Difference between revisions of "Manual export of pcap files from spooldir"

From VoIPmonitor.org
Revision as of 19:02, 27 October 2017

Notes

RTP format: With the default config shipped with the latest voipmonitor sensor, RTP is compressed with LZO at capture time. Those LZO-compressed files are tarred into RTP archives selected by the date and hour-minute of the call start and by the call's Call-ID.

option pcap_dump_zip_rtp = lzo

SIP format: With the default config shipped with the latest voipmonitor sensor, SIP compression is applied after the tar archive has been created:

option tar_compress_sip = gzip


Export pcap file with default config used

precondition

The call needs to have been captured with the sensor's compression settings as in the default voipmonitor.conf (no change to the compression options):

pcap_dump_zip_rtp = lzo
option tar_compress_sip = gzip

information needed from CDR detail for export

You will need:

1. CDR.id (103)
2. Date time of a call start (2016-08-23 16:37:38)
3. Call-ID (CwA8j-SNSN)
4. Location of your spooldir (the 'spooldir' option is defined in /etc/voipmonitor.conf)

If your GUI is working

example: screenshot 'Cdr detail for export pcap default.jpg' (the CDR detail view showing the values listed above)

If your GUI is not working

You can ask the database for those CDR values with a query like this (it lists the calls of a caller starting with '+222' on the date 2017-02-01):

mysql> select cdr.calldate,cdr.caller,cdr.called,cdr.id as cdrID,cdr_next.fbasename as callID from cdr,cdr_next where cdr.id=cdr_next.cdr_ID and cdr.calldate >= '2017-02-01 00:00:00' and cdr.calldate < '2017-02-02 00:00:00' and cdr.caller like '+222%';


export SIP pcap

From the spooldir location (by default '/var/spool/voipmonitor'), the call start date '2016-08-23 16:37:38' in the example, and the Call-ID header 'CwA8j-SNSN', you can write the command:

tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/16/37/SIP/sip_2016-08-23-16-37.tar.gz' 'CwA8j-SNSN.pcap*' > /tmp/expsip.pcap


Export RTP pcap

voipmonitor -kc --unlzo-gui='input.pcap output.pcap'

If the path to a file is not absolute (does not start with /), it is relative to the spooldir directory.
(This is what the GUI does: it decompresses the file on the fly and serves it as gzip.)


Export RTP pcap

(the harder way, for old sniffers)

First we need to get the lzo positions from the database. With the call start '2016-08-23 16:37:38' from the example and the Call-ID header 'CwA8j-SNSN' you can write a query; type=2 means the RTP file type:

mysql> SELECT pos FROM voipmonitor.cdr_tar_part where cdr_id = 103 and type = 2 and calldate = '2016-08-23 16:37:38';

Returned:

pos: 0
pos: 164352
pos: 328704
pos: 493056
4 rows in set (0,00 sec)

Second, we use the positions returned from the database to export the RTP and un-LZO it using the voipmonitor binary:

/usr/local/sbin/voipmonitor -kc -d /var/spool/voipmonitor/ --untar-gui='/var/spool/voipmonitor//2016-08-23/16/37/RTP/rtp_2016-08-23-16-37.tar CwA8j-SNSN.pcap 0,164352,328704,493056 /tmp/exprtp.pcap'

merge SIP and RTP into one file

mergecap -w /tmp/export.pcap /tmp/expsip.pcap /tmp/exprtp.pcap


Export pcap file when LZO compression disabled for RTP in config

preconditions

The call was captured with the sensor's compression settings changed from the default voipmonitor.conf:

pcap_dump_zip_rtp = no
option tar_compress_sip = gzip

information needed to collect from CDR

From the CDR detail shown in the section above you will need:

2. Date time of a call start
3. Call-ID

export SIP pcap

tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/15/27/SIP/sip_2016-08-23-15-27.tar' 'R3YqlN7pnY.pcap*' > ./exportSIP.pcap

export RTP pcap

tar --wildcards -xOf '/var/spool/voipmonitor/2016-08-23/15/27/RTP/rtp_2016-08-23-15-27.tar' 'R3YqlN7pnY.pcap*' > ./exportRTP.pcap

merge SIP and RTP into one file

mergecap -w /tmp/export.pcap ./exportSIP.pcap ./exportRTP.pcap
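The following shell script is an added example and is not code from the VoIPmonitor wiki or from the VoIPmonitor project. It ties the export procedures above together for both the default-config case and the LZO-disabled case: it derives the per-minute archive path from the spooldir, call start time and Call-ID (the only values the page says you need), converts the "pos:" rows of the cdr_tar_part query into the comma-separated list that --untar-gui takes, and round-trips a constructed SIP archive through the same `tar --wildcards -xOf` extraction the page uses. The function names, the archive suffix parameter, and all sample data are this example's own assumptions; the archive layout is the one the page's commands show.

```shell
#!/bin/sh
# Added example, not code from the VoIPmonitor wiki or project. Function names
# and sample data are this example's own; the archive layout follows the page.

# archive_path SPOOLDIR "YYYY-MM-DD HH:MM:SS" SIP|RTP SUFFIX
# Layout taken from the page's commands:
#   <spool>/<date>/<HH>/<MM>/<KIND>/<kind>_<date>-<HH>-<MM><suffix>
# (.tar.gz for SIP with the default config; .tar for RTP and for the
# non-default SIP example on the page).
archive_path() {
    ap_spool=${1%/}              # drop a trailing slash so the path has no '//'
    ap_day=${2%% *}              # "2016-08-23"
    ap_clock=${2#* }             # "16:37:38"
    ap_hh=${ap_clock%%:*}        # "16"
    ap_mm=${ap_clock#*:}; ap_mm=${ap_mm%%:*}   # "37"
    ap_kind=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    ap_lower=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    printf '%s/%s/%s/%s/%s/%s_%s-%s-%s%s\n' \
        "$ap_spool" "$ap_day" "$ap_hh" "$ap_mm" "$ap_kind" \
        "$ap_lower" "$ap_day" "$ap_hh" "$ap_mm" "$4"
}

# extract_call ARCHIVE CALLID OUTFILE
# Same command as the page: every member named <Call-ID>.pcap* is written to
# stdout and concatenated into OUTFILE. --wildcards is a GNU tar option.
extract_call() {
    tar --wildcards -xOf "$1" "$2.pcap*" > "$3"
}

# positions_csv reads the "pos: N" rows printed by the page's cdr_tar_part
# query on stdin and prints them as one line: "0,164352,328704,493056".
positions_csv() {
    sed -n 's/^ *pos: *\([0-9][0-9]*\).*/\1/p' | paste -sd, -
}

# untar_gui_arg SPOOLDIR CALLDATE CALLID POSITIONS OUTFILE
# Builds the single quoted argument of the page's --untar-gui call.
untar_gui_arg() {
    printf '%s %s.pcap %s %s\n' "$(archive_path "$1" "$2" RTP .tar)" "$3" "$4" "$5"
}

# demo_roundtrip builds a constructed SIP archive in a temporary spooldir,
# extracts one call with extract_call and prints how many SIP request lines
# came out (2 expected: the other call's member must not be included).
# Prints "skipped" where tar is not GNU tar, since --wildcards is GNU-only.
demo_roundtrip() {
    if ! tar --version 2>/dev/null | grep -q 'GNU tar'; then
        echo skipped
        return 0
    fi
    work=$(mktemp -d) || return 1
    callid='CwA8j-SNSN'
    archive=$(archive_path "$work/spool" '2016-08-23 16:37:38' SIP .tar.gz)
    mkdir -p "$(dirname "$archive")" "$work/members"
    # Constructed stand-ins for the members of a real per-minute SIP archive
    # (member naming here is invented for the demo, not VoIPmonitor's).
    printf 'INVITE sip:bob@example.test SIP/2.0\r\n' > "$work/members/$callid.pcap"
    printf 'BYE sip:bob@example.test SIP/2.0\r\n'    > "$work/members/$callid.pcap_1"
    printf 'INVITE sip:eve@example.test SIP/2.0\r\n' > "$work/members/OTHERCALL.pcap"
    ( cd "$work/members" && tar -czf "$archive" "$callid.pcap" "$callid.pcap_1" OTHERCALL.pcap )
    extract_call "$archive" "$callid" "$work/out.pcap"
    grep -c 'SIP/2.0' "$work/out.pcap"
    rm -rf "$work"
}

demo_roundtrip
```

Run it as `sh export_helpers.sh` to see the round trip; for a real call, replace the constructed values with the spooldir, call start and Call-ID from the CDR detail and pass the output of `archive_path` to `tar` or `untar_gui_arg` exactly as the page's commands do. Note that the `--wildcards` option the page relies on exists only in GNU tar; on a host with bsdtar the extraction command has to be adapted.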