VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
| View previous topic :: View next topic |
| Author |
Message |
helmut.kuper at ewetel.de
Guest
|
 Posted: Fri Jan 30, 2009 8:54 am Post subject: [Freeswitch-users] Q931 decoding Update |
 |
|
Hello,
today I uploaded the Q931-To-Pcap patch into openzap's trunk (r628). So
you can test it.
How to start Q931 to pcap ?
In FS just enter "oz q931_pcap <span_id> on [pcapfilename without
suffix]" to start logging q931 packets to pcap. It opens a file called
"q931.pcap" or "<yourname>.pcap". It is saved in FS's log directory.
<span_id> has currently not really an affect to the command. It is only
used to make sure that you have at least one valid span configured.
Further it is put into 802.1q vlan tag id which is displayed in
wireshrak and tshark. Unfortunately I couldn't test it yet (On my side
it's always zero).
How to stop Q931 pcap?
Simply enter "oz q931_pcap <span_id> off" into FS console. <span_id>
must be valid, but has no affect. Second way is to unload openzap module
or shutdown FS.
How are the packets saved?
All Q931 packets send or received by any span are saved into one file.
To see from where to where the packets was send, the FreeSWITCH's side
is always marked with ethernet address "02:00:01:AA:AA:AA" and IP
address "1.1.1.1"
Remote side is always marked with ethernet address "02:00:01:BB:BB:BB"
and IP adresss "2.2.2.2"
Span ID is intended to be put into VLAN ID, but this is currently not
sure. Maybe it's spanid-1 or always zero - I don't know.
The pcap timestamp starts with 0 and is increased by each q931 packet.
(Maybe a real timestamp is better here)
After each saved q931 packet data is flushed into pcap file. This is
needed for the small perl script below.
How to decode it with wireshark?
Get the pcap file from FS log dir and send it via email, ftp or scp to
where you have wireshark running. Open it in wireshark. Current
wireshark decode the stuff by default as "TPKT - Unknown TPDU type
(0x0)". Of course we have a TPKT packet, but wireshark is not able to
detect the Q931 packet by default. So just do a right click on such a
packet list entry, choose "decode as ..." and click on "do not decode".
You can also click on "Decode" and then choose AIM or CFLOW protocol.
Yes, AIM is not really Q931 or TPKT, but it works... After applying the
packets are decoded as wanted. The black color in the packet list marks
some little bugs in the TCP packet generated by this patch. E.g. tcp
checksum is zero, but should be vaild. I have code to calculate it, but
in my eyes it is an unescessary load for FS.
How to decode it with tshark?
tshark allows us to decode pcap files right on cli. To do so just enter
this:
tshark -d tcp.port==102,aim -Rq931 -Ttext -V -r <pcap file>
aim is the protocol as what tshark should decode the tcp payload. Some
other protocols are working to to get tcp's payload decoded as TPKT with
q931 (she so called "Q931 over IP").
Unfortunately it decodes not just q931 but the whole overhead
(ethernet,ip,tcp,tpkt) so I build a perl script, which extracts only
Q931 packets. For this script I have to flush each Q931 packet into the
pcap file, cause this allows to have some kind of real time decoding.
You have to start Q931ToPcap logging in FS first, then start the script.
You need to have tshark installed for this. The script has the pcap
filename incl. path as an optional argument. If not given, it uses the
default filename defined within the script. To stop the script press
"ctrl+c".
Here is the script:
#!/usr/bin/perl
$default_filename="/opt/app/voip/ippbx/log/q931.pcap";
$display=0;
if($#ARGV<0){
$filename=$default_filename;
}
else{
$filename=$ARGV[0];
}
$cmd="tail -n +0 -f ".$filename." | tshark -d tcp.port==102,aim -Rq931
-Ttext -V -i - 2>1|";
print "\n";
open(PCAP, $cmd);
while ($line=<PCAP>)
{
chomp($line);
if($line=~/^Frame ([0-9]+) \(/)
{
$number=$1;
}
if($line=~/Destination: 02:00:01:aa:aa:aa/i)
{
$direction=1;
}
elsif($line=~/Destination: 02:00:01:bb:bb:bb/i)
{
$direction=0
}
elsif($line=~/802.1Q Virtual LAN, PRI: 7, CFI: 0, ID: ([0-9]+)/i)
{
$spanid=$1;
}
elsif($line eq "Q.931")
{
$display=1;
$intro=1;
next;
}
elsif(length($line)==0)
{
$display=0;
$intro=0;
print "\n\n";
next;
}
if($display == 1)
{
if($intro==1)
{
$mode=$direction?"RECEIVING -----":
"SENDING -------";
printf("-- $mode Packet number: %05i --- SpanID:
%i ----------------\n", $number, $spanid);
$intro=0;
}
print "$line\n";
}
}
close(PCAP);
regards
Helmut
_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org |
|
| Back to top |
|
 |
helmut.kuper at ewetel.de
Guest
|
| Posted: Mon Feb 02, 2009 1:07 pm Post subject: [Freeswitch-users] Q931 decoding Update |
|
|
Hello,
today I uploaded a little patch for openzap concerning missed linking of
the pcap library. So loading ozmod_isdn failed with some kind of
"unknown symbol pcap_flush_dump" error message. This keeps mod_openzap
from loading at FS startup.
regards
helmut
_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org |
|
| Back to top |
|
|
mike at jerris.com
Guest
|
|
| Back to top |
|
|
saigop at gmail.com
Guest
|
| Posted: Wed Feb 04, 2009 12:56 pm Post subject: [Freeswitch-users] Q931 decoding Update |
|
|
Hi,
Its a awesome. Can the packet capturing be done with event socket?
--
Thank you with regards,
Gopal, |
|
| Back to top |
|
|
msc at freeswitch.org
Guest
|
|
| Back to top |
|
|
saigop at gmail.com
Guest
|
| Posted: Thu Feb 05, 2009 12:15 am Post subject: [Freeswitch-users] Q931 decoding Update |
|
|
Yes I can do that with any integration
On Thu, Feb 5, 2009 at 2:22 AM, Michael Collins <msc@freeswitch.org (msc@freeswitch.org)> wrote:
--
Thank you with regards,
Gopal, |
|
| Back to top |
|
|
helmut.kuper at ewetel.de
Guest
|
| Posted: Thu Feb 05, 2009 4:58 am Post subject: [Freeswitch-users] Q931 decoding Update |
|
|
Hello,
if you have more than one call in your q931.pcap file captured, you may
like to seperate the call flows in wireshark's packet list. wireshark
allows you to sort the packets by e.g. q931 call reference first. All
you have to do is this:
Open q931 pcap file in wireshark, goto edit->preferences...->Columns
Enter a title of your new column e.g "Q931 Call Ref" in title-field.
Select "Custom" from Format-field. Enter exactly "q931.call_ref" without
quotes into the field next to Format-field. Then apply it and close the
window. Now you have a "Q931 Call Ref" column in the packet list. Click
on it and the Flows a sorted first by "q931 call reference" and second
by time.
regards
Helmut
_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org |
|
| Back to top |
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|
Search
