inactive
369
edits
Capturing: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
== How can I get a pcap of a specific IP or MAC address? == | == How can I get a pcap of a specific IP or MAC address? == | ||
All Allegro Network Multimeter modules have a dedicated pcap button | |||
to capture | to capture most traffic types. To capture a specific IP address go to 'IP' -> 'IP' statistics, navigate to | ||
the desired IP address and click the pcap button. | the desired IP address and click the pcap button. | ||
| Line 12: | Line 12: | ||
To quickly find an IP address, you can sort the IP table by almost every column. The filter | To quickly find an IP address, you can sort the IP table by almost every column. The filter | ||
provides a quick method to reduce the table content, e.g. by typing fragments of the | |||
IP address or the DNS name in the filter input field. | IP address or the DNS name in the filter input field. | ||
Another quick way to create a pcap of a specific address is to use the simple capture. Go | Another quick way to create a pcap of a specific address is to use the simple capture. Go | ||
to 'Generic' -> 'Capture traffic', enable the MAC | to 'Generic' -> 'Capture traffic', enable the MAC switch, set an address and click the | ||
"Start capture" button. | "Start capture" button. | ||
| Line 28: | Line 28: | ||
displayed. Here you can limit the start and end time of the capture and select | displayed. Here you can limit the start and end time of the capture and select | ||
whether the created pcap file is downloaded via your browser directly to your | whether the created pcap file is downloaded via your browser directly to your | ||
computer or stored on the attached storage device | computer or stored on the Multimeter attached storage device. You can | ||
limit the captured packets to | limit the captured packets to a given length if you do not need the full packet | ||
and want a small pcap file that opens faster in Wireshark. | and just want a small pcap file that opens faster in Wireshark. | ||
{| | {| | ||
| Line 45: | Line 45: | ||
port or an internal storage device if your Allegro Network Multimeter is | port or an internal storage device if your Allegro Network Multimeter is | ||
equipped with one. A fast USB3 capable SSD is recommended. A | equipped with one. A fast USB3 capable SSD is recommended. A | ||
USB thumb drive can be used | USB thumb drive can be used also, but some burst packets may be dropped if the | ||
thumb drive is too slow. | thumb drive write speed is too slow. | ||
You can see an overview about all storage devices that can be used for the Allegro Multimeter | You can see an overview about all storage devices that can be used for the Allegro Multimeter | ||
| Line 73: | Line 73: | ||
|} | |} | ||
The size of the ring buffer | The size of the ring buffer must be specified. If no pcap is required on | ||
the storage device, the ring buffer | the storage device, the ring buffer will use 100% of the storage device capacity. | ||
{| | {| | ||
| Line 81: | Line 81: | ||
When the packet ring buffer is created and running, the "Packet ring buffer" | When the packet ring buffer is created and running, the "Packet ring buffer" | ||
statistics page | statistics page displays information about the ring buffer useage and several | ||
graphs restored or filtered traffic are displayed. A filter can be applied | graphs restored or filtered traffic are also displayed. A filter can be applied | ||
to | to determine which packets are stored in the ring buffer. Check out the chapter | ||
[[Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]] for more details. | [[Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]] for more details. | ||
| Line 107: | Line 107: | ||
be adjusted to the start and a hint will be displayed. | be adjusted to the start and a hint will be displayed. | ||
== Is it possible to plan a capture | == Is it possible to plan a future capture? == | ||
Yes. Simply select the desired start time in the "Choose capture settings" dialogue | Yes. Simply select the desired start time in the "Choose capture settings" dialogue | ||
| Line 141: | Line 141: | ||
The chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] explains every possible filter. | The chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] explains every possible filter. | ||
== Get a | == Get a pcap via command line == | ||
It is quite easy to get a | It is quite easy to get a pcap on the command line or in scripts with "curl" | ||
which is a tool available for recent versions of Windows 10, Linux and MacOS. | which is a tool available for recent versions of Windows 10, Linux and MacOS. | ||
| Line 152: | Line 152: | ||
|} | |} | ||
The user name, password and hostname have to be the same | The user name, password and hostname have to be the same as the ones used to access | ||
the web interface. Every filter expression that can be used in the web interface | the web interface. Every filter expression that can be used in the web interface | ||
can also be used here. | can also be used here. | ||
| Line 158: | Line 158: | ||
Check out the chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] for further information. | Check out the chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] for further information. | ||
== It takes too long to open a | == It takes too long to open a pcap file in Wireshark. What can I do? == | ||
If you are in a situation where you have a | If you are in a situation where you have a large pcap and are only | ||
interested in the traffic between two | interested in the traffic between two specific IP addresses, you can | ||
use the Allegro Network Multimeter to analyze the pcap file and | use the Allegro Network Multimeter to analyze the pcap file and | ||
extract the specific traffic for post-processing with | extract the specific traffic for post-processing with tools such as | ||
Wireshark. See [[Forensic_Pcap_Analysis|Forensic Pcap Analysis]] for details. | Wireshark. See [[Forensic_Pcap_Analysis|Forensic Pcap Analysis]] for details. | ||