Sniffing modes

Revision as of 17:23, 22 May 2013 by Festr (talk | contribs)

Linux host

You can install or compile the VoIPmonitor binary directly on a Linux PBX or SBC/SIP server. This requires no additional hardware and no changes to the network topology. The only downside is that voipmonitor consumes hardware resources (RAM, CPU and I/O), which can affect the whole system. If sharing the hardware with voipmonitor is not acceptable, the second common option is port mirroring.

Hardware port mirroring

Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port, in this case the dedicated voipmonitor Linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches, or simply port mirroring.

With hardware mirroring you usually need an additional ethernet port. The sniffer is configured to use this port (interface=eth1) and it automatically puts the interface into promiscuous mode. If you need to receive mirrored traffic on more than one ethernet port, you can set interface=any in voipmonitor.conf, which enables sniffing on all interfaces, but then you have to put each ethernet interface into promiscuous mode manually:

ifconfig eth1 promisc

One voipmonitor instance can listen only on a single interface or on all interfaces.

Software packet mirroring

IPTABLES mirroring

iptables (since kernel version 3.x) is able to mirror traffic to another IP address using the TEE target. The following rules are not needed with hardware mirroring. The rules have to be defined on the SIP server (not on the voipmonitor sniffer).

iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway <VOIPMONITOR_IP>
iptables -I POSTROUTING -t mangle -j TEE --gateway <VOIPMONITOR_IP>

These generic rules mirror ALL incoming traffic on eth0 and all outgoing traffic from the server to the dedicated VoIPmonitor box at the IP address given to --gateway. It is better to mirror just UDP packets:

iptables -I PREROUTING -t mangle -i eth0 -p udp -j TEE --gateway <VOIPMONITOR_IP>
iptables -I POSTROUTING -t mangle -p udp -j TEE --gateway <VOIPMONITOR_IP>

VoIPmonitor mirroring

The mirrorip option mirrors SIP packets to a specified IP address. Packets are mirrored using the IP-in-IP protocol. This is useful when the primary voipmonitor machine sees all SIP packets but only part of the RTP packets, while a second voipmonitor server sees only RTP packets: in that case you can mirror the SIP packets to the second voipmonitor server's IP. voipmonitor already supports IP-in-IP, so no configuration is needed to accept IP-in-IP mirrored packets (this kind of mirroring is also what, for example, Acme Packet SBCs send). Mirroring can also be useful for other general purposes, since IP-in-IP is also parsed by wireshark/tshark etc. If you enable mirrorip you have to set mirroripsrc and mirroripdst.

mirrorip = yes
mirroripdst = IP address (not a host name) to which the packets are sent
mirroripsrc = source IP address of this server, used to send the packets to mirroripdst. This has to be set correctly, otherwise mirroring will not work. If mirroripsrc is not set, the source IP is set to
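To check what a mirrorip receiver actually gets on the wire, here is an added Python example (not voipmonitor code) that decapsulates an IP-in-IP (protocol 4) packet down to the inner UDP payload and the SIP text; the sample packet is constructed inline, and the outer header details (TTL, zeroed checksums) are assumptions, not voipmonitor's exact output.

```python
"""Decapsulate an IP-in-IP (IP protocol 4) mirrored SIP packet, as a mirrorip
receiver would, and recover the inner UDP payload. Added example, not
voipmonitor code; the sample packet below is constructed, not captured."""
import socket
import struct

IPPROTO_IPIP = 4
IPPROTO_UDP = 17

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, header checksum left 0) + payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for an IPv4 packet, honouring IHL."""
    ver_ihl = buf[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    src = socket.inet_ntoa(buf[12:16])
    dst = socket.inet_ntoa(buf[16:20])
    return src, dst, proto, buf[ihl:total_len]  # ignore trailing padding

def decap_mirrored_sip(outer):
    """Outer IPv4 (proto 4) -> inner IPv4 (proto 17) -> UDP -> SIP text."""
    o_src, o_dst, o_proto, inner = parse_ipv4(outer)
    if o_proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP (protocol 4)")
    i_src, i_dst, i_proto, l4 = parse_ipv4(inner)
    if i_proto != IPPROTO_UDP:
        raise ValueError("inner packet is not UDP")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
    sip = l4[8:ulen].decode("ascii", errors="replace")
    return o_src, o_dst, (i_src, sport), (i_dst, dport), sip

# Constructed sample: a SIP INVITE from 10.0.0.5 to the PBX 10.0.0.10, wrapped
# as if mirroripsrc=192.0.2.1 and mirroripdst=192.0.2.2 (documentation IPs).
SIP_REQ = b"INVITE sip:bob@10.0.0.10 SIP/2.0\r\nCall-ID: abc123\r\n\r\n"
UDP_SEG = struct.pack("!HHHH", 5060, 5060, 8 + len(SIP_REQ), 0) + SIP_REQ
INNER = build_ipv4("10.0.0.5", "10.0.0.10", IPPROTO_UDP, UDP_SEG)
OUTER = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    print(decap_mirrored_sip(OUTER))
```

The outer source and destination are the mirroripsrc/mirroripdst pair, which is why a wrong mirroripsrc breaks delivery on the receiving side.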

Moving pcap files

The VoIPmonitor sniffer runs directly on the asterisk PBX and stores pcap files in /var/spool/voipmonitor, from where they are moved to /mnt/ssh, which is /var/spool/voipmonitor on the central WEB GUI server mounted over ssh. You can use sshfs to mount the remote directory over ssh:

sshfs root@guiserverIP:/var/spool/voipmonitor /mnt/ssh

In voipmonitor.conf on the asterisk PBX set:

cachedir = /var/spool/voipmonitor (or /dev/shm, which is a ramdisk, to save some I/O)
spooldir = /mnt/ssh