Capturing

From Allegro Packets Product Wiki

With the Allegro Network Multimeter it is possible to create a capture in pcap format which can be opened with tools such as Wireshark.

How can I create a pcap of a specific IP or MAC address?

All Allegro Network Multimeter modules have a dedicated pcap button that captures most traffic types. To capture a specific IP address, go to 'IP' -> 'IP statistics', navigate to the desired IP address and click the pcap button.

Ap-mm-capture-ip-statistics.png

To find an IP address quickly, you can sort the IP table by almost every column. The filter is a fast way to reduce the table content, e.g. by typing fragments of the IP address or the DNS name into the filter input field.

Another quick way to create a pcap of a specific address is to use the simple capture. Go to 'Generic' -> 'Capture traffic', enable the MAC switch, set an address and click the "Start capture" button.

Ap-mm-capture-capture-simple.png

Which settings should I choose?

After clicking the capture button, the dialogue "Choose capture settings" is displayed. Here you can limit the start and end time of the capture and select whether to download the pcap file directly to your computer or store it on the storage device attached to the Multimeter. You can also truncate each captured packet to a given length if you do not need the full packet and just want a small pcap file that opens faster in Wireshark. Keep in mind that everything beyond that length, including application payload, is lost and cannot be recovered from the pcap later.

Ap-mm-capture-choose-capture-settings.png

Clicking "Start capture" begins the capture.

How can I extract traffic from the past?

With the Allegro Network Multimeter packet ring buffer, it is possible to extract traffic from the past and turn it into a pcap. The packet ring buffer is stored on the external storage device attached to the USB port, or on an internal storage device if your Allegro Network Multimeter is equipped with one. A fast USB3-capable SSD is recommended. A USB thumb drive can also be used, but packets from traffic bursts may be dropped if the thumb drive's write speed is too slow.

You can see an overview of all storage devices that can be used by the Allegro Multimeter under 'Generic' -> 'Storage'.

Ap-mm-capture-storage.png

In the screenshot, an external SSD is attached to the USB port but not yet activated. Click the "Activate" button so the device can be used. If the filesystem of the disk is not suitable for the ring buffer, a warning pops up prompting you to format the disk; formatting erases all data on it. After formatting or activating, the storage page displays information on disk usage and an overview of all files on the disk. Note that the ring buffer holds raw packet data, so the storage device should be handled with the same care as the traffic itself.

Ap-mm-capture-storage-active.png

Now that the storage is active, the ring buffer has to be created if not already prepared during formatting. This can be achieved in 'Generic' -> 'Packet ring buffer'. Click the "Create ring buffer" button.

Ap-mm-capture-create-ring-buffer.png

The size of the ring buffer must be specified. If you do not need to store pcap files on the same storage device, the ring buffer can use 100% of the device's capacity; otherwise leave enough room for the pcap files you intend to store there.

Ap-mm-capture-ring-buffer-size.png

When the packet ring buffer is created and running, the "Packet ring buffer" statistics page displays information about ring buffer usage, together with several graphs of stored and filtered traffic. A filter can be applied to determine which packets are stored in the ring buffer. See the chapter Packet ring buffer for more details.

Ap-mm-capture-ring-buffer-statistics.png

When the packet ring buffer is up and running, any capture can be used to extract traffic from the past. Select a timespan in any graph of the user interface with the left mouse button and then click a pcap button. The selected timespan is shown in the start and end time fields of the "Choose capture settings" dialogue.

Ap-mm-capture-choose-capture-settings-2.png

Start and end times can be changed by using the date and time popup window when selecting the time fields or clicking the dedicated buttons for commonly used times. If the start time is earlier than the start of the packet ring buffer, it will be adjusted to the start and a hint will be displayed.

Is it possible to plan a future capture?

Yes. Simply select the desired start time in the "Choose capture settings" dialogue and the capture will start with the first packet at that time.

Create complex captures with several criteria

Captures can be started with complex filter expressions, e.g. for a specific IP address combined with a Layer 7 protocol.

To get a basic overview, start a capture from any module. All running captures are listed under the capture button in the top bar of the web interface.

Ap-mm-capture-filter-expression.png

On the "Start simple capture" page, all frequently used filter expressions are easily accessible. The resulting expression is displayed below.

Ap-mm-capture-capture-simple-2.png

This expression can be used and edited in the expert filter field. All filters can be combined with "and" / "&&" or "or" / "||". Parentheses may be used to clarify precedence.

The chapter Capture module explains every possible filter.

Generate a pcap via the command line

It is easy to generate a pcap from the command line or in scripts with "curl", a tool that ships with recent versions of Windows 10, Linux and macOS.

Just type:

curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?expression=ip==10.1.2.3' -o path_to/capture.pcap

The user name, password and host name are the same as the ones used to access the web interface. Every filter expression that can be used in the web interface can also be used here. Quote the URL, and percent-encode the expression if it contains spaces or "&&", because an unencoded "&" ends the expression parameter. Two caveats for scripts: "-k" disables TLS certificate verification, so prefer "--cacert" with the Multimeter's certificate where possible, and a password given with "-u USER:PASSWORD" ends up in the shell history and process list; use "-u USER" to be prompted, or store the credentials in a netrc file readable only by you.

Check out the chapter Capture module for further information.
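The following POSIX shell script is an added example and is not code from the Allegro Packets wiki or the product itself. It combines filter terms with the "&&" / "||" operators and parentheses described above, percent-encodes the result for the capture endpoint shown on this page, downloads the pcap with curl without disabling certificate verification, and checks the downloaded file's magic number so that an HTTP error page is never mistaken for a capture. Only the /API/data/modules/capture?expression= endpoint and the ip== syntax come from the page; the host name, the certificate path, the netrc file location, the any_of/all_of helpers and the assumption that ip== matches either endpoint of a packet are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Allegro Packets wiki or product code.
# Assumed: ALLEGRO_CACERT points at the Multimeter's TLS certificate and
# ALLEGRO_NETRC at a netrc file (mode 0600) holding the web interface login.

# Percent-encode a filter expression so that '==', '&&', '||' and spaces
# survive the query string (a bare '&' would end the 'expression' parameter).
urlencode() {
  LC_ALL=C
  s=$1
  out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}            # first character of $s
    s=${s#?}                   # drop it
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Join terms with '||' inside parentheses (e.g. several IP addresses).
any_of() {
  acc=
  for term in "$@"; do
    if [ -z "$acc" ]; then acc=$term; else acc="$acc || $term"; fi
  done
  printf '(%s)' "$acc"
}

# Join terms with '&&' (every term must match).
all_of() {
  acc=
  for term in "$@"; do
    if [ -z "$acc" ]; then acc=$term; else acc="$acc && $term"; fi
  done
  printf '%s' "$acc"
}

# Capture URL for host $1 and filter expression $2 (endpoint from the page).
capture_url() {
  printf 'https://%s/API/data/modules/capture?expression=%s' "$1" "$(urlencode "$2")"
}

# Succeeds if $1 starts with a pcap magic number (either byte order,
# microsecond or nanosecond timestamps) or the pcapng block type.
is_pcap() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case $magic in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
    *) return 1 ;;
  esac
}

# Download a capture: $1 = host, $2 = filter expression, $3 = output file.
# --cacert pins the device certificate instead of turning verification off
# with -k, --netrc-file keeps the password out of the command line, and
# --fail stops curl from saving an HTTP error body as "capture.pcap".
fetch_capture() {
  curl --fail --silent --show-error \
       --cacert "${ALLEGRO_CACERT:-allegro-mm.crt}" \
       --netrc-file "${ALLEGRO_NETRC:-$HOME/.allegro-netrc}" \
       -o "$3" "$(capture_url "$1" "$2")" || return 1
  is_pcap "$3" || { echo "$3 is not a pcap file" >&2; return 1; }
}

# Usage: only runs when ALLEGRO_HOST is set, e.g.
#   ALLEGRO_HOST=allegro-mm-XXXX sh capture.sh
# Captures traffic between 10.1.2.3 and either of two peers.
if [ -n "${ALLEGRO_HOST:-}" ]; then
  filter=$(all_of 'ip==10.1.2.3' "$(any_of 'ip==10.9.9.9' 'ip==10.9.9.10')")
  fetch_capture "$ALLEGRO_HOST" "$filter" capture.pcap && echo "saved capture.pcap"
fi
```

The netrc file follows the standard format, one line of the form "machine allegro-mm-XXXX login USER password PASSWORD"; with the file at mode 0600 the credentials are neither visible in the process list nor written to the shell history. The magic-number check matters because a wrong filter or an expired session can return an HTML or JSON error body that Wireshark would simply refuse to open.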

It takes too long to open a pcap file in Wireshark. What can I do?

If you are in a situation where you have a large pcap and are only interested in the traffic between two specific IP addresses, you can use the Allegro Network Multimeter to analyze the pcap file and extract the specific traffic for post-processing with tools such as Wireshark. See Forensic Pcap Analysis for details.