Sniffing modes
Revision as of 15:52, 31 October 2017
Linux host
You can install or compile the VoIPmonitor binary directly on a Linux PBX or SBC/SIP server. This requires no additional hardware and no changes to the network topology. The only downside is that voipmonitor consumes hardware resources (RAM, CPU and I/O) on the shared host, which can affect the whole system. If sharing hardware with voipmonitor is not acceptable, the second common use case is port mirroring.
Hardware port mirroring
Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port, i.e. to the dedicated voipmonitor Linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); other vendors use other names for it, such as Roving Analysis Port (RAP) on 3Com switches, or simply port mirroring.
With hardware mirroring you usually need an additional Ethernet port. The sniffer is configured to use this port (interface=eth1) and automatically puts that interface into promiscuous mode. If you need to sniff on more than one Ethernet port, set interface=any in voipmonitor.conf, which captures on all interfaces, but then you must put each Ethernet interface into promiscuous mode manually (this setting is not persistent across reboots, so repeat it from a boot script):
ifconfig eth1 promisc
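Because the sniffer does not toggle promiscuous mode itself when interface=any is used, it is worth verifying the state after boot. The following script is an added example, not part of the VoIPmonitor wiki or project: it reads the kernel flag bitmask of every interface from /sys/class/net/<iface>/flags (IFF_PROMISC is bit 0x100, as in <linux/if.h>), reports non-loopback interfaces that are not promiscuous, and with --fix enables the mode via `ip link set`, which is the modern equivalent of the ifconfig command above. The sysfs path and the --fix flag are this example's assumptions.

```python
"""Report (and optionally enable) promiscuous mode on Linux interfaces.

Added example, not VoIPmonitor code. Run as root with --fix to enable the mode
on every interface that lacks it; without --fix it only reports.
"""
import os
import subprocess
import sys

IFF_LOOPBACK = 0x8    # from <linux/if.h>
IFF_PROMISC = 0x100   # from <linux/if.h>


def is_promisc(flags_hex: str) -> bool:
    """flags_hex is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def non_promisc(flags_by_iface: dict) -> list:
    """Return the sorted names of non-loopback interfaces that lack IFF_PROMISC."""
    missing = []
    for name, flags_hex in flags_by_iface.items():
        flags = int(flags_hex.strip(), 16)
        if flags & IFF_LOOPBACK:
            continue  # lo never needs promiscuous mode
        if not flags & IFF_PROMISC:
            missing.append(name)
    return sorted(missing)


def read_sysfs_flags(root: str = "/sys/class/net") -> dict:
    """Collect the flags file of every interface below root (assumed sysfs layout)."""
    result = {}
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue  # e.g. a bonding master without a flags file
    return result


def set_promisc(name: str) -> None:
    """Enable promiscuous mode with iproute2; needs root and is not persistent."""
    subprocess.run(["ip", "link", "set", "dev", name, "promisc", "on"], check=True)


if __name__ == "__main__":
    fix = "--fix" in sys.argv[1:]
    missing = non_promisc(read_sysfs_flags())
    for iface in missing:
        print(f"{iface}: not in promiscuous mode")
        if fix:
            set_promisc(iface)
    if not missing:
        print("all non-loopback interfaces are in promiscuous mode")
```

Call it from the same boot script that brings up the mirror ports, so a reboot cannot silently leave interface=any capturing only the traffic addressed to the host itself.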
Software packet mirroring
All in one
If the sensor is installed on the same server as MySQL and the GUI, you do not need to configure sensors in the GUI. The GUI reads the PCAP files directly from the local file system, and the database is reached over the localhost MySQL connection.
Multiple remote sensors one DB/GUI server
Note: the terms sensor and sniffer are used interchangeably below.
Sensors can be configured in two ways: either the remote sensor mirrors all packets to the central sensor, or the remote sensor processes the packets itself and only sends CDRs to the central sensor, which is connected to the database (the pcap files then stay on the local storage of the remote sensors).
Standard remote sniffer
A remote sensor in standard mode processes all packets, stores CDRs in the database and keeps the pcap files on its local disk. This setup generates minimal traffic between the sensor and the remote database (only CDRs are sent). The GUI needs direct access to the sensor's management IP/port (to get stats, pcaps, etc.), so that port must be reachable from the GUI host and should not be exposed any further. The sensor is NOT automatically created in the GUI.
Client/server (aka sender/receiver aka remote/central) remote sniffers
The sensors can sniff packets on one host and process them on another. There are two modes: the old mode (kept for compatibility; existing users should migrate to the new one over time) and the new mode (since version 20.0; new users should use this one). All voipmonitor configuration examples below are minimal and leave every other option at its default (which can be changed). Do not mix the old and new modes in one environment.
OLD client/server (aka remote/central) sensor mode
- uses two types of sensors: server/central and client/remote
- uses mirror_* directives in configuration
- server and client must have the same time
client/remote sensor
- sniffs data, does NO processing of it
- no local storage
- sends the data to the server/central node
- no SQL configuration needed
- management port needs to be accessible from the GUI
- sensor is NOT created automatically in the GUI/DB
- GUI communicates with the sensor directly via the management port
voipmonitor.conf:
#change this number on each remote sniffer to a unique number
id_sensor = 1
#change this to the correct interface where you need to intercept traffic
interface = eth0
#up to 2000MB, more reading about ringbuffer in the scaling section of the doc
ringbuffer = 200
packetbuffer_enable = yes
#in MB
max_buffer_mem = 2000
packetbuffer_compress = yes
#enable compression
packetbuffer_compress_ratio = 100
#this is the address of your dedicated server (central sniffer - mirroring receiver)
mirror_destination_ip = 192.168.0.1
mirror_destination_port = 5030
server/central sensor
- has direct access to SQL
- has local storage
- receives the sniffed data from the clients, processes it, saves CDRs to SQL and stores pcaps in the local spooldir
- management port needs to be accessible from the GUI
- sensor is NOT created automatically in the GUI/DB
- GUI communicates with the sensor directly via the management port
voipmonitor.conf:
#do not forget to configure the mysql* options
#set here the IP address of the central server which is accessible from the remote sniffers
mirror_bind_ip = 0.0.0.0
mirror_bind_port = 5030
NEW client/server (aka remote/central) sensor mode
- prerequisite: GNU/GPL sniffer version 20 or newer on both ends
- has two types of sensors: server (central) and client (remote)
- uses the server_* options in voipmonitor.conf
- server and client must have the same time (use NTP on both the server and the client, otherwise the connection from the remote is refused)
Remote sniffers can operate in two ways:
- packets are sniffed and processed on the remote sniffer (which uses its CPU/memory); it sends CDRs to the central sniffer and stores the pcap files on its local storage,
- OR packets are sniffed and sent to the central sniffer, which processes them (this uses little CPU/memory on the remote but more network throughput).
This is controlled by the packetbuffer_sender option ("yes" sends the packets to the central sniffer).
- MySQL configuration is set only in the server (central) configuration.
- The server (central) sniffer communicates with the remote sniffers over a TCP connection. The client connects to the server, so the client can be behind a firewall/NAT; only the server's server_bind_port must be reachable from the clients.
- The GUI communicates ONLY with the central server. If the GUI wants a pcap from a remote sniffer it requests it from the central sniffer, which contacts the client sniffer (so there is no direct TCP connection from the GUI to the client sniffers).
- Remote sensors are populated in the GUI configuration automatically once the remote sniffer connects to the central sniffer.
- The connection between client and server uses strong encryption (DH key exchange / AES cipher) with compression. The server_password configured on both ends is the shared secret of that connection, so treat it as a credential: use a long random value instead of the placeholder from the examples, and keep voipmonitor.conf readable only by root.
client(remote) sensor configuration
# this example configuration processes packets locally and sends only CDRs to the server
id_sensor = unique_number # must be < 65535
server_destination = serverip
server_destination_port = 60024 #must be the same as server_bind_port on the central server
server_password = somepassword
#if you want to mirror all packets instead (so the remote sniffer uses little CPU and memory and NO local storage) add one more option:
packetbuffer_sender = yes
server(central) sensor configuration
server_bind = 0.0.0.0 #this will listen on all IPs
server_bind_port = 60024
server_password = somepassword
#do not forget to configure the mysql* options
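The old-mode (mirror_*) and new-mode (server_*) sections above state several rules that are easy to break when many voipmonitor.conf files are maintained by hand: modes must not be mixed in one environment, id_sensor must be unique and below 65535, the client's server_destination_port (or mirror_destination_port) must match the central's bind port, the server_password must match on both ends, and a client with packetbuffer_sender = yes does no local processing and therefore needs no mysql* options. The linter below is an added example, not VoIPmonitor's own tooling; it parses the "key = value" syntax with '#' comments used in the examples above and reports violations of those rules, plus two hardening warnings (bind on 0.0.0.0, placeholder password). The option name mysqlhost, the placeholder list and the sample configurations are this example's assumptions.

```python
"""Lint a central voipmonitor.conf and its remote sensors' configs for the
client/server rules on this page. Added example, not VoIPmonitor code."""
import re
import sys

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
PLACEHOLDERS = {"somepassword", "password", "changeme"}  # assumed weak defaults


def parse_conf(text: str) -> dict:
    """Return {key: value} from a voipmonitor.conf body; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments like 'x = 1 #note'
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def mode_of(conf: dict) -> str:
    """'old' for mirror_* options, 'new' for server_*, 'mixed' if both, else 'standalone'."""
    old = any(k.startswith("mirror_") for k in conf)
    new = any(k.startswith("server_") for k in conf)
    return "mixed" if old and new else "old" if old else "new" if new else "standalone"


def lint(central: dict, clients: dict) -> list:
    """Return 'who: problem' strings for one central sensor and its named clients."""
    problems = []
    modes = {name: mode_of(c) for name, c in {"central": central, **clients}.items()}
    if "mixed" in modes.values() or len(set(modes.values()) - {"standalone"}) > 1:
        problems.append(f"environment: old and new modes mixed ({modes})")
    if not any(k.startswith("mysql") for k in central):
        problems.append("central: no mysql* options configured")
    for key in ("server_bind", "mirror_bind_ip"):
        if central.get(key) == "0.0.0.0":
            problems.append(f"central: {key} listens on all addresses; restrict with a firewall")
    if central.get("server_password") in PLACEHOLDERS:
        problems.append("central: server_password is a placeholder value")

    seen_ids = {}
    for name, c in clients.items():
        sid = c.get("id_sensor", "")
        if not sid.isdigit() or int(sid) >= 65535:
            problems.append(f"{name}: id_sensor must be a number < 65535")
        elif sid in seen_ids:
            problems.append(f"{name}: id_sensor {sid} already used by {seen_ids[sid]}")
        else:
            seen_ids[sid] = name
        if modes[name] == "new":
            if c.get("server_destination_port") != central.get("server_bind_port"):
                problems.append(f"{name}: server_destination_port != central server_bind_port")
            if c.get("server_password") != central.get("server_password"):
                problems.append(f"{name}: server_password does not match central")
            if c.get("packetbuffer_sender") == "yes" and any(k.startswith("mysql") for k in c):
                problems.append(f"{name}: packetbuffer_sender=yes but mysql* options present")
        elif modes[name] == "old":
            if c.get("mirror_destination_port") != central.get("mirror_bind_port"):
                problems.append(f"{name}: mirror_destination_port != central mirror_bind_port")
    return problems


# Constructed sample configs: the page's new-mode examples plus a second remote
# that reuses id_sensor 1 and points at the wrong port.
CENTRAL = """
server_bind = 0.0.0.0 #this will listen on all IPs
server_bind_port = 60024
server_password = somepassword
mysqlhost = 127.0.0.1
"""
REMOTE_A = """
id_sensor = 1
server_destination = 192.0.2.10
server_destination_port = 60024 #must be the same as server_bind_port on the central server
server_password = somepassword
packetbuffer_sender = yes
"""
REMOTE_B = """
id_sensor = 1  # duplicate on purpose
server_destination = 192.0.2.10
server_destination_port = 60025
server_password = somepassword
"""


def lint_samples() -> list:
    """Run the linter over the constructed sample environment."""
    return lint(parse_conf(CENTRAL), {"remote-a": parse_conf(REMOTE_A), "remote-b": parse_conf(REMOTE_B)})


if __name__ == "__main__":
    files = sys.argv[1:]
    if len(files) < 2:
        for p in lint_samples():
            print(p)
        sys.exit("usage: lint.py central.conf client1.conf [client2.conf ...]")
    with open(files[0]) as fh:
        central_conf = parse_conf(fh.read())
    client_confs = {}
    for path in files[1:]:
        with open(path) as fh:
            client_confs[path] = parse_conf(fh.read())
    for p in lint(central_conf, client_confs):
        print(p)
```

Run it with the central file first and every remote file after it; on the constructed samples it flags the all-interfaces bind, the placeholder password, the duplicated id_sensor and the port mismatch, and it stays silent for remote-a, whose packetbuffer_sender = yes correctly comes with no mysql* options.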