Audiocodes tunneling: Difference between revisions

From VoIPmonitor.org
(Add TLS decryption use case and ECDHE context)
(Rewrite: konsolidace a vylepšení struktury - stručnější, přidán See Also)
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
== VoIPmonitor Configuration for Audiocodes Tunneling ==
= AudioCodes Tunneling =
This guide explains how to configure VoIPmonitor to process packets that are tunneled from an Audiocodes Session Border Controller (SBC). This specific setup is for capturing data sent through the Audiocodes tunnel and differs from the standard configuration for capturing direct network traffic.
[[Category:Configuration]]
[[Category:Sensors]]


=== Overview ===
AudioCodes tunneling allows AudioCodes SBCs to encapsulate and forward SIP/RTP packets to VoIPmonitor via the "Debug Recording Server" feature, as an alternative to traditional SPAN port mirroring.
AudioCodes tunneling allows AudioCodes Session Border Controllers (SBCs) to encapsulate and forward SIP/RTP packets to VoIPmonitor, instead of using traditional network port mirroring (SPAN).


The setup involves two components:
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
flowchart LR
    subgraph Network["VoIP Network"]
        Phone1["SIP Phone"]
        Phone2["SIP Phone"]
    end


# '''AudioCodes SBC Configuration''' - Configure the AudioCodes device to forward packets to VoIPmonitor
    subgraph SBC["AudioCodes SBC"]
# '''VoIPmonitor Server Configuration''' - Configure VoIPmonitor to receive and process the tunneled packets
        TLS["TLS Termination"]
        Debug["Debug Recording<br/>Server Feature"]
    end


=== Important Use Case: TLS Decryption ===
    subgraph VM["VoIPmonitor Server"]
        Sniffer["Sniffer<br/>Port 925"]
        DB[(Database)]
    end


AudioCodes tunneling is particularly useful for monitoring '''encrypted SIP over TLS traffic''' that uses Perfect Forward Secrecy (PFS) cipher suites like ECDHE.
    Phone1 -->|"SIP/TLS + RTP"| TLS
    Phone2 -->|"SIP/TLS + RTP"| TLS
    TLS --> Debug
    Debug -->|"Decrypted<br/>SIP/RTP<br/>UDP/TCP 925"| Sniffer
    Sniffer --> DB
</kroki>


When an AudioCodes SBC terminates TLS connections, it can:
== When to Use AudioCodes Tunneling ==
* Decrypt the TLS-encrypted SIP signaling internally
* Forward the decrypted (clear-text) SIP packets to VoIPmonitor using the "debug call recording" feature
* Eliminate the need for SSL key logger injection or private key access


This approach is ideal when:
This method is ideal for:
* Your AudioCodes SBC uses modern cipher suites (TLS 1.3, ECDHE) where private key decryption is impossible
* '''TLS 1.3 / ECDHE encrypted traffic''' - The SBC decrypts internally, no SSL key logger needed
* You cannot inject SSL key logger libraries into the SBC (closed appliance)
* '''MS Teams Direct Routing''' - SBC-to-Microsoft traffic uses PFS where private key decryption is impossible
* You want centralized decryption at the SBC layer rather than at the VoIPmonitor sensor
* '''Cross-segment monitoring''' - When SBC and VoIPmonitor are on different network segments
* '''Closed appliances''' - When you cannot inject SSL key logger libraries


For a comprehensive guide on all TLS decryption methods, including when to use AudioCodes tunneling vs SSL Key Logger, see [[Tls|TLS Decryption Guide]].
{{Note|1=For MS Teams Direct Routing, AudioCodes tunneling is often the most practical solution because it does not require access to Microsoft's private keys.}}


=== Step 1: Configure the AudioCodes SBC ===
For other TLS decryption methods, see [[Tls|TLS Decryption Guide]].


On the AudioCodes device, you need to enable the packet forwarding feature and configure it to send packets to the VoIPmonitor server.
== Configuration ==


**Required Settings (AudioCodes Device):**
=== Step 1: AudioCodes SBC ===


Access the AudioCodes SBC configuration interface (web GUI or CLI) and locate the following setting:
On the AudioCodes device:
# Locate '''Debug Recording Server''' (or "Log server" / "Session mirroring")
# Set the IP address to your '''VoIPmonitor server IP'''
# Default port: '''UDP/TCP 925'''


* '''Debug Recording Server''' (or equivalent log/mirroring server setting)
Refer to AudioCodes documentation for model-specific steps.
* Set this to the '''IP address of your VoIPmonitor server'''
* The AudioCodes SBC will then encapsulate SIP/RTP packets and send them to this IP address


The exact configuration steps vary by AudioCodes model and firmware. Refer to the AudioCodes documentation for:
=== Step 2: VoIPmonitor Server ===
* "Configuring the Debug Recording Server"
* "Log server configuration"
* "Session mirroring"


**Network Ports Used by AudioCodes:**
Edit <code>/etc/voipmonitor.conf</code>:


By default, AudioCodes uses the following port for forwarding packets:
<syntaxhighlight lang="ini">
* '''UDP/TCP 925''' (Default port)
audiocodes = yes
udp_port_audiocodes = 925
tcp_port_audiocodes = 925
</syntaxhighlight>


You can configure a different port if needed, but ensure it matches the VoIPmonitor configuration (see Step 2).
Restart the service:
<syntaxhighlight lang="bash">
systemctl restart voipmonitor
</syntaxhighlight>


'''Important:''' This method is preferred over traditional SPAN mirroring when:
{{Note|1=Ensure your firewall allows incoming traffic on port 925.}}
* The AudioCodes SBC and VoIPmonitor sensor are on different network segments
* You need to avoid configuring switch-level SPAN ports
* You want more control over which traffic is forwarded


=== Step 2: Configure VoIPmonitor to Receive Tunneled Data ===
== RTP/RTCP Handling Options ==


To enable the processing of data from an Audiocodes tunnel, the following options must be enabled in the sniffer's configuration file (<code>voipmonitor.conf</code>).
These options control how VoIPmonitor handles RTP/RTCP packets when both tunneled and pure (non-encapsulated) packets are captured:


  audiocodes          = yes
<syntaxhighlight lang="ini">
# The main switch that activates the Audiocodes tunnel processing feature.
audiocodes_rtp = yes | no | only | only_for_audiocodes_sip
audiocodes_rtcp = yes | no | only | only_for_audiocodes_sip
</syntaxhighlight>


# Next, define the ports on which the sniffer will listen for incoming tunneled data.
{| class="wikitable"
# These must match the port configured on the AudioCodes SBC.
|-
# Choose the transport protocol (UDP/TCP) used by your Audiocodes SBC and enable the corresponding option.
! Value !! Description !! Use Case
udp_port_audiocodes  = 925
|-
tcp_port_audiocodes  = 925
| <code>yes</code> || Process tunnel RTP/RTCP ('''default''') || Tunnel-only capture, no SPAN
|-
| <code>no</code> || Ignore tunnel RTP/RTCP || Use only pure packets
|-
| <code>only</code> || Use '''only''' tunnel RTP/RTCP for all calls || Exclusively use tunnel data
|-
| <code>only_for_audiocodes_sip</code> || Use tunnel RTP only if SIP was also tunneled || '''Recommended for mixed capture''' (tunnel + SPAN)
|}


# Ensure your firewall allows these ports (default: 925)
=== Mixed Traffic Configuration ===


=== Special Options for RTP/RTCP Handling ===
When capturing both AudioCodes tunnel and SPAN traffic, use:
These options address scenarios where VoIPmonitor can see both 'pure' (non-encapsulated) network packets and packets encapsulated within the Audiocodes tunnel for the same call. They allow you to specify which packets should be assigned to the final CDR, preventing data duplication.


audiocodes_rtp = no/yes/only/only_for_audiocodes_sip
<syntaxhighlight lang="ini">
audiocodes_rtcp = no/yes/only/only_for_audiocodes_sip
audiocodes          = yes
audiocodes_rtp     = only_for_audiocodes_sip
audiocodes_rtcp     = only_for_audiocodes_sip
</syntaxhighlight>


This ensures correct pairing between tunnel RTP and tunnel SIP, preventing stream mixing.


The values for these options mean:
== Verification ==
* <code>no</code> - Disables processing of RTP/RTCP packets that arrive encapsulated in the Audiocodes tunnel.
* <code>yes</code> - Enables processing of RTP/RTCP packets from the tunnel. This is the '''default''' value.
* <code>only</code> - Assigns '''only''' RTP/RTCP packets that are encapsulated in the Audiocodes tunnel to the call/CDR. Any pure (non-encapsulated) packets for the same call, if also seen by the sniffer, will be ignored.
* <code>only_for_audiocodes_sip</code> - Tunneled RTP/RTCP packets are assigned to a CDR '''only if''' the SIP signaling for that call was also delivered through the Audiocodes tunnel.


=== Common Scenarios and Troubleshooting ===
'''On the AudioCodes SBC:'''
<syntaxhighlight lang="bash">
tshark -i pkt1 port 925
</syntaxhighlight>


'''Problem: Mixed RTP Streams (RTP + SRTP)'''
'''On the VoIPmonitor server:'''
 
<syntaxhighlight lang="bash">
When the sniffer captures traffic where plain SRTP is received via the Audiocodes tunnel alongside other traffic (e.g., mirrored traffic on a SPAN port), the resulting RTP streams can become mixed or incorrectly correlated. This happens because VoIPmonitor sees both the encapsulated packets from the tunnel and the pure packets on the network interface.
tcpdump -i any port 925 -w /var/tmp/capture.pcap
 
'''Solution:'''
 
To ensure RTP packets from the Audiocodes tunnel are correctly assigned only to those calls that also use AudioCodes SIP signaling, use the following configuration in your <code>voipmonitor.conf</code>:
 
<syntaxhighlight lang="ini">
[general]
audiocodes          = yes
audiocodes_rtp      = only_for_audiocodes_sip
audiocodes_rtcp    = only_for_audiocodes_sip
</syntaxhighlight>
</syntaxhighlight>


This configuration ensures that:
== Known Limitations ==
* Only RTP/RTCP packets from the AudioCodes tunnel are used for calls where the SIP signaling also came through the tunnel
* Pure (non-encapsulated) packets seen on the wire are not mixed with tunnel packets
* The correct association between tunnel RTP and tunnel SIP is maintained


'''When to Use Each Option:'''
=== IP Addresses Logged as 0.0.0.0 ===


* Use <code>yes</code> (default) when you only capture from the AudioCodes tunnel and no other traffic
RTP packets may show <code>0.0.0.0</code> IP addresses in CDR because the AudioCodes encapsulation strips IP header information.
* Use <code>only</code> when you want to EXCLUSIVELY use tunnel RTP for ALL calls (ignore any pure packets)
* Use <code>no</code> when you want to ignore tunnel RTP and use only pure packets
* Use <code>only_for_audiocodes_sip</code> when you have mixed traffic (tunnel + pure) and want to ensure correct pairing between tunnel RTP and tunnel SIP (this is the recommended setting for most mixed-capture scenarios)


=== Performance Impact on the SBC ===
{| class="wikitable"
|-
! Aspect !! Details
|-
| '''Impact''' || Display limitation only; SIP signaling IPs and call recording remain intact
|-
| '''Workaround''' || Use SIP History tab to see actual IPs from signaling packets
|-
| '''Status''' || Expected behavior, not fixable via configuration
|}


When using AudioCodes tunneling, it is important to assess the performance impact on the AudioCodes SBC itself, particularly in high-traffic environments.
== Performance Considerations ==


'''Monitoring SBC Performance'''
Monitor SBC CPU and network load before/after enabling tunneling:


To determine if tunneling affects your AudioCodes SBC performance:
# Check baseline SBC metrics (CPU, network)
# Enable tunneling via UDP on the SBC
# Monitor metrics during normal operation


1. Check the current baseline: Monitor SBC CPU usage and network load before enabling tunneling
{{Tip|1=You can test SBC impact without configuring VoIPmonitor listener to isolate SBC performance from sensor processing.}}
2. Enable the tunneling feature via UDP on the SBC
3. Monitor the SBC's CPU and network load during normal operation


You can perform this performance test without configuring a VoIPmonitor listener to isolate the SBC's performance impact from the sensor's processing load.
== See Also ==


Refer to the AudioCodes SBC documentation for specific instructions on enabling tunneling and monitoring performance metrics.
* [[Tls|TLS Decryption Guide]] - All TLS decryption methods
* [[Sniffing_modes|Deployment & Topology Guide]] - Alternative capture methods (SPAN, GRE, HEP)
* [[Sniffer_configuration|Sniffer Configuration]] - General sensor configuration


== AI Summary for RAG ==
== AI Summary for RAG ==
'''Summary:''' This guide covers the complete setup for AudioCodes tunneling between AudioCodes Session Border Controllers (SBCs) and VoIPmonitor. It explains both sides of the configuration: (1) configuring the AudioCodes SBC's "Debug Recording Server" setting to forward packets to VoIPmonitor's IP address using UDP/TCP port 925 by default, and (2) configuring VoIPmonitor to receive and process tunneled packets by enabling audiocodes= yes and setting udp_port_audiocodes/tcp_port_audiocodes. The guide also explains handling RTP/RTCP packet assignment when both tunnel and pure traffic are available (audiocodes_rtp options: yes, no, only, only_for_audiocodes_sip) and monitoring SBC performance impact.


IMPORTANT TLS DECRYPTION USE CASE: AudioCodes tunneling is a specific solution for monitoring encrypted SIP over TLS traffic, particularly when the SBC uses Perfect Forward Secrecy (PFS) cipher suites like ECDHE where private key decryption is impossible. The AudioCodes SBC terminates TLS connections, decrypts the traffic internally, and forwards clear-text SIP packets to VoIPmonitor using the "debug call recording" feature. This eliminates the need for SSL key logger injection (LD_PRELOAD) or access to the SBC's private key. This method is ideal when you have an AudioCodes SBC, cannot inject libraries into a closed appliance, or want centralized decryption at the SBC layer. For comparison with other TLS decryption methods (Private Key, SSL Key Logger, Ribbon SBC, HEP), see the [[Tls]] documentation.
'''Summary:''' AudioCodes tunneling allows AudioCodes SBCs to encapsulate and forward SIP/RTP packets to VoIPmonitor using the "Debug Recording Server" feature (default port UDP/TCP 925). Configuration: (1) SBC - set Debug Recording Server IP to VoIPmonitor server, (2) VoIPmonitor - enable <code>audiocodes=yes</code> and set <code>udp_port_audiocodes/tcp_port_audiocodes=925</code>. For mixed capture (tunnel + SPAN), use <code>audiocodes_rtp=only_for_audiocodes_sip</code> to prevent stream mixing. Key use case: Decrypt TLS 1.3/ECDHE traffic (including MS Teams Direct Routing) without SSL key logger. Known limitation: RTP IPs may show as 0.0.0.0 due to encapsulation format.


'''Keywords:''' audiocodes, tunnel, SBC, debugging recording server, configuration, port setup, udp, tcp, rtp, rtcp, mixed streams, only_for_audiocodes_sip, encapsulation, span port, mirroring, performance impact, CPU load, network load, TLS, TLS decryption, ECDHE, perfect forward secrecy, PFS, SIP over TLS, encrypted SIP, clear-text, decrypt, SBC decryption, method 4, debug call recording, tls 1.3, ssl key logger alternative
'''Keywords:''' audiocodes, tunnel, SBC, debug recording server, port 925, udp_port_audiocodes, tcp_port_audiocodes, audiocodes_rtp, only_for_audiocodes_sip, mixed streams, TLS decryption, ECDHE, PFS, TLS 1.3, MS Teams Direct Routing, 0.0.0.0 IP, SPAN alternative


'''Key Questions:'''
'''Key Questions:'''
* How to configure AudioCodes SBC to forward packets to VoIPmonitor?
* How to configure AudioCodes SBC to forward packets to VoIPmonitor?
* Where to configure the Debug Recording Server on AudioCodes devices?
* What is the default port for AudioCodes tunneling?
* Which network ports are required for AudioCodes tunneling to VoIPmonitor?
* How to configure VoIPmonitor to receive AudioCodes tunneled data?
* How to configure VoIPmonitor to receive AudioCodes tunneled data?
* What port does AudioCodes use for packet forwarding (default)?
* How to fix mixed RTP streams when capturing both AudioCodes tunnel and SPAN traffic?
* How to fix mixed RTP streams when capturing both AudioCodes tunnel and regular traffic?
* What is the difference between audiocodes_rtp options?
* What is the difference between audiocodes_rtp options (yes, no, only, only_for_audiocodes_sip)?
* Can AudioCodes tunneling decrypt TLS/ECDHE encrypted SIP?
* When should I use audiocodes_rtp = only_for_audiocodes_sip?
* Why are IP addresses logged as 0.0.0.0 with AudioCodes tunneling?
* What is the performance impact of AudioCodes tunneling on the SBC?
* How to monitor MS Teams Direct Routing traffic?
* Can AudioCodes tunneling decrypt TLS-encrypted SIP with ECDHE ciphers?
* How to monitor encrypted SIP over TLS from an AudioCodes SBC without SSL key logger?
* What is the "debug call recording" feature on AudioCodes SBCs?
* When to use AudioCodes tunneling vs SSL Key Logger for TLS decryption?
* How does AudioCodes SBC handle Perfect Forward Secrecy (PFS) cipher suites?

Latest revision as of 16:47, 8 January 2026

AudioCodes Tunneling

AudioCodes tunneling allows AudioCodes SBCs to encapsulate and forward SIP/RTP packets to VoIPmonitor via the "Debug Recording Server" feature, as an alternative to traditional SPAN port mirroring.

When to Use AudioCodes Tunneling

This method is ideal for:

  • TLS 1.3 / ECDHE encrypted traffic - The SBC decrypts internally, no SSL key logger needed
  • MS Teams Direct Routing - SBC-to-Microsoft traffic uses PFS where private key decryption is impossible
  • Cross-segment monitoring - When SBC and VoIPmonitor are on different network segments
  • Closed appliances - When you cannot inject SSL key logger libraries

ℹ️ Note: For MS Teams Direct Routing, AudioCodes tunneling is often the most practical solution because it does not require access to Microsoft's private keys.

For other TLS decryption methods, see TLS Decryption Guide.

Configuration

Step 1: AudioCodes SBC

On the AudioCodes device:

  1. Locate Debug Recording Server (or "Log server" / "Session mirroring")
  2. Set the IP address to your VoIPmonitor server IP
  3. Default port: UDP/TCP 925

Refer to AudioCodes documentation for model-specific steps.

Step 2: VoIPmonitor Server

Edit /etc/voipmonitor.conf: 

audiocodes = yes
udp_port_audiocodes = 925
tcp_port_audiocodes = 925

Restart the service: 

systemctl restart voipmonitor

ℹ️ Note: Ensure your firewall allows incoming traffic on port 925.

RTP/RTCP Handling Options

These options control how VoIPmonitor handles RTP/RTCP packets when both tunneled and pure (non-encapsulated) packets are captured: 

audiocodes_rtp  = yes | no | only | only_for_audiocodes_sip
audiocodes_rtcp = yes | no | only | only_for_audiocodes_sip
Value Description Use Case
yes Process tunnel RTP/RTCP (default) Tunnel-only capture, no SPAN
no Ignore tunnel RTP/RTCP Use only pure packets
only Use only tunnel RTP/RTCP for all calls Exclusively use tunnel data
only_for_audiocodes_sip Use tunnel RTP only if SIP was also tunneled Recommended for mixed capture (tunnel + SPAN)

Mixed Traffic Configuration

When capturing both AudioCodes tunnel and SPAN traffic, use: 

audiocodes          = yes
audiocodes_rtp      = only_for_audiocodes_sip
audiocodes_rtcp     = only_for_audiocodes_sip

This ensures correct pairing between tunnel RTP and tunnel SIP, preventing stream mixing.

Verification

On the AudioCodes SBC: 

tshark -i pkt1 port 925

On the VoIPmonitor server: 

tcpdump -i any port 925 -w /var/tmp/capture.pcap

Known Limitations

IP Addresses Logged as 0.0.0.0

RTP packets may show 0.0.0.0 IP addresses in CDR because the AudioCodes encapsulation strips IP header information.

Aspect Details
Impact Display limitation only; SIP signaling IPs and call recording remain intact
Workaround Use SIP History tab to see actual IPs from signaling packets
Status Expected behavior, not fixable via configuration

Performance Considerations

Monitor SBC CPU and network load before/after enabling tunneling:

  1. Check baseline SBC metrics (CPU, network)
  2. Enable tunneling via UDP on the SBC
  3. Monitor metrics during normal operation

💡 Tip: You can test SBC impact without configuring VoIPmonitor listener to isolate SBC performance from sensor processing.

See Also

AI Summary for RAG

Summary: AudioCodes tunneling allows AudioCodes SBCs to encapsulate and forward SIP/RTP packets to VoIPmonitor using the "Debug Recording Server" feature (default port UDP/TCP 925). Configuration: (1) SBC - set Debug Recording Server IP to VoIPmonitor server, (2) VoIPmonitor - enable audiocodes=yes and set udp_port_audiocodes/tcp_port_audiocodes=925. For mixed capture (tunnel + SPAN), use audiocodes_rtp=only_for_audiocodes_sip to prevent stream mixing. Key use case: Decrypt TLS 1.3/ECDHE traffic (including MS Teams Direct Routing) without SSL key logger. Known limitation: RTP IPs may show as 0.0.0.0 due to encapsulation format.

Keywords: audiocodes, tunnel, SBC, debug recording server, port 925, udp_port_audiocodes, tcp_port_audiocodes, audiocodes_rtp, only_for_audiocodes_sip, mixed streams, TLS decryption, ECDHE, PFS, TLS 1.3, MS Teams Direct Routing, 0.0.0.0 IP, SPAN alternative

Key Questions:

  • How to configure AudioCodes SBC to forward packets to VoIPmonitor?
  • What is the default port for AudioCodes tunneling?
  • How to configure VoIPmonitor to receive AudioCodes tunneled data?
  • How to fix mixed RTP streams when capturing both AudioCodes tunnel and SPAN traffic?
  • What is the difference between audiocodes_rtp options?
  • Can AudioCodes tunneling decrypt TLS/ECDHE encrypted SIP?
  • Why are IP addresses logged as 0.0.0.0 with AudioCodes tunneling?
  • How to monitor MS Teams Direct Routing traffic?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=Audiocodes_tunneling&oldid=10045"