Traffic collector manual

5gVision Traffic collector is part of the 5gVision suite of products for monitoring, alerting, packet sniffing, and rate management that share a common web interface: quick, intuitive, and flexible.

Overview

The Traffic collector is part of the 5gVision suite of products. Its main function is to gather SIP/H.323 signaling logs and media packets in real time. It then lets you quickly and conveniently view past signaling logs or call flows, listen to the recorded media for pre-defined IP addresses and number masks, and detect intrusions into your VoIP system. A good way to start with the Traffic collector and understand its main concepts is to view this sales presentation:

5gVision Traffic Collector Modules

The 5gVision interface principles are described in a separate manual: User interface

You may download a PDF version of the manual here:

User interface

If you are new to 5gVision, we recommend going through at least the beginning of the Interface manual first.

The Traffic collector comprises three separate modules, which are described in further sections of this manual.

Collection methods

There are 4 main methods of getting signaling and media packets:
  • Method 1 requires setting up a mirrored port on the Ethernet switch the VoIP softswitch is connected to. This mirrored port should be linked to a NIC on a 5gVision server to let it grab signaling and media packets passing through the network.

    The main advantage is that this scheme doesn't affect the softswitch performance at all, is invisible to the softswitch vendor's support team, and usually allows huge amounts of traffic to be collected without drops. However, the customer has to reconfigure its Ethernet switch and add another NIC to the 5gVision server. Also, not all Ethernet switches support mirroring, and the method won't work if the customer does not have physical access to the softswitch server (rented servers, VPS, etc.) or can't install another server for 5gVision in the same LAN as the VoIP softswitch.


  • Method 2 allows collection of traffic remotely via an SSH connection to each of the customer's VoIP softswitches, using a user account that is only allowed to run one application: tcpdump. All packets are captured locally on the softswitch and sent to 5gVision over SSH.

    The benefit of this scheme is that there are no additional hardware requirements, and logs can be collected from any server without physical access, including geographically distributed servers. Also, this scheme does not conflict with the "Do not install third-party software" agreement with the softswitch vendor, because ssh and tcpdump are basic tools of every Linux system.

    Local packet sniffing consumes some extra CPU resources and memory on the softswitch, although the increase is usually negligible and is within 5-10%. HDD is not affected at all, as no packets are written to a local drive of the softswitch.


  • Method 3 can be used if you already collect .pcap files yourself. 5gVision may then upload and process these files over SFTP or other protocols. It is preferred that the files are rotated every 2-5 minutes or so, to bring the collector closer to real time.


  • Method 4 requires installation of a very simple script on each node (server) of your softswitch. This script will run tcpdump and write traffic into files. The files will rotate and will never use more space than was allocated on each HDD. We will then upload the files to a 5gVision server for processing.

    This scheme will deliver unprecedented performance for large distributed systems. For instance, if you have 8 nodes (servers) in your softswitch, mirroring 8 ports to just one NIC on the 5gVision server may result in enormous traffic (especially if media is collected) that we will not be able to read from the NIC without drops. However, if traffic is dumped into files on each of the 8 nodes, it will not be a problem to copy and process them on one or several 5gVision servers.

    There would be an extra load on the CPU and HDD of each node in this case, so we would need to investigate your node load and your softswitch type before deciding to install this scheme.
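One way to enforce the Method 2 restriction (an account that can run only tcpdump) is an OpenSSH forced command that validates what the collector asks for before starting the capture. This is an added example, not 5gVision's own code; the wrapper path, interface names, tcpdump path and the permitted option set are assumptions.

```bash
#!/usr/bin/env bash
# Forced-command wrapper for a capture-only SSH account (hypothetical name:
# /usr/local/bin/tcpdump-only). Bound to the collector's key in authorized_keys:
#   restrict,command="/usr/local/bin/tcpdump-only" ssh-ed25519 <COLLECTOR_PUBLIC_KEY>
# Assumes the account already has permission to capture packets.

ALLOWED_IFACES="eth0 eth1"      # assumption: interfaces the collector may sniff
TCPDUMP_BIN="/usr/sbin/tcpdump" # assumption: adjust to the local install path

# Return 0 only for "tcpdump" with allowlisted options and a simple filter.
# Anything else is rejected, including options that write files on the
# softswitch or start helper programs.
validate_capture_cmd() {
    local prev="" word
    set -f; set -- $1; set +f          # split into words without globbing
    [ "${1:-}" = "tcpdump" ] || return 1
    shift
    for word in "$@"; do
        case "$prev" in                # argument of the previous option
            -i) case " $ALLOWED_IFACES " in *" $word "*) ;; *) return 1 ;; esac
                prev=""; continue ;;
            -s) case "$word" in *[!0-9]*) return 1 ;; esac
                prev=""; continue ;;
            -w) [ "$word" = "-" ] || return 1   # stdout only, never a file
                prev=""; continue ;;
        esac
        case "$word" in
            -i|-s|-w) prev="$word" ;;
            -n|-U) ;;
            -*) return 1 ;;
            udp|tcp|port|portrange|host|and|or|not) ;;
            *[!0-9.-]*) return 1 ;;    # else: port, port range or IPv4 only
        esac
    done
    [ -z "$prev" ]                     # fail if an option lacks its argument
}

# sshd places the command requested by the client in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_capture_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; shift
        exec "$TCPDUMP_BIN" "$@"
    fi
    logger -t tcpdump-only "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```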