voip-monitor.conf

#
# voipmonitor.org configuration file
#
# location of this file is at ~/.voipmonitor.conf or /etc/voipmonitor.conf
# command line parameters overrides configuration directives in this file
# allowed comments are ; or #.
#
# voipmonitor automatically reads all configuration files in /etc/voipmonitor/conf.d/* which must NOT have [general] section in it
#

[general]

# set sniffer to UTC timezone (all CDR records and pcap time will be in UTC time)
# by default utc is disabled and time is taken from local timezone (do not overried timezone = ... in next section
# enable this if you have more sniffers in different timezones
#utc = 1

# override timezone (path to zoneinfo file). Use this if you do not want CDR and pcap files in UTC time but in different timezone then the server is set
#timezone = /usr/share/zoneinfo/UTC

# in case of running more voipmonitor instances on the same or another servers configured to save to one database and the same cdr table
# it is possible to differentiate CDR by id_sensor column. If you set id_sensor >= 0 the number will be saved in cdr.id_sensor column.
# The number is between 1 - 65535 (16bit number)

#id_sensor = 1

# separate spooldir by sensor id (/var/spool/voipmonitor/id_sensor/date/...) - do not enable this unless you really need it.
#spooldir_by_sensor = no

# enable this if you have multiple receivers on one server
#use_id_sensor_for_receiver_in_files = no

# watchdog will run shell script which will automatically start voipmonitor process when it is not running. Name of the script is /tmp/voipmonitor_watchdog
# sending kill signal to the voipmonitor process will also kill watchdog process
# sending kill -9 signal to the voipmonitor will not kill voipmonitor_watchdog so within 5 seconds the voipmonitor_watchdog script will start voipmonitor again
#watchdog = yes

################## START DATABASE CONFIGURATION ###############

# SQL driver - mysql is default or odbc (connecting voipmonitor to msssql please refer to README_mssql.md
sqldriver = mysql
#sqldriver = odbc
#odbcdriver = mssql
#odbsdsn = voipmonitor
#odbcuser = root
#odbcpass =


# by default partitions are created per day. For extreme CDR insert rate (>= 15000 / second) day partitions are not efficient and takes too much I/O and CPU pressure
# this option can be changed to yes/no at any time, the sniffer will start creating hour or day partitions 
# default is no 
#cdr_partition_by_hours = no

# all queries are queued in internal memory so when the mysql server is unrecheable or down the queue will start filling until all RAM is used and all CDR are lost if sniffer is restarted.
# enable query_cache which will store all queries to disk first so it will not consumes all memory and it will survive restarts - on next start the sniffer will start sending unfinished queries.
#query_cache = no

# if query_cache on server is disabled and server/client is enabled (remote sniffers sends CDR to central sniffer) it is advised 
# to enable server_sql_queue_limit on server side so the central server will not run out of memory. If queries reach the limit - clients will buffers queries on their side. 
# tip: optimal configuration is to enable query_cache = yes on server and clients 
# default is 0 (disabled) 
#server_sql_queue_limit = 1000000

# if server/client is enabled and the sniffer is receiving CDR from remote sniffers the protocol by default confirms every 1000 queries
# in case there is large round trip delay betwenn client and server the overall throughput is limited to 1000 * RTT - thus increase the value
# default is 1000
#server_sql_concat_limit = 5000


# sql query limitation for redirecting server 
#server_sql_redirect_queue_limit = 


# mysql server can be IP or hostname. mysqlsocket is faster then mysqlhost 
mysqlhost = 127.0.0.1
#mysqlsocket = /var/run/mysqld/mysqld.sock
mysqlport = 3306
mysqlusername = root
mysqlpassword =

# mysql database - will be created automatically if it does not exists
mysqldb = voipmonitor

# SSL/TLS setting for the mysql connection. You can use key + cert + cacert. Or you can use the cacert only (in the Azure environment). Etc.
# file with key
#mysqlsslkey = /etc/ssl/client-key.pem
# file with certificate
#mysqlsslcert = /etc/ssl/client-cert.pem
# file with ca certificate
#mysqlsslcacert = /etc/ssl/ca-cert.pem
# directory with certs
#mysqlsslcapath = /etc/ssl/capath
# list of allowed ciphers
#mysqlsslciphers =

# speedup CDR storing and active calls listing - by default all timeouts take around 10 seconds. For 3 second delay set yes for 1 second delay set quick.
# Default is disabled which is recommended option unless you absolutely need realtime CDR generation.
#quick_save_cdr = NO/yes/quick

# to disable mysql tables check and upgrade after service start set this to yes
#disable_dbupgradecheck = yes


# mysql connect timeout default 60 (seconds)
#mysql_connect_timeout = 60


# use partitioning cdr* tables by day. If you have schema without partitioning, you MUST start with new database. default is = yes
cdr_partition = yes

# compress connection to the mysql server (do not enable it if your mysql server is on the same host). Default is disabled.
#mysql_client_compress = no


# mysql table compression (default enabled)
mysqlcompress = yes

# how compression should be anebled for tables:
# default is "ROW_FORMAT=COMPRESSED" which uses gzip and is too slow for high calls per second traffic (>= 5000 CDR per second and it depends on CPU base frequency as well) 
# mysql >= 5.6 (https://dev.mysql.com/doc/refman/8.0/en/innodb-page-compression.html) can do innodb page compression which is superior to ROW_FORMAT - for mysql the new innodb page compression use mysqlcompress_type = compression="lz4"
# mariadb >= 10.1.22 (https://mariadb.com/kb/en/innodb-page-compression/) can do innodb page compression which is superior to ROW_FORMAT - for mysql the new innodb page compression is controlled by innodb_compression_algorithm=lz4 in your mariadb configuration (check if lz4 is compiled by checking Innodb_have_lz4) and set mysqlcompress_type=PAGE_COMPRESSED=1
# tip: one of the main difference between ROW_FORMAT and innodb page compression is that the old way (ROW_FORMAT=COMPRESSED) keeps both compressed and uncompressed page in innodb buffer pool while the new innodb page compression keeps only uncompressed. The other advantage is that if gzip is bottleneck you can use very fast lz4 compression 
# convert table from old format to new format: ALTER TABLE cdr ROW_FORMAT=dynamic compression="lz4"; (run the same command for all cdr* tables or any tables which you want to keep compressed) 
#mysqlcompress_type = ROW_FORMAT=COMPRESSED
#mysqlcompress_type = compression="lz4"
#mysqlcompress_type = PAGE_COMPRESSED=1


# load configuration from database - (from table sensor_conf) by id_sensor (SELECT * FROM sensor_conf WHERE id_sensor = N)
# if you do not set id_sensor and mysqlloadconfig is enabled it will load first row in database with id_sensor IS NULL
# configuration in this file is loaded FIRST then is OVERWRITEN by settings in MySQL!
# if this configuration option is not set default is enabled
mysqlloadconfig = yes

# disable partition creation which runs every 12 hours. If you have multiple sensors storing to one database it is redundant to create partitions by all sensors. Default = no
#disable_partition_operations = yes

# In case you need to create partitions for last 90 days use this option. This is useful when you want to migrate data. This will create partitions only if table does not exists
#create_old_partitions = 90
# or you can use create_old_partitions_from=DATE option. And set date for the oldest partition
#create_old_partitions_from = YYYY-MM-DD

# if you do not want to save cdr.callend = calldate + duration for some reason (you do not want to upgrade cdr, set it to no). Default is yes
sqlcallend = yes

# for high calls per second traffic enable this option (> 2000 new calls per second )
# options are:
# "yes" (all queries will be sent to store_001 procedure (as parameter) instaed of creating procedure with inserts 
# "per_query" - all queries are sent directly without sending it to store_001 
# default disable, for mysql >= 8 set to per_query
#mysql_enable_new_store = yes 

# generate cdr.id by the sniffer which allows to concatenate multi-insertions to all cdr tables. This is needed for extreme number of calls per second (>= 10000 CPS) 
# once you enable this option you MUST to configure all remote sensors to send CDR through one single sniffer server (server_destination, server_destination_port = 60024, packetbuffer_sender (no or yes)
# default is no 
# mysql_enable_set_id = yes

######## SQL queues fine tuning
# the sniffer uses stored procedure which is created on the fly with concatenated number of messages to overcome network latency limit
# this queue is by default 400.
# there are several internal sql queues for cdr, message, register, files(cleaning), http, ipaccount.
# specific queues mysqlstore_concat_limit_* overrides the global mysqlstore_concat_limit
#mysqlstore_concat_limit = 400
#mysqlstore_concat_limit_cdr = 400
#mysqlstore_concat_limit_message = 400
#mysqlstore_concat_limit_register = 400
#mysqlstore_limit_queue_register = 1000000
#mysqlstore_concat_limit_http = 400
#mysqlstore_concat_limit_ipacc = 400

# each queue is by default served by one thread and this is not enough for high traffic. If the queue is rising
# even though your mysql server configuration is already set innodb_flush_log_at_trx_commit = 2 you should consider
# to rise number of threads which are automatically created if the queue is > 1000. Take in mind that each thread
# creates new connection to mysql server. If any of queue is < 1000 the thread and mysql connection is released.
# number of threads are limited to number 9 so even you set it >9 it will be set to 9
#mysqlstore_max_threads_cdr = 2
#mysqlstore_max_threads_message = 2
#mysqlstore_max_threads_register = 2
#mysqlstore_max_threads_http = 2

##### cleaning database #########

# Removes cdr* partitions older then set number of days. If set to 0 it is disabled (default)
# includes message table used for saving the SIP MESSAGE
#cleandatabase_cdr = 0

# removes data from rtp_stat older > N days. Default is 2 days
#cleandatabase_rtp_stat = 2

#Removes register_state and failed partitions older then set number of days. If set to 0 it is disabled (default)
# cleandatabase_register_failed = 0
# cleandatabase_register_state = 0

#Removes sip_msg partitions older then set number of days. If set to 0 it is disabled (default)
# this table is used for the saving of the OPTIONS/SUBSCRIBE/NOTIFY data
# cleandatabase_sip_msg = 0

# Sets cleandatabase_cdr, cleandatabase_register_state, cleandatabase_register_failed, cleandatabase_sip_msg to the same values. Configuration first look at cleandatabase parameter  then it looks for other cleandatabase_* parameters.
#cleandatabase = 0

# cdr_rtp_energylevels table cleaning (number of days) 
#cleandatabase_cdr_rtp_energylevels = 0

# Removes ss7 partitions older then set number of days. If set to 0 it is disabled (default) 
#cleandatabase_ss7 = 0

### Allow partition operation only in specific time range. Default is disabled,
# dropping partitions can cause huge performance I/O drop during your peaks and in this case it is recommended to set cleaning outside your peaks
# following example will run cleaning only between 1am - 5am (it is 24hour format)
# partition_operations_enable_fromto = 1-5

## EXPERT OPTIONS ##

# creates alert partition in separate thread. Do not enable this unless you know what it does.
#partition_operations_in_thread = yes

###########  END DATABAE CONFIGURATION #################


# voipmonitor is able to sniff directly on network interface or it can read files.
# GRE and ERSPAN encapsulation is supported out of the box 

# listening interface. Can be 'any' which will listen on all interfaces - NOTE that "any" will not put interfaces into promiscuous mode
# and you have to do it with "ifconfig eth0 promisc"
# you can also sniff on multiple interfaces by providing list of them delimited by ',' example: interface = eth0,eth1

#interface = eth0,eth1
#interface = any

interface = eth0

# set interface's coalesce and ring options via ethtool (-G rx and -C rx-usecs). Default is yes.
#interfaces_optimize = yes

# put interface to promiscuouse mode so it can sniff packets which are not routed directly to us (it will not work if you use interface = any)
promisc = yes


# override snaplen which is 3200 by default and 6000 if ssl/http is enabled which might be not enough in rare cases (noone needs this to alter)
#snaplen = 20000


# Pcap filter. If you want to sniff only UDP SIP, put here 'udp'. Warning: If you set protocol to 'udp' pcap discards VLAN packets. Maximum size is 2040 chars
# udp or (vlan and udp) will capture all tagged and untagged UDP packets
# WARNING - if you need to sniff IPinIP (like mirrored packets from voipmonitor) filter = udp will filter all those packets. In this case just disable filter.
# WARNING - this rule "udp or (vlan and udp)" will not capture double VLAN tagged packets

#filter = udp or (vlan and udp)

# if many ip addresses are intended for filtering especially in sender sniffer you should use option interface_ip_filter
# because filter = host 192.168.0.1 or host 192.168.0.2 or host 102.168.0.3 or ... is slow and can overload CPU which can lead to dropping packets
# option interface_ip_filter if specified will sniff packets only with listed IP addresses. option interface_ip_filter can be specified multiple times
# interface_ip_filter can be specific IP or ip/network
#interface_ip_filter = 192.168.0.1
#interface_ip_filter = 192.168.0.2
#interface_ip_filter = 192.168.0.3
#interface_ip_filter = 192.168.2.0/24

# default threading_mod = 1 uses one thread for reading from interface doing deduplication at once
# threading_mod = 2 (which is automatically set if you have multiple interfaces (interface = eth0,eth1,...) reads from each interface
# in separate thread which is better option on multi core systems than interface = any
# threading_mod = 3 will do deduplication (if enabled) in separate thread which is needed for high traffic
# threading_mod = 4 will do deduplication in more than one threads - use this option if you enable deduplication and your traffic is over 100Mbit
# threading_mod = 5 makes more threads for RTP preprocessing
# threading_mod = 6 uses own allocator stack - use threading mode 6 when threding mode 5 is not enough (or enable t2_boost)

#threading_mod = 5

# additional threading modes - enable it for >= 10000 concurrent calls or when CPU is bottleneck for all threading modes.
#t2_boost = yes

# preprocess_rtp_threads option tells how many threads are used to preprocess RTP packets. Default value 2 is two threads which are able to handle
# 10 000 concurrent calls on Intel Xeon CPU E5-2650 with 30% reserve. If you disable (=no) this option there will be no extra thread for RTP packet
# processing. You will proably do not need to adjust this value ever.
#preprocess_rtp_threads = 2

# move removing calls from memory to separate thread. Enable this if you have >= 50000 concurrent calls and t2/c thread is above 90% 
# default = no
#destroy_calls_in_storing_cdr = yes

# numa_balance kernel feature automatically moves memory within a process to the closest numa node memory. When sniffer allocates GBs of memory running threads on all CPU cores this feature causes too much overhead (TLB shootdown). By default sniffer will automatically disable balancing system wide when TLB is over 500. 
# options:
# autodisable (default) - Automaticaly disable (echo 0 > /proc/sys/kernel/numa_balancing) when TLB shootdown is >500 / per second 
# enable - on sniffer start echo 1 > /proc/sys/kernel/numa_balancing
# disable - on sniffer start echo 0 > /proc/sys/kernel/numa_balancing
# default: autodisable
#numa_balancing_set = autodisable

# enable support for ipv6. If enabled the databaes will be created with ipv6 compatible columns
# if you have older database (database was created before ipv6 was enabled) you have to upgrade it with scripts/ipv6_alter.sql
#ipv6 = yes


## START SERVER/CLIENT configuration

# since version 19.6 sniffer implements new server/client sensor's architecture
# In this mode a GUI communicates with client's sensors via server's sensor only. So client's sensor can be behind NAT and
# still is reachable from the GUI.
# Client's sensors in database are created dynamically by server's sensor.
# Communication between server/client is encrypted.
# Can be only one server's sensor for now, the other sensors must be clients. Old fashioned remote sensors can be used together.
# Implicitly, client process a data, saves a pcaps to a local spooldir, sent the sql inserts/queries to the server's sensor
# and server's sensor does the whole sql operations. So on client side isn't needed any sql setting.
# Modification of this process can be done in client configuration.
# server_bind_port and managerport on the server's sensor need to be accessible from the GUI

# Server part
#server_bind =
#server_bind_port = 60024
# password required
#server_password =

# Client part
#server_destination =
#server_destination_port = 60024
# password required
#server_password =
# When 'packetbuffer_sender' option is set to yes, client's sensor just sent raw data (as mirror mode does) to the
# server's sensor, server's sensor process data, stores pcaps and writes to the sql. Default is no.
#packetbuffer_sender = no
# The server setting of these two options 'deduplicate', 'use_blocks' is copied to the client when packetbuffer_sender = yes.

#maximum allowable time difference 
mirror_connect_maximum_time_diff_s = 2
client_server_connect_maximum_time_diff_s = 2
receive_packetbuffer_maximum_time_diff_s = 30

# enable/disable mirroring packet confirmations. For higher traffic throughput you might need to disable it (due to round trip and other overhead) 
mirror_require_confirmation = yes

# select compression between clients and server GZIP, lzo, no
# default is GZIP
#server_type_compress = GZIP

## END of SERVER/CLIENT configuration

# The receiver's sensor differentiates packets from different sender's sensor.
# Sometimes may be useful to disable this check. E.g. you use multipath routing and packets from one call
# can go via more paths and can be sniffed by different sensor. Then the receiver's sensor can compose the call
# from packets coming from different sensors. Default is yes.
#receiver_check_id_sensor = no

# since version 8 sniffer implements new mirroring option. Sender is packing data to compressed stream over the
# TCP to remote sniffer.
# if you are going to use this sniffer only as a mirroring sniffer all you need is to set interface, packetbuffer_*
# set compression on and set packetbuffer_file_* so in case the connection to remote sniffer will die or will be
# temporarily slow the sender will not loose single packet. The mirroring is trying to reconnect in case of
# failure. Packets are mirrored including the the original timestamp and headers.
# this mirroring hopefully replaces pcapscandir feature which will be probably removed in favor of this approach.

# here set the sending (mirroring). The sender needs to set only interface, ringbuffer, packetbuffer_*, filter
# and this two folling mirror_destination_*
#mirror_destination_ip          =
#mirror_destination_port        =

# here set the receiver and do not forget to set firewall so no other except the sender will be able to connect
# to the receiver
#mirror_bind_ip               =
#mirror_bind_port             =

# all packets needs to be confirmed by receiver which prevents any data loss or corruption (can be slow on very high traffic throughput (round trip limitation)
# default yes
#mirror_require_confirmation = yes

# use block checksum which makes mirroring more robust but it uses slighly higher CPU usage
# default = yes
#mirror_use_checksum = yes

# default window lenght for sorting packets coming from different remote mirroring sniffers is 2000ms (2 seconds). In case
# there is some network latency / buffering etc. you can increase this window to higher values to prevent packet reordering
# if you are using mirror_bind_ip (default is 2000ms)
#pcap_queue_dequeu_window_length = 2000

# sip_send feature allows to send SIP packets over TCP or UDP (whichever you enable). sip_send will use TCP connection on
# chosen port and sip_send_udp (yes/no) uses UDP connection to chosen port. If you want to send the packet as soon as possible
# set sip_send_before_packetbuffer = yes. This feature is not intended for mirroring SIP packets to the voipmonitor sniffer
# but to some 3rd party applications.
#
# WARNING: Each SIP paket sent to sip_send = destination is additionaly trailed with 2 bytes - the length of SIP packet
# for example netcat in listen mode can be used to receive data on dest server
# test using TCP: nc -l 192.168.0.2 -p 1555
# test using UDP: nc -l 192.168.0.2 -p 1555 -u
#
#sip_send = 192.168.0.2:1555
#sip_send_udp = yes
#sip_send_before_packetbuffer = yes


# scan pcap files folder and read file by file. This is in conjuction with running tcpdump which creates pcap file each
# 5 seconds (-G 5) storing pcap files named by UNIX_TIMESTAMP to /dev/shm/voipmonitor folder (do not forget create it)
# using 1GB ring buffer to avoid losing packets (-B500000 - you can lower it but not higher) filtering udp packets (udp
# parameter whcih you can change to your needs). voipmonitor then reads created files (and delete it after processing.
# This approach can be used for testing throughput or for very high voip traffic (>500Mbit). If the sniffer is able to
# process pcap files in realtime - there will be in /dev/shm/voipmonitor folder only one or two pcap files. If the sniffer
# is not able to process in realtime (blocking by I/O or by CPU) number of pcap files will grow faster then the sniffer
# is able process.
#
# WARNING: libpcap < 1.1 contains memory leak when pcap filter is set - do not set filter in this config or upgrade libpcap to the latest (debian 6 libpcap contains the leak)
# static compiled voipmonitor from voipmonitor.org contains the latest libpcap
#
# tcpdump example command:
# nice -n -20 tcpdump -B500000 -i eth2 udp -G 5 -w /dev/shm/voipmonitor/voipmonitor 2>/dev/null 1>/dev/null &
#scanpcapdir = /dev/shm/voipmonitor

# When scanpcapdir is being used, voipmonitor will by default read any new file
# that is created in that directory as soon as the file is closed.  This is
# the normal setting if your packet capture software is tcpdump.  If you are
# using a different packet capture software, you may need to change this
# setting to "rename" if that software writes to a temporary file, closes it,
# and then renames it to something else after the file is closed.
#
# Default setting is "newfile"
#scanpcapmethod = newfile

# in case the SIP(media) server is behind public IP (1.1.1.1) NATed to private IP (10.0.0.3) to sniff all traffic correctly you can
# specify alias for this case. You can specify more netaliases duplicating rows.
# in most cases this is not necessary because voipmonitor is able to track both RTP streams based on the other side IP. But
# if the stream is incoming from another IP then SIP source signalization and also from another IP than the SIP device which is
# also behind NAT its impossible to track the correct IP. Please note that this is for case where the SIP server is behind NAT
# and also the client is behind NAT. If your SIP server has public IP do not bother with this.
#natalias = 1.1.1.1 10.0.0.3
#natalias = 1.1.1.2 10.0.0.3
#natalias = 1.1.1.3 10.0.0.4

# NAT helper:
# if voip SIP device (with source IP 1.1.1.1) sends in SDP that it wants RTP for example to 10.0.0.1 and port
# 10000 the call also sniff RTP from 1.1.1.1:10000 or to 1.1.1.1:10000 which does more problems than it solves.
# Now this behaviour is changed and if you need this option back you can enable it
# default no
#sdp_reverse_ipport = yes

# do not track RTP streams if IP or IP:port combination is psecified with options sdp_ignore_ip_port or sdp_ignore_ip
# examples:
# sdp_ignore_ip_port = 192.168.0.1:100
# sdp_ignore_ip_port = 192.168.0.2:101
#sdp_ignore_ip = 192.168.0.1
#sdp_ignore_ip = 192.168.0.f

# voipmonitor is tracking RTP streams by information from SDP (IP:port) combinations. RTP coming to those IP:port are assigned to calls which are in memory 
# some times it can happen that two calls shares the same IP:port combination (for example if some call will not receive BYE but on the PBX/SBC the call 
# is terminated but voipmonitor do not know it and timeout were not reached. In this case RTP will be stored/assigned for both calls. 
# sdp_multiplication parameter controls how much calls can share the same combination of IP:port - but it also means that the RTP packet will be stored
# for every of those calls which can make pressure on DISK / storage. 
# setting sdp_multiplication = 0 will cause that RTP packets will be assigned only to the newest calls 
# default value is 3 
#sdp_multiplication = 0

# if sniffer will not see RTP packets SDP parsing can be disabled
# this is recommended to disable only if calls per second > 1000
# default is no
#disable_process_sdp yes

# by default voipmonitor assings RTP stream to a call by destination IP:port taken from SDP. This can lead to problems when there are multiple RTP
# streams coming to the same IP:port destination -> call will have multiple RTP streams which belongs to different calls. Enabling this option,
# which is disabled by default, will eliminate duplicate RTP streams in a call - if source IP:port of a RTP stream will match to SDP
# voipmonitor will discard all other RTP streams.
# options:
# yes
# no (default) 
# keep_rtp_packets (same as yes + store RTP packets which should not normally belongs to this call, for debug purpose) 
#rtp_check_both_sides_by_sdp = no


# close RTP ports for a call if authentication fails (default yes) 
#ignore_rtp_after_auth_failed = yes


# store ip/port in SDP message in cdr_sdp table
# default yes
#save_sdp_ipport = yes

# when decoding audio use RTP streams only with the same IP addresses found in SIP/SKINNY src/dst IP header
# default no
#rtpfromsdp_onlysip = no

# if calls are routed through SIP proxies with RTP proxies, enable this option so the main caller and called stream will not be selected from/to sip proxy but from real caller / called destination 
# default yes
#rtpip_find_endpoints = yes


# define bind address for manager interface. Default is 127.0.0.1
# it is not recommended to change this unless really needed due to
# security. If you need it on some other IP make sure you set firewall
# and change the standard port for better security
#managerip = 127.0.0.1

# classify number without leading 00 or + to country according to local_country_code configuration option which is in ISO 3166-1 alpha-2
# format http://cs.wikipedia.org/wiki/ISO_3166-1. Default is local
#local_country_code = local
#local_country_code = US

# define TCP manager port
managerport = 5029

# define SIP ports which will voipmonitor liste. For multiple ports you can use ranges and multiple entries 
# multiple sipport lines are also supported 
# sipport detects udp / tcp and websocket (webrtc) - unencrypted. For encrypted SIP please refer to ssl* options
sipport = 5060
#sipport = 5060,5061,5062,5070-5080

# use the new TCP reassembler which is far more robust than the old one. It can reassemble much more SIP messages even better than wireshark..
#sip_tcp_reassembly_ext = yes

# enable storing sip source and destination port to database so the port from INVITE can be searched
cdr_sipport = yes

# enable storing RTP destination port to database
cdr_rtpport = yes

# enable storing RTP source port to database (default is no)
#cdr_rtpsrcport = no

############## SIP TLS SSL SUPPORT
# if you want to decrypt TLS encrypted SIP you need to enable ssl = yes and pprovide options for ssl_ipport where 10.0.0.1 is IP address of your
# TLS server 5061 is TCP port and your.key contains private key
# ssl_ipport detects websocket over SSL / TCP (webrtc)
# note that you cannot decrypt TLS where you use cipher suite with diffie hellman key exchange by nature.

#ssl = yes
#ssl_ipport = 10.0.0.1 : 5061 /path/to/your.key


# ssl sessions will expire after 12 hours by default 
#ssl_store_sessions_expiration_hours = 12

# voipmonitor supports parsing session keys sent to UDP port, by default it is disabled. 
# example UDP packet: {"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","sessionid":"BAD9ADC061C0A09C5DCCD28DB31B71E3BEDD0894043A38012357DC992C12516C", "mastersecret": "A5433C3A244945B706112EBBAF3FA5F0995BjACOC7883EC0F13952B9F89A0F6657CCC4279BE4727631DBBFA93A91E067"}
# to restrict parsing UDP packets from certain IP ranges use ssl_sessionkey_udp_port or ssl_sessionkey_udp_ip which will allow packets only with destination port == ssl_sessionkey_udp_port and destination IP ssl_sessionkey_udp_ip

#ssl_sessionkey_udp = yes
#ssl_sessionkey_udp_port = 1234
#ssl_sessionkey_udp_ip = 192.168.178.0/24

# preserve SSL/TLS keys between restart
# default no
#ssl_store_sessions = yes

# determine the table type for SSL/TLS keys: persistent: innodb, memory: memory
#ssl_store_sessions = memory
#ssl_store_sessions = persistent

#option ssl_ignore_error_bad_finished_digest = YES


####################################

########### SRTP ###################

# SRTP decryption (RTP and RTCP)  uses keys from SIP SDP
# supported keys:
#AES_CM_128_HMAC_SHA1_32
#AES_CM_128_HMAC_SHA1_32
#AES_CM_128_HMAC_SHA1_80

# by default sniffer is decrypting only RTCP. RTP is stored as is and can be decrypted later by the GUI if user requests audio with If you want to store decrypted RTP in pcaps enable srtp_rtp = yes
#srtp_rtp = no
#srtp_rtcp = yes
####################################

# If remotepartyid is set to yes the SIP Remote-Party-ID is used to get caller name/number from the first INVITE only
# If callerid is anonymous and Remote-Party-ID is present the number is always taken from Remote-Party-ID if present regardless on the remotepartyid option.
#remotepartyid = no


# update caller or called number from Remote-Party-ID tag with tag party=STRING (which is normally remoteparty_caller = calling and remoteparty_called = called)
# Multiple parameters can be added where the first provided has the priority (delimited by , or ;) 
# (example remoteparty_called=x-cisco-original,called)
# Remote-Party-ID tag will be updated with every SIP packet, not only the first INVITE 
# default - not set 
#remoteparty_caller = calling
#remoteparty_called = called


# If passertedidentity is set to yes the SIP P-Asserted-Identity is used to get caller name/number
# If callerid is anonymous and P-Asserted-Identity is present the number is taken from P-Asserted-Identity only if this option is enabled
#passertedidentity = no

# parse only the number and ignore everything after ";". Example -  P-Asserted-Identity: <sip: +0001234545;cpc=ordinary@domain;user=phone>
# default is yes.
#callernum_numberonly = yes

# If ppreferredidentity is set to yes the SIP P-Preferred-Identity is used to get caller name/number
# If callerid is anonymous and P-Preferred-Identity is present the number is taken from P-Preferred-Identity  only if this option is enabled.
#ppreferredidentity = no

# If remotepartypriority is set and SIP contains Remote-Party-ID it is used instead of passertedidentity or ppreferredidentity
#remotepartypriority = no

# take number from INVITE URI or To: SIP header. If destination_number_mode = 1 It will always save number from To: header.
# if destination_number_mode = 2 it will take number from INVITE URI.
# default: destination_number_mode = 1
#destination_number_mode = 1

# end call after N seconds (default is 4 hours = 4 * 3600). This prevents creating giant pcap files and memory growing for
# calls where RTP stream stucked indefinitely .
# if call is ended due to this itmeout in the cdr.bye will be number 102
absolute_timeout = 14400

# end call after N seconds (default is 20 minutes = 20 * 60) after receiving SIP BYE message no matter how many RTP packets
# arrives after SIP BYE.
destroy_call_at_bye = 1200

# end call after N seconds after BYE (regardless if it is confirmed or not) even if RTP packets are still flowing (which are extending the call)
# default 1200 seconds (20 minutes)
#bye_timeout = 1200

# end call after N seconds after confirmed BYE even if RTP packets are still flowing (which are extending the call)
# default 600 seconds
#bye_confirmed_timeout = 600

# do not process any RTP packets after BYE
# default no
#ignore_rtp_after_bye_confirmed = no

# do not process any RTP packets after CANCEL
# default no
#ignore_rtp_after_cancel_confirmed = no

# by default get Q.850 Reason: header from all packets but once set from BYE or CANCEL it will be not overwriten by other packets. To get Reason: header from all packets set it to no.
#get_reason_from_bye_cancel = yes

# if enabled (default disabled) mark CDR in case there is BYE within dialog with "transaction does not exists" reply
#detect_alone_bye = no

# onewaytimeout ends sip call after set seconds which does not receive any reply from the other side.
# technically it takes sip source ip address from first invite/register and if there is no other sip source ip different
# from the first source ip the call will be terminated after onowaytimeout seconds.
# if a call is terminated due to this timeout in cdr.bye column will be 101.
# purpose of this timeout is to release memory as soon as possible in case there is some flood INVITE which does not
# have any reply. Another reason is when mirroring is set incorrectly and the sniffer sees only one side of a SIP
# signalization.
# if onowaytimeout is not set default is 15.
onewaytimeout = 15

# sipwithoutrtptimout is used when the SIP call does not have any asoociated RTP to prevent zombie sip calls like
# when BYE or CANCEL is missing so the call has to timeout at some point. Default value is 1 hour (3600 seconds)
# if you have longer calls in your network you need to increase this value. Previosly rtptimeout parameter was
# used.
#sipwithoutrtptimeout = 3600

# rtptimeout will close call only if the call register any RTP packet and there is no SIP or RTP/RTCP packet activity
# within the rtptimeout. (if the call has no RTP packet this timeout is not applied, lok for sipwithoutrtptimeout).
# the rtptimeout is to prevent zombie calls in voipmonitor memory. Recommended value is 5 minutes (300 seconds).
#rtptimeout = 300

# ringbuffer is circular memory queue directly in kernel memory space. libpcap is reading from this queue and
# delivers packets to voipmonitor. If the network rate is > 100 Mbit we recommend to set ringbuffer to at least 500
# maximum value is 2000 MB.
# default 50 MB
ringbuffer = 50

# packetbuffer is used to cache packets after it is read from kernel ringbuffer. From this cache packets are going
# to process unit which can be blocked either by CPU spikes or if all write caches are full. Since version 11 there
# is no reason to make it big since write cache is in async buffer now (see further).

packetbuffer_enable             = yes
packetbuffer_compress           = no
# in case CPU is bottleneck you can lower compress ratio (100 is full compression)
packetbuffer_compress_ratio	= 100

# maximum memory used for buffering packets when I/O blocks or CPU blocks processing them.
# default is 2000 MB
# from version 11 it replaces packet_buffer_total_maxheap and pcap_dump_asyncwrite_maxsize
max_buffer_mem			= 2000

# how frequently should be memory freed (default 30)
#memory_purge_interval = 30

# release memory only if memory to release is greter than N MB (default 500MB) (or 10% memory) 
#memory_purge_if_release_gt = 500

# number of threads to process RTP packets. If not specified which is default option it will equal to the number of available CPUs.
# If set to 0 threding is turned off.
#rtpthreads = 0


# number of RTP threads when sniffer starts (it will still lower if there is no traffic). Change this only if you will run synthetic tests
# default = 1
#rtpthreads_start = 1


# jitter buffer simulator variants. By default voipmonitor uses three types of jitterbuffer simulator to compute MOS score.
# First variant is saved into cdr.[ab]_f1 and represents MOS score for devices which has only fixed 50ms jitterbuffer.
# Second variant is same as first but for fixed 200ms and is saved to cdr.[ab]_f2
# Third varinat is adaptive jitterbuffer simulator up to 500ms
# Jitterbuffer simulator is the most CPU intensive task which is voipmonitor doing. If you are hitting CPU 100% turn
# off some of the jitterbuffer simulator. I'm recomending to use only fixed 200ms if you need to save some CPU cycles.
#jitterbuffer_f1 = no
#jitterbuffer_f2 = yes
#jitterbuffer_adapt = no

# Ignore rtcp jitter value higher then this number for a counting of the avg/max jitter values for cdr.
# It can help on some DSL/cable modems where jitter in first rtcp packet is mangled/bad calculated.
# Into pcap are stored original values.
# Default value is zero, which means disabled.
#ignorertcpjitter = 0

# Packet loss concealment (PLC) is a technique to mask the effects of packet loss in VoIP communications.
# Because the voice signal is sent as packets on a VoIP network, they may travel different routes to get to destination.
# At the receiver a packet might arrive very late, corrupted or simply might not arrive.
# One of the cases in which the last situation could happen is where a packet is rejected by a server which has a full buffer
# and cannot accept any more data.
# default no.
#plcdisable = no

# callslimit will limit maximum numbers of calls processed by voipmonitor at the same time. If calls are over limit
# it will be ignored (INVITE)
#callslimit = 0

# in case SIP session travels accross several proxies (and Call-ID header DOES not change) and you would like to track
# all sip proxies and make them searchable in GUI / database.  If disabled cdr will store to destination sip
# column destination IP from the first INVITE (or it will overwrite another INVITE with the same source IP).
# If enabled there will be destination IP from the latest invite and all proxy ip will be stored in cdr_proxy table.
# default enabled
cdrproxy = yes

# this option allows to skip storing cdr.a_ua and cdr.b_ua - this is workaround for those who has extreme cdr rate and
# number of user agents in database is over 1000 and CPU is not powerfull enough to store cdr in real time. In future
# this option will be removed once we optimize this rutine.
#cdr_ua_enable = yes

# remove string from useragent before storing to the database. This is useful in case you want to remove unique string
# from it so the table cdr_ua will not grow too much
# you can set multiple cdr_ua_reg_remove.
#cdr_ua_reg_remove = \([0-9a-z\-]+\)$
#cdr_ua_reg_remove = -RMR[0-9a-z\-]+$

# only names matching regexp will be stored to the database. The cdr_ua_reg_whitelist is evaluated after cdr_ua_reg_remove (if enabled).
# it is disabled by default
#cdr_ua_reg_whitelist = ^Cisco
#cdr_ua_reg_whitelist = C610

# SSRC in RTP headers must not equal zero according to RFC so voipmonitor is ignoring such RTP by default.
# If you still need to parse such packets enable it
# default = no
#allow-zerossrc = yes


# duplicate check do md5 sum for each packet and if md5 is same as previous packet it will discard it
# WARNING: md5 is expensive function (slows voipmonitor 3 times) so use it only if you have enough CPU or
# for pcap conversion only . Default is no.
#deduplicate = yes


# deduplicate feature ignores value in TTL IP header. If you want to disable deduplication for packets with various TTL disable it
#deduplicate_ipheader_ignore_ttl = yes


# enable this option in case you want to deduplicate or defragment packets from all sources when sniffing on multiple interfaces or if there are
# multiple sniffer receivers (when mirroring packets).
#auto_enable_use_blocks = yes


# prior verison 8.0.1 deduplicate was comparing only data without ip header and udp header so duplicate packets
# was matched also in case the IP addresses differes. This was good for some cases but it leads to completely
# ignore RTP streams in other cases. Now default option is to check duplicates based on not only data but ip headers
# too. To change this set deduplicate_ipheader = no
# default = yes
#deduplicate_ipheader = yes


# enable/disable updating called number from To: header from each caller INVITE. Default is enabled so it supports overlap dialing (RFC 3578)
# if you want to disable this behaviour and see always number only from the first INVITE set sipoverlap = no
#sipoverlap = yes

# The same as sipoverlap but ignores the source ip address of an invite packet.
# If the source ip is matching with first invite, sipoverlap option updates called number from last invite.
# When last_dest_number option is enabled it will take a dst number from the last invite always.
# Default is no.
#last_dest_number = yes

# create own large UDP packet in case of decapsulation from IP in IP
#default no
#virtualudppacket = yes

# analyze sip REGISTER messages
sip-register = no

# analyze sip OPTION/SUBSCRIBE/NOTIFY  messages which can be stored to PCAP (individually), or seen in SIP Opt. Active or also stored to the Database 
#(for each message type there is sip-options/sip-subscribe/sip-notify options)
# default is NO. Options are:
# yes - active and database (and pcap according to save-sip-options option) 
# nodb - only active (no database records)(and pcap according to save-sip-options option). 
# no - active, no DB, no pcap (regardless on save-sip-options option)
# this parameters enable processing engine, so if you want to use the capture rules you need to enable it (yes/nodb)
sip-options = no
# store OPTIONS to disk (in extreme traffic it might overload file system), default NO
save-sip-options = no

sip-subscribe =  no
# store SUBSCRIBE to disk (in extreme traffic it might overload file system), default NO
save-sip-subscribe = no

sip-notify = no
# store NOTIFY to disk (in extreme traffic it might overload file system), default NO
save-sip-notify = no

#group SIP OPTIONS/NOTIFY/SUBSCRIBE by vlan id. Enable this when you need to restrict users by vlan id which requires to have response packet in same vlan like the request packet. default NO
sip-msg-compare-vlan = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same source ip address.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-ip-src = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same destination ip address.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-ip-dst = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same source port.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-port-src = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same destination port.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-port-dst = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same source number.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-number-src = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same destination number.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-number-dst = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same source domain.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-domain-src = no

# the SIP OPTIONS/NOTIFY/SUBSCRIBE messages are considered the same if many conditions are fulfilled. One of them is the same destination domain.
# with this option you can disable this condition. Default is yes
#sip-msg-compare-domain-dst = no

# wait only N seconds for reply on first register then remove from memory. (default is 5 seconds)
sip-register-timeout = 5

# option to not to save failed registration on timeout (default no (which means by default failed registratinos are stored when timeout))
#sip-register-timeout-disable_save_failed = yes

# if mysql binlog is enabled, skip binlog inserts into active table (which is MEMORY type)
# if you still want to replicate this too (huge I/O impact) set it to = no
sip-register-active-nologbin = yes

# ignore failed registrations which ends with 401 response code (default no)
#sip-register-ignore-res401 = no

# ignore failed registrations which ends with 401 and nonce has changed response code (default no)
#sip-register-ignore-res401-nonce-has-changed = no

#Registers From IP:  Register packets for same user from different IP. Decide to compare also source SIP IP in register packet when matching/evaluating. (default no)
#sip-register-compare-sipcallerip = yes

#Registers From Port:  Register packets for same user from different port. Decide to compare also source SIP port in register packet when matching/evaluating. (default no)
#sip-register-compare-sipcallerport = yes

#Registers To IP:  Register packets for same user. Decide to compare also destination SIP IP in register packet when matching/evaluating. (default no)
#sip-register-compare-sipcalledip = yes

#Registers To Port:  Register packets for same user. Decide to compare also destination SIP port in register packet when matching/evaluating. (default no)
#sip-register-compare-sipcalledport = yes

#Registers To Domain:  Register packets for same user. Decide to compare also domain part of SIP header to in register packet when matching/evaluating. (default yes)
#sip-register-compare-to_domain = yes

#Registers From Domain :  Register packets for same user. Decide to compare also domain part of SIP header from in register packet when matching/evaluating. (default no)
#sip-register-state-compare-from_domain =  yes

#Registers Auth Realm:  Register packets for same user. Decide to compare also SIP Authentication Realm in register packet when matching/evaluating. (default no)
#sip-register-state-compare-digest_realm = yes

#distinct SIP REGISTER by number in Contact header (default yes)
#sip-register-state-compare-contact_num = yes

#distinct SIP REGISTER by domain in Contact header (default yes)
#sip-register-state-compare-contact_domain = yes

# Maximal count of the request packets with the same callid without appropriate response.
# If this limit is reached then the current register session is terminated and the new session is created.
# The default is 4
#sip-register-max-registers = 4

# Maximal count of the packets (requests, responses) with the same callid without appropriate evaluation.
# If this limit is reached then the current register session is terminated and the new session is created.
# The default is 20
#sip-register-max-messages = 20

# ignore cdr with list of last SIP response codes like 302 etc. Parameters are list of response codes delimited by colon. If response code
# is one number it is wildcard for all response codes starting with that number
# other parameters are: name=abc number=.*123.* ip=1.2.3.0/24 lsr=Unavailable
#cdr_ignore_response = 302,303,4
#cdr_ignore_response = 503 lsr=Call\sThrottled, 403 name=abc ip=1.2.3.4, 404 number=%123%, 405 number=.*123.* ip=1.2.3.0/24

# Limit sip response text when it contains tel. numbers. Example '503 No Service for 123456789' will be stripped to ' '503 No Service for 180'
# default disabld
# cdr_sip_response_number_max_length = 3

# remove string from sip response text before storing to the database. This is useful in case you want to remove unique string
# from it so the table cdr_ua will not grow too much
# you can set multiple cdr_ua_reg_remove.

#cdr_sip_response_reg_remove = \([0-9a-z\-]+\)$


# if yes, voipmonitor will not save CDR to MySQL
nocdr = no

# if yes, all SIP calls will be ignored unless capture rules set skip flag based on IP or Tel. numbers (mysql.filter_*)
#skipdefault = yes

# do not store CDR if content-type in INVITE is csta+xml 
# default no
#enable_content_type_application_csta_xml = no

# write CDR to database only if call was answered
# default = no
#cdronlyanswered = yes

# when storing CDR check if there is the same CDR with the same sip.Call-ID and replace it if the new one contains RTP and the old one not
# this option is intended for case where you need to mirror SIP signalling to RTP media nodes and every RTP voipmonitor node sends CDR based
# on the same SIP thus diplicating CDR and only one CDR have RTP associated.
# default is off
# for client server mode set this option to "lock"
#cdr_check_exists_callid = yes

# check unique call-id only with certain id_sensors 
# list of sensors id (use NULL if it should be checked for sensors with no id_sensor set) 
#cdr_check_unique_callid_in_sensors = 1,3,NULL,5

# write CDR to database only if call has RTP
# default = no
#cdronlyrtp = yes


# filter RTP packets by VLAN tag from first SIP packet. This solves situation when sniffing with one sniffer on multiple VLAN (tagged)
# with the same IP for different PBXs but same IP addresses. Without this configuration RTP packets are mixed togather.
#vlan_siprtpsame = no

###############################################################################
# cisco skinny protocol (SCCP)                                                #
###############################################################################

# disabled by default (when enabled default port is TCP port 2000)
#skinny = yes

# Multiple skinny ports is allowed
#skinny_port = 2000
#skinny_port = 12000

# some cisco call manager is configured to receive call always on the same UDP port which results in one-way recordings or mixed recordings. In this case
# set this option to IP address of the cisco call manager. This also assumes that cisco phones uses the same UPD port for receiving and sending RTP
# (symmetric RTP)
#skinny_ignore_rtpip = 10.1.1.1


###############################################################################
# MGCP protocol                                                               #
###############################################################################

# mgcp protocol is disabled by default
#mgcp = yes

# default MGCP ports (change it only if it differs)
#tcp_port_mgcp_gateway = 2427
#udp_port_mgcp_gateway = 2427
#tcp_port_mgcp_callagent = 2727
#udp_port_mgcp_callagent = 2727


###############################################################################
#       storing packets into pcap files                                       #
###############################################################################

# limit pcap file size (in MB) after the lmit the sniffer will stop recording packets to that file but will still analyze it for loss/jitter etc.
# default disabled.
#maxpcapsize = 500

# directory where all files (pcap|wav|graph) are stored
spooldir = /var/spool/voipmonitor

# alternatively you can specify different directories for RTP / .graph and audio files. In this case you MUST set in GUI to download pcaps from sniffer
#spooldir_rtp =
#spooldir_graph =
#spooldir_audio =

# optional secondary storage (GUI->capture rules -> store pcaps to second spool - this allows to store some calls to another storage with different autoclean setup
#spooldir_2  = /var/spool/voipmonitor2

# spooldir permissions
#spooldir_file_permission = 0666
#spooldir_dir_permission = 0777
#spooldir_owner = root
#spooldir_group = root

# enables writing pcap files to separate folders per sensor id or sensor name. Enable this feature only if you are not using database.
# spooldir_by_sensorname = yes
# name_sensor = sensor1

# pcap_dump_bufflength sets buffer (bytes) for every file (pcap, graph). It helps to prevent randowm write for each SIP / RTP packet.
# Optimal and default value are 8184 Bytes.
pcap_dump_bufflength = 8184

# compress pcap file (SIP and RTP). It enables pcap_dump_zip_sip and pcap_dump_zip_rtp see below
# default is yes
pcap_dump_zip = yes

# compress only SIP pcap file (lzo, gzip, no)
#pcap_dump_zip_sip = gzip
# SIP zip level compression is 6 by default.
pcap_dump_ziplevel_sip = 6

# compress only RTP pcap file  (lzo, gzip, no)
# lzo is the fastest method with slight less compress ratio then gzip level 1. Voipmonitor internal LZO is not compatible with standard LZO tools
# so you have to decompress it with voipmonitor -kc --unlzo-gui='input.pcap output.pcap'
# before you can decompress the pcap, you need to untar it with tar --wildcards -xOf tar.tar 'E1E3555E@192.168.88.101.pcap*' > merged_rtp.pcap
# if path to file is not absolute (/...) it is relative to the spooldir directory
# (GUI decompress it on the fly and serve it as gzip)
pcap_dump_zip_rtp = lzo
# RTP zip level compression is 1 by default (very fast) to increase compression ratio increase this number (9 is maximum, very slow and memory hungry)
#pcap_dump_ziplevel_rtp = 1

# compress only graph file (lzo, gzip, no)
#pcap_dump_zip_graph = lzo
# GRAPH level compression is 1 by default (very fast) to increase compression ratio increase this number (9 is maximum, very slow and memory hungry)
#pcap_dump_ziplevel_graph = 1

# level of zip compression where default is number 6. The fastest compression is 1 the highest (and the slowest) is 9.
# this option will set pcap_dump_ziplevel_sip = pcap_dump_ziplevel_rtp = pcap_dump_ziplevel_graph
#pcap_dump_ziplevel = 1

# number of initial threads used for compressing pcap_dump_zip if enabled. Default is 1. Number of threads automatically grows once threads consumes >95% CPU
pcap_dump_writethreads = 1
# number of maximum threads for pcap_dump_zip compression. The value is limited by this formula: MIN(number of available CPU, pcap_dump_writethreads_max, 32)
pcap_dump_writethreads_max = 32

# pcap_dump_asyncwrite copy packets into asyncbuffer before it is written to disk. This will ensure that processing
# packets are not suspended in case of blocks from I/O layer. Keep this always enabled
pcap_dump_asyncwrite = yes


##############################################################################
# TAR format
#
# default configuration is not recommended to change unless you exactly know what you are doing. If any of those options are missing it uses its default options
#
# instead of writing each call to its own pcap file write it it into tar archive. Name of the tar file is derived from
# start of the call - year-mon-day/hour/minute/sip.tar
# for each sip rtp and graph is created separate tar file (prefixed with sip rtp or graph).
# this is new default method since sniffer 11.0. For 2000 concurrent calls IOPS lowered from 200 to 40 storing RTP+SIP+GRAPH. For 40 000 concurrent
# calls IOPS drops from 4000 to 10 sniffing only SIP.
tar = yes
# default number of maximum compression threads is 8. Usage of those threads can be watched in syslog tarCPU[A|B|C|D...]
tar_maxthreads = 8

# available compression for tar_compress_[sip|rtp|graph] is - no, gzip and lzma. gzip is default for sip and graph rtp are not compressed because it is
# better to compress each RTP pcap individually and concatenate them to uncompressed rtp.tar file. Lzma compression has better compression ratio (about 40%)
# but it is 10x slower and uses much more memory. It also takes more time to flush all data from sip pcap so user have to wait longer time for download
# pcap after call ends.# If compression is disabled sniffer stores offset for each file into database thus extracting pcap file from tar file requires
# minimal I/O seeks and it is instant. If you enable compression of RTP tar file you will loose that possibility and GUI will extract file for long time
# (minutes) on huge traffic using lot of I/O resouces. if compression for SIP/RTP or GRAPH is enabled it automatically disables options pcap_dump_zip
# pcap_dump_zip_sip pcap_dump_zip_rtp pcap_dump_zip_graph which means that inside tar file is uncompressed pcap files.

# internal memory organization stores packets to memory until 150kb is reached then the file is flushed to tar file. to save
# some memory default internal compression of data are compressed with fast snappy compression algorithm which you can disable

# default sip tar compression is gzip with level compression 6 (default gzip compression).
tar_compress_sip = gzip
tar_sip_level = 6

# default rtp tar compression is disabled.
tar_compress_rtp = no
# if you have plenty CPU cores and many calls you can increase it to level 6.  Difference between level 1 and 6 is 7% in size and 63% faster.
tar_rtp_level = 1

# default graph tar compression is gzip with compression level 1
tar_compress_graph = gzip
tar_graph_level = 1

# end tar format configuration #############################


# store pcap and graph file to <cache/dir> and move it after call ends to spool directory. Moving all files are guaranteed to be serialized which
# helps with slow random write I/O on spin or other media. Typical cache directory is /dev/shm/voipmonitor which is in RAM or /mnt/ssd/voipmonitor
# which is mounted to SSD disk or some very fast SAS/SATA disk where spool can be network storage or raid5 etc.
#cachedir = /dev/shm/voipmonitor

# openfile_max overrides default max open files which is 65535
#openfile_max = 300000

# list characters that should be converted to underscore (_) in filenames
# if you want to include space, put it between other characters, like ': :' (will convert ':' and ' ' to '_')
# default is none
#
# example - avoid ':' when Call-Id contains port number
#convertchar = :

# name of the pcap file is derived from the SIP.Call-ID header unless you override it with fbasenameheader which is name of custom header with file name
#fbasenameheader = X-custom-filename

# save SIP packets to pcap file
savesip = yes

# save_sip_history stores SIP request / responses into the database cdr_siphistory (without body) which can be used to search database for calls with
# specific response / requests during dialog. By default even if this option is disabled sip responses are always stored and only BYE request.
# this option allows to enable storing all SIP requests and also all ressponses which have additional timestamp. You would need to enable
# this option only in case you need to search database / calls based on specific SIP REQUEST messages.

#save_sip_history = requests,responses
#save_sip_history = all

# save_sip_response option enables storing all sip responses into cdr_sipresp table. Enabling this feature can overload mysql database on high sip throughput
# which is reason why it is disabled by default
#save_sip_responses = no

# enable storing SIP messages in DB with millisecond precision (by default off)
#time_precision_in_ms = yes

# save RTP packets to pcap file. savertp = yes automatically saves RTCP packets
# you can also save only RTP header without AUDIO: savertp = header
# if save RTP is enabled it will also save UDPTL packets (used for T.38)
# you can also set savertp = no and control what calls will record RTP in mysql table filter_ip or filter_tel
# which is controled in GUI -> Capture rules. Sending reload command will reload configuration from filter_*
# table. You can also set savertp = yes but denies recording RTP based on rules in filter_* table.
savertp = yes
#savertp = header

# replace all data in RTP packets with zero
# when enabled, no option can override it and listening to calls is impossible no matter on other settings
# when enabled, DSP processor will not work as it will get zeroed data (DTMF, silence detection, silence MOS, etc.) 
# normally, you do not need this option as you can control what RTP should be recorded to pcap in capture rule
#null_rtppayload = NO 

# store video RTP packets to pcap or only to cdr (default disabled = no) 
#savertp_video = no/yes/header/cdr_only

# voipmonitor by default splits SIP and RTP packets to individual files (in case spooldiroldschema = no) which are
# located in SIP and RTP directories. This feature allows instance cleaning RTP streams differently then SIP packets
# to join two pcap files SIP+RTP use mergecap command line utility which is included in wireshark package
# default = yes | spooldiroldschema must be set to no
# disabling this disables tar function
#pcapsplit = yes

# save UDPTL packets (FAX T.38). If savertp = yes the UDPTL packets are saved automatically. If savertp = no and you want
# to save only udptl packets enable saveudptl = yes and savertp = no
#saveudptl = yes

# enable FAX T.30 detection by analyzing voice frames for 1100 and 2100 HZ (CNG CED tones). It currently works only for G.711 ulaw/alaw and it consumes more CPU.
#faxdetect = no

# save RTCP packets to pcap file
savertcp = yes

# save RTP payload to audio file. Choose 'wav' for WAV PCM or 'ogg' for OGG 25kbps format.
# please note that this has great impact on I/O and can overload your storage leading to lose packets. Better way is to store only sip+rtp and
# convert wav files on demand.
#saveaudio = wav

# store audio only after call was answered, default is no
#saveaudio_afterconnect = no

# save audio only for connected calls, default no (this option will be deprecated in favor of saveaudio_afterconnect)
#saveaudio_answeronly = no

# generate silence audio from the first invite even if there are no RTP packets yet so the audio length matches sip signalization lenght.
#saveaudio_from_first_invite = yes

# save caller in left channel and called in right channel. Default enabled. If disabled caller and called are mixed into mono.
saveaudio_stereo = yes

# by default wav file is stereo where left channel is caller and right channel is called. if you want to swap left right enable saveaudio_reversestereo
# default is no
#saveaudio_reversestereo = no

# ogg quality - from -0.1 to 1.0 (low to best) - this affect size of the OGG
ogg_quality = 0.4


# number of threads dynamically increases to maximum of CPU or to maximum of 10 threads which you can override
#audioqueue_threads_max = 10

# this will not allow decoding packets which have the same RTP SEQ number. Default is disabled
#saveaudio_dedup_seq = no

# enable or disable liveaudio feature - realtime listening to calls
# default yes
#liveaudio = yes


# default path to WEB GUI used to construct path to key check for codecs
# default paths:
#keycheck = /var/www/voipmonitor/php/lib/keycheck.php
#keycheck = /var/www/html/voipmonitor/php/lib/keycheck.php

# in case you are not saving RTP at all but you still want to save DTMF carried over RTP packets (RFC2833)
# you can enable this option. This feature slows down a bit processing RTP packets in main read thread
# in casse voipmonitor runs in threads.
# default = 0
#saverfc2833 = 0

# Enable storing DTMF (SIP INFO or RFC2833 or inband if enabled see inbanddtmf) to cdr_dtmf database. It will store DTMF time and key
# then it will be shown in SIP history in the GUI
# default is no
#dtmf2db = no

# The default is to save the SIP INFO packets and the RTP DTMF packets into appropriate pcaps. You can disable it with this option.
#dtmf2pcap = yes

# enable DTMF inband detection for codec G711a/u. Default is disabled. If you want to store it to the database you need to enable dtmf2db = yes
# enabling this to yes will cause slight CPU load because of decoding G711 to slinear and doing DTMF detection.
# you need to enable dtmf2db = yes
#inbanddtmf = no

# silence detection activates decoding audio for G.711ulaw/alaw only and based on audio energy stores silence vs. noise percentage ratio.
# CDR will have caller and called silence percent ratio which is useful for searching calls where silence is high (>80% etc.)
# another two values will be added into database which indicates how many seconds from the end of caller/called was silence detected which
# might indcate that caller or called suddenly get silence.
# default is no (enabling this activates DSP detector and G711 decoding which adds some CPU)
# 
# It also detects absolute silence frames which is treated as dropped packets providing MOS min/avg 
#silencedetect = yes

# silence threshold sets sensitivity of silence detection. Higher values increase sensitivity, lower values decrease sensitivity od silence detection.
# The number is between 1-32767
# default: 512
#silencethreshold = 512

# clipping detection counts number of G.711 alaw/ulaw clipped frames and stores number in milliseconds into cdr.caller_clipping_mul100
# and cdr.called_clipping_mult100. The number represents number of 8000hz frames with value 32124 for ULAW and value 32256 for ALAW delimited
# by number 100. Columns are tinyint with maximum value of 255 which represents 25500 or more clipped frames.
# Clipped frames are percieved by human as distortion.
# Enabling this have some performance impact decoding audio frames from ALAW/ULAW to SLIENAR. Default option is disabled.
#clippingdetect = no

# FAS (False Answer Supervision) detection. It detects the ring tones after call's connection. Enabling this have some performance impact.
# Default is no.
#fasdetect = no

# save-energylevels option will store average 16bit energy levels for every received RTP packet (data are gzipped). Values are stored into the cdr_rtp_energylevels table which will be automatically created.
# optionally if energylevelheader is set only calls with this header set will be stored to rtp_energylevel
# if save-energylevels is enabled G711 decoder has to be activated using more CPU 
# works only for G711 codec 
# example sql query to get result: 
# 	select
#	cdr_rtp_energylevels.*,
#	cdr_rtp.*,
#	if(cdr_rtp.flags & (1<<2), "caller", if(cdr_rtp.flags & (1<<3), "called", "unknown")) as direction
#	from cdr_rtp_energylevels
#	left join cdr_rtp on (cdr_rtp.cdr_id = cdr_rtp_energylevels.cdr_id and cdr_rtp.index = cdr_rtp_energylevels.index)
#	where cdr_rtp_energylevels.cdr_id = 2177862
#save-energylevels = yes 
#energylevelheader = X-energlvl
# energy levels are calculated using jitter buffer by default - empty frames counts as 0. If all jitterbuffers are disabled, energy levels are calculated without jitterbuffer and silence are not counted as zero. 
#save-energylevels-via-jb = no

# SIP-ALG detection. It may be used for the detection of the usage SIP-ALG on the routers/firewalls. (If the SIP client doesn't use public ip address.)
# Default is no.
#sipalg_detect = no


# save graph data for web GUI.
savegraph = yes

# if any of SIP message during the call contains header X-VoipMonitor-norecord call will be not converted to wav and pcap file will be deleted.
#norecord-header = yes

# if any of SIP message during the call contains DTMF INFO sequence "*0" call will be not converted to wav and pcap file will be deleted.
# default: disabled
#norecord-dtmf = yes

# enable pausing RTP/WAV recording if DTMF sequence detected.
# default: disabled
#pauserecordingdtmf = *9

# setting possible timeout between DTMFs for pauserecordingdtmf option default is 4 sec.
#pauserecordingdtmf_timeout = 4

# pause / unpause recording when SIP message "182 Queued avaya-cm-data" is received (disabled by default)
#182queuedpauserecording = no


# pause / unpause audio recording based on value of defined header (disabled by default)
# for pausing audio it is required value 'pause' inside defined header like (MyCustomPauseHeader: pause) inside any SIP packet
# any other value in this header will unpause recording (example - MyCustomPauseHeader: unpause)
#pauserecordingheader = MyCustomPauseHeader


# in case you need to have ethernet encapsulation and you are sniffing on interface = any set this to = yes.
# this is needed only in case you need to merge pcap files with different encapsulations. default is no
# convert_dlt_sll2en10 = no

# dump all packets to SPOOL/dump-[interface]-[UNIX_TIMESTAMP].pcap
#dumpallpackets = yes

# new spooldir schema stores all files to year-mon-day/hour/minute/[ALL|SIP|RTP|AUDIO] directories
# if you need to have the old schema year-mon-day/* enable spooldiroldschema = yes.
# enabling this feature disables cleanspool function and tar option
# default = no
#spooldiroldschema = no

########### cleaning spool directory  ####################

#cleanspool = yes

# since version 8 sniffer uses different cleaning mechanism which was developed to minimize I/O operations and it also finally brings more features
# each created file is indexed in SPOOLDIR/filesindex/ in hours interval and the file size is added to aggregation mysql table files. Cleaning
# procedure iterates through index files and unlink files without need to scan directories.

# cleaning procedure runs every 5 minutes and checks size or days according to following options. Rules are executed in this
# order. If you set maxpoolsize it will wipe out the oldest data every hour until the size is reached. maxpooldays keeps
# maximum number of data to set days. The same is for sip rtp and graph so you can keep sip pcaps longer than rtp pcaps.
# all options can be activated at once

# cleaning files can cause huge I/O from the mysql server. It is recommended to keep this default cleaning only between 1am - 5am (it is 24hour format)
# default is the whole day (0-24)
#cleanspool_enable_fromto = 1-5

# it is good to always have maxpoolsize = N where the N is maximum disk space you are willing to use by sniffer
# all size are in MB

#set default maxpoolsize to 100 GB (102400 MB)

maxpoolsize		= 102400
#maxpooldays		= 30

#maxpoolsipsize		=
#maxpoolsipdays		=

#maxpoolrtpsize		=
#maxpoolrtpdays		=

#maxpoolgraphsize	=
#maxpoolgraphdays	=

#maxpoolaudiosize	=
#maxpoolaudiodays	=


# cleaning secondary storage
maxpoolsize_2		= 102400
#maxpooldays_2		= 30

#maxpoolsipsize_2	=
#maxpoolsipdays_2	=

#maxpoolrtpsize_2	=
#maxpoolrtpdays_2	=

#maxpoolgraphsize_2	=
#maxpoolgraphdays_2	=

#maxpoolaudiosize_2	=
#maxpoolaudiodays_2	=

# clean files which are not indexed
# default is no
#maxpool_clean_obsolete = yes

#
# in case the space is below 1% and below 5GB (which is default threshold) reindexfiles procedure will be executed and cleaning will be restarted.
# in case this will not help the new maxpoolsize will be set to size of current spool directory and will keep free space MIN(1% freespace, 5GB)
# default is autoclean enabled, 1% free space or 5GB free space
#
autocleanspoolminpercent = 1
autocleanmingb = 5

#useful command to clean all RTP files older 7 days - this is not configuration option.
# find /var/spool/voipmonitor -maxdepth 1 -type d -mtime +7 -name '20*' | (while read d; do rm -rf $d/*/*/RTP; done)

########### end storing packets into pcap files ###############

# enable MOS score for G.729 codec. If enabled, all cdr with 0 packet loss and stable delays will have maximum MOS of 3.92
# and for loss and unstable delay MOS will be calculated according to ITU-T objective PESQ method for G.729 codec.
# if you want to use MOS as good search value which corellates loss and delay into single value leave it disabled (which is
# by default). If set to no, all calls will be calculated like it is G.711.
mos_g729 = no

# ITU-T P.862 PESQ
# mos_lqo feature tests prerecorded audio with the reference audio (mos_lqo_ref) - the audio should not be longer than specified by ITU-T (around 20-25 seconds) 
# it can NOT test real live calls 
# you need pesq binary with proper license (we do not provide the license for it, though it can be downloaded from ITU-T) 
mos_lqo = no
mos_lqo_bin = pesq
mos_lqo_ref = /usr/local/share/voipmonitor/audio/mos_lqe_original.wav
mos_lqo_ref16 = /usr/local/share/voipmonitor/audio/mos_lqe_original_16khz.wav


# enable saving dscp to cdr.dscp which is 32bit number. The first 8 bits are dscp (6bits) from SIP packets from caller. Next 8 bits
# are from SIP packets from called. Next 8 bits are from caller RTP and last 8 bits are from called RTP. If you enable this
# feature it will auto upgrade cdr table which can take long time depending on ammount of CDR in tables and I/O speed.
# default is disabled
dscp = yes

# if you want to update destination number when callee answer for case where multiple phones (hunt group) are called within the same
# SIP Call-ID enable this option which matches it based on 200 OK and SIP branch.
#update_dstnum_onanswer = no

# by default custom header (GUI -> settings -> CDR custom headers) is overwritten by last occurrence. if you need to keep the first occurence set this to no:
#custom_headers_last_value = yes

# enable saving content of custom header (typicaly in-reply-to) to cdr_next.match_header
# this header is used in related CDR GUI for matching legs to onen call
#matchheader = in-reply-to

# enable merging calls based on matching call-id. The idea is that the second leg with different call-id has in the first INVITE
# special header which has the call-id of the parent SIP call. The configuration option specifies name of that header
# if you want to not expose this header you can encrypt it with secret (XOR) and encode with base64encode. If callidmerge_secret
# is specified the header will be decoded with base64decode and XORed with this secret string
#callidmerge_header = Parent-Call-ID
#callidmerge_secret = yourSecretString


# enable merging calls based on alternative unique identificators. This feature was developed specifically for 
# Cisco CUCM but it can be applied to any other headers. 
# call_id_alternative configuration option is a list of SIP headers. Content of those headers are stripped by the ";" delimiter (if present) 
# example for Cisco CUCM (11.5) 
#call_id_alternative = Session-ID,Join


# save also port in domain user@domain:port default is to only save domain without port
# default is = no
#domainport = yes

# pcapcommand will run command after pcap file is closed (after call ends). %pcap% is substitution for real pcap file name.
# execution is guaranteed to run in serialized way.
# WARNING - pcapcommand is implemented by forking program which is very expensive and is causing TLB shootouts on multicore
# system which can generate 500 000 interrupts / sec causing system to drop packets. Watch the performance carefuly
# (with "vmstat 1" column "in").
#
#pcapcommand = echo %pcap% >> /tmp/list

# filtercommand will run command after each call which matches script == 1 in filter_ip or filter_telnum (capture rules in GUI)
# WARNING - filtercommand is implemented by forking program which is very expensive and is causing TLB shootouts on multicore system which can generate 500 000 interrupts / sec
# causing system to drop packets. Watch the performance carefuly (with "vmstat 1" column "in").
#
# all non alphanum characters except '/' '#' ' ' '+' ':' '-' '.' and '@' in callid, dirname, caller, called and calldate are substituted to '_'
#
#filtercommand = myscript '%callid%' '%dirname%' '%caller%' '%called%' '%calldate%'

# load capture rules from csv file - this file will be loaded first before mysql capture rules. First line has to contain columns name.
#capture_rules_telnum_file = capturerules.csv

# load capture rules of sip headers from csv file - this file will be loaded first before mysql capture rules. First line has to contain columns name.
#capture_rules_sip_header_file = capturerules_sip_header.csv

# if enabled CDRID:num will be printed to stdout on every CDR insert
#printinsertid = yes

# enable monitoring IP traffic
#ipaccount = no
#ipaccountport = 22
#ipaccountport = 80
#ipaccountport = 443

# if https failes when upgrading the sniffer try also http
#upgrade_try_http_if_https_fail = yes

# set http proxy in case you want to use upgrades initiated from the GUI
# curlproxy = http://192.168.0.1:8080

#-rpbsN:{file} for read packet in real speed (Read via Packet Buffer with speed N; N >= 1; 1 for real speed, 2 for speed x2 ...)

# if you want to disable activechecks for sniffer in a cloud mode set following option to 0 (default is 60 seconds)
#cloud_activecheck_period=60

##############################
### Tunneling port options ###
##############################
# set ports for tunneling protocols. Default ports are set so tunnel protocols are processed by default.
# You can disable this processing by setting port to zero value.

# set port for TZSP (TaZmen Sniffer Protocol used by Mikrotik). Default is 37008 (0x9090).
# udp_port_tzsp = 37008

# set port for Layer 2 Tunneling Protocol. Default is 1701.
# udp_port_l2tp = 1701

# set port for VXLAN. Default is 4789.
# udp_port_vxlan = 4789

# icmp_process_data enables the searching of the SIP data in the ICMP type 3
# default is no
# icmp_process_data = yes

# audiocodes mirroring support (disabled by default)
#audiocodes = yes
#udp_port_audiocodes = 925
#tcp_port_audiocodes = 925

#store IP from IPinIP / GRE to the database (default no) 
#save_ip_from_encaps_ipheader: yes/no
#save_ip_from_encaps_ipheader_only_gre: yes/no

#####################################
# kamailio mirroring using siptrace #
#####################################
#add this to the kamailio.cfg: 
#loadmodule "siptrace.so"
#modparam("siptrace", "trace_on", 1)
#modparam("siptrace", "duplicate_uri", "sip:10.0.0.1:5888")
#modparam("siptrace", "trace_to_database", 0)
#modparam("siptrace", "trace_mode", 4)
#modparam("siptrace", "xheaders_write", 1)
# then put  sip_trace(); in request_route and other routes in kamailio.cfg 

#this will send SIP packets with added X-Siptrace-Fromip, X-Siptrace-Toip, X-Siptrace-Time, X-Siptrace-Method, X-Siptrace-Dir to the specified IP and port 
#voipmonitor will remove those extra headers and will use it for constructing virtual UDP packet with the SIP data 
#this way you can send encrypted SIP packets within Kamailio 

# to enable receiving packets from kamailo siptrace module: 
# kamailio_dstip is the IP of the voipmonitor host, kamailio_srcip is IP of the kamailio server (not mandatory) 
#kamailio_port = 5888
#kamailio_dstip = 10.0.0.1
#kamailio_srcip = 10.0.0.2

###########################################
#database backup special mode

#database_backup_from_date = 2013-09-10
# if database_backup_to_date is not set then max id is taken
#database_backup_to_date = 2013-09-20
#database_backup_from_mysqlhost = 127.0.0.1
#database_backup_from_mysqldb = voipmonitor
#database_backup_from_mysqlusername = root
#database_backup_from_mysqlpassword = rootpwd
#database_backup_pause = 3
#database_backup_insert_threads = 3

# SSL/TLS settings
#database_backup_from_mysqlsslkey =
#database_backup_from_mysqlsslcert =
#database_backup_from_mysqlsslcacert =
#database_backup_from_mysqlsslcapath =
#database_backup_from_mysqlsslciphers =

#set maximum rows per backup cycle - default 10000
#database_backup_pass_rows = 10000

#sync cdr from the newest CDR id to the lowest. Default no (default is from the oldest)
#database_backup_desc_dir = no

#enable / disable register* tables backup - default no
#database_backup_skip_register = no

###########################################
# ss7

#ss7 = yes
#ss7_rudp_port = 7000