Diameter Protocol: Difference between revisions

Revision as of 20:49, 15 January 2026

VoIPmonitor supports Diameter protocol capture and correlation with SIP calls, primarily for IMS (IP Multimedia Subsystem) environments where Diameter is used for authentication, authorization, and subscriber data management.

Overview

Diameter is the signaling protocol used in IMS networks for:

Authentication and Authorization - User identity verification
Subscriber Data Management - HSS (Home Subscriber Server) queries
Policy and Charging - PCRF interactions
Location Services - User location registration

VoIPmonitor passively captures Diameter traffic and correlates it with SIP calls based on subscriber identity matching.

How It Works

Capture

VoIPmonitor passively captures Diameter protocol traffic:

Default Port: TCP/UDP 3868
Transport: Supports both TCP and UDP
Capture Mode: Disabled by default, must be explicitly enabled

SIP-Diameter Correlation

The primary function is to correlate Diameter signaling messages with SIP calls based on subscriber identity matching.

Extracted Fields for Correlation:

AVP Code	Field Name	Description
601	Public Identity	User's public identity (SIP URI or TEL URI)
263	Session ID	Diameter session identifier
831	Calling Party Address	Originating party address

Correlation Logic:

VoIPmonitor extracts the public identity from Diameter messages
Matches against SIP caller/called numbers (From/To headers)
Associates Diameter signaling with the corresponding SIP call
Diameter packets visible in call detail alongside SIP messages

Matching Flexibility

Since SIP and Diameter may use different URI formats, VoIPmonitor provides flexible matching options:

Scenario	Example	Solution
Prefix mismatch	SIP: `sip:+123456789@domain` Diameter: `tel:+123456789`	Enable `diameter_ignore_prefix`
Domain mismatch	SIP: `sip:user@10.0.0.1` Diameter: `sip:user@ims.example.com`	Enable `diameter_ignore_domain`
Timing offset	Diameter authentication before SIP INVITE	Configure `diameter_time_overlap`

Configuration

Enable and configure Diameter support in /etc/voipmonitor.conf:

#####################################
# Diameter Protocol Configuration

# Enable Diameter protocol capture (default: no)
diameter = yes

# Configure capture ports (default: 3868)
diameter_tcp_ports = 3868
diameter_udp_ports = 3868

# Time window for correlation - Diameter packets can arrive
# up to N seconds before SIP sessions (default: 10)
diameter_time_overlap = 10

# Allow matching when URI prefixes differ
# Example: sip:+123456789 matches tel:+123456789 (default: no)
diameter_ignore_prefix = yes

# Allow matching when domains differ
# Example: SIP uses IP, Diameter uses FQDN (default: no)
diameter_ignore_domain = yes

Configuration Parameters Reference

Parameter	Default	Description
`diameter`	no	Enable/disable Diameter protocol capture
`diameter_tcp_ports`	3868	TCP ports to monitor for Diameter traffic
`diameter_udp_ports`	3868	UDP ports to monitor for Diameter traffic
`diameter_time_overlap`	10	Seconds before SIP session that Diameter packets are accepted for correlation
`diameter_ignore_prefix`	no	Ignore URI scheme prefix (sip: vs tel:) when matching
`diameter_ignore_domain`	no	Ignore domain part when matching identities

Multiple Ports

If Diameter traffic uses non-standard ports, specify multiple ports:

diameter_tcp_ports = 3868,3869,3870
diameter_udp_ports = 3868

GUI Configuration

Diameter can also be configured via the VoIPmonitor GUI:

Navigate to Settings > Sensors
Click the wrench icon next to your sensor
Search for diameter
Configure the parameters as needed
Save and restart the sensor

Supported Diameter Applications

VoIPmonitor processes Diameter messages generically without application-specific logic. This means it handles multiple Diameter applications uniformly:

Application	Interface	Typical Use Case
Cx	I-CSCF/S-CSCF ↔ HSS	User authentication, registration
Sh	AS ↔ HSS	Subscriber data queries
Rx	P-CSCF ↔ PCRF	Policy and charging rules
Ro/Rf	Various ↔ OCS/OFCS	Online/offline charging
Gx	PCEF ↔ PCRF	Policy control

ℹ️ Note: VoIPmonitor extracts correlation data (Public Identity, Session ID, Calling Party Address) from any Diameter application that includes these AVPs.

Viewing Diameter in CDR

When Diameter is correlated with a SIP call:

Open the call detail record (CDR)
In the SIP History section, Diameter messages appear alongside SIP messages
Messages are displayed with their Diameter command codes and relevant AVP data

Deployment Considerations

Network Tap Placement

For complete call visibility:

Place TAP/SPAN to capture both SIP and Diameter traffic
Ensure the sensor can see traffic between CSCF and HSS
Consider Diameter traffic from multiple interfaces (Cx, Sh, Rx)

Traffic Volume

Diameter generates significant signaling traffic in IMS environments:

Every SIP transaction may trigger multiple Diameter exchanges
Plan sensor capacity accordingly
Consider filtering non-essential Diameter traffic if needed

Troubleshooting

Diameter Not Captured

Check configuration:

grep -i diameter /etc/voipmonitor.conf

Verify traffic on interface:

tcpdump -i eth0 -n port 3868 -c 10

Check sensor logs:

grep -i diameter /var/log/voipmonitor.log

Correlation Not Working

Symptom	Possible Cause	Solution
Diameter captured but not linked to SIP	Identity format mismatch	Enable `diameter_ignore_prefix` and/or `diameter_ignore_domain`
Diameter missing for some calls	Timing issue	Increase `diameter_time_overlap`
Wrong calls correlated	Ambiguous identity	Verify public identity uniqueness in your network

Debug Capture

Capture traffic for analysis:

# Capture Diameter and SIP traffic
tcpdump -i eth0 -w /tmp/diameter_debug.pcap \
  "port 3868 or port 5060 or port 5061"

Provide to support:

CDR ID of affected call
PCAP file
VoIPmonitor configuration (diameter settings)
voipmonitor --version

Ribbon Diameter+

ℹ️ Note: Ribbon's proprietary "Diameter+" protocol (used between Ribbon SBCs and PSX) is not standard Diameter. Contact VoIPmonitor support for compatibility information.

AI Summary for RAG

Diameter Protocol Support in VoIPmonitor

VoIPmonitor captures and correlates Diameter protocol traffic with SIP calls in IMS (IP Multimedia Subsystem) environments. Diameter is used for authentication, authorization, subscriber data management, and policy control in telecom networks.

Key Configuration Parameters:

diameter = yes - Enable Diameter capture (disabled by default)
diameter_tcp_ports = 3868 - TCP ports for Diameter (default 3868)
diameter_udp_ports = 3868 - UDP ports for Diameter (default 3868)
diameter_time_overlap = 10 - Seconds before SIP session to accept Diameter packets
diameter_ignore_prefix = yes - Match sip: URIs with tel: URIs
diameter_ignore_domain = yes - Ignore domain mismatch between SIP and Diameter

Correlation Mechanism: VoIPmonitor extracts Public Identity (AVP 601), Session ID (AVP 263), and Calling Party Address (AVP 831) from Diameter messages and matches them against SIP From/To headers. Correlated Diameter messages appear in CDR alongside SIP signaling.

Supported Diameter Applications: Cx (authentication), Sh (subscriber data), Rx (policy/charging), Ro/Rf (charging), Gx (policy control) - all processed generically via AVP extraction.

Common Issues:

Diameter not captured → Enable diameter = yes and verify port 3868 traffic
Correlation fails → Enable diameter_ignore_prefix and diameter_ignore_domain
Missing Diameter for some calls → Increase diameter_time_overlap

Important Notes:

Ribbon "Diameter+" is proprietary, not standard Diameter
Place network TAP to capture both SIP and Diameter traffic
Diameter generates significant signaling volume in IMS environments

Keywords: Diameter, IMS, HSS, CSCF, AVP, Public Identity, Session ID, Cx, Sh, Rx, Gx, Ro, Rf, 3868, correlation, authentication, PCRF, VoLTE, telecom

@@ Line 270: / Line 270: @@
 * [[Capture_rules]] - Filtering captured traffic
 * [[Sniffer_distributed_architecture]] - Distributed capture setup
+== AI Summary for RAG ==
+'''Diameter Protocol Support in VoIPmonitor'''
+VoIPmonitor captures and correlates Diameter protocol traffic with SIP calls in IMS (IP Multimedia Subsystem) environments. Diameter is used for authentication, authorization, subscriber data management, and policy control in telecom networks.
+'''Key Configuration Parameters:'''
+* <code>diameter = yes</code> - Enable Diameter capture (disabled by default)
+* <code>diameter_tcp_ports = 3868</code> - TCP ports for Diameter (default 3868)
+* <code>diameter_udp_ports = 3868</code> - UDP ports for Diameter (default 3868)
+* <code>diameter_time_overlap = 10</code> - Seconds before SIP session to accept Diameter packets
+* <code>diameter_ignore_prefix = yes</code> - Match sip: URIs with tel: URIs
+* <code>diameter_ignore_domain = yes</code> - Ignore domain mismatch between SIP and Diameter
+'''Correlation Mechanism:'''
+VoIPmonitor extracts Public Identity (AVP 601), Session ID (AVP 263), and Calling Party Address (AVP 831) from Diameter messages and matches them against SIP From/To headers. Correlated Diameter messages appear in CDR alongside SIP signaling.
+'''Supported Diameter Applications:'''
+Cx (authentication), Sh (subscriber data), Rx (policy/charging), Ro/Rf (charging), Gx (policy control) - all processed generically via AVP extraction.
+'''Common Issues:'''
+* Diameter not captured → Enable <code>diameter = yes</code> and verify port 3868 traffic
+* Correlation fails → Enable <code>diameter_ignore_prefix</code> and <code>diameter_ignore_domain</code>
+* Missing Diameter for some calls → Increase <code>diameter_time_overlap</code>
+'''Important Notes:'''
+* Ribbon "Diameter+" is proprietary, not standard Diameter
+* Place network TAP to capture both SIP and Diameter traffic
+* Diameter generates significant signaling volume in IMS environments
+'''Keywords:''' Diameter, IMS, HSS, CSCF, AVP, Public Identity, Session ID, Cx, Sh, Rx, Gx, Ro, Rf, 3868, correlation, authentication, PCRF, VoLTE, telecom