Ring Buffer Configuration Guide

From Allegro Packets Product Wiki

This section describes the ring buffer configuration and options for the Allegro Network Multimeter.

What is the ring buffer?

Historic capture dialog.png

The ring buffer is a packet buffer. It stores raw Ethernet packets on one or more storage devices. A storage device is an internal or external HDD or SSD. When the buffer is full, it overwrites the oldest packets in a circular manner. The ring buffer is an optional feature of the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory Database.

Allegro recommends that you read the ring buffer White Paper on the Allegro Packets website.

Webshark and pcap extraction work with historic dates, as in the screenshot on the right. This dialogue is opened with the pcap button in the Allegro User Interface. The Allegro Network Multimeter searches the ring buffer for all packets that match the criteria and extracts them.

If there is no ring buffer configured, the Allegro allows a pcap extraction of live traffic only.

Different ring buffer modes

The ring buffer supports two different modes. The single shared ring buffer can be used if you need only one ring buffer that fits on your storage device. It uses one shared storage device for both the ring buffer and pcap to disk. This mode is recommended if only one storage device is used, since it allows a ring buffer and space for pcap files on the same device. Please note that using both features at the same time may lead to a performance bottleneck.

The cluster ring buffer mode allows you to use multiple ring buffers, where each ring buffer can span multiple disks. It also allows a separate disk for pcap files, so that fast ring buffer writes and fast pcap to disk writes can happen at the same time.

Single shared ring buffer

The single shared ring buffer is the default setup on all Allegro Network Multimeters that are shipped with one internal or external storage device. This mode is designed for ONE internal, external or iSCSI storage device (please see the section #iSCSI ring buffer for more information). It does not allow you to use multiple ring buffers with one Allegro Network Multimeter. You can check at Generic → Storage whether the Allegro Network Multimeter has detected a storage device. Here is an example of ONE attached disk:

Storage no device active.png

Here you can activate and deactivate the storage device for pcap files. You can also format new disks with the Format option, which erases the content of the disk. If the disk has not been formatted before, press the Format button here. It will show the dialogue:

Format disk dialogue.png

Here you can decide whether disk encryption will be used or not, see #Encryption below. You can also decide if and how much space can be used for the packet ring buffer. Please note that you cannot save any pcap files to the external disk when you use 100 % for the ring buffer.

Once the disk has been formatted, you can continue with the configuration of the ring buffer at Generic → Ring buffer. If you have created a disk with a ring buffer, you should see the statistics of the buffer as in the screenshot below.

Running packet ring buffer.png

The ring buffer is now running and all pcap buttons will work for historic dates. For advanced setup, please continue at the section #Filter Rules.

Cluster ring buffer

The cluster ring buffer is the default mode on all Allegro Network Multimeters that are shipped with two or more internal or external storage devices.

By default, the Allegro Network Multimeter uses one cluster ring buffer. If you need more, please open the Settings menu at the top right corner.

Settings button.png

Here you can increase the number of cluster ring buffers. We will continue this tutorial with 2 ring buffers to show the full flexibility of the Allegro. Please note that you need to restart the processing when you change this parameter. This can be done at Settings → Administration → Restart processing.

To enable the cluster ring buffer mode, please check at Generic → Ring buffer whether the tab Cluster configuration is selected. If it is not selected, delete the non-cluster ring buffer with:

Delete ring buffer button.png

Once this is done, you should see the dialogue:

Select ring buffer.png

Here you can select Create cluster ring buffer. Once this is selected, you will see all available clusters of ring buffers. By default, the first cluster is running but has no disk assigned to it. The size of the buffer is 0 Bytes and it drops all packets written into it.

Cluster ring buffer initial startup.png

As a next step, please select the configuration for the cluster.

Cluster ring buffer configuration.png

Please select here Add to cluster to format a disk and add it to the cluster. Once you have added disks to a cluster, the packets will be written to the storage device.

Cluster ring buffer with disks.png

Filter Rules

Both ring buffer modes support packet filtering. Most situations require that only a subset of all packets is stored to disk. Each ring buffer is configured with its own list of rules. Rules are evaluated in order and the first matching rule is applied to the packet. All packets that do not match any rule are captured.

Filter rule conditions

The Allegro Network Multimeter supports filter rules with the following conditions:

  • All packets → matches all Ethernet packets
  • MAC address → matches a specific L2 MAC address
  • IP Address and IP Subnet → matches a specific IP address and subnet, works for IPv4 and IPv6
  • TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port
  • L7 Protocol → matches one of the built-in L7 protocols
  • Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame
  • Interface → matches a specific network interface
  • SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow
  • Virtual Link Group → matches a virtual link group
  • SSL after handshake → matches packets of SSL connections that occur after the SSL handshake

All conditions can be negated to match everything except an IP subnet and similar.

Filter rule actions

The following items are supported as actions:

  • Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet
  • Discard → do not capture this packet
  • Full → capture the full packet
  • Header+Data → capture only up to the L3 or L4 header, or up to a specified number of L7 bytes

Filter rule examples

Filter rules can be set up below the statistics of each ring buffer. This is a list of the most-used filter rules. Note that you can combine these rules.

Capture all traffic from and to a single IP

This use case applies when you need to investigate the packets of one IP but still need the statistics of the whole link. This is common where the link bandwidth is above the ring buffer write rate, for example when you monitor a heavily loaded 10G or 40G link with a single HDD as the ring buffer device.

You need to set up two rules to capture only a single IP. The first rule matches the IP address and captures the entire payload; the second rule drops all packets. Note that the second rule also drops all non-IP packets, such as ARP requests.

Ring buffer filter one ip.png

Capture only the handshake of SSL traffic and limit the encrypted part to L4

Another common use case is to not capture encrypted content. This can be done by setting up a rule for SSL after handshake packets that captures only up to the L4 header, which is sufficient for IP and TCP investigation. This can be configured with the following settings:

The configured rule will look like:

Capture full SIP, capture RTP to the first 12 bytes of the payload and drop all other packets

This is a common VoIP use case where you are allowed to capture the signaling traffic and the RTP header (12 bytes) but not the RTP payload. Here is the example rule setup:

Ring buffer rule sip rtp.png

Capture all packets except SIP and RTP

This use case is very common for all environments where no voice is allowed to be captured. Here is the example rule setup:

Ring buffer rule drop sip rtp.png
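The rule semantics described under Filter Rules (ordered evaluation, first match wins, unmatched packets captured in full) and the VoIP and SSL examples above, as an added model in Python. This is not Allegro's code; the packet fields, layer offsets and rule set names are assumptions made for the demonstration.

```python
# Added example (not Allegro's code): a small model of the ring buffer filter
# semantics. Rules are checked in order, the first matching rule's action
# applies, and a packet that matches no rule is captured in full.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Packet:
    # Constructed sample packet; l4_end is an assumed offset (Ethernet+IPv4+TCP/UDP).
    src: str
    dst: str
    l7: str                 # e.g. "SIP", "RTP", "HTTP", "SSL"
    ssl_after_handshake: bool = False
    l4_end: int = 54        # byte offset where the L4 header ends
    length: int = 1500

@dataclass
class Rule:
    match: Callable[[Packet], bool]
    action: str             # "full", "discard", "snaplen", "l4", "l7bytes"
    value: int = 0          # snaplen bytes or number of L7 bytes to keep
    negate: bool = False    # every condition can be negated

def captured_bytes(pkt: Packet, rules: list[Rule]) -> int:
    """Return how many bytes the ring buffer keeps for pkt (0 = dropped)."""
    for rule in rules:
        hit = rule.match(pkt)
        if rule.negate:
            hit = not hit
        if not hit:
            continue
        if rule.action == "discard":
            return 0
        if rule.action == "full":
            return pkt.length
        if rule.action == "snaplen":
            return min(pkt.length, rule.value)
        if rule.action == "l4":                  # Header+Data up to L4
            return min(pkt.length, pkt.l4_end)
        if rule.action == "l7bytes":             # Header+Data plus N L7 bytes
            return min(pkt.length, pkt.l4_end + rule.value)
        raise ValueError(f"unknown action {rule.action}")
    return pkt.length   # no rule matched: capture everything

# "Capture full SIP, RTP up to 12 payload bytes, drop everything else".
VOIP_RULES = [
    Rule(lambda p: p.l7 == "SIP", "full"),
    Rule(lambda p: p.l7 == "RTP", "l7bytes", 12),
    Rule(lambda p: True, "discard"),
]
# "Capture only the SSL handshake, limit the encrypted part to L4".
SSL_RULES = [Rule(lambda p: p.ssl_after_handshake, "l4")]
```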

Performance

Disk read and write performance

Note that one disk can have one shared ring buffer or be part of one cluster ring buffer. Hard disk drives have a high constant write rate when only one write is active.

The Allegro Network Multimeter has a write-first policy on the ring buffer devices: writes are prioritized over reads. A pcap read can therefore be very slow while there is a high write rate to the ring buffer.

Concurrent ring buffer and live pcap recording

Note that HDDs are not made for 2 simultaneous write streams. The write rate will be very low if you capture a live pcap to the single shared storage device while having an active ring buffer. Please use the browser download feature, different disks with the cluster ring buffer or pause the ring buffer while capturing the live pcap.

Buffering traffic peaks or disk slowdowns

Note that most HDDs and SSDs do not have a guaranteed write rate. In particular, HDDs attached via USB or SATA3 can have pauses of hundreds of milliseconds between writes. Each ring buffer uses a certain amount of memory to buffer traffic peaks. This buffer can be configured in the Settings of the ring buffer.

Ring buffer queue resize config.png

You can check if the queue length is large enough with the Bytes in Flight graph and the Dropped Bytes graph in the ring buffer statistics.

Ring buffer data in flight.png

iSCSI ring buffer

DISCLAIMER Whenever possible, use a direct-connected exclusive external storage device via USB. The Allegro Network Multimeter can control the USB channel far better than an iSCSI channel due to exclusivity.

The iSCSI ring buffer feature allows you to mount an iSCSI volume via the management interface. Allegro recommends using this feature only for capture rates up to 1 GBit/s. The iSCSI controller must have an exclusive low-latency connection to the Allegro Network Multimeter, and its write rate must be reserved for the Allegro Network Multimeter. The management traffic between the Allegro and the iSCSI target is not monitored by the Allegro, to prevent a write loop. If the rate is not exclusive, other reads or writes will heavily reduce the constant write rate. Note that the iSCSI connection is not encrypted.

Advanced Options

Disk format

The Allegro Network Multimeter uses EXT4 for all formatted file systems for the ring buffer. EXT4 file systems support advanced features that are mandatory to capture with full SSD speed.

Encryption

The Allegro Network Multimeter uses an AES-256 LUKS encryption container for encrypted single shared ring buffers. You can connect and mount the encrypted disk with many Linux distributions; you will be asked for your password to open the container. The Allegro uses hardware encryption if available. The Allegro 200 has no hardware encryption support and can encrypt up to 400 MBit/s in software. All other Allegro devices can encrypt at 2 GB/s using the built-in hardware encryption.

The Allegro does not store the password of the encrypted device on the disk. You need to re-enter the password whenever you unmount, reboot or power off the Allegro Network Multimeter.

The encryption is not available for the cluster ring buffer.