Sniffing modes: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
= VoIPmonitor Deployment Guide =
{{DISPLAYTITLE:VoIPmonitor Deployment & Topology Guide}}


== Overview ==
'''This guide provides a comprehensive overview of VoIPmonitor's deployment models. It covers the fundamental choice between on-host and dedicated sensors, methods for capturing traffic, and detailed configurations for scalable, multi-site architectures.'''
VoIPmonitor can run '''on the same host''' as your PBX/SBC or on a '''dedicated sensor''' that receives mirrored traffic. 
This page lists supported deployment models, tunnelling methods, firewall rules and minimal configuration examples.


== Linux host capture ==
== Core Concept: Where to Capture Traffic ==
Running the sniffer directly on a PBX/SBC requires '''no extra hardware''' or topology changes, but adds CPU / RAM / I/O load to that host. 
The first decision in any deployment is where the VoIPmonitor sensor (sniffer) will run.
If sharing resources is unacceptable, use hardware or software mirroring instead.


== Hardware port mirroring ==
=== 1. On-Host Capture (on the PBX/SBC) ===
Port-mirroring (SPAN, RAP…) on your switch sends a copy of selected traffic to a dedicated Linux box running VoIPmonitor.
The sensor can be installed directly on the same Linux server that runs your PBX or SBC.
The sniffer interface is set to promiscuous mode automatically; to capture on multiple ports set <code>interface = any</code> and 
* '''Pros:''' Requires no extra hardware, network changes, or port mirroring. It is the simplest setup.
enable promiscuous mode on each NIC manually:
* '''Cons:''' Adds CPU, memory, and disk I/O load to your production voice server. If these resources are critical, a dedicated sensor is the recommended approach.
  ifconfig eth1 promisc


== Tunnelling options ==
=== 2. Dedicated Sensor ===
* IP-in-IP, GRE, ERSPAN – built-in 
A dedicated Linux server runs only the VoIPmonitor sensor. This is the recommended approach for production environments as it isolates monitoring resources from your voice platform. To use a dedicated sensor, you must forward a copy of the network traffic to it using one of the methods below.
* TZSP (Mikrotik) → <code>udp_port_tzsp = 37008</code> 
* L2TP → <code>udp_port_l2tp = 1701</code> 
* VXLAN (AWS) → <code>udp_port_vxlan = 4789</code> 
* [[audiocodes tunneling]] → <code>udp_port_audiocodes</code> / <code>tcp_port_audiocodes</code> 
* HEP3 → enable <code>hep*</code> options 
* IPFIX (Oracle SBC) → <code>ipfix*</code> options 


== Software packet mirroring ==
== Methods for Forwarding Traffic to a Dedicated Sensor ==
=== All-in-one ===
When the sniffer, MySQL and GUI share a host, the GUI reads PCAPs locally and connects to MySQL over <code>localhost</code>. 
No sensor records are required in the GUI.


=== Multiple remote sensors, one DB / GUI ===
=== A. Hardware Port Mirroring (SPAN/RSPAN) ===
A '''sensor''' (a.k.a. sniffer / probe) can operate in two main ways:
This is the most common and reliable method. You configure your physical network switch to copy all traffic from the switch ports connected to your PBX/SBC to the switch port connected to the VoIPmonitor sensor. This feature is commonly called '''Port Mirroring''', '''SPAN''', or '''RSPAN'''. Consult your switch's documentation for configuration details.
# '''Standard remote sniffer''' – processes packets locally, stores PCAPs locally, sends only CDRs to MySQL. GUI connects directly to each sensor’s management port.
# '''New client / server mode (v20+)''' – encrypted TCP channel between sensor and a '''central sniffer'''
  * Sensor can process packets locally and send only CDRs, '''or'''
  * mirror packets to the central sniffer for processing. 
  GUI talks only to the central sniffer; sensors can stay behind NAT.


;Summary of remote deployment modes
The VoIPmonitor sensor interface will be put into promiscuous mode automatically. To capture from multiple interfaces, set <code>interface = any</code> in <code>voipmonitor.conf</code> and enable promiscuous mode manually on each NIC (e.g., <code>ip link set dev eth1 promisc on</code>).
 
=== B. Software-based Tunnelling ===
When hardware mirroring is not an option, many network devices and PBXs can encapsulate VoIP packets and send them to the sensor's IP address using a tunnel. VoIPmonitor natively supports a wide range of protocols.
* '''Built-in Support:''' IP-in-IP, GRE, ERSPAN
* '''UDP-based Tunnels:''' Configure the corresponding port in <code>voipmonitor.conf</code>:
** <code>udp_port_tzsp = 37008</code> (for MikroTik's TZSP)
** <code>udp_port_l2tp = 1701</code>
** <code>udp_port_vxlan = 4789</code> (common in cloud environments)
* '''Proprietary & Other Protocols:'''
** [[audiocodes tunneling|AudioCodes Tunneling]] (uses <code>udp_port_audiocodes</code> or <code>tcp_port_audiocodes</code>)
** HEP (v3+) (enable <code>hep*</code> options)
** IPFIX (for Oracle SBCs) (enable <code>ipfix*</code> options)
 
== Distributed Deployment Models ==
For monitoring multiple remote offices or a large infrastructure, a distributed model is essential. This involves a central GUI/Database server collecting data from multiple remote sensors.
 
=== Classic Mode: Standalone Remote Sensors ===
In this traditional model, each remote sensor is a fully independent entity.
* '''How it works:''' The remote sensor processes packets and stores PCAPs locally. It connects directly to the central MySQL/MariaDB database to write CDRs. For PCAP retrieval the GUI typically needs network access to each sensor's management port (default <code>TCP/5029</code>).
* '''Pros:''' Simple conceptual model.
* '''Cons:''' Requires opening firewall ports to each sensor and managing database credentials on every remote machine.
 
=== Modern Mode: Client/Server Architecture (v20+) — Recommended ===
This model uses a secure, encrypted TCP channel between remote sensors (clients) and a central sensor instance (server). The GUI communicates with the central server only, which significantly simplifies networking and security.
 
This architecture supports two primary modes:
# '''Local Processing:''' Remote sensors process packets locally and send only lightweight CDR data over the encrypted channel. PCAPs remain on the remote sensor. On-demand PCAP fetch is proxied via the central server (to the sensor's <code>TCP/5029</code>).
# '''Packet Mirroring:''' Remote sensors forward the entire raw packet stream to the central server, which performs all processing and storage. Ideal for low-resource remote sites.
 
==== Architecture Diagrams (PlantUML) ====
 
<kroki lang="plantuml">
  @startuml
  skinparam shadowing false
  skinparam defaultFontName Arial
  skinparam rectangle {
    BorderColor #4A90E2
    BackgroundColor #FFFFFF
    stereotypeFontColor #333333
  }
  skinparam packageBorderColor #B0BEC5
  skinparam packageBackgroundColor #F7F9FC
 
  title Client/Server Architecture — Local Processing Mode
 
  package "Remote Site" {
    [Remote Probe/Sensor] as Remote
    database "Local Storage (PCAP)" as RemotePCAP
  }
 
  package "Central Site" {
    [Central VoIPmonitor Server] as Central
    database "Central MySQL/MariaDB" as CentralDB
    [Web GUI] as GUI
  }
 
  Remote -[#2F6CB0]-> Central : Encrypted TCP/60024\nCDRs only
  Remote --> RemotePCAP : Stores PCAP locally
  Central --> CentralDB : Writes CDRs
  GUI -[#2F6CB0]-> Central : Queries data & requests PCAPs
  Central -[#2F6CB0]-> RemotePCAP : Fetches PCAPs on demand (TCP/5029)
  @enduml
  </kroki>
 
<kroki lang="plantuml">
  @startuml
  skinparam shadowing false
  skinparam defaultFontName Arial
  skinparam rectangle {
    BorderColor #4A90E2
    BackgroundColor #FFFFFF
    stereotypeFontColor #333333
  }
  skinparam packageBorderColor #B0BEC5
  skinparam packageBackgroundColor #F7F9FC
 
  title Client/Server Architecture — Packet Mirroring Mode
 
  package "Remote Site" {
    [Remote Probe/Sensor\n(Low Resource)] as Remote
  }
 
  package "Central Site" {
    [Central VoIPmonitor Server] as Central
    database "Central MySQL/MariaDB" as CentralDB
    database "Central Storage (PCAP)" as CentralPCAP
    [Web GUI] as GUI
  }
 
  Remote -[#2F6CB0]-> Central : Encrypted TCP/60024\nRaw packet stream
  Central --> CentralDB : Writes CDRs
  Central --> CentralPCAP : Processes & stores PCAPs
  GUI -[#2F6CB0]-> Central : Queries data & downloads PCAPs
  @enduml
  </kroki>
 
==== Step-by-Step Configuration Guide ====
 
; Prerequisites
* VoIPmonitor v20+ on all sensors.
* Central database reachable from the central server instance.
* Unique <code>id_sensor</code> per sensor (< 65536).
* NTP running everywhere (see '''Time Synchronization''' below).
 
; Scenario A — Local Processing (default, low WAN usage)
<pre>
# /etc/voipmonitor.conf on the REMOTE sensor (LOCAL PROCESSING)
 
id_sensor              = 2          # unique per sensor (< 65536)
server_destination      = 10.224.0.250
server_destination_port = 60024
server_password        = your_strong_password
 
packetbuffer_sender    = no        # local analysis; sends only CDRs
interface              = eth0      # or: interface = any
sipport                = 5060      # example; add your usual sniffer options
 
# No MySQL credentials here — remote sensor does NOT write to DB directly.
</pre>
 
<pre>
# /etc/voipmonitor.conf on the CENTRAL server (LOCAL PROCESSING network)
 
server_bind            = 0.0.0.0
server_bind_port        = 60024
server_password        = your_strong_password
 
mysqlhost              = 10.224.0.201
mysqldb                = voipmonitor
mysqluser              = voipmonitor
mysqlpassword          = db_password
 
cdr_partition          = yes        # partitions for CDR tables
mysqlloadconfig        = yes        # allows DB-driven config if used
 
interface              =            # leave empty to avoid local sniffing
# The central server will proxy on-demand PCAP fetches to sensors (TCP/5029).
</pre>
 
; Scenario B — Packet Mirroring (centralized processing/storage)
<pre>
# /etc/voipmonitor.conf on the REMOTE sensor (PACKET MIRRORING)
 
id_sensor              = 3
server_destination      = 10.224.0.250
server_destination_port = 60024
server_password        = your_strong_password
 
packetbuffer_sender    = yes        # send RAW packet stream to central
interface              = eth0      # capture source; no DB settings needed
</pre>
 
<pre>
# /etc/voipmonitor.conf on the CENTRAL server (PACKET MIRRORING)
 
server_bind            = 0.0.0.0
server_bind_port        = 60024
server_password        = your_strong_password
 
mysqlhost              = 10.224.0.201
mysqldb                = voipmonitor
mysqluser              = voipmonitor
mysqlpassword          = db_password
 
cdr_partition          = yes
mysqlloadconfig        = yes
 
# As this server does all analysis, configure as if sniffing locally:
sipport                = 5060
# ... add your usual sniffer/storage options (pcap directories, limits, etc.)
</pre>
 
==== Firewall Checklist (Quick Reference) ====
* '''Modern Client/Server (v20+):'''
** '''Central Server:''' Allow inbound <code>TCP/60024</code> from remote sensors. Allow inbound <code>TCP/5029</code> from GUI (management/API to central sensor).
** '''Remote Sensors (Local Processing only):''' Allow inbound <code>TCP/5029</code> from the central server (for on-demand PCAP fetch via proxy). Outbound <code>TCP/60024</code> to the central server.
* '''Cloud Mode:'''
** '''Remote Sensors:''' Allow outbound <code>TCP/60023</code> to <code>cloud.voipmonitor.org</code>.
 
== Configuration & Checklists ==
 
=== Parameter Notes (clarifications) ===
* '''<code>id_sensor</code>''' — Mandatory in any distributed deployment (Classic or Client/Server). Must be unique per sensor (< 65536). The value is written to the database and used by the GUI to identify where a call was captured.
* '''<code>cdr_partition</code>''' — In Client/Server, enable on the central server instance that writes to the database. It can be disabled on remote "client" sensors that only mirror packets.
* '''<code>mysqlloadconfig</code>''' — When enabled, the sensor can load additional parameters dynamically from the <code>sensor_config</code> table in the database. Typically enabled on the central server sensor that writes to DB; keep disabled on remote clients which do not access DB directly.
* '''<code>interface</code>''' — Use a specific NIC (e.g., <code>eth0</code>) or <code>any</code> to capture from multiple NICs. For <code>any</code> ensure promiscuous mode on each NIC.
 
=== Initial Service Start & Database Initialization ===
After installation, the '''first startup''' against a new/empty database is critical.
# Start the service: <code>systemctl start voipmonitor</code>
# Follow logs to ensure schema/partition creation completes:
#* <code>journalctl -u voipmonitor -f</code>
#* or <code>tail -f /var/log/syslog | grep voipmonitor</code>
 
You should see creation of functions and partitions shortly after start. If you see errors like <code>Table 'cdr_next_1' doesn't exist</code>, the sensor is failing to initialize the schema — usually due to insufficient DB privileges or connectivity. Fix DB access and restart the sensor so it can finish initialization.
 
=== Time Synchronization ===
Accurate and synchronized time is '''critical''' for correlating call legs from different sensors. All servers (GUI, DB, and all Sensors) must run an NTP client (e.g., <code>chrony</code> or <code>ntpdate</code>) to keep clocks in sync.
 
== Comparison of Remote Deployment Modes ==
{| class="wikitable"
{| class="wikitable"
! Deployment
! Deployment Model
! Packet processing
! Packet Processing Location
! PCAP storage
! PCAP Storage Location
! Traffic to DB
! Network Traffic to Central Server
! GUI connectivity
! GUI Connectivity
|-
|-
| Standard remote sniffer
| Classic Standalone
| Remote
| Remote
| Remote
| Remote
| Minimal (CDR only)
| Minimal (MySQL CDRs)
| GUI&nbsp;&nbsp;sensor (management port)
| GUI ↔ each Sensor (management port)
|-
|-
| New client/server&nbsp;(v20+) – '''local processing'''
| '''Modern Client/Server (Local Processing)'''
| Remote
| Remote
| Remote
| Remote
| Encrypted&nbsp;TCP (CDR only)
| Minimal (Encrypted CDRs)
| GUI&nbsp;&nbsp;central sniffer
| '''GUI ↔ Central Server only''' (central proxies PCAP fetch)
|-
|-
| New client/server&nbsp;(v20+) '''packet mirroring'''
| '''Modern Client/Server (Packet Mirroring)'''
| Central
| '''Central'''
| Central
| '''Central'''
| Encrypted&nbsp;TCP (full packets)
| High (Encrypted full packets)
| GUI&nbsp;&nbsp;central sniffer
| '''GUI ↔ Central Server only'''
|}
|}


=== New client / server configuration ===
== FAQ & Common Pitfalls ==
''client (remote) example''
* '''Do remote sensors need DB credentials in Client/Server?''' No. Only the central server instance writes to DB.
  id_sensor              = <unique < 65536>
* '''Why is <code>id_sensor</code> required everywhere?''' The GUI uses it to tag and filter calls by capture source.
  server_destination      = <central-IP>
* '''Local Processing still fetches PCAPs from remote — who connects to whom?''' The GUI requests via the central server; the central server then connects to the remote sensor's <code>TCP/5029</code> to retrieve the PCAP.
  server_destination_port = 60024
  server_password        = somepassword
  ; uncomment next line to send full packet stream instead of local processing
  ; packetbuffer_sender  = yes
 
''server (central) example''
  server_bind            = 0.0.0.0
  server_bind_port        = 60024
  server_password        = somepassword
  ; remember to set mysql* options
 
Connection uses DH key-exchange + AES encryption and compression. 
Sensors appear automatically in '''GUI → Settings → Sensors'''.
 
== Cloud mode ==
  id_sensor             = <unique>
  cloud_token            = __your_token__
  cloud_url              = https://cloud.voipmonitor.org/reg/register.php
  packetbuffer_file_path = /var/spool/voipmonitor/packetbuffer
 
== Firewall checklist ==
* '''New client/server''' – central: 60024/TCP (probes) + 60024/TCP & 5029/TCP (GUI
* '''Old mirroring''' central: 5030/TCP (probes) + 5029/TCP (GUI) 
* '''Standalone''' – DB: 3306/TCP (sensors) 
* '''Cloud''' – probes → cloud.voipmonitor.org :60023/TCP
 
== Time synchronisation ==
All machines should run NTP with <code>minpoll 3</code> and <code>maxpoll 4</code>. Clock drift breaks call-leg correlation.
 
== Migration hints ==
You may run two instances on the same host (one with legacy <code>mirror_bind_ip</code>, one with new <code>server_bind</code>) by giving each:
* its own <code>id_sensor</code>, <code>managerport</code>, <code>spooldir</code>
* a separate init script and/or binary
 
== Why choose the new mode? ==
* Encrypted, compressed transport 
* One MySQL user on the central sniffer instead of many on each probe 
* GUI needs access only to the central sniffer, not to every probe 
* Optional off-loading of CPU/RAM from remote probes by mirroring packets 


For more details about multi-instance setups, contact support@voipmonitor.org.
== AI Summary for RAG ==
'''Summary:''' This guide covers the deployment topologies for VoIPmonitor. It contrasts running the sensor on the same host as a PBX versus on a dedicated server. For dedicated sensors, it details methods for forwarding traffic, including hardware-based port mirroring (SPAN) and various software-based tunneling protocols (IP-in-IP, GRE, TZSP, VXLAN, HEP, etc.). The core of the article explains distributed architectures for multi-site monitoring, comparing the "classic" standalone remote sensor model with the modern, recommended "client/server" model. It details the two operational modes of the client/server architecture: local processing (sending only CDRs, PCAPs remain remote with central-proxied fetch) and packet mirroring (sending full, raw packets for central processing), which is ideal for low-resource endpoints. The guide concludes with step-by-step configuration, firewall rules, critical parameter notes, and the importance of NTP plus first-start DB initialization.
'''Keywords:''' deployment, architecture, topology, on-host, dedicated sensor, port mirroring, SPAN, RSPAN, traffic mirroring, tunneling, GRE, TZSP, VXLAN, HEP, remote sensor, multi-site, client server mode, packet mirroring, local processing, firewall rules, NTP, time synchronization, cloud mode
'''Key Questions:'''
* How do I set up VoIPmonitor to monitor multiple remote locations?
* What is the difference between the classic remote sensor and the modern client/server mode?
* When should I use packet mirroring (<code>packetbuffer_sender</code>) instead of local processing?
* What are the firewall requirements for the client/server deployment model?
* Can I run the sensor on the same machine as my Asterisk/FreeSWITCH server?
* What is a SPAN port and how is it used with VoIPmonitor?
* Why is NTP important for a distributed VoIPmonitor setup?

Latest revision as of 13:52, 3 November 2025


This guide provides a comprehensive overview of VoIPmonitor's deployment models. It covers the fundamental choice between on-host and dedicated sensors, methods for capturing traffic, and detailed configurations for scalable, multi-site architectures.

Core Concept: Where to Capture Traffic

The first decision in any deployment is where the VoIPmonitor sensor (sniffer) will run.

1. On-Host Capture (on the PBX/SBC)

The sensor can be installed directly on the same Linux server that runs your PBX or SBC.

  • Pros: Requires no extra hardware, network changes, or port mirroring. It is the simplest setup.
  • Cons: Adds CPU, memory, and disk I/O load to your production voice server. If these resources are critical, a dedicated sensor is the recommended approach.

2. Dedicated Sensor

A dedicated Linux server runs only the VoIPmonitor sensor. This is the recommended approach for production environments as it isolates monitoring resources from your voice platform. To use a dedicated sensor, you must forward a copy of the network traffic to it using one of the methods below.

Methods for Forwarding Traffic to a Dedicated Sensor

A. Hardware Port Mirroring (SPAN/RSPAN)

This is the most common and reliable method. You configure your physical network switch to copy all traffic from the switch ports connected to your PBX/SBC to the switch port connected to the VoIPmonitor sensor. This feature is commonly called Port Mirroring, SPAN, or RSPAN. Consult your switch's documentation for configuration details.

The VoIPmonitor sensor interface will be put into promiscuous mode automatically. To capture from multiple interfaces, set interface = any in voipmonitor.conf and enable promiscuous mode manually on each NIC (e.g., ip link set dev eth1 promisc on).

B. Software-based Tunnelling

When hardware mirroring is not an option, many network devices and PBXs can encapsulate VoIP packets and send them to the sensor's IP address using a tunnel. VoIPmonitor natively supports a wide range of protocols.

  • Built-in Support: IP-in-IP, GRE, ERSPAN
  • UDP-based Tunnels: Configure the corresponding port in voipmonitor.conf:
    • udp_port_tzsp = 37008 (for MikroTik's TZSP)
    • udp_port_l2tp = 1701
    • udp_port_vxlan = 4789 (common in cloud environments)
  • Proprietary & Other Protocols:
    • AudioCodes Tunneling (uses udp_port_audiocodes or tcp_port_audiocodes)
    • HEP (v3+) (enable hep* options)
    • IPFIX (for Oracle SBCs) (enable ipfix* options)

Distributed Deployment Models

For monitoring multiple remote offices or a large infrastructure, a distributed model is essential. This involves a central GUI/Database server collecting data from multiple remote sensors.

Classic Mode: Standalone Remote Sensors

In this traditional model, each remote sensor is a fully independent entity.

  • How it works: The remote sensor processes packets and stores PCAPs locally. It connects directly to the central MySQL/MariaDB database to write CDRs. For PCAP retrieval the GUI typically needs network access to each sensor's management port (default TCP/5029).
  • Pros: Simple conceptual model.
  • Cons: Requires opening firewall ports to each sensor and managing database credentials on every remote machine.

Modern Mode: Client/Server Architecture (v20+) — Recommended

This model uses a secure, encrypted TCP channel between remote sensors (clients) and a central sensor instance (server). The GUI communicates with the central server only, which significantly simplifies networking and security.

This architecture supports two primary modes:

  1. Local Processing: Remote sensors process packets locally and send only lightweight CDR data over the encrypted channel. PCAPs remain on the remote sensor. On-demand PCAP fetch is proxied via the central server (to the sensor's TCP/5029).
  2. Packet Mirroring: Remote sensors forward the entire raw packet stream to the central server, which performs all processing and storage. Ideal for low-resource remote sites.

Architecture Diagrams (PlantUML)

Step-by-Step Configuration Guide

Prerequisites
  • VoIPmonitor v20+ on all sensors.
  • Central database reachable from the central server instance.
  • Unique id_sensor per sensor (< 65536).
  • NTP running everywhere (see Time Synchronization below).
Scenario A — Local Processing (default, low WAN usage)
# /etc/voipmonitor.conf on the REMOTE sensor (LOCAL PROCESSING)

id_sensor               = 2          # unique per sensor (< 65536)
server_destination      = 10.224.0.250
server_destination_port = 60024
server_password         = your_strong_password

packetbuffer_sender     = no         # local analysis; sends only CDRs
interface               = eth0       # or: interface = any
sipport                 = 5060       # example; add your usual sniffer options

# No MySQL credentials here — remote sensor does NOT write to DB directly.

# /etc/voipmonitor.conf on the CENTRAL server (LOCAL PROCESSING network)

server_bind             = 0.0.0.0
server_bind_port        = 60024
server_password         = your_strong_password

mysqlhost               = 10.224.0.201
mysqldb                 = voipmonitor
mysqluser               = voipmonitor
mysqlpassword           = db_password

cdr_partition           = yes        # partitions for CDR tables
mysqlloadconfig         = yes        # allows DB-driven config if used

interface               =            # leave empty to avoid local sniffing
# The central server will proxy on-demand PCAP fetches to sensors (TCP/5029).
Scenario B — Packet Mirroring (centralized processing/storage)
# /etc/voipmonitor.conf on the REMOTE sensor (PACKET MIRRORING)

id_sensor               = 3
server_destination      = 10.224.0.250
server_destination_port = 60024
server_password         = your_strong_password

packetbuffer_sender     = yes        # send RAW packet stream to central
interface               = eth0       # capture source; no DB settings needed

# /etc/voipmonitor.conf on the CENTRAL server (PACKET MIRRORING)

server_bind             = 0.0.0.0
server_bind_port        = 60024
server_password         = your_strong_password

mysqlhost               = 10.224.0.201
mysqldb                 = voipmonitor
mysqluser               = voipmonitor
mysqlpassword           = db_password

cdr_partition           = yes
mysqlloadconfig         = yes

# As this server does all analysis, configure as if sniffing locally:
sipport                 = 5060
# ... add your usual sniffer/storage options (pcap directories, limits, etc.)

Firewall Checklist (Quick Reference)

  • Modern Client/Server (v20+):
    • Central Server: Allow inbound TCP/60024 from remote sensors. Allow inbound TCP/5029 from GUI (management/API to central sensor).
    • Remote Sensors (Local Processing only): Allow inbound TCP/5029 from the central server (for on-demand PCAP fetch via proxy). Outbound TCP/60024 to the central server.
  • Cloud Mode:
    • Remote Sensors: Allow outbound TCP/60023 to cloud.voipmonitor.org.

Configuration & Checklists

Parameter Notes (clarifications)

  • id_sensor — Mandatory in any distributed deployment (Classic or Client/Server). Must be unique per sensor (< 65536). The value is written to the database and used by the GUI to identify where a call was captured.
  • cdr_partition — In Client/Server, enable on the central server instance that writes to the database. It can be disabled on remote "client" sensors that only mirror packets.
  • mysqlloadconfig — When enabled, the sensor can load additional parameters dynamically from the sensor_config table in the database. Typically enabled on the central server sensor that writes to DB; keep disabled on remote clients which do not access DB directly.
  • interface — Use a specific NIC (e.g., eth0) or any to capture from multiple NICs. For any ensure promiscuous mode on each NIC.

Initial Service Start & Database Initialization

After installation, the first startup against a new/empty database is critical.

  1. Start the service: systemctl start voipmonitor
  2. Follow logs to ensure schema/partition creation completes:
    • journalctl -u voipmonitor -f
    • or tail -f /var/log/syslog | grep voipmonitor

You should see creation of functions and partitions shortly after start. If you see errors like Table 'cdr_next_1' doesn't exist, the sensor is failing to initialize the schema — usually due to insufficient DB privileges or connectivity. Fix DB access and restart the sensor so it can finish initialization.

Time Synchronization

Accurate and synchronized time is critical for correlating call legs from different sensors. All servers (GUI, DB, and all Sensors) must run an NTP client (e.g., chrony or ntpdate) to keep clocks in sync.

Comparison of Remote Deployment Modes

Deployment Model Packet Processing Location PCAP Storage Location Network Traffic to Central Server GUI Connectivity
Classic Standalone Remote Remote Minimal (MySQL CDRs) GUI ↔ each Sensor (management port)
Modern Client/Server (Local Processing) Remote Remote Minimal (Encrypted CDRs) GUI ↔ Central Server only (central proxies PCAP fetch)
Modern Client/Server (Packet Mirroring) Central Central High (Encrypted full packets) GUI ↔ Central Server only

FAQ & Common Pitfalls

  • Do remote sensors need DB credentials in Client/Server? No. Only the central server instance writes to DB.
  • Why is id_sensor required everywhere? The GUI uses it to tag and filter calls by capture source.
  • Local Processing still fetches PCAPs from remote — who connects to whom? The GUI requests via the central server; the central server then connects to the remote sensor's TCP/5029 to retrieve the PCAP.

AI Summary for RAG

Summary: This guide covers the deployment topologies for VoIPmonitor. It contrasts running the sensor on the same host as a PBX versus on a dedicated server. For dedicated sensors, it details methods for forwarding traffic, including hardware-based port mirroring (SPAN) and various software-based tunneling protocols (IP-in-IP, GRE, TZSP, VXLAN, HEP, etc.). The core of the article explains distributed architectures for multi-site monitoring, comparing the "classic" standalone remote sensor model with the modern, recommended "client/server" model. It details the two operational modes of the client/server architecture: local processing (sending only CDRs, PCAPs remain remote with central-proxied fetch) and packet mirroring (sending full, raw packets for central processing), which is ideal for low-resource endpoints. The guide concludes with step-by-step configuration, firewall rules, critical parameter notes, and the importance of NTP plus first-start DB initialization. Keywords: deployment, architecture, topology, on-host, dedicated sensor, port mirroring, SPAN, RSPAN, traffic mirroring, tunneling, GRE, TZSP, VXLAN, HEP, remote sensor, multi-site, client server mode, packet mirroring, local processing, firewall rules, NTP, time synchronization, cloud mode Key Questions:

  • How do I set up VoIPmonitor to monitor multiple remote locations?
  • What is the difference between the classic remote sensor and the modern client/server mode?
  • When should I use packet mirroring (packetbuffer_sender) instead of local processing?
  • What are the firewall requirements for the client/server deployment model?
  • Can I run the sensor on the same machine as my Asterisk/FreeSWITCH server?
  • What is a SPAN port and how is it used with VoIPmonitor?
  • Why is NTP important for a distributed VoIPmonitor setup?
Retrieved from "https://www.voipmonitor.org//doc/index.php?title=Sniffing_modes&oldid=5692"