Because Sip Capturing Makes Sense - Kamailio

Transcription

Homer. because sip capturing makes sense
author: Alexandr Dubovikov
co-authors: Torsten Schweizer, Heino Klier, Roland Haenel
2011-06-21 ClueCon 2011 QSC AG KCV

QSC AG
About QSC
QSC – ICT solutions for small and mid-size enterprises
QSC AG, Cologne/Germany, is a service provider for voice and data communication, as well as the ICT services that build upon them. Established in 1997, the company has been focusing on small and midsize business customers.
QSC is the first provider to operate an Open Access platform, which unites a wide range of broadband technologies to offer national and international site networking, including Managed Services.
QSC additionally supplies its customers and distribution partners with a comprehensive product portfolio that can be modularly adapted to every need.
QSC was the first provider in Germany to build its own Next Generation Network (NGN), and therefore enjoys long years of experience in connection with IP-based telephony solutions, in particular.
QSC employs a workforce of some 700 people and has been listed on the TecDAX index since 2004.

Capturing tools
- Tcpdump
- Ngrep
- Sipgrep
- Wireshark
- Sipspy
All these tools are able to capture in realtime!
But we have to take a look into history!

Why do we need capturing?
Example scenario: A customer complains about problems reaching a special phone number. Usually, to discover the problem and locate the faulty device in the network, you have to do a live trace together with the customer. But you do not want to bother him with test calls. This is the big benefit of HOMER!
With HOMER we are able to search for the faulty call and retrospectively get the call flow from every involved network device.

A trace tool with backtrace functionality is needed: Homer
(Image: Homer Simpson, 20th Century Fox)

Why HOMER?
- it collects data and captured messages
- storing the collected data in DB
- querying, filtering and displaying of data via web interface (GUI)
The criteria for our system!

Normal SIP/VoIP network components
- SBC (Session Border Controller)
- Softswitch/Gateway
- SIP proxy/registrar/router
- SIP ns

NGN Network Overview
(Diagram labels: Intranet, FreeSWITCH Farm, SBC, SoftX, Huawei, SIP Proxy Farm, Acme, Public Internet, SEMS Farm, PSTN GW)

Centralized – Vendor independent
- There are many different system components in a SIP network
- Many vendors support IP Proto 4 (IP in IP encaps) for capturing solutions, e.g. ACME Packet, Huawei ...
- Our aim is to bring all SIP components together in a centralized controlling and monitoring system
- As a result you have the complete call flow through all components of your VoIP network

Homer is based on:
- External capturing agent (if needed)
- Capturing nodes
- Capturing database
- Web frontend (GUI)

HEP - Homer Encapsulation Protocol
- self developed encapsulation protocol
- no need of root privileges or kernel changes like IPIP
- IPv6 and IPv4
- supports many IP protocols (TCP, UDP, SCTP)
- can be used not only for SIP

HEP – Homer Encapsulated Protocol IPv4
Header layout (each row is 32 bit wide):
Version (8 bit) | Length (8 bit) | Proto Family (8 bit) | Protocol (8 bit)
Source Port | Destination Port
Source IPv4 Address (32 bit)
Destination IPv4 Address (32 bit)
SIP Payload

HEP – Homer Encapsulated Protocol IPv6
Header layout (each row is 32 bit wide):
Version (8 bit) | Length (8 bit) | Proto Family (8 bit) | Protocol (8 bit)
Source Port | Destination Port
Source IPv6 Address (128 bit)
Destination IPv6 Address (128 bit)
SIP Payload
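
An added example, not code from the slides or from the Homer project: a bounds-checked C parser for the HEP header fields shown on the two layout slides, as a capture node receiving datagrams from the network would need. The names `hep1_parse`, `struct hep1_info` and `hep1_sample` are hypothetical; the family codes 2 and 10, ports in network byte order, the version value 1, and Length meaning the total header size are assumptions not stated on the slides.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed family codes (Linux AF_INET / AF_INET6); not stated on the slides. */
#define HEP_FAMILY_IPV4 2
#define HEP_FAMILY_IPV6 10

struct hep1_info {                        /* hypothetical result type */
    uint8_t  family, protocol;
    uint16_t src_port, dst_port;
    uint8_t  src_addr[16], dst_addr[16];  /* first 4 bytes used for IPv4 */
    const uint8_t *payload;               /* encapsulated SIP message */
    size_t   payload_len;
};

/* Constructed sample: UDP 192.0.2.10:5060 -> 192.0.2.20:5060, payload "OPTIONS". */
static const uint8_t hep1_sample[] = {
    1, 16, 2, 17, 0x13, 0xC4, 0x13, 0xC4,
    192, 0, 2, 10, 192, 0, 2, 20, 'O', 'P', 'T', 'I', 'O', 'N', 'S'
};

/* Returns 0 on success, -1 on a truncated, unknown or inconsistent header. */
int hep1_parse(const uint8_t *buf, size_t len, struct hep1_info *out)
{
    size_t alen, hlen;
    if (buf == NULL || out == NULL || len < 8)
        return -1;                        /* fixed part: 4 x 8 bit + two ports */
    if (buf[0] != 1)
        return -1;                        /* only version 1 is handled here */
    if (buf[2] == HEP_FAMILY_IPV4)      alen = 4;
    else if (buf[2] == HEP_FAMILY_IPV6) alen = 16;
    else return -1;

    hlen = 8 + 2 * alen;                  /* 16 for IPv4, 40 for IPv6 */
    /* Assumption: Length is the whole header size. Check it against the
     * family and against the bytes actually received before any copy. */
    if ((size_t)buf[1] != hlen || len < hlen)
        return -1;
    memset(out, 0, sizeof(*out));
    out->family   = buf[2];
    out->protocol = buf[3];               /* IP protocol number, e.g. 17 = UDP */
    out->src_port = (uint16_t)((buf[4] << 8) | buf[5]);  /* assumed big-endian */
    out->dst_port = (uint16_t)((buf[6] << 8) | buf[7]);
    memcpy(out->src_addr, buf + 8, alen);
    memcpy(out->dst_addr, buf + 8 + alen, alen);
    out->payload     = buf + hlen;
    out->payload_len = len - hlen;
    return 0;
}
```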

Capturing agent
- The capturing agent acts as a daemon process on operating systems like UNIX (also possible as a Windows component)
- The agent duplicates all SIP traffic in HEP to the Homer node
- The agent is extremely small, with only 300 lines of C code, and therefore goes easy on resources
- A widespread integration of the capturing agent in many other open source projects (Asterisk, Yate, OpenSIPS) would be helpful, since it is already implemented in FreeSWITCH and Kamailio
- The agent uses the pcap lib. Therefore you can set up your own pcap filter to duplicate only needed traffic, e.g. only outgoing messages

Homer Overview
(Diagram: SIP messages flow from each component to the Homer NODE.)
- SER and FreeSWITCH with integrated capture module (integrated capture agent) and HEP (Homer Encapsulated Protocol)
- Huawei, Acme: mirrored SIP messages encapsulated in IP Proto 4
- SEMS: with Homer capture agent application including PCAP filter, sending HEP (Homer Encapsulated Protocol)

HOMER
(Diagram labels: Capture Servers (Node 01, Node 02, Node 03, Node 04), Frontend GUI, DB)
DB:
- MySQL
- PostgreSQL
- Cassandra
- etc.

HOMER
(Diagram labels: Homer Encapsulated Protocol (HEP), IP Proto 4, HEP Socket, RAW Socket / (IP Protocol IPIP), recvfrom(), Capture Server, packet extraction and parsing, sipcapture module, SIP parsing, database module, INSERT DELAYED, DB / MySQL, Partitioning Tables, Homer 1 14, Homer 1 15, Homer 1 16, Frontend GUI, APACHE, PHP, Joomla / com Homer)

Capturing node
The capturing node is a UNIX based server (in our case Ubuntu).
The core component of the node is the capturing application server which
- receives IP Proto 4 (IPIP) packets
- receives HEP packets
- validates if they are SIP
- parses the packets and
- inserts the values to DB
Our capture application is based on SIP-Router aka SER 3.x or Kamailio 3.x, because of good core performance and effective SIP parser

Capturing node
Why a SIP-Router (SER)?
- core of SER has a very good performance
- SIP parser is effective
- has support for MySQL, PostgreSQL, Oracle ...
- can be compiled on many different UNIX like systems
- big community
- Open Source

Capturing node
- raw socket mode for IPIP encapsulation
- UDP socket for HEP
- parsing the elements of the SIP packet
- inserted into a DB through SIP capture and database modules.
- In our case we use MySQL and INSERT DELAYED, which causes no socket IO-wait between SER and DB (insert and forget)

Capturing database
Usually you can use any relational DB (MySQL, PostgreSQL, Oracle, ...) but if you want to build a really big capturing cluster we recommend using a key-value DB (Cassandra, MongoDB etc).
In case of a key-value DB (Cassandra) all DB nodes will have the same capturing data, which guarantees high availability

Frontend
The Homer GUI is based on Joomla CMS which is also Open Source.
Joomla has an internal user management and a good PHP API.
Our frontend provides the following operational capabilities:
- Search on many different parameters (A-number, B-number, Date, Time, Call-ID, From Tag, To Tag, Method Type, User Agent, Source IP, Destination IP, Port, Protocol Type etc.)
- combining search options
- get detailed information by selecting a single message
- display information with Call Flow sequence diagram
- for a quick overview calls are grouped in different colors
- convert and save trace output as pcap file

GUI simple search form

GUI advanced search form

GUI search result

GUI SIP message details

GUI sip call flow

Capturing capability
- Our experience has shown that the DB can easily handle up to 10 m packets per hour (depending on hardware)
- Currently we receive 5-6 m packets per hour (on two nodes)
- In case of expansion the system can be clustered just by adding new nodes to the system.
CPU Dual Core Xeon 5520, 8 G RAM – 3 m packets/hour:
- 8% CPU - MySQL
- 0.2% CPU - kamailio in capture mode
- load average: 0.25, 0.18, 0.12

What Homer is now...
- IPv4 and IPv6 support
- Scalability
- Good performance
- Capture agent integrated in FreeSWITCH, Kamailio
- Can easily be used in any SIP networks

...and Homer in the future...
- support for XMPP protocol
- Cassandra database module
- integration in other SIP projects
- more powerful web interface
- timestamp in HEP protocol (version 2) ...

Thank you
URL: http://homer.googlecode.com/
E-mail/IM: alexandr.dubovikov@gmail.com
