Difference between revisions of "Manual export of pcap files from spooldir"
Line 1: | Line 1: | ||
== Notes == | == Notes == | ||
− | '''RTP format:''' With default | + | '''RTP format:''' With default voipmonitor.conf RTP pcap chunks are compressed by LZO which are tared and archived in directory in date-hourminute |
+ | |||
option '''pcap_dump_zip_rtp = lzo''' | option '''pcap_dump_zip_rtp = lzo''' | ||
− | '''SIP format:''' With default | + | '''SIP format:''' With default voipmonitor.conf SIP compression uses gzip |
option '''tar_compress_sip = gzip''' | option '''tar_compress_sip = gzip''' | ||
== Export pcap file with default config used == | == Export pcap file with default config used == | ||
− | |||
− | |||
− | |||
− | |||
− | === information | + | === Get information about CDR from database === |
You will need: | You will need: | ||
− | 1. | + | 1.cdr.id (103) |
− | 2.Date time of | + | 2.Date time of call start (2016-08-23 16:37:38) |
3.Call-ID (CwA8j-SNSN) | 3.Call-ID (CwA8j-SNSN) | ||
− | 4.Location of your spooldir ( | + | 4.Location of your spooldir (spooldir=X) |
− | + | ||
example : [[File: cdr_detail_for_export_pcap_default.jpg]] | example : [[File: cdr_detail_for_export_pcap_default.jpg]] | ||
− | + | SQL Query: | |
− | + | SELECT cdr.calldate,cdr.caller,cdr.called,cdr.id as cdrID,cdr_next.fbasename as callID from cdr,cdr_next where cdr.id=cdr_next.cdr_ID and cdr.calldate >= '2017-02-01 00:00:00' and cdr.calldate <= '2017-02-01 23:59:59' and cdr.caller like '+222%'; | |
− | |||
+ | You MUST use cdr.calldate condition otherwise database will be overloaded by searching in all partitions | ||
=== export SIP pcap === | === export SIP pcap === | ||
− | + | ||
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap | tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap | ||
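Review bot: The SQL example added under "Get information about CDR from database" filters on calldate 2017-02-01 and caller like '+222%', while every other step on the page follows the call from 2016-08-23 16:37:38 (cdr.id 103, Call-ID CwA8j-SNSN). Use that same call in the query so the returned cdrID and callID can be traced through the later tar and voipmonitor commands. The SIP export writes /tmp/expsip.pcap, so either keep that name through to the merge step or export to sip.pcap here. In the RTP format note, "tared" should read "tarred".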
Line 39: | Line 36: | ||
− | === export RTP | + | === export RTP === |
− | + | ||
− | + | Get RTP positions | |
+ | |||
mysql> SELECT pos FROM voipmonitor.cdr_tar_part where cdr_id = 103 and type = 2 and calldate = '2016-08-23 16:37:38'; | mysql> SELECT pos FROM voipmonitor.cdr_tar_part where cdr_id = 103 and type = 2 and calldate = '2016-08-23 16:37:38'; | ||
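Review bot: The cdr_tar_part query under "Get RTP positions" filters on type = 2 without saying what that value selects. Add a short note on what the type value means so a reader can tell why these rows are the RTP positions, and state that cdr_id and calldate are the cdr.id and call start time collected in the first step.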
Line 51: | Line 49: | ||
4 rows in set (0,00 sec) | 4 rows in set (0,00 sec) | ||
− | + | use positions returned from db and extract pcap | |
− | |||
− | = | + | /usr/local/sbin/voipmonitor -kc -d /var/spool/voipmonitor/ --untar-gui='/var/spool/voipmonitor//2016-08-23/16/37/RTP/rtp_2016-08-23-16-37.tar CwA8j-SNSN.pcap 0,164352,328704,493056 rtp.pcap' |
− | + | ||
+ | '''Alternative RTP extraction without knowing positions from database - this will consume more IO reads as tar file has to be fully scanned''' | ||
+ | |||
+ | tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/15/27/RTP/rtp_2016-08-23-15-27.tar' 'R3YqlN7pnY.pcap*' > rtp.pcap | ||
+ | '''if LZO compression for RTP pcaps is enabled ''' | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | If LZO compression for RTP pcas is enabled you have to unLZO it first before merging with SIP | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | voipmonitor -kc --unlzo-gui='rtp.pcap rtp-uncompressed.pcap' | |
− | |||
=== merge SIP and RTP into one file === | === merge SIP and RTP into one file === | ||
− | mergecap -w | + | (apt-get install tshark | yum install wireshark) |
+ | |||
+ | mergecap -w rtp.pcap sip.pcap final.pcap |
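Review bot: In the merge step, "mergecap -w rtp.pcap sip.pcap final.pcap" has its arguments in the wrong order: -w takes the output file, so this overwrites rtp.pcap and reads final.pcap as an input. It should read "mergecap -w final.pcap sip.pcap rtp.pcap". The file names also do not line up with the earlier steps: the SIP export writes /tmp/expsip.pcap rather than sip.pcap, and when LZO is enabled the RTP input to the merge should be rtp-uncompressed.pcap. The new LZO paragraph has a typo ("pcas") and repeats its own bold heading.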
Revision as of 12:38, 27 November 2019
Notes
RTP format: With the default voipmonitor.conf, RTP pcap chunks are compressed with LZO, then tarred and archived in a directory named by date, hour and minute
option pcap_dump_zip_rtp = lzo
SIP format: With the default voipmonitor.conf, SIP pcaps are compressed with gzip
option tar_compress_sip = gzip
Export pcap file with default config used
Get information about CDR from database
You will need:
1. cdr.id (103)
2. Date time of call start (2016-08-23 16:37:38)
3. Call-ID (CwA8j-SNSN)
4. Location of your spooldir (spooldir=X)
SQL Query:
SELECT cdr.calldate,cdr.caller,cdr.called,cdr.id as cdrID,cdr_next.fbasename as callID from cdr,cdr_next where cdr.id=cdr_next.cdr_ID and cdr.calldate >= '2017-02-01 00:00:00' and cdr.calldate <= '2017-02-01 23:59:59' and cdr.caller like '+222%';
You MUST use a cdr.calldate condition; otherwise the database will be overloaded by searching in all partitions
export SIP pcap
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap
export RTP pcap
voipmonitor -kc --unlzo-gui='input.pcap output.pcap' # if the path to a file is not absolute (/...), it is relative to the spooldir directory (the GUI decompresses it on the fly and serves it as gzip)
export RTP
Get RTP positions
mysql> SELECT pos FROM voipmonitor.cdr_tar_part where cdr_id = 103 and type = 2 and calldate = '2016-08-23 16:37:38';
Returned:
pos: 0
pos: 164352
pos: 328704
pos: 493056
4 rows in set (0,00 sec)
Use the positions returned from the database to extract the pcap:
/usr/local/sbin/voipmonitor -kc -d /var/spool/voipmonitor/ --untar-gui='/var/spool/voipmonitor//2016-08-23/16/37/RTP/rtp_2016-08-23-16-37.tar CwA8j-SNSN.pcap 0,164352,328704,493056 rtp.pcap'
Alternative RTP extraction without knowing the positions from the database. This consumes more IO reads because the tar file has to be fully scanned
tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/15/27/RTP/rtp_2016-08-23-15-27.tar' 'R3YqlN7pnY.pcap*' > rtp.pcap
if LZO compression for RTP pcaps is enabled
If LZO compression for RTP pcaps is enabled, you have to unLZO the RTP pcap before merging it with SIP
voipmonitor -kc --unlzo-gui='rtp.pcap rtp-uncompressed.pcap'
merge SIP and RTP into one file
mergecap is installed with: apt-get install tshark (Debian/Ubuntu) or yum install wireshark (RHEL/CentOS)
mergecap -w final.pcap sip.pcap rtp.pcap
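The whole procedure as one script, as an added example that is not part of the original wiki page or of VoIPmonitor's own tooling: it derives both archive paths from cdr.calldate, validates the Call-ID before it is used as a tar wildcard, and reads RTP with the full-scan tar method. The function names, the allowed Call-ID character set and the output file names are assumptions.

```sh
#!/bin/sh
# Added example, not VoIPmonitor code; all function names are hypothetical.

# Print the archive path for a call. $1 spooldir, $2 cdr.calldate, $3 SIP|RTP.
# Assumes the date/hour/minute layout shown in the commands on this page.
spool_tar_path() (
    spool=${1%/}; calldate=$2
    case $calldate in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' '[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) exit 1 ;;
    esac
    day=${calldate%% *}; clock=${calldate#* }
    hh=${clock%%:*}; mm=${clock#*:}; mm=${mm%%:*}
    case $3 in
        SIP) name=sip ext=tar.gz ;;   # tar_compress_sip = gzip
        RTP) name=rtp ext=tar ;;      # LZO-compressed chunks inside a plain tar
        *) exit 1 ;;
    esac
    printf '%s/%s/%s/%s/%s/%s_%s-%s-%s.%s\n' \
        "$spool" "$day" "$hh" "$mm" "$3" "$name" "$day" "$hh" "$mm" "$ext"
)

# Print the tar member pattern for a Call-ID. The Call-ID originates in SIP
# traffic, so refuse anything that could act as a glob, a path or an option.
# The allowed character set is an assumption; widen it to fit your Call-IDs.
member_pattern() (
    case $1 in
        ''|-*|*[!A-Za-z0-9._@-]*) exit 1 ;;
    esac
    printf '%s.pcap*\n' "$1"
)

# Extract and merge one call. $1 spooldir, $2 calldate, $3 Call-ID,
# $4 absolute output directory. RTP is read with the full-scan tar method.
export_call() (
    sip_tar=$(spool_tar_path "$1" "$2" SIP) || exit 1
    rtp_tar=$(spool_tar_path "$1" "$2" RTP) || exit 1
    pat=$(member_pattern "$3") || exit 1
    tar --wildcards -xOf "$sip_tar" "$pat" > "$4/sip.pcap" || exit 1
    tar --wildcards -xOf "$rtp_tar" "$pat" > "$4/rtp.pcap" || exit 1
    # Default pcap_dump_zip_rtp = lzo: decompress before merging.
    voipmonitor -kc --unlzo-gui="$4/rtp.pcap $4/rtp-uncompressed.pcap" || exit 1
    mergecap -w "$4/final.pcap" "$4/sip.pcap" "$4/rtp-uncompressed.pcap"
)
```

Call it as export_call /var/spool/voipmonitor '2016-08-23 16:37:38' CwA8j-SNSN /tmp/export; the output directory must already exist and be absolute, because --unlzo-gui resolves relative paths against the spooldir.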