Sniffing modes: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
(Created page with "= All in one = Typical setup is to have sniffer installed along with database and GUI on the same dedicated or PBX server. Web server can access pcap/graph files directly to ...")
 
No edit summary
Line 1: Line 1:
= All in one =
= Linux host =  


Typical setup is to have sniffer installed along with database and GUI on the same dedicated or PBX server. Web server can access pcap/graph files directly to voipmonitor folder. In this case you do not need to configure id_sensor in voipmonitor.conf
You can install or compile VoIPmonitor binary directly on linux PBX or SBC/SIP server. This does not requires additional hardware and changes in network topology. The only downside is that voipmonitor consumes hardware resources - RAM, CPU and I/O workload which can affect the whole system. If it is not acceptable to share hardware for voipmonitor the second common use case is doing port mirroring.  


= Central DB Multiple remote sensors =  
= Hardware port mirroring =  


VoIPmonitor architecture allows installing sensors on various places in your network and one central WEB server and database. In this case sniffer stores pcap/graph files to local disk and send CDR to central database. Central WEB GUI is able to download pcap/graph files on demand via sniffer TCP manager which means you do not need to send pcap files to central storage.  
Port Mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port => voipmonitor dedicated linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches or just port mirroring.  


In case of hardware mirroring you often need to have additional ethernet port. Sniffer is configured to use this port (interface=eth1) and it automatically put the interface into Promiscuous mode. In case you need to mirror to more ethernet ports you can set interface=any in voipmonitor.conf which will enable mirroring on all interfaces but you need to set each ethernet interface into promiscuous mode manually


*TCP manager interface must listen not only on localhost so the GUI server can reach it. *Set mysql in voipmonitor.conf to store to remote database
ifconfig eth1 promisc
*set id_sensor to some number (this is required)
*In the GUI add the sensor in Settings#Sensors


[[File:architecture.png]]
one voipmonitor instance can listen only on one or on all interfaces.  
 
= Software packet mirroring =
 
== IPTABLES mirroring ==
 
IPTABLES (since kernel version 3.X) is able to mirror traffic to another IP address. Following rules are not needed in case of hardware mirroring. Rules has to be defined on the SIP server (not on the voipmonitor sniffer).
iptables –I PREROUTING –t mangle –i eth0 –j TEE –gateway 10.0.0.2
iptables –I POSTROUTING –t mangle –j TEE –gateway 10.0.0.2
This is generic rules which will mirror ALL incoming traffic from eth0 and all outgoing traffic from server to VoIPmonitor dedicated box on IP address 10.0.0.2. It is better to mirror just UDP packets
 
iptables –I PREROUTING –t mangle –i eth0 -p udp –j TEE –gateway 10.0.0.2
iptables –I POSTROUTING –t mangle -p udp –j TEE –gateway 10.0.0.2
 
== VoIPmonitor mirroring ==
 
mirror SIP packets to specified IP address. IP is mirrored by ip in ip protocol. This is usefull in case the primary voipmonitor machine see all SIP packets but only part of RTP packets and the second voipmonitor server see only RTP packets -> in this case you can mirror SIP packets to second voipmonitor server IP. voipmonitor already supports ip in ip so no configuration is needed to accept ip in ip mirrored packets. (this mirroring supports for example acme packet SBC). mirroring can be also usefull for another general purpose - it is also parsed by wireshark/tshark etc. if you enable mirrorip you have to set mirroripsrc and mirroripdst
mirrorip = yesmirrordst is IP address (not host name) which packets are sent
mirroripdst = 192.168.0.1mirrorsrc is source IP address of this server which is used to send packets to mirrordst. This has to be set correct otherwise mirroring would not work. If mirroripsrc is not set source IP is set to 255.255.255.255
mirroripsrc = 10.0.0.1

Revision as of 17:16, 21 May 2013

Linux host

You can install or compile VoIPmonitor binary directly on linux PBX or SBC/SIP server. This does not requires additional hardware and changes in network topology. The only downside is that voipmonitor consumes hardware resources - RAM, CPU and I/O workload which can affect the whole system. If it is not acceptable to share hardware for voipmonitor the second common use case is doing port mirroring.

Hardware port mirroring

Port Mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port => voipmonitor dedicated linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches or just port mirroring.

In case of hardware mirroring you often need to have additional ethernet port. Sniffer is configured to use this port (interface=eth1) and it automatically put the interface into Promiscuous mode. In case you need to mirror to more ethernet ports you can set interface=any in voipmonitor.conf which will enable mirroring on all interfaces but you need to set each ethernet interface into promiscuous mode manually

ifconfig eth1 promisc

one voipmonitor instance can listen only on one or on all interfaces.

Software packet mirroring

IPTABLES mirroring

IPTABLES (since kernel version 3.X) is able to mirror traffic to another IP address. Following rules are not needed in case of hardware mirroring. Rules has to be defined on the SIP server (not on the voipmonitor sniffer).

iptables –I PREROUTING –t mangle –i eth0 –j TEE –gateway 10.0.0.2
iptables –I POSTROUTING –t mangle –j TEE –gateway 10.0.0.2 

This is generic rules which will mirror ALL incoming traffic from eth0 and all outgoing traffic from server to VoIPmonitor dedicated box on IP address 10.0.0.2. It is better to mirror just UDP packets

iptables –I PREROUTING –t mangle –i eth0 -p udp –j TEE –gateway 10.0.0.2
iptables –I POSTROUTING –t mangle -p udp –j TEE –gateway 10.0.0.2 

VoIPmonitor mirroring

mirror SIP packets to specified IP address. IP is mirrored by ip in ip protocol. This is usefull in case the primary voipmonitor machine see all SIP packets but only part of RTP packets and the second voipmonitor server see only RTP packets -> in this case you can mirror SIP packets to second voipmonitor server IP. voipmonitor already supports ip in ip so no configuration is needed to accept ip in ip mirrored packets. (this mirroring supports for example acme packet SBC). mirroring can be also usefull for another general purpose - it is also parsed by wireshark/tshark etc. if you enable mirrorip you have to set mirroripsrc and mirroripdst

mirrorip = yesmirrordst is IP address (not host name) which packets are sent
mirroripdst = 192.168.0.1mirrorsrc is source IP address of this server which is used to send packets to mirrordst. This has to be set correct otherwise mirroring would not work. If mirroripsrc is not set source IP is set to 255.255.255.255
mirroripsrc = 10.0.0.1