[Freeswitch-users] Q931 decoding Update
helmut.kuper at ewetel.de
Fri Jan 30 05:49:42 PST 2009
Today I uploaded the Q931-To-Pcap patch into openzap's trunk (r628). So
you can test it.
How to start Q931 to pcap ?
In FS just enter "oz q931_pcap <span_id> on [pcapfilename without
suffix]" to start logging q931 packets to pcap. It opens a file called
"q931.pcap" or "<yourname>.pcap". It is saved in FS's log directory.
<span_id> currently has no real effect on the command. It is only
used to make sure that you have at least one valid span configured.
Further, it is put into the 802.1q VLAN tag ID, which is displayed in
wireshark and tshark. Unfortunately I couldn't test it yet (on my side
it's always zero).
How to stop Q931 pcap?
Simply enter "oz q931_pcap <span_id> off" into the FS console. <span_id>
must be valid, but has no effect. A second way is to unload the openzap
module or shut down FS.
How are the packets saved?
All Q931 packets sent or received by any span are saved into one file.
To see from where to where the packets were sent, the FreeSWITCH side
is always marked with ethernet address "02:00:01:AA:AA:AA" and IP
Remote side is always marked with ethernet address "02:00:01:BB:BB:BB"
and IP address "188.8.131.52"
Span ID is intended to be put into VLAN ID, but this is currently not
sure. Maybe it's spanid-1 or always zero - I don't know.
The pcap timestamp starts with 0 and is increased by each q931 packet.
(Maybe a real timestamp is better here)
After each saved q931 packet, data is flushed into the pcap file. This is
needed for the small perl script below.
How to decode it with wireshark?
Get the pcap file from the FS log dir and send it via email, ftp or scp to
where you have wireshark running. Open it in wireshark. Current
wireshark decodes the stuff by default as "TPKT - Unknown TPDU type
(0x0)". Of course we have a TPKT packet, but wireshark is not able to
detect the Q931 packet by default. So just do a right click on such a
packet list entry, choose "decode as ..." and click on "do not decode".
You can also click on "Decode" and then choose the AIM or CFLOW protocol.
Yes, AIM is not really Q931 or TPKT, but it works... After applying, the
packets are decoded as wanted. The black color in the packet list marks
some little bugs in the TCP packet generated by this patch. E.g. the tcp
checksum is zero, but should be valid. I have code to calculate it, but
in my eyes it is an unnecessary load for FS.
How to decode it with tshark?
tshark allows us to decode pcap files right on the cli. To do so just enter
tshark -d tcp.port==102,aim -Rq931 -Ttext -V -r <pcap file>
aim is the protocol as which tshark should decode the tcp payload. Some
other protocols work too to get tcp's payload decoded as TPKT with
q931 (the so-called "Q931 over IP").
Unfortunately it decodes not just q931 but the whole overhead
(ethernet,ip,tcp,tpkt), so I built a perl script which extracts only
Q931 packets. For this script I have to flush each Q931 packet into the
pcap file, because this allows some kind of real-time decoding.
You have to start Q931ToPcap logging in FS first, then start the script.
You need to have tshark installed for this. The script has the pcap
filename incl. path as an optional argument. If not given, it uses the
default filename defined within the script. To stop the script press
Here is the script:
$cmd="tail -n +0 -f ".$filename." | tshark -d tcp.port==102,aim -Rq931 -Ttext -V -i - 2>&1|";
if($line=~/^Frame ([0-9]+) \(/)
elsif($line=~/802.1Q Virtual LAN, PRI: 7, CFI: 0, ID: ([0-9]+)/i)
elsif($line eq "Q.931")
if($display == 1)
printf("-- $mode Packet number: %05i --- SpanID: %i ----------------\n", $number, $spanid);
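Added example, not part of the original post or of the openzap patch: a Python reader that pulls direction, span ID and the raw Q.931 octets straight out of such a capture without tshark, and stops cleanly at a record that is still being flushed. It assumes each frame is laid out as Ethernet, 802.1Q tag, IPv4, TCP port 102, TPKT, Q.931; the function names, the zeroed IP addresses and the sample capture are constructed for illustration.

```python
import struct

FS_MAC = bytes.fromhex("020001aaaaaa")      # FreeSWITCH side (address from the post)
REMOTE_MAC = bytes.fromhex("020001bbbbbb")  # remote side (address from the post)

def read_pcap(data):
    """Yield frames from a classic pcap byte string; stop at a half-written record."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "I", data[pos + 8:pos + 12])[0]
        if pos + 16 + incl > len(data):
            break  # last record not fully flushed by the writer yet
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def parse_frame(frame):
    """Return (direction, span_id, q931_bytes), or None if the layout does not match."""
    if len(frame) < 62:  # Ethernet+VLAN 18, IPv4 20, TCP 20, TPKT 4
        return None
    tpid, tci, etype = struct.unpack("!HHH", frame[12:18])
    ip = frame[18:]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if (tpid, etype, ip[0] >> 4, ip[9]) != (0x8100, 0x0800, 4, 6) or len(tcp) < 20:
        return None
    tpkt = tcp[(tcp[12] >> 4) * 4:]
    length = struct.unpack("!H", tpkt[2:4])[0] if len(tpkt) >= 4 else 0
    if 102 not in struct.unpack("!HH", tcp[:4]) or tpkt[:1] != b"\x03" or not 4 <= length <= len(tpkt):
        return None
    direction = {FS_MAC: "sent", REMOTE_MAC: "received"}.get(frame[6:12], "unknown")
    return direction, tci & 0x0FFF, tpkt[4:length]  # VLAN ID carries the span ID

def build_sample():
    """Constructed capture: a SETUP sent and a CONNECT received, both tagged span 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    msgs = [(FS_MAC, REMOTE_MAC, b"\x08\x02\x00\x01\x05"), (REMOTE_MAC, FS_MAC, b"\x08\x02\x80\x01\x07")]
    for n, (src, dst, q931) in enumerate(msgs):
        tpkt = struct.pack("!BBH", 3, 0, 4 + len(q931)) + q931
        tcp = struct.pack("!HHIIBBHHH", 102, 102, 0, 0, 5 << 4, 0x18, 8192, 0, 0)  # checksum 0
        ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 40 + len(tpkt), 0, 0, 64, 6, 0)   # zeroed addresses
        frame = dst + src + struct.pack("!HHH", 0x8100, (7 << 13) | 1, 0x0800) + ip + tcp + tpkt
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame  # timestamp counts packets
    return out

def decode(data):
    return [(d, span, q.hex()) for d, span, q in filter(None, map(parse_frame, read_pcap(data)))]
```

Calling decode() on the bytes of a real capture file returns one tuple per Q.931 packet; frames that do not match the assumed layout are skipped rather than guessed at.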