Line 71: | Line 71: | ||
Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets are stored to the disk. Each ring buffer can be configured by a separate list of rules. All packet that are not matching a condition are captured. The first matching condition is applied to the packets. | Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets are stored to the disk. Each ring buffer can be configured by a separate list of rules. All packet that are not matching a condition are captured. The first matching condition is applied to the packets. | ||
=== Filter rule conditions === | |||
The Allegro Network Multimeter supports packet slicing with the following conditions: | The Allegro Network Multimeter supports packet slicing with the following conditions: | ||
* all packets | * all packets → matches on all Ehternet packets | ||
* MAC address | * MAC address → matches a specific L2 Mac address | ||
* IP Address and IP Subnet | * IP Address and IP Subnet → matches a specific IP address and Subnet, works for IPv4 and IPv6 | ||
* TCP/UDP Ports | * TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port | ||
* | * L7 Protocol → matches one of the built-in L7 Protocols | ||
* Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double tagged VLAN frame | |||
* Interface → matches a specific network interface | |||
* SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow | |||
* Virtual Link Group → matches a virtual link group | |||
All conditions can be negated to match everything except an IP subnet and similar. | |||
=== Filter rule actions === | |||
The following items are supported as actions: | |||
* Snapshot Length → byte packet slicing, allows to capture only a certain amount of bytes per packet. | |||
* Discard → do not capture this packet | |||
* Full → capture the full packet | |||
* Header+Data → capture only up to L3 or L4 or a specified amount of L7 bytes. | |||
=== Filter rule examples === | |||
==== Capture all traffic from and to a single IP only. ==== | |||
This can be done with 2 rules. First rule matches the IP address and captures full, second rule drops all packets: | |||
[[File:Ring buffer filter one ip.png|border|600px]] | |||
== Performance == | == Performance == |
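Review bot: The one-IP example under "Filter rule examples" relies on two behaviours that are stated only in the unchanged paragraph above the new headings (packets matching no condition are captured, and the first matching condition is applied), so the example should say explicitly that rule order matters and that leaving out the final "all packets" rule with Discard means all other traffic is still written to disk. In "Filter rule conditions", the "all packets" entry misspells Ethernet as "Ehternet" and the MAC entry writes "Mac address" next to the label "MAC address"; the "IP Address and IP Subnet" entry does not say whether it matches source, destination or either, while the ports entry says "source or destination" and the example heading says "from and to a single IP". In "Filter rule actions", "Snapshot Length" and "Header+Data" both limit the bytes kept per packet; state how they differ and what unit the configured amount uses. The sentence "supports packet slicing with the following conditions" now sits under a heading about filter conditions in general and should be reworded to match, and the context line "All packet that are not matching" should read "All packets that do not match".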