Difference between revisions of "Sniffing modes"

From VoIPmonitor.org

Revision as of 09:52, 4 October 2013

Linux host

You can install or compile the VoIPmonitor binary directly on a Linux PBX or SBC/SIP server. This requires no additional hardware and no changes to the network topology. The only downside is that voipmonitor consumes hardware resources (RAM, CPU and I/O workload), which can affect the whole system. If sharing hardware with voipmonitor is not acceptable, the second common use case is port mirroring.

Hardware port mirroring

Port mirroring is used on a network switch to send a copy of the network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port, in this case the dedicated voipmonitor Linux box. Port mirroring on a Cisco Systems switch is generally referred to as Switched Port Analyzer (SPAN); some other vendors have other names for it, such as Roving Analysis Port (RAP) on 3Com switches, or just port mirroring.

With hardware mirroring you often need an additional Ethernet port. The sniffer is configured to use this port (interface=eth1) and automatically puts the interface into promiscuous mode. If you need to mirror to more than one Ethernet port you can set interface=any in voipmonitor.conf, which enables capture on all interfaces, but then you need to put each Ethernet interface into promiscuous mode manually:

ifconfig eth1 promisc

One voipmonitor instance can listen either on one interface or on all interfaces.
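The following is an added example, not part of the wiki page or the VoIPmonitor project. With interface=any the sniffer does not touch the interface flags itself, so the script below turns promiscuous mode on for each capture interface and then verifies the kernel's flag word in sysfs rather than trusting the exit status of the command. It assumes Linux with iproute2 (ip) and /sys/class/net; the IFF_PROMISC bit value 0x100 is the kernel's.

```shell
#!/bin/sh
# Added example (not from the VoIPmonitor wiki): enable promiscuous mode on every
# interface that VoIPmonitor will read with interface=any, then confirm the flag.
# Assumptions: Linux, iproute2 `ip`, /sys/class/net/<iface>/flags readable.

IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit in /sys/class/net/<iface>/flags

# has_promisc_flag HEXFLAGS -> exit 0 if the IFF_PROMISC bit is set in the flags word
has_promisc_flag() {
    flags=$(( $1 ))                      # sysfs prints the word as 0x...; arithmetic accepts it
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# iface_is_promisc IFACE -> reads the live flags word for IFACE from sysfs
iface_is_promisc() {
    [ -r "/sys/class/net/$1/flags" ] || return 2
    has_promisc_flag "$(cat "/sys/class/net/$1/flags")"
}

# enable_promisc IFACE... -> turns promisc on and verifies it for each interface;
# returns non-zero if any interface could not be set or does not show the flag
enable_promisc() {
    rc=0
    for iface in "$@"; do
        if ! ip link set dev "$iface" promisc on; then
            echo "$iface: ip link failed" >&2; rc=1; continue
        fi
        if iface_is_promisc "$iface"; then
            echo "$iface: promiscuous"
        else
            echo "$iface: IFF_PROMISC not set after ip link" >&2; rc=1
        fi
    done
    return $rc
}

# Usage (as root, on the voipmonitor box): enable_promisc eth1 eth2
```

The ip link form is the iproute2 equivalent of the ifconfig command shown above; checking the sysfs flag afterwards catches the case where a driver or a later network-manager restart has cleared promiscuous mode, which otherwise shows up only as missing RTP in the GUI.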

Software packet mirroring

IPTABLES mirroring

iptables (since kernel version 3.x) is able to mirror traffic to another IP address. The following rules are not needed in the case of hardware mirroring. The rules have to be defined on the SIP server (not on the voipmonitor sniffer).

iptables -I PREROUTING -t mangle -i eth0 -j TEE --gateway 10.0.0.2
iptables -I POSTROUTING -t mangle -j TEE --gateway 10.0.0.2

These are generic rules which mirror ALL incoming traffic on eth0 and all outgoing traffic from the server to the dedicated VoIPmonitor box at IP address 10.0.0.2. It is better to mirror just UDP packets:

iptables -I PREROUTING -t mangle -i eth0 -p udp -j TEE --gateway 10.0.0.2
iptables -I POSTROUTING -t mangle -p udp -j TEE --gateway 10.0.0.2
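The following is an added example, not part of the wiki page or the VoIPmonitor project. It generates the two UDP TEE rules above for a given interface and mirror address, and first checks the one thing that most often makes TEE mirroring fail silently: the TEE target only re-addresses the copy to its next hop, so the --gateway address must be on a directly attached segment (or be a router you have configured to forward the copy). The check parses ip route get output; a route containing a "via" hop is rejected. eth0 and 10.0.0.2 are the page's placeholders; APPLY=1 is my own dry-run switch.

```shell
#!/bin/sh
# Added example, not from the VoIPmonitor wiki: emit the page's UDP TEE mirroring
# rules and refuse to install them when the mirror target is not on-link.
# Assumptions: Linux with iptables (xt_TEE target) and iproute2.

# tee_rules IFACE GATEWAY -> prints the two UDP mirroring rules, one per line
tee_rules() {
    printf 'iptables -t mangle -I PREROUTING -i %s -p udp -j TEE --gateway %s\n' "$1" "$2"
    printf 'iptables -t mangle -I POSTROUTING -p udp -j TEE --gateway %s\n' "$2"
}

# route_is_onlink "<ip route get output>" -> 0 when the route has no "via" next hop,
# i.e. the address is reachable directly on an attached segment
route_is_onlink() {
    case " $1 " in
        *" via "*) return 1 ;;
        *)         return 0 ;;
    esac
}

# gateway_is_onlink GATEWAY -> runs `ip route get` and applies route_is_onlink
gateway_is_onlink() {
    out=$(ip route get "$1" 2>/dev/null) || return 2
    route_is_onlink "$out"
}

# install_tee IFACE GATEWAY -> dry run unless APPLY=1; refuses an off-link gateway
install_tee() {
    if ! gateway_is_onlink "$2"; then
        echo "refusing: cannot confirm that $2 is on a directly attached network" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        tee_rules "$1" "$2" | sh -e        # run each generated rule, stop on first error
    else
        echo "# dry run (set APPLY=1 to install):"
        tee_rules "$1" "$2"
    fi
}

# Usage (as root, on the SIP server): install_tee eth0 10.0.0.2
```

After installing, confirm on the voipmonitor box with a capture on its interface (for example tcpdump -ni eth1 udp port 5060) that SIP copies arrive; the copies keep their original destination address, which is why the capture interface must be in promiscuous mode as described above.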

VoIPmonitor mirroring

New mirroring (since >= 8)

The sniffer can run in mirror mode, in which it sniffs all packets and sends them over a TCP stream to another voipmonitor sniffer, which reads this stream as if it were sitting directly on the source. The advantage is that the TCP stream does not send many short packets; it packs them into a continuous TCP stream, which can also be compressed.

Sender configuration (10.0.0.1)

mirror_destination_ip          = 10.0.0.2
mirror_destination_port        = 5030

Receiver configuration (10.0.0.2)

mirror_bind_ip               = 10.0.0.2
mirror_bind_port             = 5030
mirror_bind_dlt              = 1       // DLT_EN10MB Ethernet (10Mb)

Currently the receiver voipmonitor can receive a stream from only one sender. This will be enhanced sometime in the future.
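The following is an added example, not part of the wiki page or the VoIPmonitor project. The sender and receiver settings above live in two different voipmonitor.conf files, and a mismatched port or address shows up only as calls that never appear on the receiver. The script reads the key = value format used above (trailing // comments included), compares the sender's mirror_destination_* keys with the receiver's mirror_bind_* keys, and fails before either sniffer is started. The two config fragments are constructed inline from the page's values; the key names are the page's, the consistency check is mine.

```shell
#!/bin/sh
# Added example, not from the VoIPmonitor wiki: cross-check the sender's and
# receiver's mirror settings. Assumes POSIX sh and awk.

# conf_get FILE KEY -> value of "KEY = value" (last occurrence wins; blank lines,
# comment lines and trailing "//" or "#" comments are ignored)
conf_get() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { n = index($0, "="); if (n == 0) next
          key = substr($0, 1, n - 1); v = substr($0, n + 1) }
        key ~ ("^[ \t]*" k "[ \t]*$") {
            sub(/[ \t]*(\/\/|#).*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# check_mirror_pair SENDER_CONF RECEIVER_CONF -> 0 when destination and bind match
check_mirror_pair() {
    dip=$(conf_get "$1" mirror_destination_ip)
    dport=$(conf_get "$1" mirror_destination_port)
    bip=$(conf_get "$2" mirror_bind_ip)
    bport=$(conf_get "$2" mirror_bind_port)
    rc=0
    if [ -z "$dip" ] || [ "$dip" != "$bip" ]; then
        echo "ip mismatch: sender sends to '$dip', receiver binds '$bip'" >&2; rc=1
    fi
    if [ -z "$dport" ] || [ "$dport" != "$bport" ]; then
        echo "port mismatch: sender sends to '$dport', receiver binds '$bport'" >&2; rc=1
    fi
    return $rc
}

# --- constructed sample config fragments, values taken from the page ---
SENDER=$(mktemp); RECEIVER=$(mktemp)
cat > "$SENDER" <<'EOF'
mirror_destination_ip          = 10.0.0.2
mirror_destination_port        = 5030
EOF
cat > "$RECEIVER" <<'EOF'
mirror_bind_ip               = 10.0.0.2
mirror_bind_port             = 5030
mirror_bind_dlt              = 1       // DLT_EN10MB Ethernet (10Mb)
EOF

check_mirror_pair "$SENDER" "$RECEIVER" && echo "mirror settings consistent"
```

Nothing on this page describes authentication or encryption for the mirror stream, so treat it as carrying raw call traffic: bind it to an address on a management network and allow TCP port 5030 on the receiver only from the sender's address, for example with an iptables INPUT rule that matches -s 10.0.0.1 -p tcp --dport 5030 and drops the rest.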

OLD (deprecated)

Mirror SIP packets to a specified IP address. Packets are mirrored using the IP-in-IP protocol. This is useful when the primary voipmonitor machine sees all SIP packets but only part of the RTP packets, and the second voipmonitor server sees only RTP packets; in this case you can mirror the SIP packets to the second voipmonitor server's IP. voipmonitor already supports IP-in-IP, so no configuration is needed to accept IP-in-IP mirrored packets (this mirroring format is supported by, for example, Acme Packet SBCs). Mirroring can also be useful for other general purposes, since IP-in-IP is also parsed by wireshark/tshark etc. If you enable mirrorip you have to set mirroripsrc and mirroripdst.

mirrorip = yes
mirroripdst = 192.168.0.1
mirroripsrc = 10.0.0.1

mirroripdst is the IP address (not a host name) to which packets are sent. mirroripsrc is the source IP address of this server, used to send packets to mirroripdst. This has to be set correctly, otherwise mirroring will not work. If mirroripsrc is not set, the source IP is set to 255.255.255.255.

Moving pcap files

The VoIPmonitor sniffer runs directly on the Asterisk PBX, storing pcap files to /var/spool/voipmonitor, from where they are moved to /mnt/ssh, which is the central WEB GUI's /var/spool/voipmonitor mounted remotely. You can use sshfs to mount the remote directory over ssh:

sshfs root@guiserverIP:/var/spool/voipmonitor /mnt/ssh

In voipmonitor.conf on the Asterisk PBX set:

cachedir = /var/spool/voipmonitor (or /dev/shm which is ramdisk to save some I/O) 
spooldir = /mnt/ssh
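The following is an added example, not part of the wiki page or the VoIPmonitor project. With spooldir=/mnt/ssh, an sshfs mount that is missing at boot or has dropped after a network outage does not produce an error: the sniffer simply writes pcaps into the empty local /mnt/ssh directory on the PBX until the disk fills. The script mounts the GUI spool, and starts the sniffer only after confirming that /mnt/ssh really is a mount point. The is_mountpoint check is portable (it compares df's "Mounted on" column with the directory). The key file path, the reconnect option and the start command are my assumptions; guiserverIP is the page's placeholder.

```shell
#!/bin/sh
# Added example, not from the VoIPmonitor wiki: mount the remote spool over sshfs
# and refuse to start the sniffer unless the spool directory is really mounted.
# Assumptions: sshfs installed on the PBX, key-based ssh access to the GUI server.

# is_mountpoint DIR -> 0 when DIR is the root of a mounted filesystem
is_mountpoint() {
    [ -d "$1" ] || return 1
    dir=$(cd "$1" && pwd -P)                       # resolve symlinks, df reports real paths
    [ "$(df -P "$dir" | awk 'NR==2 { print $NF }')" = "$dir" ]
}

# mount_spool GUI_HOST MOUNT_DIR -> mounts the GUI's spool if it is not already mounted
mount_spool() {
    is_mountpoint "$2" && return 0
    mkdir -p "$2"
    # -o reconnect: re-establish the session after a network drop (assumption: desired here)
    # IdentityFile: key auth so the mount can be made at boot without a password
    sshfs "root@$1:/var/spool/voipmonitor" "$2" \
        -o reconnect,IdentityFile=/root/.ssh/voipmonitor_spool
}

# start_if_mounted MOUNT_DIR COMMAND... -> runs COMMAND only when MOUNT_DIR is mounted
start_if_mounted() {
    dir=$1; shift
    if is_mountpoint "$dir"; then
        "$@"
    else
        echo "spooldir $dir is not mounted; not starting the sniffer" >&2
        return 1
    fi
}

# Usage (as root, on the PBX; the start command is an assumption):
#   mount_spool guiserverIP /mnt/ssh && start_if_mounted /mnt/ssh service voipmonitor start
```

Keeping cachedir on a local path (or /dev/shm as the page suggests) means the sniffer never writes directly over the network, so a short outage costs only the move of already-finished pcaps, not the capture itself.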