inactive
369
edits
Ring Buffer Configuration Guide: Difference between revisions
→Filter Rules
| Line 69: | Line 69: | ||
== Filter Rules == | == Filter Rules == | ||
Both | Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets are stored to the disk. Each ring buffer can be configured by a separate list of rules. All packet that do not match a condition are captured. The first matching condition is applied to the packets. | ||
=== Filter rule conditions === | === Filter rule conditions === | ||
| Line 77: | Line 77: | ||
* All packets → matches on all Ehternet packets | * All packets → matches on all Ehternet packets | ||
* MAC address → matches a specific L2 MAC address | * MAC address → matches a specific L2 MAC address | ||
* IP Address and IP Subnet → matches a specific IP address and | * IP Address and IP Subnet → matches a specific IP address and subnet, works for IPv4 and IPv6 | ||
* TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port | * TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port | ||
* L7 Protocol → matches one of the built-in L7 | * L7 Protocol → matches one of the built-in L7 protocols | ||
* Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame | * Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame | ||
* Interface → matches a specific network interface | * Interface → matches a specific network interface | ||
| Line 91: | Line 91: | ||
The following items are supported as actions: | The following items are supported as actions: | ||
* Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet | * Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet | ||
* Discard → do not capture this packet | * Discard → do not capture this packet | ||
* Full → capture the full packet | * Full → capture the full packet | ||
* Header+Data → capture only up to L3 or L4 or a specified | * Header+Data → capture only up to L3 or L4 or a specified quantity of L7 bytes. | ||
=== Filter rule examples === | === Filter rule examples === | ||
Filter rules can be set up below the statistics of each | Filter rules can be set up below the statistics of each ring buffer. This is a list of the most-used filter rules. Please note that you can combine these rules. | ||
==== Capture all traffic from and to a single IP ==== | ==== Capture all traffic from and to a single IP ==== | ||
This use case is valid when you need to investigate the packets of one IP but you need the statistics of the total link. This is a | This use case is valid when you need to investigate the packets of one IP but you need the statistics of the total link. This is a common use case where the link bandwidth is above the ring buffer write rate. As an example, it can occur when you monitor a heavy loaded 10G or 40G link with a single HDD as the ring buffer device. | ||
You need to set up 2 rules to capture only one single IP. The first rule matches the IP address and captures the entire payload, the second rule drops all packets. This will also drop all non-IP packets like ARP requests. | You need to set up 2 rules to capture only one single IP. The first rule matches the IP address and captures the entire payload, the second rule drops all packets. This will also drop all non-IP packets like ARP requests. | ||