This guide covers VoIPmonitor deployment options: where to install the sensor, how to forward traffic, and distributed architectures for multi-site monitoring.

Sensor Deployment Options

On-Host Capture

Install the sensor directly on the same Linux server as your PBX/SBC.

Dedicated Sensor

A separate Linux server runs only VoIPmonitor. Recommended for production environments as it isolates monitoring from voice platform resources.

When Required:

• Windows-based PBXs
• Limited CPU/RAM/disk I/O on PBX server
• Zero monitoring impact needed
• Centralized capture from multiple sites

Traffic Forwarding Methods

When using a dedicated sensor, you must forward traffic to it using one of these methods.

Hardware Port Mirroring (SPAN/RSPAN)

Physical or virtual switches copy traffic from source port(s) to a monitoring port.

Physical Switch

Configure your switch to mirror traffic from PBX/SBC ports to the sensor's port. Consult your switch documentation for specific commands.

# /etc/voipmonitor.conf
interface = eth0
sipport = 5060
savertp = yes

VMware/ESXi Virtual Switch

For virtualized environments, VMware provides port mirroring at the virtual switch level.

Standard vSwitch:

1. In vSphere Client, navigate to ESXi host
2. Select virtual switch → Properties/Edit Settings → Enable Port Mirroring
3. Set source (SBC VM) and destination (VoIPmonitor VM) ports

Distributed vSwitch:

1. In vSphere Web Client → Networking → Select distributed switch
2. Configure tab → Port Mirroring → Create mirroring session
3. Specify source/destination ports and enable

Multiple VoIP Platforms

Monitor multiple platforms (e.g., Mitel + FreeSWITCH) with a single sensor by mirroring multiple source ports to one destination port.

GUI differentiation:

• Filter by IP address ranges
• Filter by number prefixes
• Use separate sensors with unique id_sensor values

Software-based Tunneling

When hardware mirroring is unavailable, use software tunneling to encapsulate and forward packets.

HEP (Homer Encapsulation Protocol)

Lightweight protocol for mirroring VoIP packets. Supported by Kamailio, OpenSIPS, FreeSWITCH, and many SBCs.

# /etc/voipmonitor.conf
hep = yes
hep_bind_port = 9060
hep_bind_udp = yes
# Optional: hep_kamailio_protocol_id_fix = yes

Known Limitations:

HEP Timestamp: VoIPmonitor uses the HEP timestamp field. If the source has an unsynchronized clock, call timestamps will be incorrect. There is no option to ignore HEP timestamps.

HEP3 with Port 0: Not captured by default. Add port 0 to sipport:

sipport = 0,5060

Cloud Packet Mirroring

Cloud providers offer native mirroring services using VXLAN or GRE encapsulation.

Configuration Steps:

1. Create a VoIPmonitor sensor VM in your cloud environment
2. Create mirroring policy: select source VMs/subnets, set destination to sensor VM
3. Critical: Capture traffic in BOTH directions (INGRESS and EGRESS)
4. Configure sensor:

udp_port_vxlan = 4789
interface = eth0
sipport = 5060

Best Practices:

• Filter at source to forward only SIP/RTP ports
• Monitor NIC bandwidth limits
• Account for VXLAN overhead (~50 bytes) - may need jumbo frames
• Ensure NTP sync across all VMs

Alternative: Consider Client/Server architecture with on-host sensors instead of cloud mirroring for better performance.

Pre-Deployment Verification

For complex setups (RSPAN, ERSPAN, proprietary SBCs), verify compatibility before production deployment:

1. Configure test mirroring with a subset of traffic
2. Capture test calls with tcpdump: sudo tcpdump -i eth0 -s0 port 5060 -w /tmp/test.pcap
3. Verify pcap contains SIP and RTP: tshark -r /tmp/test.pcap -Y "sip || rtp"
4. Submit pcap to VoIPmonitor support with hardware/configuration details

Distributed Architectures

For multi-site monitoring, sensors can be deployed in various configurations.

Classic Mode: Standalone Sensors

Each sensor operates independently:

• Processes packets and stores PCAPs locally
• Connects directly to central MySQL to write CDRs
• GUI needs network access to each sensor's TCP/5029 for PCAP retrieval

Alternative: NFS/SSHFS Mounting

If TCP/5029 access is blocked, mount remote spool directories on the GUI server:

# NFS mount
sudo mount -t nfs 10.224.0.101:/var/spool/voipmonitor /mnt/voipmonitor/sensor1

# SSHFS mount
sshfs voipmonitor@10.224.0.101:/var/spool/voipmonitor /mnt/voipmonitor/sensor1

Configure GUI: Settings > System Configuration > Sniffer data path: /var/spool/voipmonitor:/mnt/voipmonitor/sensor1:/mnt/voipmonitor/sensor2

Modern Mode: Client/Server (v20+) — Recommended

Secure encrypted TCP channel between remote sensors and central server. GUI communicates only with central server.

For detailed configuration, see Distributed Architecture: Client-Server Mode.

Quick Start - Remote Sensor (Local Processing):

id_sensor               = 2
server_destination      = 10.224.0.250
server_destination_port = 60024
server_password         = your_strong_password
packetbuffer_sender     = no
interface               = eth0
sipport                 = 5060
# No MySQL credentials needed - central server writes to DB

Quick Start - Central Server:

server_bind             = 0.0.0.0
server_bind_port        = 60024
server_password         = your_strong_password
mysqlhost               = 10.224.0.201
mysqldb                 = voipmonitor
mysqluser               = voipmonitor
mysqlpassword           = db_password
cdr_partition           = yes
interface               =   # Leave empty - don't sniff locally

Firewall Requirements

Configuration Notes

Critical Parameters

Time Synchronization

First Startup

On first start against empty database:

1. Start service: systemctl start voipmonitor
2. Monitor logs: journalctl -u voipmonitor -f
3. Wait for schema/partition creation to complete

If you see Table 'cdr_next_1' doesn't exist errors, check DB connectivity and privileges.

Deployment Comparison

Troubleshooting

NFS/SSHFS Connectivity

Missing data for specific time periods usually indicates storage server connectivity issues.

# Check for NFS errors
grep "nfs: server.*not responding" /var/log/syslog
grep "nfs.*timed out" /var/log/syslog

# Verify mount status
mount | grep nfs
stat /mnt/voipmonitor/sensor1

See Also

• Distributed Architecture: Client-Server Mode - Detailed client/server configuration
• Sniffer Troubleshooting - Diagnostic procedures
• AudioCodes Tunneling - AudioCodes SBC integration
• TLS/SRTP Decryption - Encrypted traffic monitoring
• Cloud Service Configuration - Cloud deployment specifics
• Scaling and Performance Tuning - Performance optimization

AI Summary for RAG

Summary: VoIPmonitor deployment guide covering sensor placement (on-host vs dedicated), traffic forwarding methods (SPAN/RSPAN, software tunneling, cloud mirroring), and distributed architectures. Key traffic forwarding options: hardware port mirroring (physical/VMware switches), software tunnels (GRE, ERSPAN, TZSP, VXLAN, HEP, AudioCodes, IPFIX), and cloud provider services (GCP Packet Mirroring, AWS Traffic Mirroring, Azure Virtual Network TAP). CRITICAL HEP LIMITATION: VoIPmonitor does NOT use HEP correlation ID (captureNodeID) - SIP and RTP from different HEP sources will NOT be correlated (feature request VS-1703, no workaround). HEP3 packets with port 0 require adding port 0 to sipport directive. Cloud mirroring requires BIDIRECTIONAL capture (ingress+egress) or CDRs will be incomplete. Distributed architectures: Classic standalone (each sensor writes to central DB, GUI connects to each sensor) vs Modern Client/Server (recommended, encrypted TCP/60024 channel, GUI connects only to central server). Client/Server modes: Local Processing (packetbuffer_sender=no, CDRs only, PCAPs remain remote) vs Packet Mirroring (packetbuffer_sender=yes, full packets sent to central). Alternative for blocked TCP/5029: mount remote spools via NFS/SSHFS, configure multiple paths in GUI Sniffer data path setting. NFS troubleshooting: check for "not responding, timed out" in logs, verify mount status, use hard,nofail,tcp mount options. Critical requirement: NTP sync across all servers.

Keywords: deployment, topology, on-host, dedicated sensor, SPAN, RSPAN, port mirroring, VMware, vSwitch, dvSwitch, tunneling, GRE, ERSPAN, TZSP, VXLAN, HEP, HEP correlation ID, captureNodeID, VS-1703, HEP port 0, sipport, AudioCodes, IPFIX, cloud mirroring, GCP, AWS, Azure, Packet Mirroring, Traffic Mirroring, ingress, egress, bidirectional, client server, packetbuffer_sender, local processing, packet mirroring, TCP 60024, TCP 5029, NFS, SSHFS, sniffer data path, NTP, time synchronization, id_sensor, cdr_partition

Key Questions:

• Should I install VoIPmonitor on my PBX or use a dedicated sensor?
• How do I configure port mirroring (SPAN) for VoIPmonitor?
• How do I configure VMware/ESXi virtual switch mirroring?
• What software tunneling protocols does VoIPmonitor support?
• How do I configure HEP (Homer Encapsulation Protocol)?
• Does VoIPmonitor use HEP correlation ID to correlate SIP and RTP?
• Why are SIP and RTP from different HEP sources not correlated?
• How do I capture HEP3 packets with port 0?
• How do I configure cloud packet mirroring (GCP/AWS/Azure)?
• Why do I get incomplete CDRs with cloud mirroring?
• What is the difference between classic and client/server deployment?
• What is the difference between local processing and packet mirroring mode?
• How do I access PCAPs if TCP/5029 is blocked?
• How do I configure NFS/SSHFS for remote spool access?
• How do I troubleshoot missing data with NFS mounts?
• What firewall ports are required for client/server mode?
• Why is NTP important for distributed VoIPmonitor?