Ribbon7k monitoring profiles: Difference between revisions

From VoIPmonitor.org
(Review: formatting fixes, heading structure, <pre> -> <syntaxhighlight>, better organization of sections)
(Review: added overview diagram, reorganized sections, shortened AI Summary, fixed formatting of config blocks)
Line 2: Line 2:


This page explains how to use the Ribbon SBC '''Monitoring Profile''' to export TLS-decrypted SIP signaling to a VoIPmonitor server.
This page explains how to use the Ribbon SBC '''Monitoring Profile''' to export TLS-decrypted SIP signaling to a VoIPmonitor server.
== Overview ==
The Ribbon SBC can decrypt TLS/SRTP traffic internally and forward clear-text SIP to VoIPmonitor, eliminating the need for SSL key loggers when dealing with TLS 1.3 or PFS cipher suites (DHE/ECDHE).
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 40}}}%%
flowchart LR
    subgraph TLS["TLS Encrypted"]
        EP[Phone/Endpoint]
    end
    subgraph SBC["Ribbon SBC"]
        DEC[TLS Termination]
        MP[Monitoring Profile]
    end
    subgraph VM["VoIPmonitor"]
        SNIFF[Sensor]
    end
    EP -->|"TLS SIP"| DEC
    DEC -->|"Decrypt"| MP
    MP -->|"Clear SIP<br/>Port 9514"| SNIFF
</kroki>


== Configuring the Monitoring Profile ==
== Configuring the Monitoring Profile ==


For getting the TLS signalling decrypted by Ribbon SBC, we will use the Monitoring Profile feature to send only TLS decoded signaling to a VoIPmonitor server.
To export TLS-decrypted signaling from the Ribbon SBC, use the Monitoring Profile feature.


On the SBC navigate to '''All > Profiles > Services > Monitoring Profile'''. The Monitoring Profile window displays, containing the table Monitoring Profile List.
On the SBC navigate to '''All > Profiles > Services > Monitoring Profile'''. The Monitoring Profile window displays, containing the table Monitoring Profile List.
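Review bot: The added Overview sentence says the SBC decrypts "TLS/SRTP traffic", but everything else this revision describes is a clear-text SIP feed on port 9514, and the configuration comments removed further down state that RTP media support is unconfirmed. Suggest limiting the sentence to TLS-protected SIP signaling, or keeping the RTP caveat next to it, so readers do not assume media is exported.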
Line 30: Line 52:
[[File:Ribbon_tls_assignMonitProfile.png]]
[[File:Ribbon_tls_assignMonitProfile.png]]


== Verification ==
== Incorporating Source and Destination IPs ==
 
You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under '''Header''' add the source and destination IPs to the selected monitoring profile.
 
[[File:Ribbon_tls_incorporatingIPs.png]]
 
This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server. From here the data can be ingested and processed by the far end server.
 
'''Reference:''' [https://doc.rbbn.com/display/SBXDOC121/Services+-+Monitoring+Profile Ribbon's official documentation]
 
== VoIPmonitor Configuration ==
 
VoIPmonitor supports two modes for receiving Ribbon monitoring data:
 
{| class="wikitable"
|-
! Mode !! Description !! When to Use
|-
| '''Passive Sniffing''' || Substitutes src/dst IP:port in already sniffed traffic || Traffic arrives via SPAN/mirror
|-
| '''Active Listener''' || Opens a socket to receive Ribbon feed directly || Direct TCP/UDP connection from SBC
|}
 
=== Mode 1: Passive Sniffing ===


=== Verify on the SBC ===
Add to <code>/etc/voipmonitor.conf</code>:


Verify on the SBC that the data are traveling to the remote server:
<syntaxhighlight lang="ini">
# Enable Ribbon-style IP substitution on sniffed traffic
ribbonsbc = yes


<syntaxhighlight lang="bash">
# Optional filters (legacy but still supported):
tshark -i pkt1 port 9514
# ribbonsbc_port  = 9514          # expected mirror port
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP
</syntaxhighlight>
</syntaxhighlight>


=== Verify on the Monitoring Server ===
{{Warning|1=For '''High Availability (HA) setups''', do NOT use <code>ribbonsbc_srcip</code> - it will fail when traffic originates from a different SBC node after failover. Use only <code>ribbonsbc_port</code> and <code>ribbonsbc_dstip</code>.}}


Verify that the packets are arriving from SBC:
=== Mode 2: Active Listener ===


<syntaxhighlight lang="bash">
Add to <code>/etc/voipmonitor.conf</code>:
tcpdump -i any port 9514 -w /var/tmp/capture_from_ribbon.pcap
</syntaxhighlight>


== Incorporating Source and Destination IPs ==
<syntaxhighlight lang="ini">
# Listen for Ribbon monitoring data
ribbonsbc_bind_ip  = 0.0.0.0
ribbonsbc_bind_port = 9514


You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under '''Header''' add the source and destination IPs to the selected monitoring profile.
# Transport & framing options:
# ribbonsbc_bind_udp    = no    # TCP recommended (default)
# ribbonsbc_size_header  = yes  # expect 2-byte size header (default)
# ribbonsbc_strict_check = no    # drop incomplete frames
# ribbonsbc_counter_log  = no    # log incoming frame counts
</syntaxhighlight>


[[File:Ribbon_tls_incorporatingIPs.png]]
After configuration, restart the service:
<syntaxhighlight lang="bash">
systemctl restart voipmonitor
</syntaxhighlight>


This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server. From here the data can be ingested and processed by the far end server.
== Verification ==


'''Reference:''' [https://doc.rbbn.com/display/SBXDOC121/Services+-+Monitoring+Profile Ribbon's official documentation]
=== Verify on the SBC ===


== VoIPmonitor Configuration ==
Verify on the SBC that the data are traveling to the remote server:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#####################################
tshark -i pkt1 port 9514
# Ribbon SBC Mirroring / ribbonsvc  #
</syntaxhighlight>
#####################################
# This module handles Ribbon SBC "monitoring profile" mirrored packet data.
# The primary use case is receiving TLS-decrypted SIP signaling from the SBC.
# RTP media support status is currently unconfirmed; packet captures may be
# required to verify if RTP is exported and analyzed correctly by the monitoring profile.
# It supports two modes:
#  1) Passive sniffing  – substitute src/dst IP:port in already sniffed traffic
#  2) Active listener  – accept Ribbon "monitoring profile" feed on a local socket
#
# It is similar to "Kamailio Mirroring using siptrace", but uses a minimal header set.


###########
=== Verify on the Monitoring Server ===
# MODE 1: PASSIVE SNIFFING (no socket opened)
#
# Quick enable:
#  ribbonsbc = yes
# When enabled, VoIPmonitor will try to detect and apply IP:port substitutions
# if substitution content is present in sniffed packets.
#
# Optional narrowing (legacy but still supported):
#  Use the triplet below to restrict which mirrored packets should be considered.
#  Keep using this if you need explicit filtering; otherwise just set ribbonsbc = yes.
#
# ribbonsbc_port  = 9514          # expected mirror port seen in packets (legacy filter)
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP as seen by Ribbon (legacy filter)
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP (legacy filter)
#
# Note: If 'ribbonsbc' is enabled (yes/NO), substitution is attempted whenever
# substitution content is found. Same idea applies to 'kamailio' (see below).


###########
Verify that the packets are arriving from SBC:
# MODE 2: ACTIVE LISTENER (open a socket and ingest feed directly)
#
# Bind an explicit local IP/port to receive Ribbon monitoring data. If these are set,
# the sniffer will listen and process incoming Ribbon data on this socket.
#
# ribbonsbc_bind_ip  = 0.0.0.0  # listen address (required to enable active mode)
# ribbonsbc_bind_port = 9514      # listen port (required to enable active mode)
#
# Transport & framing:
# ribbonsbc_bind_udp    = no      # yes/NO – UDP support (default NO; TCP recommended)
# ribbonsbc_size_header = YES    # YES/no – expect 2-byte size header before each frame
# ribbonsbc_strict_check= no      # yes/NO – process only frames complete per size header
#
# Instrumentation:
# ribbonsbc_counter_log = no      # yes/NO – log counts of incoming Ribbon frames
#
# TIP: Active listener generally makes sense with TCP (default). UDP is rarely useful.


###########
<syntaxhighlight lang="bash">
# SUBSTITUTION SWITCHES (shared idea with Kamailio)
tcpdump -i any port 9514 -w /var/tmp/capture_from_ribbon.pcap
#
# These switches only control whether src/dst IP:port substitution is attempted in
# normally sniffed traffic when substitution content is present. If enabled and
# a substitution block is detected, it is applied without having to predeclare
# specific IP:ports (unlike the legacy triplet).
#
# kamailio  = no  # yes/NO – enable Kamailio-style substitution on sniffed traffic
# ribbonsbc = yes  # yes/NO – enable Ribbon-style substitution on sniffed traffic
 
###########
# RECOMMENDATIONS
#
# - Use MODE 1 (passive) with:  ribbonsbc = yes
#  Only add ribbonsbc_port/dstip/srcip if you need strict filtering by IP/port.
#
# - IMPORTANT FOR HIGH AVAILABILITY (HA) SETUPS:
#  In HA/failover setups where the Ribbon SBC cluster has multiple nodes that can
#  send traffic from different IP addresses, the ribbonsbc_srcip filter will fail
#  when a failover occurs and traffic originates from a different SBC node.
#
#  Recommended approach for HA: Remove ONLY ribbonsbc_srcip:
#    ribbonsbc_port  = 9514      # keeps filtering to correct destination port
#    ribbonsbc_dstip = 10.0.0.1  # keeps filtering to your monitoring server
#  # ribbonsbc_srcip = 10.0.0.2  # COMMENTED OUT - allows any source IP in HA
#
#  This narrows processing to packets sent to your monitoring server on the
#  expected port, regardless of which Ribbon node sends them. IP substitution
#  continues to work using the Monitoring Profile's embedded headers.
#
#  Alternative (broadest): Use ONLY ribbonsbc = yes with no filters - accepts all
#  mirrored packets and attempts substitution on any with Monitoring Profile content.
#
# - Use MODE 2 (active) when Ribbon sends the monitoring profile feed directly to you:
#    ribbonsbc_bind_ip  = 0.0.0.0
#    ribbonsbc_bind_port = 9514
#  Keep ribbonsbc_bind_udp = no unless you explicitly need UDP.
#
# - Leave ribbonsbc_size_header = YES unless you know Ribbon is sending raw frames.
# - Enable ribbonsbc_strict_check = yes if you want to drop any incomplete frames.
#
# DEFAULTS (implicit unless set):
#  ribbonsbc = no
#  kamailio  = no
#  ribbonsbc_bind_udp = no
#  ribbonsbc_size_header = YES
#  ribbonsbc_strict_check = no
#  ribbonsbc_counter_log = no
</syntaxhighlight>
</syntaxhighlight>


== AI Summary for RAG ==
== AI Summary for RAG ==


'''Summary:''' This page explains how to use the Ribbon SBC '''Monitoring Profile''' to export '''TLS-decrypted SIP signaling''' to a VoIPmonitor server. It covers where to configure the monitoring profile in the SBC GUI, how to assign it to a specific SIP signaling port (including the required CLI syntax), and how to verify traffic both on the SBC (tshark on the capture interface) and on the monitoring server (tcpdump on port 9514). It also shows how to '''embed source and destination IPs''' into the exported feed by adding headers in the monitoring profile, so the far end (VoIPmonitor) can reliably remap/ingest the traffic. The page includes a ready-to-use voipmonitor.conf block for the '''ribbonsvc''' integration, describing two modes: (1) '''Passive sniffing''' – only IP:port substitution on already sniffed packets; and (2) '''Active listener''' – the sensor opens a socket and listens for the Ribbon feed. Advanced options include TCP/UDP selection (TCP recommended), size-header framing, strict frame completeness checks, and optional counters logging. For '''High Availability (HA) / failover setups''', the recommended approach is to comment out only ribbonsbc_srcip (to accept traffic from any Ribbon node) while keeping ribbonsbc_dstip and ribbonsbc_port for targeted packet filtering. IP substitution continues to work using the Monitoring Profile's embedded headers regardless of which physical SBC node sends the packets.
'''Summary:''' Guide for configuring Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to VoIPmonitor. Setup requires: (1) Configure Monitoring Profile in SBC GUI (All > Profiles > Services > Monitoring Profile), (2) Assign profile to SIP port via CLI: <code>set addressContext <AC> zone <ZONE> sipSigPort 1 monitoringProfileName <PROFILE></code>, (3) Add Source/Destination IPs in Header section for proper remapping. VoIPmonitor supports two modes: Passive sniffing (<code>ribbonsbc=yes</code>) for SPAN/mirror traffic, and Active listener (<code>ribbonsbc_bind_ip/port</code>) for direct TCP connection. For HA/failover setups, omit <code>ribbonsbc_srcip</code> filter to accept traffic from any SBC node. Default port is 9514. Verification via tshark on SBC and tcpdump on monitoring server.


'''Keywords:''' Ribbon SBC, Monitoring Profile, TLS decryption, SIP signaling, VoIPmonitor, ribbonsvc, passive sniffing, active listener, size header, TCP, UDP, src/dst IP substitution, verification, tshark, tcpdump, port 9514, High Availability, HA, failover, redundancy, ribbonsbc_srcip, ribbonsbc_dstip, ribbonsbc_port, content-based substitution, legacy filters
'''Keywords:''' Ribbon SBC, Monitoring Profile, TLS decryption, ribbonsbc, passive sniffing, active listener, port 9514, HA failover, IP substitution, SIP signaling


'''Key Questions:'''
'''Key Questions:'''
* How do I configure a Ribbon Monitoring Profile to export only TLS-decrypted SIP signaling?
* How do I configure Ribbon SBC to export TLS-decrypted SIP to VoIPmonitor?
* How do I assign the monitoring profile to a SIP signaling port (GUI and CLI)?
* What is the CLI command to assign a monitoring profile to a SIP port?
* How can I verify that the SBC is sending the feed and that the monitoring server is receiving it?
* What is the difference between passive sniffing and active listener modes?
* How do I include src/dst IPs in the exported signaling so VoIPmonitor can substitute addresses?
* How do I configure VoIPmonitor for Ribbon SBC in High Availability (HA) setups?
* When should I use Passive sniffing (substitution only) vs Active listener (open socket) in ribbonsvc?
* Why does ribbonsbc_srcip fail in HA failover scenarios?
* Which ribbonsvc options control transport (TCP/UDP), framing (size header), and strict completeness checks?
* How do I verify traffic is being sent from Ribbon SBC to VoIPmonitor?
* What are sensible defaults and recommended settings for reliable ingestion on VoIPmonitor?
* What is the default port for Ribbon monitoring profile (9514)?
* How do I configure VoIPmonitor for High Availability (HA) / failover with Ribbon SBC clusters?
* Why does ribbonsbc_srcip fail in HA setups and which filter should I remove?
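Review bot: In the new Mode 2 block the comment on "ribbonsbc_strict_check = no" reads "drop incomplete frames", which describes what the option does when set to yes; the removed text described it as processing only frames complete per the size header. Suggest rewording the comment to say the option drops incomplete frames when enabled. The rewrite also removes the DEFAULTS list and the kamailio switch note without replacing them, and the Mode 2 example still binds 0.0.0.0 for a feed the page describes as clear-text SIP, so a sentence on binding to the interface that faces the SBC would help.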

Revision as of 18:00, 6 January 2026

Ribbon SBC Monitoring Profile for VoIPmonitor

This page explains how to use the Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to a VoIPmonitor server.

Overview

The Ribbon SBC can decrypt TLS/SRTP traffic internally and forward clear-text SIP to VoIPmonitor, eliminating the need for SSL key loggers when dealing with TLS 1.3 or PFS cipher suites (DHE/ECDHE).

Configuring the Monitoring Profile

To export TLS-decrypted signaling from the Ribbon SBC, use the Monitoring Profile feature.

On the SBC navigate to All > Profiles > Services > Monitoring Profile. The Monitoring Profile window displays, containing the table Monitoring Profile List.

Modify the monitoring profile to send only TLS signaling to the remote server:

Assigning the Monitoring Profile to a SIP Signaling Port

Execute the following CLI command on the Ribbon host:

set addressContext AC_INTP zone INTERNAL_IPIG sipSigPort 1 monitoringProfileName TEST_Monitoring_Profile

The syntax:

set addressContext <address_context> zone <zone_name> sipSigPort 1 monitoringProfileName <monitoring_profile_name>

Incorporating Source and Destination IPs

You may also need the source and destination IPs incorporated in the feed to the monitoring server. Under Header add the source and destination IPs to the selected monitoring profile.

This gets the source and destination IPs incorporated in the SIP signaling sent to the remote server. From here the data can be ingested and processed by the far end server.

Reference: Ribbon's official documentation (https://doc.rbbn.com/display/SBXDOC121/Services+-+Monitoring+Profile)

VoIPmonitor Configuration

VoIPmonitor supports two modes for receiving Ribbon monitoring data:

Mode | Description | When to Use
Passive Sniffing | Substitutes src/dst IP:port in already sniffed traffic | Traffic arrives via SPAN/mirror
Active Listener | Opens a socket to receive Ribbon feed directly | Direct TCP/UDP connection from SBC

Mode 1: Passive Sniffing

Add to /etc/voipmonitor.conf:

# Enable Ribbon-style IP substitution on sniffed traffic
ribbonsbc = yes

# Optional filters (legacy but still supported):
# ribbonsbc_port  = 9514          # expected mirror port
# ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP
# ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP

⚠️ Warning: For High Availability (HA) setups, do NOT use ribbonsbc_srcip - it will fail when traffic originates from a different SBC node after failover. Use only ribbonsbc_port and ribbonsbc_dstip.

Mode 2: Active Listener

Add to /etc/voipmonitor.conf:

# Listen for Ribbon monitoring data
ribbonsbc_bind_ip   = 0.0.0.0
ribbonsbc_bind_port = 9514

# Transport & framing options:
# ribbonsbc_bind_udp     = no    # TCP recommended (default)
# ribbonsbc_size_header  = yes   # expect 2-byte size header (default)
# ribbonsbc_strict_check = no    # drop incomplete frames
# ribbonsbc_counter_log  = no    # log incoming frame counts

After configuration, restart the service:

systemctl restart voipmonitor
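The two modes and the HA warning above can be checked mechanically before each restart. The following is an added example, not VoIPmonitor's own code: `lint_ribbonsbc`, the finding codes and the sample configuration are constructed for illustration, and the wildcard-bind finding is an added hardening check (the feed is clear-text SIP), not a rule stated by VoIPmonitor.

```python
import ipaddress

# Constructed sample: both modes configured, with the legacy source-IP filter.
SAMPLE_CONF = """\
[general]
ribbonsbc = yes
ribbonsbc_port  = 9514          # expected mirror port
ribbonsbc_dstip = 10.0.0.1      # VoIPmonitor host IP
ribbonsbc_srcip = 10.0.0.2      # Ribbon SBC IP
ribbonsbc_bind_ip   = 0.0.0.0
ribbonsbc_bind_port = 9514
ribbonsbc_bind_udp  = yes
"""

def parse_conf(text):
    """Collect key = value pairs, skipping comments and [section] lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "[;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip().lower()] = value.strip()
    return opts

def lint_ribbonsbc(text, ha_cluster=False):
    """Return (code, message) findings for the ribbonsbc_* options."""
    opts = parse_conf(text)
    findings = []
    passive = opts.get("ribbonsbc", "no").lower() == "yes"
    has_ip, has_port = "ribbonsbc_bind_ip" in opts, "ribbonsbc_bind_port" in opts
    if not passive and not (has_ip and has_port):
        findings.append(("NO_MODE", "no passive or active Ribbon mode is enabled"))
    if has_ip != has_port:
        findings.append(("HALF_BIND", "active mode needs both bind_ip and bind_port"))
    if ha_cluster and "ribbonsbc_srcip" in opts:
        findings.append(("HA_SRCIP", "ribbonsbc_srcip breaks after SBC failover"))
    if has_ip:
        try:
            wildcard = ipaddress.ip_address(opts["ribbonsbc_bind_ip"]).is_unspecified
        except ValueError:
            findings.append(("BAD_BIND_IP", "ribbonsbc_bind_ip is not an IP address"))
        else:
            if wildcard:  # added hardening check, not a VoIPmonitor rule
                findings.append(("WILDCARD_BIND", "clear-text SIP listener on all interfaces"))
    if opts.get("ribbonsbc_bind_udp", "no").lower() == "yes":
        findings.append(("UDP", "TCP is the recommended transport"))
    return findings

if __name__ == "__main__":
    for code, message in lint_ribbonsbc(SAMPLE_CONF, ha_cluster=True):
        print(f"{code}: {message}")
```

Pass `ha_cluster=True` only when the feed can come from more than one SBC node; with a single node, `ribbonsbc_srcip` is a valid filter and is not reported.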

Verification

Verify on the SBC

Verify on the SBC that the data are traveling to the remote server:

tshark -i pkt1 port 9514

Verify on the Monitoring Server

Verify that the packets are arriving from SBC:

tcpdump -i any port 9514 -w /var/tmp/capture_from_ribbon.pcap

AI Summary for RAG

Summary: Guide for configuring Ribbon SBC Monitoring Profile to export TLS-decrypted SIP signaling to VoIPmonitor. Setup requires: (1) Configure Monitoring Profile in SBC GUI (All > Profiles > Services > Monitoring Profile), (2) Assign profile to SIP port via CLI: set addressContext <AC> zone <ZONE> sipSigPort 1 monitoringProfileName <PROFILE>, (3) Add Source/Destination IPs in Header section for proper remapping. VoIPmonitor supports two modes: Passive sniffing (ribbonsbc=yes) for SPAN/mirror traffic, and Active listener (ribbonsbc_bind_ip/port) for direct TCP connection. For HA/failover setups, omit ribbonsbc_srcip filter to accept traffic from any SBC node. Default port is 9514. Verification via tshark on SBC and tcpdump on monitoring server.

Keywords: Ribbon SBC, Monitoring Profile, TLS decryption, ribbonsbc, passive sniffing, active listener, port 9514, HA failover, IP substitution, SIP signaling

Key Questions:

  • How do I configure Ribbon SBC to export TLS-decrypted SIP to VoIPmonitor?
  • What is the CLI command to assign a monitoring profile to a SIP port?
  • What is the difference between passive sniffing and active listener modes?
  • How do I configure VoIPmonitor for Ribbon SBC in High Availability (HA) setups?
  • Why does ribbonsbc_srcip fail in HA failover scenarios?
  • How do I verify traffic is being sent from Ribbon SBC to VoIPmonitor?
  • What is the default port for Ribbon monitoring profile (9514)?