Sniffer news

Revision as of 19:31, 7 April 2015 by Festr (talk | contribs)


Version 11 enhances voipmonitor's writing capability. It lowers write IOPS by a factor of 10 and more, which means that it can now write thousands of simultaneous calls to ordinary hard drives, network shares, etc. Here are the highlights of the new version 11:

  • 10x less write IOPS
  • Certain tasks are now split across more threads, allowing more calls to be processed on a single server
  • SIP TLS SSL decryption
  • Digital signaling processor for G711 alaw/ulaw - DTMF inband detection, FAX CNG detection, clipping detection, silence / noise detection

Complete changelog [1]


Version 10 is much faster and more robust. It adds more threading and pcap file handling features such as native pcap compression and additional buffers. New software packet mirroring over a compressed TCP stream was added. Here are some highlights:

  • optimized pcap file saving makes the sniffer the fastest pcap voip solution.
  • Better RTP handling - allow RTP stream to be assigned to two independent calls with different call-id.
  • graph files are now in binary form (10x less space)
  • native pcap compression
  • more GRE support
  • implement autocleaning to prevent 100% disk space usage.


Version 9.0 was formerly version 8.4RC27. Version 8.4 was never released as stable, and because there were so many ridiculous release candidates it deserves a new major version.

Version 9.0 contains a huge number of new features, bug fixes and optimizations - the full detailed log is, as usual, in the complete changelog [2]

Here are some highlights:

  • One sniffer instance can now listen on multiple interfaces - interface = eth1,eth2,...
  • Sniffer can now receive from multiple mirroring sniffers
  • FreeBSD support
  • Support GRE tunnel
  • graph files changed to binary format, reducing size by 5x
  • Improvements in MOS score which fixes some inappropriate low MOS scores
  • DSCP support
  • Fixes cleaning of spooldir and cachedir
  • Fixes audio decoding for some cases
  • Fixes IP defragmentation
  • Fixes graph jump issues and audio issues when DTMF used
  • Fixes stability issues when reloading sniffer and mysql race conditions


Optimizes REGISTER queries and fixes some audio decoding issues.


Version 8.2 brings support for opus decoding and fixes mysql issues (since 8 versions)


Version 8.1 fixes the new packet buffer feature in corner cases (low memory, I/O blocking), so everyone using version 8 should upgrade. This version also fixes a long-term problem where mysql was blocking writes and the cdrqueue kept rising, which quickly used all memory. This is no longer a problem, and the sniffer is able to handle millions of sql statements in case mysql slows down or the connection is interrupted. Full changelog is here: [3]


Version 8 implements a new way of buffering packets from the linux kernel ringbuffer into a dynamically allocated buffer which now has no memory limit. The old vmbuffer was allocated statically up to a maximum of 4GB of memory, but the new buffer grows dynamically up to the desired amount of memory.

What is the buffer good for? When a storage disk is temporarily overloaded and the sniffer is storing all packets to disk, the buffer grows faster than the I/O rate. For some high network traffic the 4GB buffer was not enough and could handle only a few minutes under high pressure.

The new buffer can also be compressed with the snappy library (~50% ratio), thus doubling the overall memory. If the memory buffer is completely filled, the disk buffer is used, which is also a new feature for those who do not want to lose a single packet in any situation. Dedicated storage is recommended for the disk buffer, not shared with pcap or mysql (so it can guarantee the desired I/O throughput). The new buffer also reduces the number of packet copies to only 1 instead of 3, reducing CPU by 10%.

New packet mirror

With the new buffer mechanism we also implemented a new mirroring option which sends the compressed buffer over a TCP socket to a remote voipmonitor sniffer. This approach is now the recommended way to do software packet mirroring between two linux servers. Sometimes it is not desirable to overload a Linux based PBX/SBC with the voipmonitor sniffer, so the sniffer acts only as a mirror. The mirroring can auto-reconnect in case of connection failure and can use the new buffering mechanism - in memory and on disk with compression - which means that the mirroring can be interrupted for as long as the allocated memory or disk space lasts.

New debug

New debug messages - if the voipmonitor sniffer is running with at least "-v 1" (now enabled by default in the init.d script) you can watch several metrics:

tail -f /var/log/syslog (on debian/ubuntu)
tail -f /var/log/messages (on redhat/centos)

calls[365][401] cdrqueue[0] heap[0.1%] heapoverruns[0] comp[41.3%] traffic[25.9Mb/s] t0CPU[6.3%] t1CPU[1.6%] t2CPU[1.4%]
calls[365][405] cdrqueue[0] heap[0.0%] heapoverruns[0] comp[41.3%] traffic[25.2Mb/s] t0CPU[6.4%] t1CPU[1.6%] t2CPU[1.5%]
calls[346][386] cdrqueue[0] heap[0.1%] heapoverruns[0] comp[41.3%] traffic[25.6Mb/s] t0CPU[6.3%] t1CPU[1.6%] t2CPU[1.5%]

  • calls - [X][Y] - X is actual calls in voipmonitor memory. Y is total calls in voipmonitor memory (actual + queue buffer)
  • cdrqueue - the number of calls waiting to be written to MySQL. If this number is growing, MySQL is not able to handle the load. See Scaling#innodb_flush_log_at_trx_commit
  • heapoverruns - if this number grows, the heap buffer was completely filled. In this case the primary thread will stop reading packets from the ringbuffer, and if the ringbuffer is full, packets will be lost - this occurrence will be logged to syslog.
  • comp - compression buffer ratio (if enabled)
  • t0CPU - %CPU utilization for thread 0. Thread 0 is the process reading from the kernel ring buffer. Once it is over 90%, the current setup is hitting its limit for processing packets from the network card. Please write to if you hit this limit.
  • t1CPU - %CPU utilization for thread 1. Thread 1 is the process which reads packets from thread 0, adds them to the buffer and compresses them (if enabled).
  • t2CPU - %CPU utilization for thread 2. Thread 2 is the process which parses all SIP packets. If it is >90%, the sensor is hitting its limit - please contact if you see >90%.
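The metric descriptions above translate directly into checks that can be run over the syslog output to spot a sensor that is about to drop packets. The following Python sketch is an added example, not code from the voipmonitor project: the function names, the sample lines (constructed, with made-up values) and the rule that "growing" means "higher than in the previous status line" are assumptions.

```python
import re

# Constructed sample lines in the status format shown above (values are made up).
SAMPLE = """\
calls[365][401] cdrqueue[0] heap[0.1%] heapoverruns[0] comp[41.3%] traffic[25.9Mb/s] t0CPU[6.3%] t1CPU[1.6%] t2CPU[1.4%]
calls[380][460] cdrqueue[1200] heap[35.0%] heapoverruns[0] comp[41.0%] traffic[88.1Mb/s] t0CPU[91.2%] t1CPU[20.4%] t2CPU[47.0%]
calls[390][520] cdrqueue[5400] heap[99.9%] heapoverruns[3] comp[40.8%] traffic[90.4Mb/s] t0CPU[93.5%] t1CPU[22.0%] t2CPU[95.1%]
"""

# name[...] or name[...][...]; a syslog prefix such as "voipmonitor[1234]:" also
# matches but is harmless because only the known metric names are read below.
FIELD = re.compile(r"(\w+)((?:\[[^\]]*\])+)")


def parse_status(line):
    """Return {metric: [float, ...]} for a status line, or None for other lines."""
    out = {}
    for name, groups in FIELD.findall(line):
        out[name] = [float(v) for v in re.findall(r"\[(\d+(?:\.\d+)?)", groups)]
    if not out.get("cdrqueue") or not out.get("heapoverruns"):
        return None
    return out


def check(lines, cpu_limit=90.0):
    """Apply the rules from the metric descriptions; return [(line_no, message)]."""
    alerts, prev = [], None
    for n, line in enumerate(lines, 1):
        cur = parse_status(line)
        if cur is None:
            continue
        for thread in ("t0CPU", "t2CPU"):  # the two threads with a stated 90% limit
            if cur.get(thread) and cur[thread][0] > cpu_limit:
                alerts.append((n, f"{thread} over {cpu_limit:.0f}%"))
        if prev is not None:
            # "Growing" is judged against the previous status line (an assumption).
            if cur["cdrqueue"][0] > prev["cdrqueue"][0]:
                alerts.append((n, "cdrqueue growing"))
            if cur["heapoverruns"][0] > prev["heapoverruns"][0]:
                alerts.append((n, "heapoverruns growing"))
        prev = cur
    return alerts


if __name__ == "__main__":
    for n, msg in check(SAMPLE.splitlines()):
        print(f"line {n}: {msg}")
```

Non-status syslog lines are skipped, so the whole log file can be fed to check() unfiltered.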

skip cdr

With version 8 it is now possible to add capture rules with a "skip" flag, which completely skips processing of certain calls based on IP or Tel. number rules.

new cleaning spool

The old spool directory cleaning was replaced by a new, different cleaning mechanism which was developed to minimize I/O operations and which also finally brings more features. The cleaning procedure iterates through indexed files and unlinks them without needing to scan directories. It runs every hour and checks maximum size or maximum days. If you set maxpoolsize it will wipe out the oldest data every hour until the size is reached. maxpooldays keeps data for at most the set number of days. The same applies to sip, rtp and graph, so you can, for example, keep sip pcaps longer than rtp pcaps. All options can be activated at once; it is good to always have maxpoolsize = N, where N is the maximum disk space you are willing to let the sniffer use. All sizes are in MB.

maxpoolsize             = 102400
#maxpooldays            =
#maxpoolsipsize         =
#maxpoolsipdays         =

#maxpoolrtpsize         =
#maxpoolrtpdays         =

#maxpoolgraphsize       =
#maxpoolgraphdays       =


New option cdrproxy = yes (enabled by default) - this is for the case where a SIP session travels across several proxies (and the Call-ID header does NOT change) and you would like to track all sip proxies and make them searchable in the GUI / database. If disabled, cdr.sipcalledip will be the destination IP from the first INVITE. If enabled, cdr.sipcalledip will be the destination IP from the last INVITE and all IPs from the middle INVITEs will be inserted into the cdr_proxy table. The GUI has a new proxy column.


Version 8 adds partitions to several more tables - all register tables and messages.

Bug fixes

Capture rules were broken - if there is NULL in a column, the flag is now ignored completely. This fixes the issue where a rule is created and the user wants to override only one flag and leave the others untouched (NULL).