Ribbon7k monitoring profiles: Difference between revisions

From VoIPmonitor.org
(Clarify HA failover handling - remove only ribbonsbc_srcip, keep dstip/port for filtering)
(Patch: replace '# Transport & framing options:...')
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Use the monitoring profile =
= Ribbon SBC Monitoring Profile for VoIPmonitor =
For getting the TLS signalling decrypted by ribbon SBC:


We will use the Monitoring Profile feature to send only TLS decoded signaling to a voipmonitor server  
This page explains how to use the Ribbon SBC '''Monitoring Profile''' to export TLS-decrypted SIP signaling to a VoIPmonitor server.


On the SBC navigate to All > Profiles > Services > Monitoring Profile. The Monitoring Profile window displays, containing the table Monitoring Profile List.
== Overview ==
 
The Ribbon SBC can decrypt TLS/SRTP traffic internally and forward clear-text SIP to VoIPmonitor, eliminating the need for SSL key loggers when dealing with TLS 1.3 or PFS cipher suites (DHE/ECDHE).
 
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
flowchart LR
    subgraph TLS["TLS Encrypted"]
        EP[Phone/Endpoint]
    end
    subgraph SBC["Ribbon SBC"]
        DEC[TLS Termination]
        MP[Monitoring Profile]
    end
    subgraph VM["VoIPmonitor"]
        SNIFF[Sensor]
    end
    EP -->|"TLS SIP"| DEC
    DEC -->|"Decrypt"| MP
    MP -->|"Clear SIP<br/>Port 9514"| SNIFF
</kroki>
{{Note|1='''Ribbon SBC''' (Ribbon Communications, formed from GENBAND + Sonus Networks merger in 2017) is a '''different vendor''' than '''Oracle SBC''' (formerly Acme Packet). They use different protocols:
* '''Ribbon SBC''' → Monitoring Profile with <code>ribbonsbc</code> parameters (this page)
* '''Oracle SBC''' → IPFIX protocol with <code>ipfix</code> parameters (see [[Sniffer_configuration#IPFIX_Support|IPFIX Support]])
}}
== Configuring the Monitoring Profile ==
 
To export TLS-decrypted signaling from the Ribbon SBC, use the Monitoring Profile feature.
 
On the SBC navigate to '''All > Profiles > Services > Monitoring Profile'''. The Monitoring Profile window displays, containing the table Monitoring Profile List.


[[File:Ribbon_tls_monitProfile.png]]
[[File:Ribbon_tls_monitProfile.png]]


Modify the monitoring profile to send only TLS signaling to the remote server:
Modify the monitoring profile to send only TLS signaling to the remote server:
Line 13: Line 40:
[[File:Ribbon_tls_ProfileEdit.png]]
[[File:Ribbon_tls_ProfileEdit.png]]


== Assigning the Monitoring Profile to a SIP Signaling Port ==
Execute the following CLI command on the Ribbon host:
<syntaxhighlight lang="bash">
set addressContext AC_INTP zone INTERNAL_IPIG sipSigPort 1 monitoringProfileName TEST_Monitoring_Profile
</syntaxhighlight>


Execute the following CLI command (on Ribbon host)
set addressContext AC_INTP zone INTERNAL_IPIG sipSigPort 1 monitoringProfileName TEST_Monitoring_Profile
The syntax:
The syntax:
set addressContext <address_context> zone <zone_name> sipSigPort 1 monitoringProfileName <monitoring_profile_name>
<syntaxhighlight lang="bash">
set addressContext <address_context> zone <zone_name> sipSigPort 1 monitoringProfileName <monitoring_profile_name>
</syntaxhighlight>
 
[[File:Ribbon_tls_assignMonitProfile.png]]
 
== Incorporating Source and Destination IPs ==


= Verify that SBC are sending data =
You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under '''Header''' add the source and destination IPs to the selected monitoring profile.
Verify on the SBC that the data are traveling to the remote server:
 
tshark -i pkt1 port 9514
[[File:Ribbon_tls_incorporatingIPs.png]]
 
This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server. From here the data can be ingested and processed by the far end server.
 
'''Reference:''' [https://doc.rbbn.com/display/SBXDOC121/Services+-+Monitoring+Profile Ribbon's official documentation]
 
== VoIPmonitor Configuration ==
 
VoIPmonitor supports two modes for receiving Ribbon monitoring data:
 
{| class="wikitable"
|-
! Mode !! Description !! When to Use
|-
| '''Passive Sniffing''' || Substitutes src/dst IP:port in already sniffed traffic || Traffic arrives via SPAN/mirror
|-
| '''Active Listener''' || Opens a socket to receive Ribbon feed directly || Direct TCP/UDP connection from SBC
|}
 
=== Mode 1: Passive Sniffing ===
 
Add to <code>/etc/voipmonitor.conf</code>:
 
<syntaxhighlight lang="ini">
# Enable Ribbon-style IP substitution on sniffed traffic
ribbonsbc = yes
 
# Optional filters (legacy but still supported):
# ribbonsbc_port  = 9514         # expected mirror port
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP
</syntaxhighlight>


=Assign the TEST_Monitoring_Profile to the Sip Signaling Port=
{{Warning|1=For '''High Availability (HA) setups''', do NOT use <code>ribbonsbc_srcip</code> - it will fail when traffic originates from a different SBC node after failover. Use only <code>ribbonsbc_port</code> and <code>ribbonsbc_dstip</code>.}}
[[File:Ribbon_tls_assignMonitProfile.png]]


= Verify on the monitoring server =
=== Mode 2: Active Listener ===
that the packets are arriving from sbc:
tcpdump -i any port 9514 -w /var/tmp/Capture_Mar26_fromRibbon_TLS_only.pcap


Add to <code>/etc/voipmonitor.conf</code>:


<syntaxhighlight lang="ini">
# Listen for Ribbon monitoring data
ribbonsbc_bind_ip  = 0.0.0.0
ribbonsbc_bind_port = 9514


# Framing options:
# ribbonsbc_size_header  = yes  # expect 2-byte size header (default)
# ribbonsbc_strict_check = no    # drop incomplete frames
# ribbonsbc_counter_log  = no    # log incoming frame counts
# Note: TCP+UDP automatically bound since 2026.1.3
</syntaxhighlight>


= Incorporating source and dest IP with monitoring profile =
After configuration, restart the service:
You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under Header add the source and destination IPs to the selected monitoring profile.
<syntaxhighlight lang="bash">
systemctl restart voipmonitor
</syntaxhighlight>


[[File:Ribbon_tls_incorporatingIPs.png]]
== Verification ==


This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server.    From here the data can be injested and processed by the far end server.  The packets appear as follows on the far end server.
=== Verify on the SBC ===
 


The source: Ribbon's site at https://doc.rbbn.com/display/SBXDOC121/Services+-+Monitoring+Profile
Verify on the SBC that the data are traveling to the remote server:


= VoIPmonitor.conf =
<syntaxhighlight lang="bash">
tshark -i pkt1 port 9514
</syntaxhighlight>


<pre>
=== Verify on the Monitoring Server ===
#####################################
# Ribbon SBC Mirroring / ribbonsvc  #
#####################################
# This module handles Ribbon SBC "monitoring profile" mirrored SIP/RTP data.
# It supports two modes:
#  1) Passive sniffing  – substitute src/dst IP:port in already sniffed traffic
#  2) Active listener  – accept Ribbon "monitoring profile" feed on a local socket
#
# It is similar to "Kamailio Mirroring using siptrace", but uses a minimal header set.


###########
Verify that the packets are arriving from SBC:
# MODE 1: PASSIVE SNIFFING (no socket opened)
#
# Quick enable:
#  ribbonsbc = yes
# When enabled, VoIPmonitor will try to detect and apply IP:port substitutions
# if substitution content is present in sniffed packets.
#
# Optional narrowing (legacy but still supported):
#  Use the triplet below to restrict which mirrored packets should be considered.
#  Keep using this if you need explicit filtering; otherwise just set ribbonsbc = yes.
#
# ribbonsbc_port  = 9514          # expected mirror port seen in packets (legacy filter)
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP as seen by Ribbon (legacy filter)
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP (legacy filter)
#
# Note: If 'ribbonsbc' is enabled (yes/NO), substitution is attempted whenever
# substitution content is found. Same idea applies to 'kamailio' (see below).


###########
<syntaxhighlight lang="bash">
# MODE 2: ACTIVE LISTENER (open a socket and ingest feed directly)
tcpdump -i any port 9514 -w /var/tmp/capture_from_ribbon.pcap
#
</syntaxhighlight>
# Bind an explicit local IP/port to receive Ribbon monitoring data. If these are set,
# the sniffer will listen and process incoming Ribbon data on this socket.
#
# ribbonsbc_bind_ip  = 0.0.0.0  # listen address (required to enable active mode)
# ribbonsbc_bind_port = 9514     # listen port (required to enable active mode)
#
# Transport & framing:
# ribbonsbc_bind_udp    = no      # yes/NO – UDP support (default NO; TCP recommended)
# ribbonsbc_size_header = YES    # YES/no – expect 2-byte size header before each frame
# ribbonsbc_strict_check= no      # yes/NO – process only frames complete per size header
#
# Instrumentation:
# ribbonsbc_counter_log = no      # yes/NO – log counts of incoming Ribbon frames
#
# TIP: Active listener generally makes sense with TCP (default). UDP is rarely useful.


###########
# SUBSTITUTION SWITCHES (shared idea with Kamailio)
#
# These switches only control whether src/dst IP:port substitution is attempted in
# normally sniffed traffic when substitution content is present. If enabled and
# a substitution block is detected, it is applied without having to predeclare
# specific IP:ports (unlike the legacy triplet).
#
# kamailio  = no  # yes/NO – enable Kamailio-style substitution on sniffed traffic
# ribbonsbc = yes  # yes/NO – enable Ribbon-style substitution on sniffed traffic


###########
# RECOMMENDATIONS
#
# - Use MODE 1 (passive) with:  ribbonsbc = yes
#  Only add ribbonsbc_port/dstip/srcip if you need strict filtering by IP/port.
#
# - IMPORTANT FOR HIGH AVAILABILITY (HA) SETUPS:
#  In HA/failover setups where the Ribbon SBC cluster has multiple nodes that can
#  send traffic from different IP addresses, the ribbonsbc_srcip filter will fail
#  when a failover occurs and traffic originates from a different SBC node.
#
#  Recommended approach for HA: Remove ONLY ribbonsbc_srcip:
#    ribbonsbc_port  = 9514      # keeps filtering to correct destination port
#    ribbonsbc_dstip = 10.0.0.1  # keeps filtering to your monitoring server
#  # ribbonsbc_srcip = 10.0.0.2  # COMMENTED OUT - allows any source IP in HA
#
#  This narrows processing to packets sent to your monitoring server on the
#  expected port, regardless of which Ribbon node sends them. IP substitution
#  continues to work using the Monitoring Profile's embedded headers.
#
#  Alternative (broadest): Use ONLY ribbonsbc = yes with no filters - accepts all
#  mirrored packets and attempts substitution on any with Monitoring Profile content.
#
# - Use MODE 2 (active) when Ribbon sends the monitoring profile feed directly to you:
#    ribbonsbc_bind_ip  = 0.0.0.0
#    ribbonsbc_bind_port = 9514
#  Keep ribbonsbc_bind_udp = no unless you explicitly need UDP.
#
# - Leave ribbonsbc_size_header = YES unless you know Ribbon is sending raw frames.
# - Enable ribbonsbc_strict_check = yes if you want to drop any incomplete frames.
#
# DEFAULTS (implicit unless set):
#  ribbonsbc = no
#  kamailio  = no
#  ribbonsbc_bind_udp = no
#  ribbonsbc_size_header = YES
#  ribbonsbc_strict_check = no
#  ribbonsbc_counter_log = no
</pre>


== AI Summary for RAG ==
== AI Summary for RAG ==
'''Summary:''' This page explains how to use the Ribbon SBC '''Monitoring Profile''' to export '''TLS-decrypted SIP signaling''' to a VoIPmonitor server. It covers where to configure the monitoring profile in the SBC GUI, how to assign it to a specific SIP signaling port (including the required CLI syntax), and how to verify traffic both on the SBC (tshark on the capture interface) and on the monitoring server (tcpdump on port 9514). It also shows how to '''embed source and destination IPs''' into the exported feed by adding headers in the monitoring profile, so the far end (VoIPmonitor) can reliably remap/ingest the traffic. The page includes a ready-to-use voipmonitor.conf block for the '''ribbonsvc''' integration, describing two modes: (1) '''Passive sniffing''' – only IP:port substitution on already sniffed packets; and (2) '''Active listener''' – the sensor opens a socket and listens for the Ribbon feed. Advanced options include TCP/UDP selection (TCP recommended), size-header framing, strict frame completeness checks, and optional counters logging. For '''High Availability (HA) / failover setups''', the recommended approach is to comment out only ribbonsbc_srcip (to accept traffic from any Ribbon node) while keeping ribbonsbc_dstip and ribbonsbc_port for targeted packet filtering. IP substitution continues to work using the Monitoring Profile's embedded headers regardless of which physical SBC node sends the packets.


'''Keywords:''' Ribbon SBC, Monitoring Profile, TLS decryption, SIP signaling, VoIPmonitor, ribbonsvc, passive sniffing, active listener, size header, TCP, UDP, src/dst IP substitution, verification, tshark, tcpdump, port 9514, High Availability, HA, failover, redundancy, ribbonsbc_srcip, ribbonsbc_dstip, ribbonsbc_port, content-based substitution, legacy filters
'''Summary:''' Guide for configuring Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to VoIPmonitor. Setup requires: (1) Configure Monitoring Profile in SBC GUI (All > Profiles > Services > Monitoring Profile), (2) Assign profile to SIP port via CLI: <code>set addressContext <AC> zone <ZONE> sipSigPort 1 monitoringProfileName <PROFILE></code>, (3) Add Source/Destination IPs in Header section for proper remapping. VoIPmonitor supports two modes: Passive sniffing (<code>ribbonsbc=yes</code>) for SPAN/mirror traffic, and Active listener (<code>ribbonsbc_bind_ip/port</code>) for direct TCP connection. For HA/failover setups, omit <code>ribbonsbc_srcip</code> filter to accept traffic from any SBC node. Default port is 9514. Verification via tshark on SBC and tcpdump on monitoring server.
 
'''Keywords:''' Ribbon SBC, Monitoring Profile, TLS decryption, ribbonsbc, passive sniffing, active listener, port 9514, HA failover, IP substitution, SIP signaling


'''Key Questions:'''
'''Key Questions:'''
 
* How do I configure Ribbon SBC to export TLS-decrypted SIP to VoIPmonitor?
* How do I configure a Ribbon '''Monitoring Profile''' to export only TLS-decrypted SIP signaling?
* What is the CLI command to assign a monitoring profile to a SIP port?
* How do I '''assign''' the monitoring profile to a SIP signaling port (GUI and CLI)?
* What is the difference between passive sniffing and active listener modes?
* How can I '''verify''' that the SBC is sending the feed and that the monitoring server is receiving it?
* How do I configure VoIPmonitor for Ribbon SBC in High Availability (HA) setups?
* How do I '''include src/dst IPs''' in the exported signaling so VoIPmonitor can substitute addresses?
* Why does ribbonsbc_srcip fail in HA failover scenarios?
* When should I use '''Passive sniffing''' (substitution only) vs '''Active listener''' (open socket) in ribbonsvc?
* How do I verify traffic is being sent from Ribbon SBC to VoIPmonitor?
* Which ribbonsvc options control '''transport (TCP/UDP), framing (size header), and strict completeness checks'''?
* What is the default port for Ribbon monitoring profile (9514)?
* What are sensible '''defaults''' and recommended settings for reliable ingestion on VoIPmonitor?
* How do I configure VoIPmonitor for '''High Availability (HA) / failover''' with Ribbon SBC clusters?
* Why does ribbonsbc_srcip fail in HA setups and which filter should I remove?
* Should I remove ribbonsbc_srcip only, or all ribbonsbc filters (srcip/dstip/port) for failover scenarios?

Latest revision as of 17:38, 22 January 2026

Ribbon SBC Monitoring Profile for VoIPmonitor

This page explains how to use the Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to a VoIPmonitor server.

Overview

The Ribbon SBC can decrypt TLS/SRTP traffic internally and forward clear-text SIP to VoIPmonitor, eliminating the need for SSL key loggers when dealing with TLS 1.3 or PFS cipher suites (DHE/ECDHE).

ℹ️ Note: Ribbon SBC (Ribbon Communications, formed from GENBAND + Sonus Networks merger in 2017) is a different vendor than Oracle SBC (formerly Acme Packet). They use different protocols:

  • Ribbon SBC → Monitoring Profile with ribbonsbc parameters (this page)
  • Oracle SBC → IPFIX protocol with ipfix parameters (see IPFIX Support)

Configuring the Monitoring Profile

To export TLS-decrypted signaling from the Ribbon SBC, use the Monitoring Profile feature.

On the SBC navigate to All > Profiles > Services > Monitoring Profile. The Monitoring Profile window displays, containing the table Monitoring Profile List.

Modify the monitoring profile to send only TLS signaling to the remote server:

Assigning the Monitoring Profile to a SIP Signaling Port

Execute the following CLI command on the Ribbon host: 

set addressContext AC_INTP zone INTERNAL_IPIG sipSigPort 1 monitoringProfileName TEST_Monitoring_Profile

The syntax: 

set addressContext <address_context> zone <zone_name> sipSigPort 1 monitoringProfileName <monitoring_profile_name>

Incorporating Source and Destination IPs

You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under Header add the source and destination IPs to the selected monitoring profile.

This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server. From here the data can be ingested and processed by the far end server.

Reference: Ribbon's official documentation

VoIPmonitor Configuration

VoIPmonitor supports two modes for receiving Ribbon monitoring data:

Mode Description When to Use
Passive Sniffing Substitutes src/dst IP:port in already sniffed traffic Traffic arrives via SPAN/mirror
Active Listener Opens a socket to receive Ribbon feed directly Direct TCP/UDP connection from SBC

Mode 1: Passive Sniffing

Add to /etc/voipmonitor.conf: 

# Enable Ribbon-style IP substitution on sniffed traffic
ribbonsbc = yes

# Optional filters (legacy but still supported):
# ribbonsbc_port  = 9514          # expected mirror port
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP

⚠️ Warning: For High Availability (HA) setups, do NOT use ribbonsbc_srcip - it will fail when traffic originates from a different SBC node after failover. Use only ribbonsbc_port and ribbonsbc_dstip.

Mode 2: Active Listener

Add to /etc/voipmonitor.conf: 

# Listen for Ribbon monitoring data
ribbonsbc_bind_ip   = 0.0.0.0
ribbonsbc_bind_port = 9514

# Framing options:
# ribbonsbc_size_header  = yes   # expect 2-byte size header (default)
# ribbonsbc_strict_check = no    # drop incomplete frames
# ribbonsbc_counter_log  = no    # log incoming frame counts
# Note: TCP+UDP automatically bound since 2026.1.3

After configuration, restart the service: 

systemctl restart voipmonitor

Verification

Verify on the SBC

Verify on the SBC that the data are traveling to the remote server: 

tshark -i pkt1 port 9514

Verify on the Monitoring Server

Verify that the packets are arriving from SBC: 

tcpdump -i any port 9514 -w /var/tmp/capture_from_ribbon.pcap


AI Summary for RAG

Summary: Guide for configuring Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to VoIPmonitor. Setup requires: (1) Configure Monitoring Profile in SBC GUI (All > Profiles > Services > Monitoring Profile), (2) Assign profile to SIP port via CLI: set addressContext <AC> zone <ZONE> sipSigPort 1 monitoringProfileName <PROFILE>, (3) Add Source/Destination IPs in Header section for proper remapping. VoIPmonitor supports two modes: Passive sniffing (ribbonsbc=yes) for SPAN/mirror traffic, and Active listener (ribbonsbc_bind_ip/port) for direct TCP connection. For HA/failover setups, omit ribbonsbc_srcip filter to accept traffic from any SBC node. Default port is 9514. Verification via tshark on SBC and tcpdump on monitoring server.

Keywords: Ribbon SBC, Monitoring Profile, TLS decryption, ribbonsbc, passive sniffing, active listener, port 9514, HA failover, IP substitution, SIP signaling

Key Questions:

  • How do I configure Ribbon SBC to export TLS-decrypted SIP to VoIPmonitor?
  • What is the CLI command to assign a monitoring profile to a SIP port?
  • What is the difference between passive sniffing and active listener modes?
  • How do I configure VoIPmonitor for Ribbon SBC in High Availability (HA) setups?
  • Why does ribbonsbc_srcip fail in HA failover scenarios?
  • How do I verify traffic is being sent from Ribbon SBC to VoIPmonitor?
  • What is the default port for Ribbon monitoring profile (9514)?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Ribbon7k_monitoring_profiles&oldid=11020"