Packet ring buffer
Packet ring buffer
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round robin fashion. If the feature is not enabled a button titled Create ring buffer is visible. Upon clicking on it a dialog will be displayed and allows to specify the size of the ring buffer. It must be ensured that enough space is available on the external storage device. As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:
- Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.
- Total size: The total size of the ring buffer on the external storage device.
- If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data.
- The raw on-disk value will be displayed next to it in parentheses.
- Used size: The currently used amount of memory in the capture buffer.
- If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.
- Overall bytes captured since start: The amount of captured bytes since system start.
- This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full.
- The history graph shows the captured traffic of the last minute or in the selected interval (if set).
- Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing.
- This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.
- Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer.
- The history graph shows discarding over time.
- Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer.
- If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data in darkgrey background color. The time range before start of the ring buffer will be visualized in the same way. When the ring buffer is running, the behavior of the PCAP capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialog will appear asking to specify from how far back in time the capture should start. This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. The capture will also continue with live traffic. If the user interface is in back-in-time mode (a timespan from the past is selected) starting a capture will produce a dialog asking to confirm that the capture will cover exactly the timespan selected. The capture will automatically stop after the selected timespan has been processed.
Cluster ring buffer
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. It also allows to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.
It is also possible to create multiple cluster packet ring buffers that run in parallel. To enable multiple cluster packet ring buffers the option `The maximum number of concurrent packet ring buffers` in the capture module options can be set to the required number.
When clicking the Create cluster ring buffer button an empty cluster ring buffer will be created and the Cluster configuration tab on the now visible packet ring buffer statistics page becomes available.
If multiple cluster packet ring buffers are used the page will show a number of buttons at the top to switch between the different clusters. Each cluster has it's own statistics and configuration.
In the Cluster configuration tab you can configure the Write redundancy level at the very top. This level controls how many redundant copies of each packet are written. no replication means, that only a single copy of each packet is written and provides no redundancy. This level gives the highest write bandwidth for a given number of disks. single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disk to half the performance of no replication. double replication and triple replication write two and three additional copies of each packet respectively. Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.
Below the Write redundancy level setting is the list of all disks available for use in the cluster. Following columns are displayed in the list:
- Disk: A description of the disk and its capacity.
- Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.
- Status: If the disk has been added to the cluster this column will display the current status as ok or failed. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.
- Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off.
In the last unlabeled column there are three buttons displayed which have the following functionality:
- Add to cluster: Add a fresh disk to the cluster.
- The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.
- Resume in cluster: If the disk was previously part of a cluster it can be resumed.
- The data on that disk is now part of the packet ring buffer.
- Remove from cluster: Remove the disk from the ring buffer.
- The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time.
- If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.
Packet ring buffer snapshot length filter
Rules can be configured that control the snapshot length of each packet which shall be stored in the packet ring buffer. These rules can also be used to prevent certain packets from being stored in the packet ring buffer. This allows to fine tune how much packet data needs to be written to the packet ring buffer. The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a discard rule).
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).
When creating a snapshot length filter rule, a dialog is displayed and allows following options:
- Rule condition: Match all packets or a certain MAC or IP address, TCP/UDP port, a layer 7 protocol a VLAN tag or an interface.
- The input field below allows entering the corresponding value.
- Negate: Controls comparison of the rule condition to the value. If this is off, the value must match.
- If this is on, the value must not match.
- Action: What shall be done with the matching packets.
- Snapshot length: The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.
- Discard: Discard the whole packet.
- Full: The whole packet is captured.
- Header + data: Capture just certain parts of the packet. When selecting L3 header, layer 2 and layer 3 headers are stored.
- When selecting L3 + L4 header, layer 2, 3 and 4 headers are stored.
- When selecting L3 + L4 + L7 data, an input field is shown where the length of layer 7 data can be configured. In this case layer 2, 3 and 4 are stored together with the specified amount of layer 7 data.
Analyzing the packet ring buffer
When the packet ring buffer is activated it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. When the Analyze packet ring buffer button is pressed a dialog will appear which allows to choose the time range of the packet ring buffer which is to be replayed. After confirming this dialog the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.
Extracting the packet ring buffer
When the packet ring buffer is active the complete contents of it can be extracted by capturing the complete timespan that is contained within. For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.