Sniffer distributed architecture

This guide explains how to deploy multiple VoIPmonitor sensors in a distributed architecture.

Overview

VoIPmonitor supports three distributed deployment modes:

Client-Server Mode (Recommended)

Multiple sensors send CDRs to a central server. This is the standard architecture for multi-site deployments.

Configuration

On each sensor (client):

server_destination = central.server.ip
server_destination_port = 60024
server_password = shared_secret

On central server:

server_bind = 0.0.0.0
server_bind_port = 60024
server_password = shared_secret

Data Storage

• CDRs: Stored in MySQL on central server only
• PCAPs: Stored on each sensor locally (GUI retrieves them via network)

Packet Mirroring Mode

One sensor forwards raw packets to another for analysis. Useful when you need central packet processing or when SIP and RTP are captured at different locations.

Configuration

On source (Sensor A):

mirror_destination = sensor.b.ip
mirror_destination_port = 5090

On receiver (Sensor B):

mirror_bind = 0.0.0.0
mirror_bind_port = 5090

Use Case: SIP + RTP Merging

When SIP signaling and RTP media are captured on separate machines, a SIP probe can forward packets to a central server that captures RTP locally:

SIP Probe config:

packetbuffer_sender = yes
server_destination = central.server.ip
server_destination_port = 60024

Central Server config:

server_bind = 0.0.0.0
server_bind_port = 60024
interface = eth0

The packetbuffer_sender = yes option sends raw packets instead of CDRs.

Hybrid Chain (Workaround)

A single sniffer cannot use both server_bind and server_destination simultaneously. However, you can combine mirroring with client-server mode as a workaround:

Sensor A uses mirror_destination → Sensor B

Sensor B uses mirror_bind + server_destination → Server C

Additional Configuration

GUI Visibility

In client-server mode, only the central server appears in the GUI automatically. To make remote sensors visible (for charts, remote upgrades):

1. Go to GUI → Settings → Sensors
2. Add sensor manually with its manager_ip:manager_port
3. Ensure manager_aes_key matches the GUI database

Compression

Reduce bandwidth for mirroring:

packetbuffer_compress = yes
packetbuffer_compress_ratio = 100

SRTP/DTLS Decryption

When mirroring encrypted traffic:

• Source sensor: Include TLS ports in sipport = 5060,5061
• Receiver sensor: Configure ssl_ipport and ssl_sessionkey for decryption

Limitations

• server_bind and server_destination cannot coexist in one instance
• Hybrid chain is a workaround, not officially supported
• All clients share the same password (no per-client authentication)
• PCAP retrieval from remote sensors requires network connectivity to each sensor

AI Summary for RAG

Summary: VoIPmonitor supports distributed deployments using client-server mode (sensors send CDRs to central server), packet mirroring mode (sensors forward raw packets), or hybrid chain (workaround combining both). In client-server mode, CDRs are stored centrally while PCAPs remain on each sensor. Packet mirroring is useful for central packet analysis or merging SIP signaling with RTP media captured at different locations using packetbuffer_sender=yes. The hybrid chain workaround uses mirror_bind + server_destination on an intermediate sensor but is not officially supported. Keywords: distributed architecture, client-server, mirror mode, server_destination, server_bind, mirror_destination, mirror_bind, packetbuffer_sender, SIP probe, RTP merging, hybrid chain, multi-site, central server, remote sensors Key Questions:

• How do I connect multiple VoIPmonitor sensors to a central server?
• What is the difference between client-server mode and packet mirroring?
• How do I merge SIP and RTP traffic captured on different machines?
• Can a single sniffer be both a server and a client?
• Where are CDRs and PCAP files stored in distributed mode?
• How do I make remote sensors visible in the GUI?