Sniffing modes: Difference between revisions

From VoIPmonitor.org
Revision as of 10:22, 14 September 2017

Linux host

You can install or compile the VoIPmonitor binary directly on a Linux PBX or SBC/SIP server. This requires no additional hardware and no changes to the network topology. The only downside is that voipmonitor consumes hardware resources (RAM, CPU and I/O), which can affect the whole system. If sharing hardware with voipmonitor is not acceptable, the second common use case is port mirroring.

Hardware port mirroring

Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a monitoring connection on another switch port, which in this case is the dedicated voipmonitor Linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches, or simply port mirroring.

With hardware mirroring you usually need an additional Ethernet port. The sniffer is configured to use this port (interface=eth1) and automatically puts the interface into promiscuous mode. If you need to receive mirrored traffic on more than one Ethernet port, set interface=any in voipmonitor.conf, which enables sniffing on all interfaces; in that case you must put each Ethernet interface into promiscuous mode manually:

ifconfig eth1 promisc

Software packet mirroring

All in one

If the sensor is installed on the same server as MySQL and the GUI, you do not need to configure sensors in the GUI. The GUI reads PCAP files directly from the local file system and connects to the MySQL database via localhost.

Multiple remote sensors one DB/GUI server

Note: the terms sensor and sniffer are used interchangeably below.

Sensors can be configured in two ways: either the remote sensor mirrors all packets to a central sensor, or the remote sensor processes packets itself and sends only CDRs to the central sensor that is connected to the database (keeping pcap files on local storage on the remote sensor).

Standard remote sniffer

A remote sensor in standard mode processes all packets and stores CDRs in the database, keeping pcap files on the local disk. This setup generates minimal traffic between the sensor and the remote database (it sends only CDRs). The GUI needs direct access to the sensor's management IP/port (to get stats, pcaps, etc.). The sensor is NOT automatically created in the GUI.

Client/server (aka sender/receiver aka remote/central) remote sniffers

The sensors can sniff packets on one host and process them on another host. There are two modes: the old mode (kept for compatibility; existing users should migrate to the new one over time) and the new mode (since version 20.0; new users should use this one). All voipmonitor configuration examples are minimal and leave all other options at their defaults (which can be changed). Do not mix old and new modes in one environment.

OLD client/server (aka remote/central) sensor mode

  • uses two types of sensors: server/central and client/remote
  • uses mirror_* directives in configuration
  • server and client must have the same time

client/remote sensor

  • sniffs data, does NOT process it
  • no local storage
  • sends data to the server/central node
  • no SQL configuration needed
  • management port needs to be accessible from the GUI
  • sensor is NOT created automatically in the GUI/DB
  • GUI communicates with the sensor directly via the management port

voipmonitor.conf:

#change this number on each remote sniffer to a unique number
id_sensor                       = 1
#change this to the interface on which you need to intercept traffic
interface                       = eth0
#up to 2000 MB; see the scaling section of the documentation for more about ringbuffer
ringbuffer                      = 200
packetbuffer_enable             = yes
#in MB
max_buffer_mem                  = 2000
#enable compression
packetbuffer_compress           = yes
packetbuffer_compress_ratio     = 100
#this is the address of your dedicated server (central sniffer - mirroring receiver)
mirror_destination_ip           = 192.168.0.1
mirror_destination_port         = 5030

server/central sensor

  • has direct access to SQL
  • has local storage
  • receives sniffed data from clients, processes it, saves CDRs to SQL and stores pcaps in the local spooldir
  • management port needs to be accessible from the GUI
  • sensor is NOT created automatically in the GUI/DB
  • GUI communicates with the sensor directly via the management port

voipmonitor.conf:

#do not forget to configure the mysql* options
#bind to an IP address of the central server that is reachable from the remote sniffers (0.0.0.0 listens on all IPs)
mirror_bind_ip               = 0.0.0.0
mirror_bind_port             = 5030

NEW client/server (aka remote/central) sensor mode (from version 20.x)

  • uses two types of sensors: server/central and client/remote
  • uses server_* directives in configuration
  • server and client must have the same time

client/remote sensor

  • sniffs packets
  • packet processing depends on the packetbuffer_sender directive: no means packets are processed locally, yes means they are sent to the server sensor
  • local storage depends on the packetbuffer_sender directive: no means pcaps are stored locally, yes means packets are sent to the server sensor
  • no SQL configuration needed, because SQL commands are sent to the server sensor
  • management port does NOT need to be accessible from the GUI
  • sensor IS created automatically in the GUI/DB (by the server sensor)
  • GUI communicates with the sensor via the server sensor
  • communication with the server sensor is encrypted and compressed

voipmonitor.conf:

# this example configuration processes packets locally and sends only CDRs to the server
id_sensor = unique_number # must be < 65535
server_destination = serverip
server_destination_port = 60024 #can be any port
server_password = somepassword

#if you want to mirror all packets instead (so the remote sniffer uses little CPU and memory), add one more option:

# packetbuffer_sender = yes

server/central sensor

  • has direct access to SQL
  • has local storage
  • when clients send sniffed data, processes it, saves CDRs to SQL and stores pcaps in the local spooldir
  • receives SQL commands from clients and forwards them to the SQL server (proxy for the clients' SQL commands)
  • management port needs to be accessible from the GUI
  • sensor is NOT created automatically in the GUI/DB
  • GUI communicates with the sensor directly via the management port
  • serves as a proxy between the GUI and client sensors for management commands
  • only one server sensor per environment is supported for now

voipmonitor.conf:

server_bind = 0.0.0.0 #this will listen on all IPs
server_bind_port = 60024
server_password = somepassword
#do not forget to configure the mysql* options
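A configuration check for the two client/server modes above (old mirror_* and new server_*), added here as an example; it is not part of VoIPmonitor. It parses the conf format shown on this page and flags a setup that mixes both modes, a client without a valid id_sensor, the documentation placeholder password, and a server bound to all IPs. The sample configs are constructed.

```python
"""Lint a voipmonitor.conf sensor configuration against the mode rules documented above."""

# Directives that identify the old (mirror_*) and new (server_*) client/server modes.
OLD_MODE = {"mirror_destination_ip", "mirror_destination_port",
            "mirror_bind_ip", "mirror_bind_port"}
NEW_MODE = {"server_destination", "server_destination_port",
            "server_bind", "server_bind_port"}
PLACEHOLDER_PASSWORD = "somepassword"  # value used in the documentation examples

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, also inline after a value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf

def lint_conf(text):
    """Return a list of findings; an empty list means the config follows the rules above."""
    conf = parse_conf(text)
    keys = set(conf)
    findings = []
    if keys & OLD_MODE and keys & NEW_MODE:
        findings.append("mixed old (mirror_*) and new (server_*) mode directives")
    # A client sensor is one that points at a server (either mode); it needs id_sensor.
    if keys & {"server_destination", "mirror_destination_ip"}:
        sid = conf.get("id_sensor", "")
        if not (sid.isdigit() and 0 < int(sid) < 65535):
            findings.append("client sensor needs a unique numeric id_sensor below 65535")
    if keys & NEW_MODE and conf.get("server_password", "") in ("", PLACEHOLDER_PASSWORD):
        findings.append("server_password is empty or still the documentation placeholder")
    if conf.get("server_bind") == "0.0.0.0":
        findings.append("server_bind = 0.0.0.0 listens on all IPs; bind to the address remote sensors reach if possible")
    return findings

# Constructed sample configs (hypothetical addresses, not from a real deployment).
CLIENT_NEW = """
id_sensor = 7
server_destination = 10.20.30.40
server_destination_port = 60024 #can be any port
server_password = Xk9-long-random-secret
"""
MIXED = """
id_sensor = 70000
server_destination = 10.20.30.40
mirror_destination_ip = 10.20.30.40
mirror_destination_port = 5030
"""

if __name__ == "__main__":
    for name, cfg in (("client-new", CLIENT_NEW), ("mixed", MIXED)):
        print(name, lint_conf(cfg) or ["ok"])
```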
