Sniffer distributed architecture

This guide explains how to deploy multiple VoIPmonitor sensors in a distributed architecture using the modern Client-Server mode.

Overview

VoIPmonitor v20+ uses a Client-Server architecture for distributed deployments. Remote sensors connect to a central server via encrypted TCP channel.

The mode is controlled by a single option: packetbuffer_sender

For comprehensive deployment options including on-host vs dedicated sensors, traffic forwarding methods (SPAN, GRE, TZSP, VXLAN), and NFS/SSHFS alternatives, see VoIPmonitor Deployment & Topology Guide.

Client-Server Mode

Architecture

Configuration

Remote Sensor (client):

id_sensor               = 2                    # unique per sensor
server_destination      = central.server.ip
server_destination_port = 60024
server_password         = your_strong_password

# Choose one:
packetbuffer_sender     = no     # Local Processing: analyze locally, send CDRs
# packetbuffer_sender   = yes    # Packet Mirroring: send raw packets

interface               = eth0
sipport                 = 5060
# No MySQL credentials needed on remote sensors

Central Server:

server_bind             = 0.0.0.0
server_bind_port        = 60024
server_password         = your_strong_password

mysqlhost               = localhost
mysqldb                 = voipmonitor
mysqluser               = voipmonitor
mysqlpassword           = db_password

# If receiving raw packets (packetbuffer_sender=yes on clients):
sipport                 = 5060
# ... other sniffer options

Local Processing vs Packet Mirroring

PCAP Access in Local Processing Mode

When using Local Processing, PCAPs are stored on remote sensors. The GUI retrieves them via the central server, which proxies requests to each sensor's management port (TCP/5029).

Firewall requirements:

• Central server must reach remote sensors on TCP/5029
• Remote sensors must reach central server on TCP/60024

Data Storage Summary

• CDRs: Always stored in MySQL on central server
• PCAPs:
  • Local Processing → stored on each remote sensor
  • Packet Mirroring → stored on central server

GUI Visibility

Remote sensors appear automatically when connected. To customize names or configure additional settings:

1. Go to GUI → Settings → Sensors
2. Sensors are identified by their id_sensor value

Legacy: Mirror Mode

Note: The older mirror_destination/mirror_bind options still exist but the modern Client-Server approach with packetbuffer_sender=yes is preferred as it provides encryption and simpler management.

Limitations

• All sensors must use the same server_password
• A single sniffer cannot be both server and client simultaneously
• Each sensor requires a unique id_sensor (< 65536)
• Time synchronization (NTP) is critical for correlating calls across sensors

AI Summary for RAG

Summary: VoIPmonitor v20+ uses Client-Server architecture for distributed deployments. Remote sensors connect to a central server via encrypted TCP (port 60024). Two modes are available: Local Processing (packetbuffer_sender=no) where sensors analyze packets locally and send only CDRs, or Packet Mirroring (packetbuffer_sender=yes) where sensors forward raw packets to the central server for processing. CDRs are always stored centrally; PCAPs are stored on remote sensors in Local Processing mode or centrally in Packet Mirroring mode. The legacy mirror_destination/mirror_bind approach is superseded by the modern Client-Server mode. Keywords: distributed architecture, client-server, server_destination, server_bind, packetbuffer_sender, local processing, packet mirroring, remote sensors, central server, multi-site, encrypted channel Key Questions:

• How do I connect multiple VoIPmonitor sensors to a central server?
• What is the difference between Local Processing and Packet Mirroring?
• Where are CDRs and PCAP files stored in distributed mode?
• What is packetbuffer_sender and when should I use it?
• How do I configure remote sensors to send raw packets to central server?