Packet ring buffer
The ring buffer feature allows you to create a buffer of fixed size on an external storage device to which all processed packets are recorded. When the fixed-size buffer is full, the oldest packets in the buffer are replaced with new packets in a round-robin fashion. If the feature is not enabled, a button titled Create ring buffer is visible. Clicking it opens a dialogue that lets you specify the size of the ring buffer; make sure that enough space is available on the external storage device. As soon as the ring buffer has been created, statistics about the ring buffer are displayed instead of the button:
- Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.
- Total size: The total size of the ring buffer on the external storage device.
  - If the cluster packet ring buffer feature is active and the Write redundancy level is set to a value other than zero replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value is displayed next to it in parentheses.
- Used size: The currently used amount of storage in the capture buffer.
  - If the cluster packet ring buffer feature is active and the Write redundancy level is set to a value other than zero replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value is displayed next to it in parentheses.
- Overall bytes captured since start: The number of bytes captured since system start.
  - This may be smaller than the used size if the system has been restarted, and it may be larger than the used size when the ring buffer is full, because older packets have already been overwritten.
  - The history graph shows the captured traffic of the last minute or of the selected interval (if set).
- Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing.
  - This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.
- Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was therefore not written to the ring buffer.
  - The history graph shows the discarded traffic over time.
- Data in flight: The amount of data currently stored in the queue that holds processed packets before they are written to the packet ring buffer.
  - If larger bursts of traffic need to be held in this queue, its size can be modified in the capture module settings.
When the ring buffer is full and old packets are deleted, the graphs show the time range with no data with a dark grey background colour. The time range before the start of the ring buffer is visualized in the same way.

When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue appears asking you to specify from how far back in time the capture should start. This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. The capture will also continue with live traffic. If the user interface is in back-in-time mode (a timespan from the past is selected), starting a capture produces a dialogue asking you to confirm that the capture will cover exactly the selected timespan. The capture stops automatically after the selected timespan has been processed.
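The statistics above are easiest to understand by relating them to each other. The Python model below is an added example, not code from the product: it keeps a fixed byte budget, overwrites the oldest packets when full, holds processed packets in an in-flight queue before they reach storage, and counts arrivals that find the queue full as dropped bytes. The traffic pattern, the write budget per tick and the `Packet` layout are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    timestamp_ms: int   # arrival time; constructed sample values in this example
    data: bytes


class PacketRingBuffer:
    """Model of a fixed-size packet ring buffer on external storage.

    Processed packets first wait in an in-flight queue ("Data in flight");
    flush() models the storage device draining that queue with a limited
    write budget per tick.  Packets that arrive while the queue is full are
    counted as "Bytes dropped since start".  Once the ring is full, the
    oldest packets are overwritten round-robin to make room for new ones.
    """

    def __init__(self, capacity_bytes: int, in_flight_limit: int):
        self.capacity = capacity_bytes
        self.in_flight_limit = in_flight_limit
        self._ring = deque()        # stored packets, oldest on the left
        self._in_flight = deque()   # packets waiting to be written
        self.used_size = 0
        self.in_flight_size = 0
        self.captured_since_start = 0
        self.dropped_since_start = 0

    def submit(self, pkt: Packet) -> bool:
        """Queue a processed packet for writing; False means it was dropped."""
        if self.in_flight_size + len(pkt.data) > self.in_flight_limit:
            self.dropped_since_start += len(pkt.data)
            return False
        self._in_flight.append(pkt)
        self.in_flight_size += len(pkt.data)
        return True

    def flush(self, write_budget: int) -> int:
        """Write queued packets to the ring, at most write_budget bytes; returns bytes written."""
        written = 0
        while self._in_flight and written + len(self._in_flight[0].data) <= write_budget:
            pkt = self._in_flight.popleft()
            self.in_flight_size -= len(pkt.data)
            self._store(pkt)
            written += len(pkt.data)
        return written

    def _store(self, pkt: Packet) -> None:
        size = len(pkt.data)
        if size > self.capacity:            # can never fit, even in an empty ring
            self.dropped_since_start += size
            return
        while self.used_size + size > self.capacity:   # overwrite the oldest packets
            self.used_size -= len(self._ring.popleft().data)
        self._ring.append(pkt)
        self.used_size += size
        self.captured_since_start += size

    def oldest_timestamp_ms(self):
        """Timestamp of the oldest packet still in the ring, or None when empty."""
        return self._ring[0].timestamp_ms if self._ring else None

    def stats(self) -> dict:
        return {
            "oldest_timestamp_ms": self.oldest_timestamp_ms(),
            "used_size": self.used_size,
            "captured_since_start": self.captured_since_start,
            "dropped_since_start": self.dropped_since_start,
            "data_in_flight": self.in_flight_size,
        }


def simulate() -> dict:
    """Constructed scenario: 3 x 100-byte packets arrive per tick, storage writes 200 bytes per tick."""
    ring = PacketRingBuffer(capacity_bytes=600, in_flight_limit=300)
    seq = 0
    for _tick in range(5):
        for _ in range(3):
            ring.submit(Packet(timestamp_ms=seq * 100, data=bytes(100)))
            seq += 1
        ring.flush(write_budget=200)
    return ring.stats()


if __name__ == "__main__":
    print(simulate())
```

In this scenario the storage device is slower than the incoming traffic, so the in-flight queue fills and one packet per tick is dropped; at the same time the ring has wrapped, so bytes captured since start (1000) exceed the used size (600) and the oldest timestamp has moved forward. Both effects are exactly what the Bytes dropped and Overall bytes captured statistics signal on the real page.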
Cluster ring buffer
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.
It is also possible to create multiple cluster packet ring buffers that run in parallel. To enable multiple cluster packet ring buffers, the option `The maximum number of concurrent packet ring buffers` in the capture module options can be set to the required number.
When clicking the Create cluster ring buffer button, an empty cluster ring buffer will be created and the Cluster configuration tab on the now visible packet ring buffer statistics page becomes available.
If multiple cluster packet ring buffers are used, the page will show a number of buttons at the top to switch between the different clusters. Each cluster has its own statistics and configuration.
In the Cluster configuration tab you can configure the Write redundancy level at the very top. This level controls how many redundant copies of each packet are written. No replication means that only a single copy of each packet is written and provides no redundancy; this level gives the highest write bandwidth for a given number of disks. Single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. Double replication and triple replication write two and three additional copies of each packet respectively. Note that for each level to work, there must be at least replications + 1 disks available in the cluster.
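The relationship between redundancy level, disk count, write bandwidth and fault tolerance can be checked with the Python model below. It is an added example and not the product's own code: the level-to-copies mapping, the minimum disk count and the bandwidth reduction follow the text above, while the copy placement policy (rotate the starting disk per packet, copies on consecutive distinct disks), the disk names and the adjusted-size calculation (raw on-disk size divided by the number of copies) are assumptions of this example, not documented product behaviour.

```python
from dataclasses import dataclass, field

# Each level adds one more copy of every packet, so copies = replications + 1.
REDUNDANCY_LEVELS = {"none": 0, "single": 1, "double": 2, "triple": 3}


def copies_for_level(level: str) -> int:
    """Total copies written per packet (the original plus its replicas)."""
    return REDUNDANCY_LEVELS[level] + 1


def validate_cluster(level: str, disk_count: int) -> None:
    """A level needs at least replications + 1 disks so that no two copies share a disk."""
    needed = copies_for_level(level)
    if disk_count < needed:
        raise ValueError(f"{level} replication needs at least {needed} disks, cluster has {disk_count}")


def relative_write_bandwidth(level: str) -> float:
    """Write bandwidth relative to no replication: every extra copy costs a full write."""
    return 1.0 / copies_for_level(level)


def adjusted_size(raw_on_disk: int, level: str) -> int:
    """Assumption of this example: the adjusted statistic is the unique packet data,
    i.e. the raw on-disk value divided by the number of copies."""
    return raw_on_disk // copies_for_level(level)


@dataclass
class ClusterRingBuffer:
    level: str
    disks: list
    placements: dict = field(default_factory=dict)   # packet seq -> disks holding a copy
    failed: set = field(default_factory=set)

    def __post_init__(self) -> None:
        validate_cluster(self.level, len(self.disks))

    def write(self, seq: int) -> tuple:
        """Assumed placement policy: rotate the starting disk per packet and put each
        copy on the next distinct disk, so copies never share a disk."""
        n = copies_for_level(self.level)
        start = seq % len(self.disks)
        chosen = tuple(self.disks[(start + i) % len(self.disks)] for i in range(n))
        self.placements[seq] = chosen
        return chosen

    def fail_disk(self, disk: str) -> None:
        self.failed.add(disk)

    def lost_packets(self) -> list:
        """Packets with no surviving copy after the recorded disk failures."""
        return [seq for seq, held in self.placements.items() if all(d in self.failed for d in held)]


def demo() -> dict:
    disks = ["sda", "sdb", "sdc", "sdd"]     # constructed disk names
    no_repl = ClusterRingBuffer("none", disks)
    single = ClusterRingBuffer("single", disks)
    for seq in range(8):
        no_repl.write(seq)
        single.write(seq)
    no_repl.fail_disk("sdb")
    single.fail_disk("sdb")
    result = {
        "none_lost_one_disk": no_repl.lost_packets(),
        "single_lost_one_disk": single.lost_packets(),
    }
    single.fail_disk("sdc")   # a second failure exceeds what single replication tolerates
    result["single_lost_two_disks"] = single.lost_packets()
    return result


if __name__ == "__main__":
    print(demo())
```

With four disks and single replication, losing one disk loses no packets, while the same failure under no replication loses every packet that happened to be placed on that disk; a second simultaneous failure then exceeds the one extra copy and data is lost again. The redundancy level is therefore a trade between write bandwidth and how many disks may fail at once.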
Below the Write redundancy level setting is the list of all disks available for use in the cluster. The following columns are displayed in the list:
- Disk: A description of the disk and its capacity.
- Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.
- Status: If the disk has been added to the cluster this column will display the current status as ok or failed. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.
- Locator: For disks in a multi-disk enclosure, the button displayed in this column allows you to turn the slot locator LED on and off.
In the last unlabelled column, three buttons are displayed which have the following functionality:
- Add to cluster: Add a fresh disk to the cluster.
  - The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.
- Resume in cluster: If the disk was previously part of a cluster, it can be resumed.
  - The data on that disk is then part of the packet ring buffer again.
- Remove from cluster: Remove the disk from the ring buffer.
  - The data stored on that disk is no longer part of the packet ring buffer, but the data is not removed from the disk. It can be resumed in the cluster at a later time.

If a disk is missing because it was e.g. removed from the enclosure, it is displayed in a separate list with much the same information as in the list described above, but with only one button, which offers to remove it from the cluster packet ring buffer.
Packet ring buffer snapshot length filter
Rules can be configured to control the snapshot length of each packet that is stored in the packet ring buffer. These rules can also be used to prevent certain packets from being stored in the packet ring buffer at all. This allows you to fine-tune how much packet data needs to be written to the packet ring buffer. The information about the original length of a packet is still available in captures, except when the packet was not written to the packet ring buffer at all (e.g. due to a discard rule).
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.
Evaluation of the rules takes place in the order of the rules as displayed in the rules list, from top to bottom. The first rule that matches a given packet is applied and no further rules are evaluated for that packet. This means that the most generic rule should be at the bottom of the list (e.g. 'all packets will be discarded') and more specific rules should be higher up in the list (e.g. 'packets with an IP matching 192.168.1.0/24 will be fully captured').
When creating a snapshot length filter rule, a dialogue is displayed that offers the following options:
- Rule condition: Specify which packets to match. The input field below allows entering the corresponding value. The available conditions are:
  - All packets: everything.
  - MAC address: source or destination MAC address.
  - IP address: source or destination IP address or subnet.
  - TCP port: the source or destination TCP port.
  - UDP port: the source or destination UDP port.
  - Layer 7 protocol: the selected Layer 7 protocol.
  - outer VLAN tag: the outermost VLAN tag (directly after the Ethernet header).
  - interface: the ingress interface the packet originated from.
  - SIP phone number: The number matches part of the 'From:', 'To:', 'Request-URI', 'Contact', 'P-Asserted-Identity' or 'P-Preferred-Identity' entry in a SIP INVITE packet.
    - Only the part between '<' and '>' of the From/To line is tested.
    - The value '234' will match 'From: "Caller1" <sip:234>', but also 'From: "Caller2" <sip:12345@test>'.
    - To match from the start, use 'sip:234'.
    - Correlating SIP packets for the same Call-ID will match. The RTP and RTCP packets correlated to this SIP call will also match.
  - Calls between SIP phone number A and B: Match SIP, RTP and RTCP packets related to SIP phone calls between both numbers.
  - virtual link group: the virtual link group the packet belongs to.
  - SSL after handshake: SSL packets that occur after the SSL handshake (the encrypted part of the SSL communication).
- Negate: Controls the comparison of the rule condition to the value. If this is off, the value must match; if this is on, the value must not match.
- Action: What shall be done with the matching packets. The available actions are:
  - Snapshot length: The packet is captured with a maximum length as specified in the input field below. If the packet is larger, the remaining bytes are discarded.
  - Discard: Discard the whole packet.
  - Full: The entire packet is captured.
  - Header + data: Capture just certain parts of the packet.
    - When selecting L3 header, the Layer 2 and Layer 3 headers are stored.
    - When selecting L3 + L4 header, the Layer 2, 3 and 4 headers are stored.
    - When selecting L3 + L4 + L7 data, an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.
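The first-match evaluation order, the Negate switch and the per-action stored length are worth seeing end to end. The Python code below is an added example, not the product's implementation: it parses constructed Ethernet/IPv4/TCP|UDP frames to find the Layer 3 and Layer 4 header boundaries, walks a rule list top to bottom and returns how many bytes of each frame would reach the ring buffer (0 meaning discarded). Only the IP address, TCP port, UDP port and All packets conditions are modelled, the rule list and all addresses (including the documentation address 192.0.2.53) are constructed, and the behaviour for a packet matching no rule (stored in full) is an assumption of this example.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR = 14


@dataclass
class Parsed:
    total_len: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    l3_end: int   # offset just past the IPv4 header (Layers 2 + 3)
    l4_end: int   # offset just past the TCP/UDP header (Layers 2 + 3 + 4)


def parse_frame(frame: bytes) -> Parsed:
    """Minimal parser; this example handles untagged IPv4 frames only."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("example handles untagged IPv4 frames only")
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    proto = frame[ETH_HDR + 9]
    src = ipaddress.IPv4Address(frame[ETH_HDR + 12:ETH_HDR + 16])
    dst = ipaddress.IPv4Address(frame[ETH_HDR + 16:ETH_HDR + 20])
    l3_end = ETH_HDR + ihl
    sport = dport = None
    l4_end = l3_end
    if proto == 6:      # TCP: header length comes from the data offset field
        sport, dport = struct.unpack("!HH", frame[l3_end:l3_end + 4])
        l4_end = l3_end + (frame[l3_end + 12] >> 4) * 4
    elif proto == 17:   # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", frame[l3_end:l3_end + 4])
        l4_end = l3_end + 8
    return Parsed(len(frame), src, dst, proto, sport, dport, l3_end, l4_end)


@dataclass
class Rule:
    condition: str          # "all", "ip", "tcp_port", "udp_port"
    value: object = None    # address/subnet string or port number
    negate: bool = False
    action: str = "full"    # "full", "discard", "snaplen", "l3", "l3l4", "l3l4l7"
    length: int = 0         # snapshot length, or amount of Layer 7 data for l3l4l7


def rule_matches(rule: Rule, p: Parsed) -> bool:
    if rule.condition == "all":
        hit = True
    elif rule.condition == "ip":
        net = ipaddress.ip_network(rule.value, strict=False)
        hit = p.src in net or p.dst in net
    elif rule.condition == "tcp_port":
        hit = p.proto == 6 and rule.value in (p.sport, p.dport)
    elif rule.condition == "udp_port":
        hit = p.proto == 17 and rule.value in (p.sport, p.dport)
    else:
        raise ValueError(f"unsupported condition {rule.condition}")
    return hit != rule.negate   # Negate inverts the comparison result


def stored_length(rules: list, frame: bytes) -> int:
    """Bytes of the frame that reach the ring buffer (0 = discarded); first matching rule wins."""
    p = parse_frame(frame)
    for rule in rules:
        if not rule_matches(rule, p):
            continue
        if rule.action == "discard":
            return 0
        if rule.action == "full":
            return p.total_len
        if rule.action == "snaplen":
            return min(rule.length, p.total_len)
        if rule.action == "l3":
            return p.l3_end
        if rule.action == "l3l4":
            return p.l4_end
        if rule.action == "l3l4l7":
            return min(p.l4_end + rule.length, p.total_len)
        raise ValueError(f"unsupported action {rule.action}")
    return p.total_len   # assumption: a packet matching no rule is stored in full


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + IPv4 (no options) + TCP (no options) or UDP."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


# Specific rules first, the generic catch-all last (first match wins).  Constructed rule list.
RULES = [
    Rule("ip", "10.0.0.0/8", negate=True, action="discard"),   # nothing outside 10/8 is retained
    Rule("ip", "192.168.1.0/24", action="full"),
    Rule("tcp_port", 443, action="l3l4"),                      # headers only, skip encrypted payload
    Rule("tcp_port", 80, action="snaplen", length=96),
    Rule("udp_port", 53, action="l3l4l7", length=64),
    Rule("all", action="discard"),
]


def demo() -> dict:
    frames = {   # constructed sample traffic
        "lan_https": build_frame("192.168.1.10", "10.0.0.5", 6, 51000, 443, bytes(200)),
        "https": build_frame("10.1.1.1", "10.2.2.2", 6, 5000, 443, bytes(300)),
        "http": build_frame("10.1.1.1", "10.3.3.3", 6, 1234, 80, bytes(500)),
        "dns": build_frame("10.1.1.1", "192.0.2.53", 17, 40000, 53, bytes(100)),
        "other_udp": build_frame("10.1.1.1", "10.9.9.9", 17, 1000, 2000, bytes(50)),
        "foreign_https": build_frame("172.16.0.1", "172.16.0.2", 6, 5000, 443, bytes(300)),
    }
    return {name: stored_length(RULES, frame) for name, frame in frames.items()}


if __name__ == "__main__":
    print(demo())
```

The two HTTPS frames show why order matters: the one from 192.168.1.10 hits the specific full-capture rule before the port 443 rule, while the one between 172.16.0.0/12 hosts is discarded by the negated 10.0.0.0/8 rule at the top and never reaches the port 443 rule. Rules of this kind let a defender keep connection metadata for encrypted traffic without spending ring buffer space on payload that cannot be inspected anyway.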
Analyzing the packet ring buffer
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.
Extracting the packet ring buffer
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.