Sniffer distributed architecture

From VoIPmonitor.org
Revision as of 14:22, 4 January 2026 by Admin (Fix: Replace non-existent Note/Warning templates with plain text)


This guide explains how to deploy multiple VoIPmonitor sensors in a distributed architecture.

Overview

VoIPmonitor supports three distributed deployment modes:

Mode             | What is sent        | Use case
Client-Server    | CDRs (call records) | Multiple sites → central database
Packet Mirroring | Raw packets         | Central analysis, SIP+RTP merging
Hybrid Chain     | CDRs or packets     | Multi-tier (workaround, not recommended)

Client-Server Mode (Recommended)

Multiple sensors send CDRs to a central server. This is the standard architecture for multi-site deployments.

Configuration

On each sensor (client):

server_destination = central.server.ip
server_destination_port = 60024
server_password = shared_secret

On central server:

server_bind = 0.0.0.0
server_bind_port = 60024
server_password = shared_secret

Data Storage

  • CDRs: Stored in MySQL on central server only
  • PCAPs: Stored on each sensor locally (GUI retrieves them via network)

Note: All instances must use the same server_password.

Packet Mirroring Mode

One sensor forwards raw packets to another for analysis. Useful when you need central packet processing or when SIP and RTP are captured at different locations.

Configuration

On source (Sensor A):

mirror_destination = sensor.b.ip
mirror_destination_port = 5090

On receiver (Sensor B):

mirror_bind = 0.0.0.0
mirror_bind_port = 5090

Use Case: SIP + RTP Merging

When SIP signaling and RTP media are captured on separate machines, a SIP probe can forward packets to a central server that captures RTP locally:

SIP Probe config:

packetbuffer_sender = yes
server_destination = central.server.ip
server_destination_port = 60024

Central Server config:

server_bind = 0.0.0.0
server_bind_port = 60024
interface = eth0

The packetbuffer_sender = yes option sends raw packets instead of CDRs.

Hybrid Chain (Workaround)

Warning: This configuration is not officially supported and may break in future releases. Use standard client-server mode when possible.

A single sniffer cannot use both server_bind and server_destination simultaneously. However, you can combine mirroring with client-server mode as a workaround:

Sensor A uses mirror_destination → Sensor B

Sensor B uses mirror_bind + server_destination → Server C

Sensor B setting          | Result
packetbuffer_sender = no  | B analyzes packets, sends CDRs to C
packetbuffer_sender = yes | B forwards raw packets to C

Additional Configuration

GUI Visibility

In client-server mode, only the central server appears in the GUI automatically. To make remote sensors visible (for charts, remote upgrades):

  1. Go to GUI → Settings → Sensors
  2. Add sensor manually with its manager_ip:manager_port
  3. Ensure manager_aes_key matches the GUI database

Compression

Reduce bandwidth for mirroring:

packetbuffer_compress = yes
packetbuffer_compress_ratio = 100

SRTP/DTLS Decryption

When mirroring encrypted traffic:

  • Source sensor: Include TLS ports in sipport = 5060,5061
  • Receiver sensor: Configure ssl_ipport and ssl_sessionkey for decryption

Limitations

  • server_bind and server_destination cannot coexist in one instance
  • Hybrid chain is a workaround, not officially supported
  • All clients share the same password (no per-client authentication)
  • PCAP retrieval from remote sensors requires network connectivity to each sensor
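
A pre-deployment check for the constraints listed above, as an added example that is not part of VoIPmonitor or of the original page. It assumes each sensor's settings are plain `key = value` lines with `#`/`;` comments and `[section]` headers; the function names, the 192.0.2.x addresses and the passwords in the sample fleet are constructed for illustration.

```python
# Added example (not VoIPmonitor code): lint distributed-mode settings against this page's constraints.
from collections import Counter

def parse_conf(text):
    """Parse 'key = value' lines; skips blanks, #/; comments and [section] headers (assumed format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def lint_instance(name, conf):
    """Per-instance checks. Returns a list of (severity, message) tuples."""
    out = []
    if "server_bind" in conf and "server_destination" in conf:
        out.append(("error", f"{name}: server_bind and server_destination cannot coexist"))
    if "mirror_bind" in conf and "server_destination" in conf:
        mode = "raw packets" if conf.get("packetbuffer_sender") == "yes" else "CDRs"
        out.append(("warn", f"{name}: hybrid chain sending {mode} upstream is not officially supported"))
    for opt in ("server_bind", "mirror_bind"):
        if conf.get(opt) == "0.0.0.0":
            port = conf.get(opt + "_port", "?")
            out.append(("info", f"{name}: {opt} listens on all interfaces, port {port}"))
    return out

def lint_fleet(configs):
    """configs: {instance name: config text}. Adds the shared-password check; never prints the secret."""
    parsed = {n: parse_conf(t) for n, t in configs.items()}
    out = [f for n, c in parsed.items() for f in lint_instance(n, c)]
    peers = {n: c.get("server_password") for n, c in parsed.items()
             if "server_bind" in c or "server_destination" in c}
    common = Counter(peers.values()).most_common(1)[0][0] if peers else None
    odd = sorted(n for n, p in peers.items() if p != common)
    if odd:
        out.append(("error", "server_password differs from the rest of the fleet on: " + ", ".join(odd)))
    return out

# Constructed sample fleet: addresses and secrets are placeholders, not real values.
SAMPLE = {
    "central": "server_bind = 0.0.0.0\nserver_bind_port = 60024\nserver_password = s3cret-A\n",
    "site1": "server_destination = 192.0.2.10\nserver_destination_port = 60024\nserver_password = s3cret-A\n",
    "site2": "server_destination = 192.0.2.10\nserver_destination_port = 60024\nserver_password = s3cret-B\n",
    "sensor_b": "mirror_bind = 0.0.0.0\nmirror_bind_port = 5090\nserver_destination = 192.0.2.10\nserver_password = s3cret-A\npacketbuffer_sender = no\n",
}
if __name__ == "__main__":
    print(*lint_fleet(SAMPLE), sep="\n")
```

The `info` findings are review items rather than faults: a listener bound to 0.0.0.0 accepts connections on every interface, so the listed port is the one to restrict to known sensor addresses.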

AI Summary for RAG

Summary: VoIPmonitor supports distributed deployments using client-server mode (sensors send CDRs to central server), packet mirroring mode (sensors forward raw packets), or hybrid chain (workaround combining both). In client-server mode, CDRs are stored centrally while PCAPs remain on each sensor. Packet mirroring is useful for central packet analysis or merging SIP signaling with RTP media captured at different locations using packetbuffer_sender=yes. The hybrid chain workaround uses mirror_bind + server_destination on an intermediate sensor but is not officially supported.

Keywords: distributed architecture, client-server, mirror mode, server_destination, server_bind, mirror_destination, mirror_bind, packetbuffer_sender, SIP probe, RTP merging, hybrid chain, multi-site, central server, remote sensors

Key Questions:

  • How do I connect multiple VoIPmonitor sensors to a central server?
  • What is the difference between client-server mode and packet mirroring?
  • How do I merge SIP and RTP traffic captured on different machines?
  • Can a single sniffer be both a server and a client?
  • Where are CDRs and PCAP files stored in distributed mode?
  • How do I make remote sensors visible in the GUI?