Pcap Analyzer: Pcap Filter of the Allegro Network Multimeter
Pcap filter for analysing large capture files
Back to Part 1: Wireshark Filter
Pre-selection of traffic with the Allegro Network Multimeter
Now that a number of important techniques have been presented on how to approach large pcap files to better master them, this second part describes how the Allegro Network Multimeter handles the task.
The Allegro Network Multimeter does not completely replace Wireshark. However, it is designed to pre-filter pcap files for deeper packet analysis with Wireshark.
The Allegro Network Multimeter measures traffic and displays all metadata in real-time; this applies to both live data and historic network traffic. What is special about the tool is the speed at which it processes the data. This benefits a user having to do pcap analysis.
Basically, the Allegro Network Multimeter provides two different functionalities. On the one hand, it enables traffic to be filtered individually and clearly as a pcap is created; on the other hand, existing pcap files can be uploaded to the appliance for pre-selection for analysis with Wireshark.
Selective pcap capture from data on the Allegro Network Multimeter
First and foremost, the function as a pre-filter is discussed here. With the Allegro Network Multimeter, thanks to extensive filter functions and data correlations, one can easily and quickly navigate to the location where unexpected traffic is seen. There, a pcap can be saved directly from the selected network traffic where the error is suspected. This greatly reduced pcap file is then available for faster analysis with Wireshark.
This capture function is integrated in all analysis modules of the Allegro Network Multimeter. Starting from the dashboard, where you get a first overview of the most important parameters of the current network traffic, you can navigate through the different layers and get closer to the problem via the timeline and graphs. In most sections of the user interface there is a pcap download button with which you can capture the displayed, selected network traffic as a browser download, regardless of whether you want a pcap from the MAC statistics or a pcap from the HTTP protocols, for example.
If you want to solve a problem, for example why a VoIP call was so choppy last Wednesday, just navigate to the SIP module, set the desired time range and sort the calls from this time range by jitter, or filter them directly by telephone number. The problematic call can then be downloaded as a pcap for further packet analysis with Wireshark.
Not only can traffic be pre-selected at will; troubleshooting time is also shortened considerably, because with the Allegro Network Multimeter the time needed to create a pcap is reduced to a fraction.
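The pre-selection step described above (restrict a large capture to a time window, a protocol port and optionally a call identifier, then hand the much smaller file to Wireshark) can also be illustrated in code. The following is an added example written for this article, not code from Allegro Packets or from the appliance: a dependency-free Python slicer for classic libpcap files (pcapng is not handled). The sample capture, the addresses, the SIP port 5060 and the telephone number 4711 are all constructed for the demonstration.

```python
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic (host byte order when written)
LINKTYPE_ETHERNET = 1
SIP_PORT = 5060               # assumption: SIP signalling on the standard UDP port


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame for sample data (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp


def write_pcap(records: List[Tuple[float, bytes]], linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise (timestamp, frame) records as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a libpcap file, detecting the writer's byte order."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                               # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        yield sec + usec / 1e6, frame


def udp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (sport, dport) for an Ethernet/IPv4/UDP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:       # protocol byte must be UDP
        return None
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])


def slice_pcap(data: bytes, start: float, end: float, port: int,
               payload_contains: Optional[bytes] = None) -> List[Tuple[float, bytes]]:
    """Keep frames inside [start, end] that use `port` on UDP and, optionally, contain a marker
    (for instance a telephone number in the SIP headers). Returns the reduced record list."""
    kept = []
    for ts, frame in read_pcap(data):
        if not start <= ts <= end:
            continue
        ports = udp_ports(frame)
        if ports is None or port not in ports:
            continue
        if payload_contains is not None:
            ihl = (frame[14] & 0x0F) * 4
            if payload_contains not in frame[14 + ihl + 8:]:
                continue
        kept.append((ts, frame))
    return kept


def build_sample_capture() -> bytes:
    """Constructed sample: two SIP messages inside the window, one DNS query, one SIP BYE later."""
    return write_pcap([
        (1000.0, build_udp_frame("10.0.0.1", "10.0.0.2", 5060, 5060,
                                 b"INVITE sip:4711@example.invalid SIP/2.0\r\n")),
        (1000.5, build_udp_frame("10.0.0.1", "10.0.0.53", 40000, 53, b"\x12\x34")),
        (1001.0, build_udp_frame("10.0.0.2", "10.0.0.1", 5060, 5060, b"SIP/2.0 200 OK\r\n")),
        (2000.0, build_udp_frame("10.0.0.1", "10.0.0.2", 5060, 5060,
                                 b"BYE sip:4711@example.invalid SIP/2.0\r\n")),
    ])


if __name__ == "__main__":
    capture = build_sample_capture()
    reduced = slice_pcap(capture, 999.0, 1500.0, SIP_PORT, payload_contains=b"sip:4711")
    with open("reduced_for_wireshark.pcap", "wb") as fh:   # hand only the selection to Wireshark
        fh.write(write_pcap(reduced))
    print(f"kept {len(reduced)} of {len(list(read_pcap(capture)))} frames")
```

The time window is applied before the header parsing, so on a real multi-gigabyte file most records are skipped after reading only their 16-byte record header; the re-exported file is a plain libpcap file that Wireshark opens directly.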
Moreover, apart from basic administrator knowledge, no further know-how is required to operate the appliance. Most filters are predefined and only need to be selected. In addition, operators can be combined with each other in the command line.
Upload existing pcap files to the Allegro tool for filtering
The second functionality that the Allegro Network Multimeter provides to speed up the use of Wireshark is the uploading of pcaps.
If there was no possibility to pre-select the network traffic before capturing, for example because a pcap to be analysed was received from a third party, the file can be uploaded to the Allegro Network Multimeter retrospectively via USB or by drag and drop in a browser, and the appliance can then be used to view the data.
The Allegro Network Multimeter has a very high import speed, so files can be opened very quickly. The special feature here is that you can access the data that has already been imported. This speeds up the analysis many times over. Above all, the waiting time that normally has to be bridged is eliminated. So you can stay on topic and don't run the risk of being distracted during the waiting time.
In the Allegro Network Multimeter, a reduced-size pcap can be re-exported as described above and further analyzed in Wireshark.
Waiting until a pcap file is open and then determining important Wireshark data is a thing of the past.
This article explains several filter functions that Wireshark incorporates to reduce displayed data. Some of the more advanced filters may require more in-depth knowledge.
The second part deals with the Allegro Network Multimeter developed by Allegro Packets, which provides an extensive range of filter functions and allows them to be controlled with just a few clicks.
Filters can be easily applied without additional syntax knowledge to make it easy to use. In addition, the Allegro Network Multimeter speeds up troubleshooting, since an error can be quickly pinpointed. A pcap recorded from the problem area can reduce further packet analysis time since the Allegro Network Multimeter can process and read pcap files very quickly. Data can be analyzed during the reading process. Often, detailed packet analysis with Wireshark is unnecessary since a problem may have already been detected with the Allegro Network Multimeter and the solutions determined.