Revision as of 11:25, 6 January 2026

AudioCodes Tunneling

This guide explains how to configure VoIPmonitor to process packets that are tunneled from an AudioCodes Session Border Controller (SBC). This specific setup is for capturing data sent through the AudioCodes tunnel and differs from the standard configuration for capturing direct network traffic.

Overview

AudioCodes tunneling allows AudioCodes Session Border Controllers (SBCs) to encapsulate and forward SIP/RTP packets to VoIPmonitor, instead of using traditional network port mirroring (SPAN).

The setup involves two components:

AudioCodes SBC Configuration - Configure the AudioCodes device to forward packets to VoIPmonitor
VoIPmonitor Server Configuration - Configure VoIPmonitor to receive and process the tunneled packets

AudioCodes tunneling is particularly useful for monitoring encrypted SIP over TLS traffic that uses Perfect Forward Secrecy (PFS) cipher suites like ECDHE.

When an AudioCodes SBC terminates TLS connections, it can:

Decrypt the TLS-encrypted SIP signaling internally
Forward the decrypted (clear-text) SIP packets to VoIPmonitor using the "debug call recording" feature
Eliminate the need for SSL key logger injection or private key access

This approach is ideal when:

Your AudioCodes SBC uses modern cipher suites (TLS 1.3, ECDHE) where private key decryption is impossible
You cannot inject SSL key logger libraries into the SBC (closed appliance)
You want centralized decryption at the SBC layer rather than at the VoIPmonitor sensor

For a comprehensive guide on all TLS decryption methods, including when to use AudioCodes tunneling vs SSL Key Logger, see TLS Decryption Guide.

Step 1: Configure the AudioCodes SBC

On the AudioCodes device, you need to enable the packet forwarding feature and configure it to send packets to the VoIPmonitor server.

Required Settings (AudioCodes Device):

Access the AudioCodes SBC configuration interface (web GUI or CLI) and locate the following setting:

Debug Recording Server (or equivalent log/mirroring server setting)
Set this to the IP address of your VoIPmonitor server
The AudioCodes SBC will then encapsulate SIP/RTP packets and send them to this IP address

The exact configuration steps vary by AudioCodes model and firmware. Refer to the AudioCodes documentation for:

"Configuring the Debug Recording Server"
"Log server configuration"
"Session mirroring"

Network Ports Used by AudioCodes:

By default, AudioCodes uses the following port for forwarding packets:

UDP/TCP 925 (Default port)

You can configure a different port if needed, but ensure it matches the VoIPmonitor configuration (see Step 2).

Important: This method is preferred over traditional SPAN mirroring when:

The AudioCodes SBC and VoIPmonitor sensor are on different network segments
You need to avoid configuring switch-level SPAN ports
You want more control over which traffic is forwarded

Step 2: Configure VoIPmonitor to Receive Tunneled Data

To enable the processing of data from an AudioCodes tunnel, the following options must be enabled in the sniffer's configuration file (/etc/voipmonitor.conf):

# The main switch that activates the AudioCodes tunnel processing feature
audiocodes = yes

# Define the ports on which the sniffer will listen for incoming tunneled data
# These must match the port configured on the AudioCodes SBC
# Choose the transport protocol (UDP/TCP) used by your AudioCodes SBC
udp_port_audiocodes = 925
tcp_port_audiocodes = 925

Note: Ensure your firewall allows incoming traffic on port 925 (or your custom port).

After making changes, restart the service:

systemctl restart voipmonitor

Special Options for RTP/RTCP Handling

These options address scenarios where VoIPmonitor can see both "pure" (non-encapsulated) network packets and packets encapsulated within the AudioCodes tunnel for the same call. They allow you to specify which packets should be assigned to the final CDR, preventing data duplication.

audiocodes_rtp  = yes | no | only | only_for_audiocodes_sip
audiocodes_rtcp = yes | no | only | only_for_audiocodes_sip

Option Values:

Value	Description
`yes`	Enables processing of RTP/RTCP packets from the tunnel. Default value.
`no`	Disables processing of RTP/RTCP packets that arrive encapsulated in the AudioCodes tunnel.
`only`	Assigns only RTP/RTCP packets that are encapsulated in the AudioCodes tunnel to the call/CDR. Any pure (non-encapsulated) packets for the same call will be ignored.
`only_for_audiocodes_sip`	Tunneled RTP/RTCP packets are assigned to a CDR only if the SIP signaling for that call was also delivered through the AudioCodes tunnel. Recommended for mixed-capture scenarios.

Common Scenarios and Troubleshooting

Problem: Mixed RTP Streams

When the sniffer captures traffic where RTP is received via the AudioCodes tunnel alongside other traffic (e.g., mirrored traffic on a SPAN port), the resulting RTP streams can become mixed or incorrectly correlated. This happens because VoIPmonitor sees both the encapsulated packets from the tunnel and the pure packets on the network interface.

Solution:

To ensure RTP packets from the AudioCodes tunnel are correctly assigned only to those calls that also use AudioCodes SIP signaling, use the following configuration:

audiocodes          = yes
audiocodes_rtp      = only_for_audiocodes_sip
audiocodes_rtcp     = only_for_audiocodes_sip

This configuration ensures that:

Only RTP/RTCP packets from the AudioCodes tunnel are used for calls where the SIP signaling also came through the tunnel
Pure (non-encapsulated) packets seen on the wire are not mixed with tunnel packets
The correct association between tunnel RTP and tunnel SIP is maintained

When to Use Each Option

Option	Use Case
`yes` (default)	You only capture from the AudioCodes tunnel and no other traffic
`only`	You want to EXCLUSIVELY use tunnel RTP for ALL calls (ignore any pure packets)
`no`	You want to ignore tunnel RTP and use only pure packets
`only_for_audiocodes_sip`	You have mixed traffic (tunnel + pure) and want to ensure correct pairing between tunnel RTP and tunnel SIP. Recommended for most mixed-capture scenarios.

Known Limitations

IP Addresses Logged as 0.0.0.0

In certain scenarios with AudioCodes tunneling, you may observe that some IP addresses are logged as 0.0.0.0 in the CDR view. This occurs when RTP packets that arrive through the AudioCodes tunnel do not contain the full IP header information that VoIPmonitor expects (the IP data is stripped out by the AudioCodes encapsulation format).

Aspect	Details
Behavior	The system logs `0.0.0.0` because the necessary IP address information is not present in the RTP packet structure as received.
Root Cause	This is a technical limitation of how certain AudioCodes tunneling protocols encapsulate RTP data.
Is This Fixable?	Currently, this is expected behavior and cannot be resolved by configuration changes.
Impact	While the IP column may show `0.0.0.0`, the SIP signaling information (including correct IPs from Contact/From/To headers) and the actual call recording functionality remain intact. This is primarily a display limitation affecting the IP field for RTP streams only.

Workarounds:

Use SIP-based filtering and IP information (Contact, From, To headers) for call identification instead of relying solely on RTP IP addresses
Check the SIP History tab in the CDR view to see the actual IP addresses from signaling packets
Contact VoIPmonitor support to inquire about future development plans for this specific AudioCodes encapsulation case

Performance Impact on the SBC

When using AudioCodes tunneling, it is important to assess the performance impact on the AudioCodes SBC itself, particularly in high-traffic environments.

Monitoring SBC Performance:

To determine if tunneling affects your AudioCodes SBC performance:

Check the current baseline: Monitor SBC CPU usage and network load before enabling tunneling
Enable the tunneling feature via UDP on the SBC
Monitor the SBC's CPU and network load during normal operation

You can perform this performance test without configuring a VoIPmonitor listener to isolate the SBC's performance impact from the sensor's processing load.

Refer to the AudioCodes SBC documentation for specific instructions on enabling tunneling and monitoring performance metrics.

Verification

To verify that AudioCodes tunneling is working correctly:

On the AudioCodes SBC:

tshark -i pkt1 port 925

On the VoIPmonitor server:

tcpdump -i any port 925 -w /var/tmp/capture.pcap

AI Summary for RAG

Summary: AudioCodes tunneling allows AudioCodes SBCs to encapsulate and forward SIP/RTP packets to VoIPmonitor using the "Debug Recording Server" feature (default port UDP/TCP 925). Configuration requires: (1) SBC side - set Debug Recording Server to VoIPmonitor IP, (2) VoIPmonitor side - enable audiocodes=yes and set udp_port_audiocodes/tcp_port_audiocodes=925. For mixed capture scenarios (tunnel + SPAN), use audiocodes_rtp=only_for_audiocodes_sip to prevent stream mixing. Key TLS use case: AudioCodes SBC can decrypt TLS 1.3/ECDHE traffic internally and forward clear-text SIP, eliminating need for SSL key logger. Known limitation: RTP IP addresses may show as 0.0.0.0 due to encapsulation format (expected behavior, not fixable).

Keywords: audiocodes, tunnel, SBC, debug recording server, port 925, udp_port_audiocodes, tcp_port_audiocodes, audiocodes_rtp, only_for_audiocodes_sip, mixed streams, TLS decryption, ECDHE, PFS, TLS 1.3, encrypted SIP, 0.0.0.0 IP, SPAN alternative

Key Questions:

How to configure AudioCodes SBC to forward packets to VoIPmonitor?
What is the default port for AudioCodes tunneling (925)?
How to configure VoIPmonitor to receive AudioCodes tunneled data?
How to fix mixed RTP streams when capturing both AudioCodes tunnel and regular traffic?
What is the difference between audiocodes_rtp options (yes, no, only, only_for_audiocodes_sip)?
Can AudioCodes tunneling decrypt TLS/ECDHE encrypted SIP without SSL key logger?
Why are IP addresses logged as 0.0.0.0 with AudioCodes tunneling?