensor you want to monitor from the dropdown
- Click Start to begin capturing packets
- Optionally enter an IP address or phone number in the filter toolbar to limit the display
Note: It is recommended to use the filter toolbar when the sniffer is capturing a high volume of SIP traffic to improve performance.
Features
- Call coloring: Each call or REGISTER message is colored according to Call-ID to visualize which packets belong to the same call
- Packet details: Click the
[+]icon to unfold and view detailed packet contents - RTP filtering: Live Sniffer does not display RTP packets (SIP only)
- PCAP export:
- Save individual packets to PCAP file using the save button
- Save multiple packets by holding
Ctrland clicking, or select a range usingShift+ click - Save all sniffed packets using the bulk save option
- Pause functionality: Click pause to stop the web page refresh while the sniffer continues capturing
- Multi-user support: Multiple users can safely use Live Sniffer simultaneously
Filtering
The filter toolbar supports filtering by IP address or phone number.
Phone Number Filtering
When filtering by phone number, enter either the prefix (first digits) or suffix (last digits) of the number. Substring matching from the middle of a number is not supported.
| Filter Input | Matches | Example Number: 1536713030
|
|---|---|---|
1536 |
Numbers starting with 1536 | ✅ Match (prefix) |
713030 |
Numbers ending with 713030 | ✅ Match (suffix) |
367130 |
Middle substring | ❌ No match |
1536713030 |
Exact number | ✅ Match |
ℹ️ Note: Multiple filters: Entering a space creates two separate filters. For example, 1536 713030 creates two filters that match independently. This is why adding a space sometimes appears to "fix" filtering - it's actually creating two separate prefix/suffix filters.
IP Address Filtering
IP address filtering matches source or destination addresses:
| Filter Input | Matches |
|---|---|
192.168.1.100 |
Exact IP address |
192.168.1 |
IPs starting with 192.168.1.x |
192.168 |
IPs starting with 192.168.x.x |
💡 Tip: When monitoring high-traffic systems, always use filters to reduce the volume of displayed packets and improve GUI performance.
Live Sniffer Image
Troubleshooting
Live Sniffer Fails with "Sniffer version(s) must be >= 21.6" Error
If you attempt to start Live Sniffer and receive the error Sniffer version(s) must be >= 21.6, this can be caused by multiple issues even when your sensor version meets or exceeds the required version.
= Cause 1: Incorrect Manager IP Configuration (127.0.0.1)
Symptoms:
- Error:
Sniffer version(s) must be >= 21.6 - Sensor version shown in Settings > Sensors meets the requirement
- One or more sensors configured with IP address
127.0.0.1
Root Cause:
When you attempt to start Live Sniffer, the GUI checks the version of all sensors defined in Settings -> Sensors. If one or more sensors are configured with 127.0.0.1 (localhost), the GUI queries itself instead of the actual remote sensor. This can cause the version check to fail.
Resolution:
1. Navigate to Settings -> Sensors in the VoIPmonitor GUI
2. Check the Manager IP column for each sensor
3. Identify any sensor using 127.0.0.1 or duplicate IP addresses
4. Change the Manager IP to the actual unique IP address of each sensor
5. Click Save** to apply the changes
6. Attempt to start Live Sniffer again
For more details, see Sniffer Upgrade: Troubleshooting.
= Cause 2: Encryption Key Mismatch
Symptoms:**
- Error:
Sniffer version(s) must be >= 21.6 - All Manager IPs are correctly configured (not 127.0.0.1)
- Sensor version meets the requirement
- Sensor appears disconnected in Settings > Sensors
Root Cause:
This issue is caused by a mismatch in the server_password (encryption key) used for communication between the GUI and the sensors. The GUI cannot properly authenticate with the sensor to retrieve version information or start the Live Sniffer session.
Resolution: 1. Regenerate or set a new encryption key (server_password):
# On the central server
server_password = your_new_strong_password
# On each remote sensor
server_password = your_new_strong_password
2. Restart the sniffer service on all affected sensors:
systemctl restart voipmonitor
3. Test the Live Sniffer functionality to confirm the issue is resolved
Important: All sensors and the central server must use the same server_password value.
For distributed architecture details, see Distributed Architecture Documentation.
Live Sniffer Shows No Packets
- Verify the selected sensor is capturing traffic by checking CDRs in the GUI
- Ensure the sensor is running:
systemctl status voipmonitor - Check network connectivity from GUI to sensor on port 5029 (Manager API)
- Verify firewall rules allow traffic on the required ports
Live Sniffer Cannot Start
- Check that the sensor is connected to the GUI (visible in Settings -> Sensors)
- Verify the Manager IP and Manager Port settings are correct
- Ensure the
voipmonitorservice is running on the sensor - Check sensor logs:
journalctl -u voipmonitor -f
Technical Details
Live Sniffer communicates with sensors over the Manager API (default TCP port 5029). When you select a sensor in the Live Snifter dropdown and click Start, the GUI: 1. Verifies the sensor meets the minimum version requirement (21.6) 2. Establishes a connection to the sensor's Manager API 3. Streams SIP packets from the sensor to the GUI in real-time
The GUI enforces the version check to ensure protocol compatibility. Errors during version verification can occur if:
- The Manager IP is misconfigured (pointing to localhost instead of the actual sensor)
- The encryption keys (
server_password) do not match - The sensor is not running or cannot be reached
- There are network/connectivity issues
AI Summary for RAG
Summary: The Live Sniffer feature displays SIP packets in real-time from sensors to the GUI. To use: select sensor, click Start, optionally filter by IP/number. Features include call coloring by Call-ID, packet details unfold, multi-user support, pause function, no RTP display, and PCAP export options. TROUBLESHOOTING: Error "Sniffer version(s) must be >= 21.6" has two common causes: (1) Incorrect Manager IP 127.0.0.1 in Settings > Sensors - fix by changing to actual sensor IPs; (2) Encryption key mismatch (server_password) - fix by regenerating/changing password to match on all sensors and restarting services. Other issues: no packets (verify sensor capturing traffic, service running, port 5029 connectivity), cannot start (check sensor connected in Settings, Manager IP/Port correct, voipmonitor service running). Live Sniffer uses Manager API port 5029 for real-time streaming with minimum version 21.6 requirement for protocol compatibility. Keywords: Live Sniffer, real-time SIP monitoring, packet capture, troubleshooting, version error, 21.6, Manager IP, localhost, 127.0.0.1, server_password, encryption key, authentication, sensor connection, packet filtering, pause, PCAP export, Call-ID coloring, Manager API, port 5029, distributed sensors Key Questions:
- What is Live Sniffer and how do I use it?
- How do I start Live Sniffer in the VoIPmonitor GUI?
- Why does Live Sniffer show the error "Sniffer version(s) must be >= 21.6"?
- How do I fix Live Sniffer error when sensor version meets requirements?
- What causes Manager IP 127.0.0.1 issues in Live Sniffer?
- How do I fix encryption key mismatch between GUI and sensors?
- Does Live Sniffer display RTP packets?
- How do I filter packets in Live Sniffer?
- Why is Live Sniffer showing no packets?
- Can multiple users use Live Sniffer simultaneously?