Capture module: Difference between revisions

==''' Packet ring buffer'''==
The ring buffer feature allows creating a buffer of fixed size on an external storage device to which all processed packets are recorded. If the fixed-size buffer is full, the oldest packets in the buffer are replaced with new packets in a round-robin fashion. If the feature is not enabled, a button titled ‘Create ring buffer’ is visible. Clicking on it opens a dialog in which the size of the ring buffer can be specified. It must be ensured that enough space is available on the external storage device. As soon as the ring buffer has been created, statistics about the ring buffer are displayed instead of the button:
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.
* Total size: The total size of the ring buffer on the external storage device. If the cluster packet ring buffer feature is active and the Write redundancy level is set to a value other than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value is displayed next to it in parentheses.
* Used size: The currently used amount of memory in the capture buffer. If the cluster packet ring buffer feature is active and the Write redundancy level is set to a value other than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value is displayed next to it in parentheses.
* Overall bytes captured since start: The number of bytes captured since system start. This may be smaller than the used size if the system has been restarted, and it may be larger than the used size if the ring buffer is full. The history graph shows the captured traffic of the last minute or of the selected interval (if set).
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. The history graph shows the discarded traffic over time.
* Data in flight: The amount of data currently held in the queue that stores processed packets before they are written to the packet ring buffer. If larger bursts of traffic need to be absorbed by this queue, its size can be modified in the capture module settings.

When the ring buffer is full and old packets are deleted, the graphs show the time range with no data with a dark grey background colour. The time range before the start of the ring buffer is visualized in the same way. When the ring buffer is running, the behaviour of the PCAP capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialog appears asking from how far back in time the capture should start. This way it is possible, for example, to capture the traffic of an IP address starting from an hour ago. The capture also continues with live traffic. If the user interface is in “back-in-time” mode (a timespan from the past is selected), starting a capture produces a dialog asking to confirm that the capture will cover exactly the selected timespan. The capture stops automatically after the selected timespan has been processed.

==== Cluster ring buffer ====
The cluster ring buffer feature allows using multiple whole disks in parallel for a single packet ring buffer. It also allows optionally writing redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.
When clicking the ‘Create cluster ring buffer’ button, an empty cluster ring buffer is created and the ‘Cluster configuration’ tab on the now visible packet ring buffer statistics page becomes available. In the ‘Cluster configuration’ tab you can configure the ‘Write redundancy level’ at the very top. This level controls how many redundant copies of each packet are written. ‘no replication’ means that only a single copy of each packet is written and provides no redundancy; this level gives the highest write bandwidth for a given number of disks. ‘single replication’ means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half that of ‘no replication’. ‘double replication’ and ‘triple replication’ write two and three additional copies of each packet respectively. Note that for each level to work there must be at least (number of replications + 1) disks available in the cluster.
Below the ‘Write redundancy level’ setting is the list of all disks available for use in the cluster. The following columns are displayed in the list:
* Disk: A description of the disk and its capacity.
* Enclosure: If the disk is part of a multi-disk enclosure, this column shows the enclosure number along with the slot number.
* Status: If the disk has been added to the cluster, this column displays the current status as ‘ok’ or ‘failed’.
* Locator: For disks in a multi-disk enclosure, the button displayed in this column allows turning the slot locator LED on and off.
In the last, unlabeled column three buttons are displayed which have the following functionality:
* Add to cluster: Add a fresh disk to the cluster. The disk is formatted and added as empty storage to the cluster. All previous data on the disk is lost.
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. The data on that disk then becomes part of the packet ring buffer.
* Remove from cluster: Remove the disk from the ring buffer. The data stored on that disk is no longer part of the packet ring buffer, but the data is not removed from the disk. It can be resumed in the cluster at a later time.
If a disk is missing because it was, for example, removed from the enclosure, it is displayed in a separate list with much of the information of the list described above, but with only one button offering the option to remove it from the cluster packet ring buffer.

==== Packet ring buffer snapshot length filter ====
Rules can be configured that control the snapshot length of each packet to be stored in the packet ring buffer. These rules can also be used to prevent certain packets from being stored in the packet ring buffer at all. This allows fine-tuning how much packet data needs to be written to the packet ring buffer. The information about the original length of a packet is still available in captures, except when the packet was not written to the packet ring buffer at all (e.g. due to a ‘discard’ rule).
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. The first rule that matches a given packet is applied and no further rules are evaluated for that packet. This means that the most generic rule should be at the bottom of the list (e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (e.g. ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).
When creating a snapshot length filter rule, a dialog is displayed which offers the following options:
* Rule condition: Match all packets, or a certain MAC or IP address, TCP/UDP port, layer 7 protocol, VLAN tag or interface. The input field below allows entering the corresponding value.
* Negate: Controls the comparison of the rule condition with the value. If this is off, the value must match. If this is on, the value must not match.
* Action: What shall be done with the matching packets.
– Snapshot length: The packet is captured with a maximum length as specified in the input field below. If the packet is larger, the remaining bytes are discarded.
– Discard: Discard the whole packet.
– Full: The whole packet is captured.
– Header + data: Capture just certain parts of the packet. When selecting “L3 header”, layer 2 and layer 3 headers are stored. When selecting “L3 + L4 header”, layer 2, 3 and 4 headers are stored. When selecting “L3 + L4 + L7 data”, an input field is shown where the length of layer 7 data can be configured. In this case layers 2, 3 and 4 are stored together with the specified amount of layer 7 data.

==== Analyzing the packet ring buffer ====
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. When the Analyze packet ring buffer button is pressed, a dialog appears which allows choosing the time range of the packet ring buffer which is to be replayed. After confirming this dialog the Network Multimeter resets all statistics and starts analyzing the contents of the packet ring buffer. Progress, statistics and the option to resume normal operation appear on the Packet ring buffer page.

==== Extracting the packet ring buffer ====
When the packet ring buffer is active, its complete contents can be extracted by capturing the complete timespan contained within it. For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.

==Capture module ==
The Network Multimeter allows direct capturing of network traffic as an HTTP download to your computer. No packet data is stored on the device itself. Traffic can be filtered directly for specific packets, so that only the relevant packets are captured.
In addition, it is also possible to capture network traffic to an attached storage device, see the settings section below for details.
Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow capturing specific traffic, for example for a certain IP address or a network protocol.
The capture module allows configuring filters for traffic that has not even started yet, for example for an IP address that is not in use at the moment but might be used later.
The capture module page displays all currently running captures and allows starting new captures with specific filters.

==== Current captures ====
The first part of the page displays all downloads running for the current user session, and all downloads running for other user sessions (for example when a download has been started outside the browser by directly using command line tools such as wget or curl).
The list contains the client IP and port of the user running the download. The next three counters describe the number of packets captured for the corresponding filter, the number of packets dropped by the capturing module, and the number of ignored packets. Packet drops happen when more packets are captured than can be transferred via HTTP to the client. Ignored packets do not match the given capture filter.
The following columns list the applied filter criteria.
The last column contains a button to stop the corresponding download. Downloads can also be stopped by clicking the same capture button that started the capture in the corresponding module.
If multiple devices have been configured, the list also contains all captures from all multi-devices, which can be stopped individually.

==== Recently captured ====
This list shows the most recently performed captures for the current user. The most recent capture is displayed at the top. Next to each capture there is a button to permanently save this capture as a favorite as well as a button to simply start this capture again. The button “Delete list of recent captures” deletes all entries from this list.

==== Favourites ====
This list shows favourite capture expressions. A capture can be marked as a favorite either in the capture dialog by clicking on the star button in the top right corner or by marking it as a favorite in the “Recently captured” list. A description can be given and is displayed in this list. For each favorite capture a PCAP button is available to simply start this capture again. The “Remove favorites” button allows clearing the list.

==== Simple capture ====
The second section of the capture page allows selecting some fields to filter network traffic for. By default, only the IP field is visible; the other fields can be enabled by clicking on the corresponding toggle switch.
Each line allows entering a filter criterion for the corresponding network traffic element.
To start the capture with the entered filter criteria, just click on the “Start capture” button.
For reference, the expert filter expression is shown at the end of the section so that it can be copied and pasted into the expert filter section.

==== Using expert filters to start captures ====
The third part of the page allows starting a download for any combination of criteria using complex filter expressions.
A capture filter is defined in a C-style syntax and supports combination with AND/OR operators, precedence order with parentheses and equal/not equal comparisons. If the filter expression evaluates to true, the packet is captured.
If a value contains a space, the whole value must be quoted with “”.
The following operators are supported:
* ‘and’, ‘&&’: AND operator. The filter expression matches if all operands evaluate to true.
* ‘or’, ‘||’: OR operator. The filter expression matches if any operand evaluates to true.
The following comparison operators are supported:
* ‘==’: Evaluates the expression to true if left and right operand are equal.
* ‘!=’: Evaluates the expression to true if left and right operand are not equal.
The following operands are supported:
* ‘ip’: An IP address. The packet is captured if either the source or the destination IP address of the packet matches. A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be written in brackets. Examples:
{| class="wikitable sortable"
|-
| ip == 10.0.0.1
ip == ff02::1:3
ip == 10.0/16
ip == 10.0.0.1:1234
ip == [2a02:810a:1340:1292:1c6b:e58d:6ebc:6cd2]:123
|}
* ‘mac’: A MAC address. The packet is captured if either the source or the destination MAC address of the packet matches. Example:
{| class="wikitable sortable"
|-
| mac == 12:34:56:78:90:ab
|}
* ‘port’: A TCP or UDP port. The packet is captured if either the source or the destination port matches. Example:
{| class="wikitable sortable"
|-
| port == 80
|}
* ‘portrange’: A TCP or UDP port range. The range can be a single number or a comma separated list of values or value ranges. Example:
{| class="wikitable sortable"
|-
| portrange == 80,100-120,-10,65000-
|}
* ‘serverport’: A TCP or UDP port of a server. The packet is captured if the given port is a port of the server and not of a client. Example:
{| class="wikitable sortable"
|-
| serverport == 80
|}
* ‘macProtocol’: A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC Protocol Statistics module. Examples:
{| class="wikitable sortable"
|-
| macProtocol == IPv4
macProtocol == "Non IP"
|}
* ‘l4Protocol’: A layer 4 protocol such as TCP or UDP. Protocols can also be OR-combined as a comma separated list. Example:
{| class="wikitable sortable"
|-
| l4Protocol == ICMP,ICMPv6
|}
* ‘l7Protocol’ or ‘dpiProtocol’: A layer 7 protocol. Protocols can also be OR-combined as a comma separated list. For all seen protocols please consult the Layer 7 protocols module.
* ‘countryCode’: A country code such as US. For all seen country codes please consult the Geolocation module.
* ‘arpip’: An IP address within an ARP request or response.
* ‘vlan’: A VLAN tag of an outer or inner VLAN. May be a number, none or any.
* ‘outervlan’: A VLAN tag of an outer VLAN. May be a number, none or any.
* ‘innervlan’: A VLAN tag of an inner VLAN. May be a number, none or any.
* ‘multicastGroup’: A multicast IP address or any. The filter matches all IGMP or MLD negotiation packets related to that multicast IP address.
* ‘rtpPayloadType’: The RTP payload type such as PCMU or MP2T. This filter matches all RTP packets with the given payload type.
* ‘interface’: The physical interface. This can be a single number or a range. For interface ids please consult the Interface stats page. Example:
{| class="wikitable sortable"
|-
| interface == 1,3-5
|}
* ‘link’: The link pair of two interfaces as stated in Interface stats. A single link number can be given.
* ‘ptpMsgType’: A specific PTP message type number, or any for the whole PTP traffic.
* ‘profinetFrameId’: A specific Profinet frame ID.
* ‘profinetCmOpnum’: A specific operation number for Profinet CM (Context Manager) requests or responses. Can also be any for every operation number. The following values are used: 0 (connect), 1 (release), 2 (read), 3 (write), 4 (control), 5 (read implicit).
* ‘mpls’: A label of an outer or inner MPLS. May be a number, none or any.
* ‘outerMpls’: A label of an outer MPLS. May be a number, none or any.
* ‘innerMpls’: A label of an inner MPLS. May be a number, none or any.
* ‘qosIpDscp’: The DSCP value in the IP header. May be a number.
* ‘qosMplsTc’: The traffic class value in the outermost MPLS label stack entry.
* ‘qosVlanPcp’: The priority code point value in the outermost VLAN tag.
* ‘group’: The name of a configured group or ‘default’. If the name contains whitespace, the name must be enclosed in quotes.
* ‘badCRC’: The value of this operand is 1 for packets with a CRC error and 0 for good packets. Capturing packets with bad CRC is currently only supported on 1Gb interfaces.
* ‘icmpType’: The value of a certain ICMP type (e.g. Echo request 8, Echo reply 0).
* ‘tcpFlags’: A single TCP flag or a list of TCP flags joined by the ‘+’ sign. If a list of flags is given, all flags must be present in the packet. Supported TCP flags are syn, ack, fin, rst, psh and urg.
For a specific precedence you may use ‘(’ and ‘)’ parentheses.
Examples:
* The expression
{| class="wikitable sortable"
|-
| ip == 10.0.0.1:1234 and ip == 10.1.0.1:9876
|}
will match a connection from 10.0.0.1 to 10.1.0.1 or vice versa with the ports 1234 and 9876 involved.
* The expression
{| class="wikitable sortable"
|-
| ip == 10.0.0.1 and ip != 10.0.0.2
|}
will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2, the packets will not be captured.
* The expression
{| class="wikitable sortable"
|-
| l4Protocol == ICMP,ICMPv6
|}
will match packets with ICMP or ICMPv6 layer 4 protocols.
* The expression
{| class="wikitable sortable"
|-
| portrange == 80,443
|}
will match packets to or from port 80 or 443.
The capture can be limited to any amount of time or bytes, for example to capture only one minute or one megabyte of traffic.
Below the list of filter criteria there is a button to actually start (or stop) the capture. If the filter expression is invalid, the button is disabled.
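The expert filter syntax described above (and/&&, or/||, ==/!=, parentheses, quoted values, and the ip, port, portrange, l4Protocol and tcpFlags operands), as an added example that is not part of the original page or of the Network Multimeter's own software: a small tokenizer, recursive-descent parser and evaluator in Python, run over a handful of constructed packets. The packet representation (a dict with src/dst addresses and ports, the layer 4 protocol and TCP flags), the sample packets, and the choice that an unmatched operand name is rejected are assumptions made for this example; the device's real parser may differ in details such as error handling.

```python
"""Evaluator for the capture filter syntax described above. Added example, not the
Network Multimeter's own code: and/&&, or/||, ==/!=, parentheses, quoted values and
the operands ip, port, portrange, l4Protocol, tcpFlags; packet dict layout is assumed."""
import ipaddress
import re

TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|"[^"]*"|[^\s()=!&|]+)')

def tokenize(expr):
    """Split into tokens (quoted values keep their spaces); reject stray characters."""
    tokens = TOKEN_RE.findall(expr)
    if "".join("".join(tokens).split()) != "".join(expr.split()):
        raise ValueError(f"unrecognised characters in {expr!r}")
    return [t.strip('"') for t in tokens]

def parse(tokens):
    """Recursive descent: 'and' binds tighter than 'or', parentheses override."""
    tokens = list(tokens)                     # a truncated expression raises IndexError from pop()
    def or_expr():
        node = and_expr()
        while tokens and tokens[0] in ("or", "||"):
            tokens.pop(0)
            node = ("or", node, and_expr())
        return node
    def and_expr():
        node = primary()
        while tokens and tokens[0] in ("and", "&&"):
            tokens.pop(0)
            node = ("and", node, primary())
        return node
    def primary():
        if tokens and tokens[0] == "(":
            tokens.pop(0)
            node = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = tokens.pop(0), tokens.pop(0), tokens.pop(0)
        if op not in ("==", "!="):
            raise ValueError(f"bad comparison operator {op!r}")
        return ("cmp", field, op, value)
    tree = or_expr()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return tree

def parse_ip_value(value):
    """'10.0.0.1', '10.0/16', '10.0.0.1:1234' or '[v6addr]:123' -> (network, port or None)."""
    port = None
    if value.startswith("["):                 # IPv6 with port is written in brackets
        addr, _, port = value[1:].partition("]:")
    elif value.count(":") == 1:               # IPv4 with port
        addr, _, port = value.partition(":")
    else:
        addr = value
    if "/" in addr and ":" not in addr:       # abbreviated IPv4 prefix such as 10.0/16
        net, _, bits = addr.partition("/")
        addr = net + ".0" * (3 - net.count(".")) + "/" + bits
    return ipaddress.ip_network(addr, strict=False), (int(port) if port else None)

def match_ip(pkt, value):
    net, port = parse_ip_value(value)         # source or destination (and port) must match
    return any(ipaddress.ip_address(pkt[s]) in net and (port is None or pkt[s + "_port"] == port)
               for s in ("src", "dst"))

def match_portrange(pkt, value):
    """Comma separated ports or ranges; '-10' and '65000-' are open ended."""
    def hit(port, spec):
        lo, dash, hi = spec.partition("-")
        if not dash:
            return port == int(spec)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return any(hit(pkt[s], spec) for s in ("src_port", "dst_port") for spec in value.split(","))

MATCHERS = {
    "ip": match_ip,
    "port": lambda pkt, v: int(v) in (pkt["src_port"], pkt["dst_port"]),
    "portrange": match_portrange,
    "l4Protocol": lambda pkt, v: pkt["l4"].lower() in v.lower().split(","),  # comma list is OR
    "tcpFlags": lambda pkt, v: set(v.lower().split("+")) <= set(pkt.get("flags", ())),  # all flags
}

def evaluate(tree, pkt):
    if tree[0] == "and":
        return evaluate(tree[1], pkt) and evaluate(tree[2], pkt)
    if tree[0] == "or":
        return evaluate(tree[1], pkt) or evaluate(tree[2], pkt)
    _, field, op, value = tree
    if field not in MATCHERS:
        raise ValueError(f"unsupported operand {field!r}")
    matched = MATCHERS[field](pkt, value)
    return matched if op == "==" else not matched   # '!=' negates the whole operand match

# Constructed sample packets (not captured data).
PACKETS = [
    {"src": "10.0.0.1", "src_port": 1234, "dst": "10.1.0.1", "dst_port": 9876, "l4": "TCP", "flags": ("syn",)},
    {"src": "10.0.0.1", "src_port": 80, "dst": "10.0.0.2", "dst_port": 40000, "l4": "TCP", "flags": ("syn", "ack")},
    {"src": "fe80::1", "src_port": 5355, "dst": "ff02::1:3", "dst_port": 5355, "l4": "UDP"},
    {"src": "10.0.0.1", "src_port": 0, "dst": "10.0.0.99", "dst_port": 0, "l4": "ICMP"},
]

def count_matches(expr, packets=PACKETS):
    tree = parse(tokenize(expr))              # number of sample packets the filter would capture
    return sum(1 for pkt in packets if evaluate(tree, pkt))
```

Note how `ip != 10.0.0.2` is implemented as the negation of the whole operand match (neither source nor destination may be 10.0.0.2), which is exactly why the documented example `ip == 10.0.0.1 and ip != 10.0.0.2` drops the 10.0.0.1/10.0.0.2 conversation; a single `=` or an unknown operand name is rejected rather than silently matching nothing, which is the behaviour a defender wants from a filter that decides what evidence gets kept.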
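The first-match semantics of the packet ring buffer snapshot length rules (see the Packet ring buffer section above: top-to-bottom evaluation, the first matching rule wins, specific rules above the generic ‘discard everything’ rule), as an added example that is not the device's own implementation. The rule fields mirror the dialog described there (condition, negate, action, length); the packet fields, the fixed layer 2/3/4 header lengths, the sample traffic and the choice that a packet matching no rule is stored in full are assumptions of this example.

```python
"""First-match evaluation of packet ring buffer snapshot length rules.
Added example, not the device's implementation. Rule fields mirror the dialog
described above (condition, negate, action); the packet fields, the header
lengths and the 'no rule matched -> store whole packet' default are assumptions."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    condition: str          # "all", "ip", "port", "l7Protocol", "vlan" or "interface"
    value: str              # e.g. "192.168.1.0/24"; ignored for "all"
    negate: bool = False    # on: the value must NOT match
    action: str = "full"    # "full", "discard", "snapshot", "l3header", "l4header", "l7data"
    length: int = 0         # snapshot length, or bytes of layer 7 data for "l7data"

@dataclass
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    l7: str
    vlan: int
    interface: int
    length: int             # original length on the wire
    l2_len: int = 14        # assumed header sizes for the 'Header + data' actions
    l3_len: int = 20
    l4_len: int = 20

def matches(rule, pkt):
    """Does the rule condition (after negation) apply to the packet?"""
    if rule.condition == "all":
        hit = True
    elif rule.condition == "ip":
        net = ipaddress.ip_network(rule.value, strict=False)
        hit = any(ipaddress.ip_address(a) in net for a in (pkt.src, pkt.dst))
    elif rule.condition == "port":
        hit = int(rule.value) in (pkt.src_port, pkt.dst_port)
    elif rule.condition == "l7Protocol":
        hit = pkt.l7.lower() == rule.value.lower()
    elif rule.condition in ("vlan", "interface"):
        hit = str(getattr(pkt, rule.condition)) == rule.value
    else:
        raise ValueError(f"unknown rule condition {rule.condition!r}")
    return hit != rule.negate

def stored_length(rules, pkt):
    """Bytes written to the ring buffer for pkt: the FIRST matching rule decides."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "discard":
            return 0
        if rule.action == "full":
            return pkt.length
        if rule.action == "snapshot":
            return min(pkt.length, rule.length)
        headers = {"l3header": pkt.l2_len + pkt.l3_len,
                   "l4header": pkt.l2_len + pkt.l3_len + pkt.l4_len,
                   "l7data": pkt.l2_len + pkt.l3_len + pkt.l4_len + rule.length}
        if rule.action not in headers:
            raise ValueError(f"unknown action {rule.action!r}")
        return min(pkt.length, headers[rule.action])
    return pkt.length       # assumption: a packet matching no rule is stored in full

def summarize(rules, packets):
    """(bytes written, bytes not written); the second number is what the
    'Bytes discarded due to snapshot length rules' counter would grow by."""
    written = sum(stored_length(rules, p) for p in packets)
    return written, sum(p.length for p in packets) - written

# Constructed sample traffic (not captured data).
PACKETS = [
    Packet("192.168.1.10", "8.8.8.8", 51000, 53, "DNS", 10, 1, 90, l4_len=8),
    Packet("10.0.0.5", "93.184.216.34", 51001, 443, "TLS", 10, 1, 1514),
    Packet("10.0.0.6", "1.1.1.1", 51002, 53, "DNS", 20, 2, 300, l4_len=8),
    Packet("10.0.0.7", "10.0.0.8", 51003, 80, "HTTP", 20, 2, 1000),
]

# Specific rules first, the generic 'discard everything' rule last.
RULES = [
    Rule("ip", "192.168.1.0/24", action="full"),
    Rule("l7Protocol", "TLS", action="l4header"),
    Rule("port", "53", action="snapshot", length=128),
    Rule("all", "", action="discard"),
]
```

Reversing `RULES` puts the generic discard rule first, and `summarize` then reports that nothing at all is written: that is the ordering mistake the section warns about, and checking the rule list with a few representative packets before enabling it is a cheap way to avoid silently losing the traffic you meant to keep.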


==== Layer 7 protocol capture ====
The layer 7 protocol detection engine may need several packets to recognize the protocol currently in use. For these captures all packets not yet recognized are skipped. As soon as the protocol recognition is finished, all packets matching the protocol filter are captured.

==== Configuration settings ====
By clicking on the gear button on the top right of the Capture web page, you can access the configuration section.
* Split PCAP file after this size
This option can be used to limit the size of the PCAP file when storing to an attached device. Once the captured traffic would exceed this threshold, a new PCAP file with the current time stamp is created and the traffic is written to the new file. If the time stamp is still the same, an index is appended to the filename. When set to 0, no splitting is done.
* Split PCAP file after this duration
This option can be used to limit the duration of the PCAP file when storing to an attached device. The duration starts counting with the start of the capture. Once the captured traffic would exceed the duration, a new PCAP file with the current time stamp is created and the traffic is written to the new file. When set to 0, no splitting is done.
Both split parameters can be combined. The PCAP file is split as soon as one threshold has been reached.
* The size in MB for the queue of the packet ring buffer
This option allows configuring the size of the queue that holds processed packets before they are written to the packet ring buffer. Increasing the size of this queue may help if the disk used for the packet ring buffer cannot keep up with bursts of traffic, so that packet drops occur in the packet ring buffer. Be aware that memory allocated to this queue is not available for storing statistics and metadata, so choosing a large value for this queue reduces the overall data storage time. Most users will not need to change this value from the default. A reboot of the device or a restart of the processing is needed for a change to this option to take effect.
* The maximum size in MB for the packet reorder buffer when capturing from the packet ring buffer
This setting allows choosing the maximum size that the packet reorder buffer may grow to. For performance reasons the packet ring buffer does not ensure a total order of packets when storing them on disk. The packet reorder buffer is used to restore the correct order of packets in a capture when capturing from the packet ring buffer. A larger packet reorder buffer makes it more likely that the packet order can be restored for all packets. The actual amount of memory used for the packet reorder buffer depends on this setting but also on the amount of free memory in the system, so the effectively used amount of memory may be less than this setting indicates.

==== Capture settings dialog ====
This dialog appears after a capture button has been clicked. The following settings are possible:
* Start time and end time
By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with the keyboard and allows entering a time with second precision. If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog limits the start time input to the earliest data of the capture ring buffer. Be aware that a possible capture ring buffer filter was applied to the past data and is also applied to future data in this mode. The start time may also be in the future. The capture is then scheduled and starts as soon as a packet is received with a time later than the start time. If the whole time input field is selected and deleted, the start or end time resets to the default value. The default value for the start time is “now”, i.e. the capture starts when the “Start capturing” button is pushed. The default value of the end time is “unlimited”, i.e. the capture does not stop unless stopped manually by clicking on the stop button. Eight buttons offer quick selection of frequently used time settings.
* Capture type
This dropdown menu allows choosing the method by which packets are captured. The last successful setting is persistently stored per user. The following methods are available:
'''– HTTP download'''
This is the default method. The capture starts an HTTP download of a PCAP file directly in the browser.
''' – Disk'''
This method is only visible if a storage device is active and has some amount of free storage space. The capture creates a PCAP file on the storage device.
''' – Interface'''
This mode transmits the captured packets on a physical network interface. It is not available when the system is analyzing a PCAP file or analyzing the packet ring buffer.
''' – ERSPAN '''
This mode transmits the captured packets encapsulated in a GRE + ERSPAN header on the management interface to a given target IP address. On the target system the traffic can be selectively captured using the filter “ip proto 0x2f” in an application like Wireshark or tcpdump.
* Interface to transmit on
This dropdown menu is only shown when the Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected.
* ERSPAN target address
This section is only shown when the Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified.
* Transmit speed
This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past, so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. The following modes are available:
'''– none'''
No limit is applied and the packets are transmitted as fast as the network interface and the packet ring buffer allow.
'''– limit to bandwidth'''
A bandwidth limit is applied so that the given bandwidth in Mbps is not exceeded. The bandwidth can be given as a decimal, so that e.g. 500 kbps can be configured with a value of 0.5.
'''– realtime factor'''
Packets are transmitted based on their recorded timing information. This means that with a realtime factor of 1.0 packets are transmitted with approximately the same timing as they were originally received. Using for example a realtime factor of 2.0 transmits the packets at twice the speed at which they were received.
* Transmit bandwidth in Mbps
This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.
* Transmit realtime factor
This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.
* Truncate packet length:
This dropdown menu is only shown when the Capture type is either HTTP or Disk. You can truncate captured packets with this setting. All packets are captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without the frame check sequence. Possible values are:
'''– Full length '''
'''– 64 Bytes '''
'''– 1500 Bytes '''
'''– Custom length with an input field for inserting any length between 64 and 15378 Bytes '''
* PCAP compatibility:

==''' Pcap analysis module'''==
{|
|-
|[[File:Generic modules.png|800px|thumb|right]]
|}
The pcap analysis module allows analyzing pcap files by sending them to the device. After analyzing the pcap, the web interface shows all the metadata as if the packets were live traffic at the time of the pcap recording.

====Notes====
Starting a pcap analysis stops the network ports, and thus normal packet processing and forwarding is disabled. The network connections of the devices connected to the Multimeter will stop working.

==== Start new Upload====
To select a file to analyze, simply drag a file from your file manager to the drop zone. The second option is to click into the drop zone; after a click, a file selection dialog opens. After selecting a file, the name and the size of the pcap are displayed in the drop zone box.
To proceed, press the “Upload and analyze pcap” button. A modal dialog opens.
* A warning is shown if the device is in bridge mode, since no more packets are forwarded when starting pcap analysis mode.
* If a packet ring buffer is configured, it is possible to write packets to it. This allows simple extraction of packets as in live packet processing.
The pcap file itself is not stored on the storage of the Multimeter (except in the packet ring buffer, if activated in the upload modal dialog).

==== PCAP analysis statistics====
After the upload has started, a progress section is displayed. This includes a progress bar and the time of the last processed packet. When viewing the progress bar in a different tab or in a different browser, the progress bar will not show the correct value.

==== Viewing the pcap metadata====
During and after the upload of the file, all modules show the metadata produced by analyzing the packets in the pcap file.

==== Resuming normal operation====
After finishing the analysis, the processing can be set back to live mode by clicking the “Resume normal operation” button at the bottom of the page.

==''' Incidents module'''==
The Incidents module allows notifications to be created when certain network incidents are detected. These notifications can be viewed in the web GUI and may also be delivered by email. Repeating incidents are counted as such, and the time of the first and last occurrence of an incident is remembered. What makes an incident unique depends on the type of incident.
Incidents can be configured with three levels of severity: low, medium and high. The first occurrence of a medium or high severity incident triggers a status notification which is visible at the top right of the web GUI. Up to 1000 incidents are remembered by the system; if this limit is exceeded, the oldest incidents are discarded.
{|
|-
| [[File:Incidents module.png|1000px|thumb|right]]
|}

==== Types of incidents ====
The following list shows which types of incidents can currently be detected and how they are triggered.
[[File:Incidents module1.png|800px|frame|right]]

==== MAC incidents ====
* '''new MAC''': report an incident when a unicast Ethernet MAC address is seen for the first time.
* '''new DPI protocol for MAC''': report an incident when a layer 7 protocol is first detected for a unicast Ethernet MAC address.
* '''broadcast packet rate exceeded threshold''': report an incident when the number of broadcast packets within the duration of one second exceeds the configurable threshold.

==== ARP incidents ====
* '''ARP responses with different MACs for the same IP within 60 seconds''': report an incident when, within a duration of 60 seconds, two different unicast Ethernet MAC addresses respond as having the same IP address through ARP (address resolution protocol) messages. This may point to a configuration issue, as two devices try to use the same IP address.

==== IP incidents ====
* '''new local IP address''': report an incident when an IPv4 address belonging to a private network address range is seen for the first time.
* '''new DPI protocol for local IP''': report an incident when a layer 7 protocol is first detected for an IPv4 address belonging to a private network address range.
* '''local IP address on multiple Ethernet MACs''': report an incident when an IPv4 address belonging to a private network address range is seen with multiple Ethernet MAC addresses. This may point to a configuration issue, as two devices try to use the same IP address.
* '''TCP handshake time exceeded threshold''': report an incident when the time needed for the completion of a TCP handshake by a server exceeds the configurable threshold. If the TCP handshake time suddenly rises, this may point e.g. to an overload of the server.
* '''TCP zero window packet''': report an incident when a TCP zero window packet is seen. This means that the receive buffer for the connection at the IP sending the TCP zero window packet is full.

==== DNS incidents ====
* '''DNS server stopped responding''': report an incident if more than 3 requests to the DNS server went unanswered for a period of more than 5 seconds.

==== Global incidents ====
* '''interface link status changed''': Report an incident if the Ethernet link status of the network interface changed. This incident is always reported as a new incident, even for the same network interface.
* '''Interface link speed changed''': Report an incident if the link speed of the network interface changed.
* '''Interface pair link speed and duplex mismatch''': Report an incident if the link speed or the duplex mode of two corresponding mutual interfaces in bridge mode are different.
* '''Bandwidth below lower threshold''': Report an incident when the measured bandwidth falls below a certain threshold. The threshold is configured in Mbit/s. The incident is active until the bandwidth is above the threshold again.
* '''Bandwidth above upper threshold''': Report an incident when the measured bandwidth exceeds a certain threshold. The threshold is configured in Mbit/s. The incident is active until the bandwidth falls below the threshold again.
* '''Packet rate below lower threshold''': Report an incident when the measured packet rate falls below a certain threshold. The threshold is configured in packets/s. The incident is active until the packet rate is above the threshold again.
* '''Packet rate above upper threshold''': Report an incident when the measured packet rate exceeds a certain threshold. The threshold is configured in packets/s. The incident is active until the packet rate falls below the threshold again.
* '''Timeout for finishing an active bandwidth incident''': Defines the time for how long the bandwidth or packet rate has to be above the lower (or below the upper) threshold again to end the incident. By using this setting, e.g. a traffic burst that constantly moves around the threshold within this configured range can be reduced to just one incident.

==== Interface throughput ====
Interface throughput incidents are generated by the throughput measurement module as soon as a configurable threshold is exceeded. The incident contains a graph of traffic for that interface with some data points before and after the threshold has been exceeded, depending on the measurement interval. A PCAP link for capturing from the packet ring buffer is shown. For further investigation of that incident, the button Use as global time range can be used to set the global range to the start and end of the incident graph (at least 5 seconds) so that all modules of the Allegro Network Multimeter show that time span. The incident generation can be configured as follows:
This section is only shown when the Capture type is either HTTP or disk.
* '''throughput threshold exceeded''': report an incident if the throughput of any network interface exceeded.
* '''Throughput threshold (Mbit/s)''': The threshold is configured in Mbit/s.
* '''How long throughput must be above threshold to generate incident (in milliseconds)''': The throughput must exceed the threshold for this duration in order to generate the incident. If set to zero (defualt) the incident is generated immediately after the threshold has been exceede.
* '''Throughput cool-down period between two incidents in milliseconds''': Defines the time after an incident where no new incident is generated even if the threshold is exceeded. If this period is passed, throughput incidents could be generated again.


'''– Omit interface ID:''' Enabling this option will generate a PCAP file that only contains a single interface
and treats all packets as if they arrived on that interface. This may improve compatibility with third
party software that cannot handle PCAPs with multiple interfaces IDs.
After pushing the “Start capture” button, the capture starts.
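The three throughput settings above interact, and it is easy to misjudge what the minimum duration and the cool-down do on a bursty link. The following Python model is an added example, not the Allegro Network Multimeter's own implementation: it applies one consistent reading of the three settings to a constructed series of throughput samples taken every 500 ms. The sample values, and the rule that a sustained overload must satisfy the minimum duration again after each incident before it can raise another one, are assumptions.

```python
"""Model of a threshold-based throughput incident detector.

Added example, not the Allegro Network Multimeter's own code. It applies the
three settings documented on this page (threshold in Mbit/s, minimum time
above threshold, cool-down between incidents) to constructed samples. How the
device evaluates the settings internally is not documented here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ThroughputIncidentConfig:
    threshold_mbit: float       # "Throughput threshold (Mbit/s)"
    min_duration_ms: int = 0    # "How long throughput must be above threshold" (0 = at once)
    cooldown_ms: int = 0        # "Throughput cool-down period between two incidents"


@dataclass
class ThroughputIncidentDetector:
    cfg: ThroughputIncidentConfig
    above_since_ms: Optional[int] = None    # start of the current run above the threshold
    last_incident_ms: Optional[int] = None  # time of the last generated incident
    incidents: List[int] = field(default_factory=list)

    def feed(self, ts_ms: int, mbit: float) -> bool:
        """Process one measurement; return True if it generates an incident."""
        if mbit <= self.cfg.threshold_mbit:
            self.above_since_ms = None          # run ended; duration starts over next time
            return False
        if self.above_since_ms is None:
            self.above_since_ms = ts_ms
        if ts_ms - self.above_since_ms < self.cfg.min_duration_ms:
            return False                        # not above the threshold long enough yet
        if (self.last_incident_ms is not None
                and ts_ms - self.last_incident_ms < self.cfg.cooldown_ms):
            return False                        # still in the cool-down after the last incident
        self.incidents.append(ts_ms)
        self.last_incident_ms = ts_ms
        # Assumption: a sustained overload must satisfy the minimum duration
        # (and the cool-down) again before it can raise a further incident.
        self.above_since_ms = ts_ms
        return True


def run_detector(samples: List[Tuple[int, float]], cfg: ThroughputIncidentConfig) -> List[int]:
    """Feed all samples and return the timestamps (ms) at which incidents were generated."""
    det = ThroughputIncidentDetector(cfg)
    for ts_ms, mbit in samples:
        det.feed(ts_ms, mbit)
    return det.incidents


# Constructed samples, 500 ms measurement interval: a 1 s spike, a sustained burst,
# a second burst that falls inside a 5 s cool-down, and a third burst after it.
SAMPLES: List[Tuple[int, float]] = [
    (0, 100), (500, 900), (1000, 950), (1500, 200),
    (2000, 900), (2500, 950), (3000, 980), (3500, 990), (4000, 990), (4500, 100),
    (5000, 900), (5500, 950), (6000, 970), (6500, 100),
    (7000, 100), (7500, 100), (8000, 100),
    (8500, 900), (9000, 950), (9500, 990),
]

if __name__ == "__main__":
    immediate = ThroughputIncidentConfig(threshold_mbit=800)
    damped = ThroughputIncidentConfig(threshold_mbit=800, min_duration_ms=1000, cooldown_ms=5000)
    print("defaults (0 ms / 0 ms):", run_detector(SAMPLES, immediate))
    print("1000 ms minimum, 5000 ms cool-down:", run_detector(SAMPLES, damped))
```

With the defaults (0 ms minimum, 0 ms cool-down) every sample above 800 Mbit/s raises an incident, 13 in this series. With a 1000 ms minimum and a 5000 ms cool-down only the sustained bursts at 3000 ms and 9500 ms do: the 1 s spike never reaches the minimum duration and the burst at 5000 ms falls inside the cool-down. A minimum duration without a cool-down re-raises a sustained overload every 1000 ms ([3000, 4000, 6000, 9500] here), which is the case the cool-down setting is meant to collapse. The global bandwidth and packet rate incidents above use the opposite approach: the incident stays active until the metric has returned across the threshold for the configured timeout.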


==== Incident settings ====
'''Configuring incidents'''

The configuration of incidents is done in the Incidents tab on the settings page located under Settings → Incident settings. An incident detection is enabled by setting its reporting severity to a value other than disabled. Some incidents have further configuration options, e.g. a threshold value; these options are located below the incident’s reporting severity setting. When you have finished configuring the incidents, the Save Settings button at the bottom of the Incidents settings page commits the changes.

==== Incident email notifications ====
Email notifications for incidents can be configured in the Notification settings tab on the settings page located under Settings → Incident settings:
* '''Enable email incident notifications''': turns the feature on or off.
* '''Severity threshold''': defines the minimum severity an incident must have to trigger an email notification.

==== Viewing and deleting incidents in the web GUI ====
Incidents that have occurred can be viewed and deleted on the page located under Generic → Incidents. Here incidents can be filtered by severity using the colored buttons at the top of the page. In the incidents table they can also be filtered by searching for text in their subject message, and sorted by severity or time of last occurrence. The Delete button at the end of each line discards a single incident and the Delete all incidents button at the top of the page discards all incidents. If an incident was discarded and is reported again, it is treated as a new incident and, e.g., an email notification is generated again. Clicking the subject of an incident opens its detail page, which contains more detailed information about the incident as well as links to statistics that may be relevant for investigating it.

==== Webshark ====
The Allegro Network Multimeter has a preview mode to see the first Megabyte of captured packets directly in the browser. By clicking the Webshark preview button in the capture dialog, the first Megabyte of the requested packets will be extracted. When the extraction is finished, a modal dialog opens showing the captured packets similar to Wireshark. The capture can be moved from the modal dialog to a separate window by pressing the button in the upper right corner next to the close button.

==== Capture URL ====
It is possible to use an external tool like “curl” for creating and storing a PCAP.
{| class="wikitable sortable" 
|-         
| curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?startTime=1517306266000000&endTime=1517309267000000&expression=l7Protocol==HTTP&snapPacketLength=65535&fromCaptureBuffer=true' > path_to/capture.pcap
|-
|}
The user name, password and hostname are the same as for accessing the web interface. Note that the -k option makes curl skip verification of the device's TLS certificate, so the credentials are also sent to any host that answers under that name; prefer installing the device certificate (or its CA) in the client's trust store or passing it with --cacert, and use -k only where that is not possible.
The following parameters are possible:
* startTime: the start time of the capture. The first packet with exactly this or a later time will start the capture. The time format is microseconds since January 1st 1970 UTC (Unix time, epoch). If the start time is in the past, make sure you set the fromCaptureBuffer parameter accordingly.
* endTime: the end time of the capture. The first packet with exactly this or a later time will stop the capture. The time format is microseconds since January 1st 1970 UTC (Unix time, epoch).
* expression: the filter expression. Whitespace is not allowed; use ‘%20’ instead.
* snapPacketLength: the maximum size of a packet, applied on layer 2 without the frame check sequence. If a packet is larger than this value, it is truncated. Use 65535 for unlimited size.
* fromCaptureBuffer: whether to extract data from the packet ring buffer or just from live traffic.
* captureToMedia: whether to store the PCAP on the external storage device or download it with your browser to your computer.
* useSingleInterface: whether to store only a single interface in the PCAP and treat all packets as if they arrived on that interface. This may improve compatibility with third-party software that cannot handle PCAPs with multiple interface IDs.
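The curl call in the Capture URL section can be scripted. The following Python script is an added example, not the device's own client: it builds the capture URL from timezone-aware datetimes (converted to the microsecond Unix time the startTime and endTime parameters expect), percent-encodes the expression so that a space becomes %20, sends the same basic-auth credentials as curl -u, and verifies the device's TLS certificate against a CA file instead of skipping verification as -k does. It also decodes the global header of a downloaded file so the snaplen the device applied can be checked. The host name allegro-mm-XXXX and the CA file path are placeholders, the encoding of the optional boolean parameters as true (omitted otherwise, as in the curl example) is an assumption, and the pcap header used in the self-check is constructed.

```python
"""Downloading a capture via the /API/data/modules/capture URL.

Added example, not the Allegro Network Multimeter's own code or client.
Assumptions: allegro-mm-XXXX and the CA file path are placeholders, and the
optional boolean parameters are sent as "true" and omitted otherwise.
"""
import base64
import ssl
import struct
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# The time range from the curl example on this page, as datetimes.
EXAMPLE_START = datetime(2018, 1, 30, 9, 57, 46, tzinfo=timezone.utc)
EXAMPLE_END = datetime(2018, 1, 30, 10, 47, 47, tzinfo=timezone.utc)


def to_epoch_us(dt: datetime) -> int:
    """Microseconds since 1970-01-01 UTC, the unit startTime and endTime expect."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; naive local time is ambiguous")
    return (dt - EPOCH) // timedelta(microseconds=1)


def build_capture_url(host, start, end, expression, snap_packet_length=65535,
                      from_capture_buffer=True, capture_to_media=False,
                      use_single_interface=False):
    """Assemble the capture URL from the documented parameters."""
    start_us, end_us = to_epoch_us(start), to_epoch_us(end)
    if end_us <= start_us:
        raise ValueError("endTime must lie after startTime")
    params = {
        "startTime": start_us,
        "endTime": end_us,
        "expression": expression,
        "snapPacketLength": snap_packet_length,
        "fromCaptureBuffer": "true" if from_capture_buffer else "false",
    }
    if capture_to_media:
        params["captureToMedia"] = "true"       # assumed encoding of the flag
    if use_single_interface:
        params["useSingleInterface"] = "true"   # assumed encoding of the flag
    # urllib.parse.quote (not quote_plus) encodes a space as %20, which is the
    # form the expression parameter accepts; '=' and '/' are left untouched.
    query = urllib.parse.urlencode(params, safe="=/", quote_via=urllib.parse.quote)
    return f"https://{host}/API/data/modules/capture?{query}"


def example_url() -> str:
    """The URL of the curl example, rebuilt from datetimes."""
    return build_capture_url("allegro-mm-XXXX", EXAMPLE_START, EXAMPLE_END, "l7Protocol==HTTP")


def download_capture(url, user, password, cafile, out_path, chunk_size=1 << 20):
    """Stream the PCAP to disk over a verified TLS connection (no equivalent of curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the device's CA/certificate
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp, open(out_path, "wb") as out:
        for block in iter(lambda: resp.read(chunk_size), b""):
            out.write(block)


def parse_pcap_header(data: bytes) -> dict:
    """Decode the 24-byte pcap global header, e.g. to check the snaplen the device wrote.

    A pcapng file (section header block) is only recognised, not parsed; its
    per-interface information lives in interface description blocks.
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return {"format": "pcapng"}
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (0xA1B2C3D4, 0xA1B23C4D):   # microsecond / nanosecond timestamp variants
            _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
            return {"format": "pcap", "byte_order": order, "version": (vmaj, vmin),
                    "snaplen": snaplen, "linktype": linktype,
                    "nanosecond": magic == 0xA1B23C4D}
    raise ValueError("not a pcap or pcapng file")


def make_pcap_header(order: str = "<", snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Constructed pcap global header (not device output), for exercising parse_pcap_header."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    print(example_url())
    print(parse_pcap_header(make_pcap_header("<", 1500, 1)))
    # With a reachable device and its CA file, uncomment to fetch and check a capture:
    # download_capture(example_url(), "USER", "PASSWORD", "/etc/ssl/allegro-ca.pem", "capture.pcap")
    # with open("capture.pcap", "rb") as f:
    #     print(parse_pcap_header(f.read(24)))
```

Run without arguments the script only prints the rebuilt URL and the decoded constructed header; the download call is commented out because it needs a device. If a capture was requested with a custom snapPacketLength, compare it with the snaplen reported by parse_pcap_header before handing the file to tools that rely on it; a file starting with the pcapng section header is one that carries per-interface blocks, which is the case useSingleInterface is meant to simplify for third-party readers.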