Sniffing modes
Revision as of 14:14, 13 June 2017
Linux host
You can install or compile the VoIPmonitor binary directly on a Linux PBX or SBC/SIP server. This requires no additional hardware and no changes to the network topology. The only downside is that voipmonitor consumes resources on that host (RAM, CPU and disk I/O), which can affect the whole system. If sharing hardware with voipmonitor is not acceptable, the second common option is port mirroring.
Hardware port mirroring
Port mirroring is used on a network switch to send a copy of the packets seen on one switch port (or an entire VLAN) to a monitoring connection on another switch port, in this case the dedicated voipmonitor Linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches, or simply port mirroring.
With hardware mirroring you usually need an additional Ethernet port. The sniffer is configured to use this port (interface=eth1) and automatically puts the interface into promiscuous mode. If you need to receive mirrored traffic on more than one Ethernet port, set interface=any in voipmonitor.conf, which captures on all interfaces, but then you must put each Ethernet interface into promiscuous mode manually:
ifconfig eth1 promisc
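Enabling promiscuous mode on the mirror interfaces and verifying that it actually took effect, as an added example for the interface=any case above (this is not VoIPmonitor's own code). It uses ip(8) rather than the deprecated ifconfig and reads the interface flags from sysfs to confirm the IFF_PROMISC bit, instead of trusting the exit status of the command; the interface names are whatever you pass on the command line, and the script assumes Linux with iproute2 and root privileges.

```shell
#!/bin/sh
# Added example, not part of VoIPmonitor: put mirror interfaces into promiscuous
# mode with ip(8) and verify it by reading the kernel's interface flags.
# Assumptions: Linux with iproute2 and sysfs; run as root.

IFF_PROMISC=256   # 0x100 in <linux/if.h>

# flags_have_promisc HEXFLAGS -> 0 if the IFF_PROMISC bit is set in HEXFLAGS
# (the format of /sys/class/net/DEV/flags, e.g. 0x1103 = up,broadcast,promisc,multicast).
flags_have_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# iface_is_promisc DEV -> 0 if DEV is currently promiscuous, 2 if DEV does not exist.
iface_is_promisc() {
    [ -r "/sys/class/net/$1/flags" ] || return 2
    flags_have_promisc "$(cat "/sys/class/net/$1/flags")"
}

# enable_promisc DEV... -> enable promiscuous mode on each DEV and verify it;
# returns 1 if any interface failed.
enable_promisc() {
    rc=0
    for dev in "$@"; do
        # interface=any also covers lo, but there is nothing mirrored there
        if [ "$dev" = lo ]; then continue; fi
        ip link set dev "$dev" promisc on || { echo "$dev: ip link failed" >&2; rc=1; continue; }
        if iface_is_promisc "$dev"; then
            echo "$dev: promiscuous mode on"
        else
            echo "$dev: promiscuous mode NOT set (check the driver or the virtualization layer)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh promisc.sh eth1 eth2
#    or: sh promisc.sh $(ls /sys/class/net)   # everything except lo, for interface=any
if [ $# -gt 0 ]; then enable_promisc "$@"; fi
```

The promiscuous flag set this way is not persistent across reboots, so run the script from the interface's post-up hook or a systemd unit. On a virtualized sensor the guest flag alone is not enough: the hypervisor's virtual switch must also permit promiscuous mode on that port, otherwise the mirrored frames never reach the interface even though the flag reads as set.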
Software packet mirroring
All in one
If the sensor is installed on the same server as MySQL and the GUI, you do not need to configure sensors in the GUI. The GUI reads PCAP files directly from the local file system, and the database is reached over a localhost MySQL connection.
Multiple remote sensors one DB/GUI server
Note: the terms sensor and sniffer are used interchangeably.
Sensors can be configured in two ways: either the remote sensor mirrors all packets to the central sensor, or the remote sensor processes packets itself and sends only CDRs to the central sensor, which is connected to the database (pcap files then stay on local storage on the remote sensor).
Standard remote sniffer
A remote sensor in standard mode processes all packets itself, stores CDRs in the database and keeps pcap files on its local disk. This setup generates minimal traffic between the sensor and the remote database (only CDRs are sent).
Since version 20.0 there is a new encrypted and compressed TCP protocol between sniffers. Here is a minimal voipmonitor configuration that leaves all other options at their defaults (they can be changed).
What you need to configure on remote sniffer:
edit file /etc/voipmonitor.conf
id_sensor = unique_number # must be < 65535
server_destination = serverip
server_destination_port = 60024 #can be any port
server_password = somepassword
This example configuration processes packets locally and sends only CDRs to the server.
Mirroring remote sniffer
If you want to mirror all packets instead (so that the remote sniffer uses little CPU and memory), include the options shown above (server_destination and server_destination_port) and add one more option:
packetbuffer_sender = yes
What you need to configure on server
edit file /etc/voipmonitor.conf
server_bind = 0.0.0.0 #this will listen on all IPs
server_bind_port = 60024
server_password = somepassword
#do not forget to configure mysql* options
What you should see in GUI
The GUI will automatically add sensors in Main menu -> Settings -> Sensors. The advantage of this new protocol is that remote sniffers can be used behind NAT: the GUI communicates with remote sniffers over the TCP protocol, and the protocol is encrypted and compressed.
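A pre-deployment check that the remote sniffer configuration and the server configuration above actually agree, as an added example (not VoIPmonitor project code). It parses the voipmonitor.conf options shown on this page and fails if id_sensor is not a number below 65535, if the sensor's destination port differs from the server's bind port, if server_password differs between the two files or is still a placeholder such as somepassword, and it warns when server_bind = 0.0.0.0 since that listens on every address. The addresses and secret in the self-test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not VoIPmonitor project code: check that a remote sensor's
# voipmonitor.conf and the central server's voipmonitor.conf are consistent
# before deploying them. Only the options shown on this page are checked.

# conf_get FILE KEY -> value of the first "KEY = value" line, with the trailing
# "# comment" removed; prints nothing if KEY is absent. (A '#' inside a value
# would be cut off here, so avoid '#' in server_password.)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//'
}

# check_pair SENSOR_CONF SERVER_CONF -> 0 if consistent, 1 otherwise (reasons on stderr).
check_pair() {
    rc=0
    id=$(conf_get "$1" id_sensor)
    dest=$(conf_get "$1" server_destination)
    dport=$(conf_get "$1" server_destination_port)
    spass=$(conf_get "$1" server_password)
    bind=$(conf_get "$2" server_bind)
    bport=$(conf_get "$2" server_bind_port)
    vpass=$(conf_get "$2" server_password)

    case $id in
        ''|*[!0-9]*) echo "sensor: id_sensor '$id' is not a number" >&2; rc=1 ;;
        *) [ "$id" -lt 65535 ] || { echo "sensor: id_sensor $id must be < 65535" >&2; rc=1; } ;;
    esac
    [ -n "$dest" ] || { echo "sensor: server_destination is not set" >&2; rc=1; }
    [ -n "$bind" ] || { echo "server: server_bind is not set" >&2; rc=1; }
    if [ -z "$dport" ] || [ "$dport" != "$bport" ]; then
        echo "port mismatch: sensor sends to '${dport:-unset}', server listens on '${bport:-unset}'" >&2; rc=1
    fi
    if [ -z "$spass" ] || [ "$spass" != "$vpass" ]; then
        echo "server_password is empty or differs between sensor and server" >&2; rc=1
    fi
    case $spass in
        somepassword|password|secret|'') echo "server_password is a placeholder; use a long random secret" >&2; rc=1 ;;
    esac
    [ "$bind" != "0.0.0.0" ] || echo "note: server listens on all addresses; restrict port $bport to the sensors' IPs in the firewall" >&2
    return $rc
}

# selftest -> 0 if a matching pair passes and a broken sensor config is rejected.
# The three files are constructed samples (documentation addresses, example secret).
selftest() {
    d=$(mktemp -d) || return 1
    cat > "$d/sensor.conf" <<'EOF'
id_sensor = 12 # must be < 65535
server_destination = 192.0.2.10
server_destination_port = 60024 #can be any port
server_password = k9Vq-EXAMPLE-only-not-for-production
EOF
    cat > "$d/server.conf" <<'EOF'
server_bind = 0.0.0.0 #this will listen on all IPs
server_bind_port = 60024
server_password = k9Vq-EXAMPLE-only-not-for-production
EOF
    cat > "$d/bad.conf" <<'EOF'
id_sensor = 70000
server_destination = 192.0.2.10
server_destination_port = 60025
server_password = somepassword
EOF
    ok=0
    check_pair "$d/sensor.conf" "$d/server.conf" 2>/dev/null || ok=1
    if check_pair "$d/bad.conf" "$d/server.conf" 2>/dev/null; then ok=1; fi
    rm -rf "$d"
    return $ok
}

# Usage: sh check_conf.sh /path/to/sensor/voipmonitor.conf /path/to/server/voipmonitor.conf
if [ $# -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it with the two files before restarting the services; the placeholder check exists because the page's example value somepassword is the kind of secret that ends up in production unchanged, and the shared password is the only thing authenticating a sensor to the server on that listening port.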
Moving pcap files
Here the VoIPmonitor sniffer runs directly on the Asterisk PBX, stores pcap files in /var/spool/voipmonitor and moves them to /mnt/ssh, which is a mount of /var/spool/voipmonitor on the central web GUI server. You can use sshfs to mount the remote directory over SSH:
sshfs root@guiserverIP:/var/spool/voipmonitor /mnt/ssh
In voipmonitor.conf on the Asterisk PBX set:
cachedir = /var/spool/voipmonitor
spooldir = /mnt/ssh
(cachedir can also be /dev/shm, which is a ramdisk, to save some I/O)
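A watchdog for the sshfs spool mount described above, as an added example (not VoIPmonitor project code). The failure mode it guards against: if the SSH session drops or the GUI server reboots, /mnt/ssh silently becomes an ordinary empty directory on the PBX, the sniffer keeps moving pcap files into it, and the GUI never sees them. Checking that a fuse.sshfs entry exists in /proc/mounts catches that, while a plain directory test would not. The remote path is the one from the page; the key file path is an assumption, and the mount table in the self-test is a constructed sample.

```shell
#!/bin/sh
# Added example, not VoIPmonitor project code: keep the sshfs spool mount alive
# by checking the kernel mount table and remounting when it is gone.
# Assumptions: run as root from cron or a systemd timer; KEY is a dedicated key.

REMOTE=${REMOTE:-root@guiserverIP:/var/spool/voipmonitor}
MOUNTPOINT=${MOUNTPOINT:-/mnt/ssh}
KEY=${KEY:-/root/.ssh/voipmonitor_spool}   # assumed path; restrict it on the GUI side

# mounted_sshfs MOUNTPOINT [MOUNTS_FILE] -> 0 if an sshfs (fuse.sshfs) mount is
# active at MOUNTPOINT according to /proc/mounts (or MOUNTS_FILE, for testing).
mounted_sshfs() {
    awk -v mp="$1" '$2 == mp && $3 == "fuse.sshfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# ensure_mount -> 0 if the spool mount is (now) active; remounts if needed.
ensure_mount() {
    if mounted_sshfs "$MOUNTPOINT"; then
        return 0
    fi
    mkdir -p "$MOUNTPOINT"
    # reconnect + ssh keepalives re-establish a dropped session instead of leaving
    # a dead mount; IdentityFile is passed through by sshfs to ssh.
    sshfs -o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,IdentityFile="$KEY" \
          "$REMOTE" "$MOUNTPOINT" || return 1
    mounted_sshfs "$MOUNTPOINT"
}

# selftest -> 0 if mounted_sshfs reads a constructed mount table correctly.
selftest() {
    t=$(mktemp) || return 1
    # Constructed /proc/mounts excerpt: ext4 root, the spool mount, another sshfs mount.
    cat > "$t" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
root@guiserverIP:/var/spool/voipmonitor /mnt/ssh fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
root@other:/data /mnt/other fuse.sshfs rw,relatime 0 0
EOF
    ok=0
    mounted_sshfs /mnt/ssh "$t" || ok=1
    if mounted_sshfs /mnt/gone "$t"; then ok=1; fi
    if mounted_sshfs / "$t"; then ok=1; fi        # ext4, not sshfs
    rm -f "$t"
    return $ok
}

# Usage: sh spool_mount.sh --check   (e.g. every minute from cron)
if [ "${1:-}" = "--check" ]; then ensure_mount; fi
```

Mounting as root@guiserverIP, as the page shows, hands the PBX a root login on the GUI server; in practice use a dedicated unprivileged account on the GUI side that owns /var/spool/voipmonitor and a key used only for this mount.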
Cloud mode
In cloud mode the voipmonitor sniffer analyzes all packets locally and sends only the completed CDR record (around 2 kB per CDR) over an encrypted HTTPS channel to the voipmonitor cloud. SIP and RTP packets are stored on the local hard drive (if packet storage is enabled in the sniffer configuration), so they are not sent over the network to the cloud. The cloud downloads them from the sniffer only on demand, when a user requests a pcap file.