Live sniffer: Difference between revisions

From VoIPmonitor.org
No edit summary
(Add troubleshooting section for Live Sniffer version error)
Line 1: Line 1:
Live sniffer is feature when the sniffer is sending live packets to GUI in realtime. Live sniffer has to be activated by choosing sensor and clicking on Start button. It is recommended to put IP or Number into the filter toolbar in case sniffer is sniffing a lot of SIP packets. Each calls or register messages are colored according to call-id to see which packet belongs to one call. Live sniffer does not sniff RTP packets. Each packet can be unfolded [+] which shows packet detail. Each packet can be also saved to pcap file or you can select multiple packets (either by holding ctrl-click or select first packet then hold shift and select last packet) or you can save all sniffed packets. SIP type button is not yet implemented. You can also pause sniffer which will stop refreshing web page but sniffer still continues. After you finish sniffing stop sniffer. Life sniffer can be safely used by multiple users.
{{DISPLAYTITLE:Live Sniffer}}


The Live Sniffer feature displays SIP packets in real-time as they are captured by the sensor. This is useful for debugging call flows, network issues, or configuration problems.
== Overview ==
Live Sniffer streams live SIP packets from the sensor to the GUI in real-time. To use this feature:
# Navigate to '''Live Sniffer''' in the GUI
# Select the sensor you want to monitor from the dropdown
# Click '''Start''' to begin capturing packets
# Optionally enter an IP address or phone number in the filter toolbar to limit the display
'''Note:''' It is recommended to use the filter toolbar when the sniffer is capturing a high volume of SIP traffic to improve performance.
== Features ==
* '''Call coloring:''' Each call or REGISTER message is colored according to Call-ID to visualize which packets belong to the same call
* '''Packet details:''' Click the <code>[+]</code> icon to unfold and view detailed packet contents
* '''RTP filtering:''' Live Sniffer does not display RTP packets (SIP only)
* '''PCAP export:'''
** Save individual packets to PCAP file using the save button
** Save multiple packets by holding <code>Ctrl</code> and clicking, or select a range using <code>Shift</code> + click
** Save all sniffed packets using the bulk save option
* '''Pause functionality:''' Click pause to stop the web page refresh while the sniffer continues capturing
* '''Multi-user support:''' Multiple users can safely use Live Sniffer simultaneously
== Live Sniffer Image ==


[[File:livesniffer.png]]
[[File:livesniffer.png]]
== Troubleshooting ==
=== Live Sniffer Fails with "Sniffer version(s) must be >= 21.6" Error ===
If you attempt to start Live Sniffer and receive the error <code>Sniffer version(s) must be >= 21.6</code>, this can be caused by multiple issues even when your sensor version meets or exceeds the required version.
==== Cause 1: Incorrect Manager IP Configuration (127.0.0.1) ===
'''Symptoms:'''
* Error: <code>Sniffer version(s) must be >= 21.6</code>
* Sensor version shown in Settings > Sensors meets the requirement
* One or more sensors configured with IP address <code>127.0.0.1</code>
'''Root Cause:'''
When you attempt to start Live Sniffer, the GUI checks the version of all sensors defined in '''Settings -> Sensors'''. If one or more sensors are configured with <code>127.0.0.1</code> (localhost), the GUI queries itself instead of the actual remote sensor. This can cause the version check to fail.
'''Resolution:'''
1. Navigate to '''Settings -> Sensors''' in the VoIPmonitor GUI
2. Check the '''Manager IP''' column for each sensor
3. Identify any sensor using <code>127.0.0.1</code> or duplicate IP addresses
4. Change the Manager IP to the actual unique IP address of each sensor
5. Click '''Save** to apply the changes
6. Attempt to start Live Sniffer again
For more details, see [[Sniffer_upgrade#Troubleshooting|Sniffer Upgrade: Troubleshooting]].
==== Cause 2: Encryption Key Mismatch ===
'''Symptoms:**
* Error: <code>Sniffer version(s) must be >= 21.6</code>
* All Manager IPs are correctly configured (not 127.0.0.1)
* Sensor version meets the requirement
* Sensor appears disconnected in Settings > Sensors
'''Root Cause:'''
This issue is caused by a mismatch in the <code>server_password</code> (encryption key) used for communication between the GUI and the sensors. The GUI cannot properly authenticate with the sensor to retrieve version information or start the Live Sniffer session.
'''Resolution:'''
1. Regenerate or set a new encryption key (server_password):
<syntaxhighlight lang="ini">
# On the central server
server_password = your_new_strong_password
# On each remote sensor
server_password = your_new_strong_password
</syntaxhighlight>
2. Restart the sniffer service on all affected sensors:
<syntaxhighlight lang="bash">
systemctl restart voipmonitor
</syntaxhighlight>
3. Test the Live Sniffer functionality to confirm the issue is resolved
'''Important:''' All sensors and the central server must use the same <code>server_password</code> value.
For distributed architecture details, see [[Sniffer_distributed_architecture|Distributed Architecture Documentation]].
=== Live Sniffer Shows No Packets ===
* Verify the selected sensor is capturing traffic by checking CDRs in the GUI
* Ensure the sensor is running: <code>systemctl status voipmonitor</code>
* Check network connectivity from GUI to sensor on port 5029 (Manager API)
* Verify firewall rules allow traffic on the required ports
=== Live Sniffer Cannot Start ===
* Check that the sensor is connected to the GUI (visible in '''Settings -> Sensors''')
* Verify the '''Manager IP''' and '''Manager Port''' settings are correct
* Ensure the <code>voipmonitor</code> service is running on the sensor
* Check sensor logs: <code>journalctl -u voipmonitor -f</code>
== Technical Details ==
Live Sniffer communicates with sensors over the Manager API (default TCP port 5029). When you select a sensor in the Live Snifter dropdown and click Start, the GUI:
1. Verifies the sensor meets the minimum version requirement (21.6)
2. Establishes a connection to the sensor's Manager API
3. Streams SIP packets from the sensor to the GUI in real-time
The GUI enforces the version check to ensure protocol compatibility. Errors during version verification can occur if:
* The Manager IP is misconfigured (pointing to localhost instead of the actual sensor)
* The encryption keys (<code>server_password</code>) do not match
* The sensor is not running or cannot be reached
* There are network/connectivity issues
== AI Summary for RAG ==
'''Summary:''' The Live Sniffer feature displays SIP packets in real-time from sensors to the GUI. To use: select sensor, click Start, optionally filter by IP/number. Features include call coloring by Call-ID, packet details unfold, multi-user support, pause function, no RTP display, and PCAP export options. TROUBLESHOOTING: Error "Sniffer version(s) must be >= 21.6" has two common causes: (1) Incorrect Manager IP 127.0.0.1 in Settings > Sensors - fix by changing to actual sensor IPs; (2) Encryption key mismatch (server_password) - fix by regenerating/changing password to match on all sensors and restarting services. Other issues: no packets (verify sensor capturing traffic, service running, port 5029 connectivity), cannot start (check sensor connected in Settings, Manager IP/Port correct, voipmonitor service running). Live Sniffer uses Manager API port 5029 for real-time streaming with minimum version 21.6 requirement for protocol compatibility.
'''Keywords:''' Live Sniffer, real-time SIP monitoring, packet capture, troubleshooting, version error, 21.6, Manager IP, localhost, 127.0.0.1, server_password, encryption key, authentication, sensor connection, packet filtering, pause, PCAP export, Call-ID coloring, Manager API, port 5029, distributed sensors
'''Key Questions:'''
* What is Live Sniffer and how do I use it?
* How do I start Live Sniffer in the VoIPmonitor GUI?
* Why does Live Sniffer show the error "Sniffer version(s) must be >= 21.6"?
* How do I fix Live Sniffer error when sensor version meets requirements?
* What causes Manager IP 127.0.0.1 issues in Live Sniffer?
* How do I fix encryption key mismatch between GUI and sensors?
* Does Live Sniffer display RTP packets?
* How do I filter packets in Live Sniffer?
* Why is Live Sniffer showing no packets?
* Can multiple users use Live Sniffer simultaneously?
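Review bot: The two new cause headings open with ==== but close with === ("==== Cause 1: Incorrect Manager IP Configuration (127.0.0.1) ===" and "==== Cause 2: Encryption Key Mismatch ==="), so they render with a stray "=" in front of the title instead of as level-4 headings; close both with ====. The bold markup is also unbalanced at '''Save** and '''Symptoms:**, which leaves literal asterisks in the output. The Resolution steps and the Technical Details steps are written as "1.", "2." where the Overview uses "#", so they collapse into a single paragraph when rendered. "Live Snifter" in Technical Details should read "Live Sniffer".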

Revision as of 10:15, 5 January 2026


The Live Sniffer feature displays SIP packets in real-time as they are captured by the sensor. This is useful for debugging call flows, network issues, or configuration problems.

Overview

Live Sniffer streams live SIP packets from the sensor to the GUI in real-time. To use this feature:

  1. Navigate to Live Sniffer in the GUI
  2. Select the sensor you want to monitor from the dropdown
  3. Click Start to begin capturing packets
  4. Optionally enter an IP address or phone number in the filter toolbar to limit the display

Note: It is recommended to use the filter toolbar when the sniffer is capturing a high volume of SIP traffic to improve performance.

Features

  • Call coloring: Each call or REGISTER message is colored according to Call-ID to visualize which packets belong to the same call
  • Packet details: Click the [+] icon to unfold and view detailed packet contents
  • RTP filtering: Live Sniffer does not display RTP packets (SIP only)
  • PCAP export:
    • Save individual packets to PCAP file using the save button
    • Save multiple packets by holding Ctrl and clicking, or select a range using Shift + click
    • Save all sniffed packets using the bulk save option
  • Pause functionality: Click pause to stop the web page refresh while the sniffer continues capturing
  • Multi-user support: Multiple users can safely use Live Sniffer simultaneously

Live Sniffer Image

Troubleshooting

Live Sniffer Fails with "Sniffer version(s) must be >= 21.6" Error

If you attempt to start Live Sniffer and receive the error Sniffer version(s) must be >= 21.6, this can be caused by multiple issues even when your sensor version meets or exceeds the required version.

Cause 1: Incorrect Manager IP Configuration (127.0.0.1)

Symptoms:

  • Error: Sniffer version(s) must be >= 21.6
  • Sensor version shown in Settings > Sensors meets the requirement
  • One or more sensors configured with IP address 127.0.0.1

Root Cause: When you attempt to start Live Sniffer, the GUI checks the version of all sensors defined in Settings -> Sensors. If one or more sensors are configured with 127.0.0.1 (localhost), the GUI queries itself instead of the actual remote sensor. This can cause the version check to fail.

Resolution:

  1. Navigate to Settings -> Sensors in the VoIPmonitor GUI
  2. Check the Manager IP column for each sensor
  3. Identify any sensor using 127.0.0.1 or duplicate IP addresses
  4. Change the Manager IP to the actual unique IP address of each sensor
  5. Click Save to apply the changes
  6. Attempt to start Live Sniffer again

For more details, see Sniffer Upgrade: Troubleshooting.

Cause 2: Encryption Key Mismatch

Symptoms:

  • Error: Sniffer version(s) must be >= 21.6
  • All Manager IPs are correctly configured (not 127.0.0.1)
  • Sensor version meets the requirement
  • Sensor appears disconnected in Settings > Sensors

Root Cause: This issue is caused by a mismatch in the server_password (encryption key) used for communication between the GUI and the sensors. The GUI cannot properly authenticate with the sensor to retrieve version information or start the Live Sniffer session.

Resolution:

  1. Regenerate or set a new encryption key (server_password):

# On the central server
server_password = your_new_strong_password

# On each remote sensor
server_password = your_new_strong_password

  2. Restart the sniffer service on all affected sensors:

systemctl restart voipmonitor

  3. Test the Live Sniffer functionality to confirm the issue is resolved

Important: All sensors and the central server must use the same server_password value.
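
One way to confirm the match required above without ever displaying the key, as an added example (not VoIPmonitor's own tooling): it compares server_password across copies of the central server's and the sensors' configuration files and also flags the documentation placeholder left unchanged. The function names and the file paths passed in are assumptions, and the parser assumes plain key = value lines with no inline comments.

```shell
# Added example, not VoIPmonitor code. Assumes "key = value" config lines as in
# the snippet above; file paths are chosen by the caller.

# Print the SHA-256 of server_password from config file $1 (never the value).
# Returns 2 if unreadable, 3 if the key is absent or empty, 4 if it is still
# the documentation placeholder.
password_digest() {
    local file="$1" value
    [ -r "$file" ] || return 2
    # Take the last uncommented assignment and trim surrounding whitespace.
    value=$(sed -n 's/^[[:space:]]*server_password[[:space:]]*=[[:space:]]*//p' "$file" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$value" ] || return 3
    [ "$value" != "your_new_strong_password" ] || return 4
    printf '%s' "$value" | sha256sum | cut -d' ' -f1
}

# Compare every file against the first usable one (pass the central server's
# config first). Prints one status line per file, without any key material,
# and returns 0 only if every file carries the same key.
check_server_passwords() {
    local reference="" digest rc status=0 file
    for file in "$@"; do
        digest=$(password_digest "$file") && rc=0 || rc=$?
        case "$rc" in
            2) echo "UNREADABLE  $file"; status=1 ;;
            3) echo "MISSING     $file"; status=1 ;;
            4) echo "PLACEHOLDER $file"; status=1 ;;
            *) if [ -z "$reference" ]; then
                   reference="$digest"; echo "REFERENCE   $file"
               elif [ "$digest" = "$reference" ]; then
                   echo "MATCH       $file"
               else
                   echo "MISMATCH    $file"; status=1
               fi ;;
        esac
    done
    return "$status"
}

# Usage: check_server_passwords central.conf sensor1.conf sensor2.conf
```
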

For distributed architecture details, see Distributed Architecture Documentation.

Live Sniffer Shows No Packets

  • Verify the selected sensor is capturing traffic by checking CDRs in the GUI
  • Ensure the sensor is running: systemctl status voipmonitor
  • Check network connectivity from GUI to sensor on port 5029 (Manager API)
  • Verify firewall rules allow traffic on the required ports

Live Sniffer Cannot Start

  • Check that the sensor is connected to the GUI (visible in Settings -> Sensors)
  • Verify the Manager IP and Manager Port settings are correct
  • Ensure the voipmonitor service is running on the sensor
  • Check sensor logs: journalctl -u voipmonitor -f

Technical Details

Live Sniffer communicates with sensors over the Manager API (default TCP port 5029). When you select a sensor in the Live Sniffer dropdown and click Start, the GUI:

  1. Verifies the sensor meets the minimum version requirement (21.6)
  2. Establishes a connection to the sensor's Manager API
  3. Streams SIP packets from the sensor to the GUI in real-time

The GUI enforces the version check to ensure protocol compatibility. Errors during version verification can occur if:

  • The Manager IP is misconfigured (pointing to localhost instead of the actual sensor)
  • The encryption keys (server_password) do not match
  • The sensor is not running or cannot be reached
  • There are network/connectivity issues

AI Summary for RAG

Summary: The Live Sniffer feature displays SIP packets in real-time from sensors to the GUI. To use: select sensor, click Start, optionally filter by IP/number. Features include call coloring by Call-ID, packet details unfold, multi-user support, pause function, no RTP display, and PCAP export options. TROUBLESHOOTING: Error "Sniffer version(s) must be >= 21.6" has two common causes: (1) Incorrect Manager IP 127.0.0.1 in Settings > Sensors - fix by changing to actual sensor IPs; (2) Encryption key mismatch (server_password) - fix by regenerating/changing password to match on all sensors and restarting services. Other issues: no packets (verify sensor capturing traffic, service running, port 5029 connectivity), cannot start (check sensor connected in Settings, Manager IP/Port correct, voipmonitor service running). Live Sniffer uses Manager API port 5029 for real-time streaming with minimum version 21.6 requirement for protocol compatibility.

Keywords: Live Sniffer, real-time SIP monitoring, packet capture, troubleshooting, version error, 21.6, Manager IP, localhost, 127.0.0.1, server_password, encryption key, authentication, sensor connection, packet filtering, pause, PCAP export, Call-ID coloring, Manager API, port 5029, distributed sensors

Key Questions:

  • What is Live Sniffer and how do I use it?
  • How do I start Live Sniffer in the VoIPmonitor GUI?
  • Why does Live Sniffer show the error "Sniffer version(s) must be >= 21.6"?
  • How do I fix Live Sniffer error when sensor version meets requirements?
  • What causes Manager IP 127.0.0.1 issues in Live Sniffer?
  • How do I fix encryption key mismatch between GUI and sensors?
  • Does Live Sniffer display RTP packets?
  • How do I filter packets in Live Sniffer?
  • Why is Live Sniffer showing no packets?
  • Can multiple users use Live Sniffer simultaneously?