https://allegro-packets.com/wiki/api.php?action=feedcontributions&feedformat=atom&user=David.GriffithsAllegro Network Multimeter Manual - User contributions [en]2026-04-04T12:21:08ZUser contributionsMediaWiki 1.39.13https://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3073Burst analysis on a Mirror or Packet Broker input2020-10-14T14:38:54Z<p>David.Griffiths: /* MAC Burst Measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a Mirror or Packet Broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the Mirror or Packet Broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst Measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows you to set a specific receive and send bandwidth for a chosen MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the Router is connected at 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as a utilisation of ">> 100%" and indicates that a burst may not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3072Burst analysis on a Mirror or Packet Broker input2020-10-14T14:37:34Z<p>David.Griffiths: /* MAC Burst Measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a Mirror or Packet Broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the Mirror or Packet Broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst Measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows you to set a specific receive and send bandwidth for a chosen MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3071Burst analysis on a Mirror or Packet Broker input2020-10-14T14:36:56Z<p>David.Griffiths: /* MAC Burst Measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a Mirror or Packet Broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the Mirror or Packet Broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst Measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows you to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3070Burst analysis on a Mirror or Packet Broker input2020-10-14T14:31:29Z<p>David.Griffiths: /* Problem */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a Mirror or Packet Broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the Mirror or Packet Broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst Measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3069Burst analysis on a Mirror or Packet Broker input2020-10-14T14:08:11Z<p>David.Griffiths: /* MAC Burst measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst Measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3068Burst analysis on a Mirror or Packet Broker input2020-10-14T14:07:44Z<p>David.Griffiths: /* Advantage for Mirror Port and Packet Brokers */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( Router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3067Burst analysis on a Mirror or Packet Broker input2020-10-14T14:07:14Z<p>David.Griffiths: /* MAC Burst measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250MBit/s for the downlink and 40MBit/s for the uplink for the Router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3066Burst analysis on a Mirror or Packet Broker input2020-10-14T14:06:31Z<p>David.Griffiths: /* MAC Burst measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst measurement ==<br />
<br />
To analyse a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analysed. If you have an uplink, simply use the Router´s MAC address here and then specify the maximum receive and send rate of the Router´s uplink.<br />
<br />
In this example, we configured maximum values of 250 MBit/s for the downlink and 40 MBit/s for the uplink for the router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1 GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst that might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3065Burst analysis on a Mirror or Packet Broker input2020-10-14T13:58:26Z<p>David.Griffiths: /* Link Burst Measurement */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The percent values displayed are based on that maximum speed.<br />
<br />
== MAC Burst measurement ==<br />
<br />
To analyze a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analyzed. If you have an uplink, simply use the router´s MAC address here and then specify the maximum receive and send rate of the router´s uplink.<br />
<br />
In this example, we configured maximum values of 250 MBit/s for the downlink and 40 MBit/s for the uplink for the router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1 GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst that might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Burst_analysis_on_a_Mirror_or_Packet_Broker_input&diff=3064Burst analysis on a Mirror or Packet Broker input2020-10-14T13:40:52Z<p>David.Griffiths: /* Problem */</p>
<hr />
<div>== Problem ==<br />
<br />
The Allegro Network Multimeter is connected to a mirror or packet broker port. By default, this makes it difficult to analyse a specific link for bursts since the packets are aggregated on the mirror or packet broker port.<br />
<br />
Please note that this guide is based on the manual [[Burst analysis]] and on the use case guide [[Network Burst Analysis]].<br />
<br />
== Link Burst Measurement ==<br />
<br />
By default, the Allegro Network Multimeter measures the bursts per interface at '''L2 Ethernet''' → ''' Burst Analysis'''<br />
<br />
[[File:Burst link measurement.png|500px]]<br />
<br />
Here you can configure the speed per link as the maximum speed. The shown percent values are based on that maximum speed.<br />
<br />
== MAC Burst measurement ==<br />
<br />
To analyze a specific link, you can use the MAC burst analysis. This is shown in the second tab '''MACs''' in the burst analysis module. It allows to set a specific receive and send bandwidth for a certain MAC address. Up to five MAC addresses can be analyzed. If you have an uplink, simply use the router´s MAC address here and then specify the maximum receive and send rate of the router´s uplink.<br />
<br />
In this example, we configured maximum values of 250 MBit/s for the downlink and 40 MBit/s for the uplink for the router MAC address.<br />
<br />
[[File:Burst mac measurement.png|500px]]<br />
<br />
Please note that the burst analysis is done with 1 millisecond resolution by default. In our example, the router is connected with 1 GBit/s and it can receive more than the configured uplink bandwidth. This is shown in the display as an utilization of ">> 100%" and indicates that a burst that might not be able to be handled by this uplink.<br />
<br />
== Advantage for Mirror Port and Packet Brokers ==<br />
<br />
The MAC burst detection can be used for a specific end device ( a file server,... ) or for the gateway of an uplink ( router,... ). It allows to monitor links and end devices even in out-of-band installations.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3062Packet ring buffer2020-10-09T11:13:13Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than zero replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than zero replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication writes two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured to control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows you to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3061Packet ring buffer2020-10-09T10:27:37Z<p>David.Griffiths: /* Packet ring buffer snapshot length filter */</p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication writes two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured to control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows you to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3060Packet ring buffer2020-10-09T10:27:08Z<p>David.Griffiths: /* Packet ring buffer snapshot length filter */</p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication writes two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured to control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3059Packet ring buffer2020-10-09T10:26:20Z<p>David.Griffiths: /* Cluster ring buffer */</p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication writes two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3058Packet ring buffer2020-10-09T10:25:07Z<p>David.Griffiths: /* Cluster ring buffer */</p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication writes two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3057Packet ring buffer2020-10-09T10:24:02Z<p>David.Griffiths: /* Cluster ring buffer */</p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows you to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3056Packet ring buffer2020-10-09T10:23:02Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue, the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3055Packet ring buffer2020-10-09T10:21:36Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication, an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3054Packet ring buffer2020-10-09T10:20:42Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created, statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3053Packet ring buffer2020-10-09T10:20:13Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled, a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3052Packet ring buffer2020-10-09T10:19:38Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is no longer not part of the packet ring buffer but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure, it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which will be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialogue is displayed and allows the following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected Layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after Ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The entire packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', Layer 2 and Layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', Layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of Layer 7 data can be configured. In this case Layers 2, 3 and 4 are stored together with the specified amount of Layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated, it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed, a dialogue will appear which allows you to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialogue, the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active, the entire contents can be extracted by capturing the complete timespan that is contained within. <br />
For convenience, a button labelled Extract packet ring buffer is available that opens the capture dialogue with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3051Packet ring buffer2020-10-09T10:14:07Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows you to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers, the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button, an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used, the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has its own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
No replication means that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks; single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disks to half the performance of no replication. <br />
Double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
The following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabelled column, three buttons are displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which shall be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialog is displayed and allows following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! Description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The whole packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', layer 2 and layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of layer 7 data can be configured. In this case layer 2, 3 and 4 are stored together with the specified amount of layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed a dialog will appear which allows to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialog the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active the complete contents of it can be extracted by capturing the complete timespan that is contained within. <br />
For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3050Packet ring buffer2020-10-09T10:10:53Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behaviour of the pcap capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialogue will appear asking you to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialogue asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has it's own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
no replication means, that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks. single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disk to half the performance of no replication. <br />
double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
Following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabeled column there are three buttons displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which shall be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialog is displayed and allows following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! Description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The whole packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', layer 2 and layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of layer 7 data can be configured. In this case layer 2, 3 and 4 are stored together with the specified amount of layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed a dialog will appear which allows to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialog the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active the complete contents of it can be extracted by capturing the complete timespan that is contained within. <br />
For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3049Packet ring buffer2020-10-09T10:09:11Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data with a dark grey background colour. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behavior of the PCAP capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialog will appear asking to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialog asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has it's own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
no replication means, that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks. single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disk to half the performance of no replication. <br />
double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
Following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabeled column there are three buttons displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which shall be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialog is displayed and allows following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! Description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The whole packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', layer 2 and layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of layer 7 data can be configured. In this case layer 2, 3 and 4 are stored together with the specified amount of layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed a dialog will appear which allows to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialog the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active the complete contents of it can be extracted by capturing the complete timespan that is contained within. <br />
For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Packet_ring_buffer&diff=3048Packet ring buffer2020-10-09T10:02:09Z<p>David.Griffiths: </p>
<hr />
<div>== Packet ring buffer==<br />
The ring buffer feature allows to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. <br />
If the fixed size buffer is full then the oldest packets in the buffer will be replaced with new packets in a round-robin fashion. <br />
If the feature is not enabled a button titled '''Create ring buffer''' is visible. <br />
Upon clicking on it a dialogue will be displayed and allows you to specify the size of the ring buffer. <br />
It must be ensured that enough space is available on the external storage device. <br />
As soon as the ring buffer has been created statistics about the ring buffer will be displayed instead of the button:<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer1.png|600px|none|right]]<br />
|}<br />
* Timestamp of oldest packet: The timestamp of the oldest packet in the ring buffer.<br />
<br />
* Total size: The total size of the ring buffer on the external storage device. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. <br />
:The raw on-disk value will be displayed next to it in parentheses.<br />
<br />
* Used size: The currently used amount of memory in the capture buffer. <br />
:If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses.<br />
* Overall bytes captured since start: The amount of captured bytes since system start. <br />
:This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. <br />
:The history graph shows the captured traffic of the last minute or in the selected interval (if set).<br />
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. <br />
:This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time.<br />
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. <br />
:The history graph shows discarding over time.<br />
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. <br />
:If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer2.png|600px|none|right]]<br />
|}<br />
<br />
When the ring buffer is full and old packets are deleted, the graphs will show the time range with no data in darkgrey background color. <br />
The time range before start of the ring buffer will be visualized in the same way.<br />
When the ring buffer is running, the behavior of the PCAP capture buttons throughout the system changes: if the user interface is in live mode and a capture is started, a dialog will appear asking to specify from how far back in time the capture should start. <br />
This way it is possible to e.g. capture the traffic of an IP address starting from an hour ago. <br />
The capture will also continue with live traffic. <br />
If the user interface is in '''back-in-time''' mode (a timespan from the past is selected) starting a capture will produce a dialog asking to confirm that the capture will cover exactly the timespan selected. <br />
The capture will automatically stop after the selected timespan has been processed. <br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Create Packet ring buffer3.png|1200px|none|right]]<br />
|}<br />
<br />
==== Cluster ring buffer ==== <br />
The cluster ring buffer feature allows to use multiple whole disks in parallel for a single packet ring buffer. <br />
It also allows to optionally write redundant copies of packets to multiple disks to provide fault tolerance in case of a disk failure.<br />
<br />
It is also possible to create multiple cluster packet ring buffers that<br />
run in parallel. To enable multiple cluster packet ring buffers the<br />
option `The maximum number of concurrent packet ring buffers` in the<br />
capture module options can be set to the required number.<br />
<br />
When clicking the '''Create cluster ring buffer''' button an empty cluster ring buffer will be created and the '''Cluster configuration''' tab on the now visible packet ring buffer statistics page becomes available. <br />
<br />
If multiple cluster packet ring buffers are used the page will show<br />
a number of buttons at the top to switch between the different clusters.<br />
Each cluster has it's own statistics and configuration.<br />
<br />
In the Cluster configuration tab you can configure the '''Write redundancy level''' at the very top. <br />
This level controls how many redundant copies of each packet are written. <br />
no replication means, that only a single copy of each packet is written and provides no redundancy. <br />
This level gives the highest write bandwidth for a given number of disks. single replication means that one additional copy of each packet is written to some other disk and thus reduces the total write performance for a given number of disk to half the performance of no replication. <br />
double replication and triple replication write two and three additional copies of each packet respectively. <br />
Note that for each level to work there must be at least the number of replications + 1 disks available in the cluster.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster3.png|600px|none|right]]<br />
|}<br />
<br />
Below the '''Write redundancy level''' setting is the list of all disks available for use in the cluster. <br />
Following columns are displayed in the list:<br />
* Disk: A description of the disk and its capacity.<br />
* Enclosure: If the disk is part of a multi-disk enclosure this column will show the enclosure number along with the slot number.<br />
* Status: If the disk has been added to the cluster this column will display the current status as '''ok''' or '''failed'''. If multiple cluster packet ring buffers are used this will also show if the disk is active in another cluster.<br />
* Locator: For disks in a multi-disk enclosure the button displayed in this column allows to turn the slot locator LED on and off. <br />
<br />
<br />
In the last unlabeled column there are three buttons displayed which have the following functionality:<br />
* Add to cluster: Add a fresh disk to the cluster. <br />
:The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost.<br />
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. <br />
:The data on that disk is now part of the packet ring buffer.<br />
* Remove from cluster: Remove the disk from the ring buffer. <br />
:The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time.<br />
<br />
:If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer.<br />
<br />
<br />
'''Web interface'''<br />
{|class="wikitable sortable" <br />
|-<br />
|[[File:Cluster4.png|1200px|none|right]]<br />
|}<br />
<br />
==== Packet ring buffer snapshot length filter ====<br />
Rules can be configured that control the snapshot length of each packet which shall be stored in the packet ring buffer. <br />
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. <br />
This allows to fine tune how much packet data needs to be written to the packet ring buffer. <br />
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). <br />
<br />
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons.<br />
<br />
Evaluation of the rules takes place in the order of the rules as displayed in the rules list from top to bottom. <br />
The first rule that matches for a given packet will be applied and no further rules will be evaluated for that packet. <br />
This means that the most generic rule should be at the bottom of the list (like e.g. ‘all packets will be discarded’) and more specific rules should be higher up in the list (like e.g ‘packets with an IP matching 192.168.1.0/24 will be fully captured’).<br />
<br />
<br />
When creating a snapshot length filter rule, a dialog is displayed and allows following options:<br />
* Rule condition: Specify which packets to match.<br />
<br />
:The input field below allows entering the corresponding value.<br />
<br />
:{| class="wikitable"<br />
|-<br />
! Rule condition<br />
! Description<br />
|-<br />
| All packets<br />
| everything<br />
|-<br />
| MAC address<br />
| source or destination MAC address<br />
|-<br />
| IP address<br />
| source or destination IP address or subnet<br />
|-<br />
| TCP port<br />
| the source or destination TCP port<br />
|-<br />
| UDP port<br />
| the source or destination UDP port<br />
|-<br />
| Layer 7 protocol<br />
| the selected layer 7 protocol<br />
|-<br />
| outer VLAN tag<br />
| the most outer VLAN tag (directly after ethernet header) <br />
|-<br />
| interface<br />
| the ingress interface the packet originated from<br />
|-<br />
| SIP phone number<br />
|<br />
The number matches part of the 'From:' or 'To:' entry in a SIP INVITE packet.<br />
* only the part between '''<nowiki>'<'</nowiki>''' and '''<nowiki>'>'</nowiki>''' of the From/To line is tested.<br />
* value '''<nowiki>'234'</nowiki>''' will match '<nowiki>From: "Caller1" <sip:234></nowiki>', but also '<nowiki>From: "Caller2" <sip:12345@test></nowiki>'<br />
* to match from the start, use '''<nowiki>'sip:234'</nowiki>'''<br />
<br />
Correlating SIP packets for the same Call-ID will match.<br />
<br />
The RTP packets correlated to this SIP call will also match.<br />
<br />
|-<br />
| virtual link group<br />
| the virtual link group the packet belongs to<br />
|}<br />
<br />
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. <br />
:If this is on, the value must not match.<br />
* Action: What shall be done with the matching packets.<br />
:{| class="wikitable"<br />
|-<br />
! Action !! Description<br />
|-<br />
| Snapshot length<br />
| The packet is captured with a max length as specified in the input field below. If the packet is larger, the remaining bytes will be discarded.<br />
|-<br />
| Discard<br />
| Discard the whole packet.<br />
|-<br />
| Full<br />
| The whole packet is captured.<br />
|-<br />
| Header + data<br />
|<br />
Capture just certain parts of the packet.<br />
<br />
When selecting '''L3 header''', layer 2 and layer 3 headers are stored. <br />
<br />
When selecting '''L3 + L4 header''', layer 2, 3 and 4 headers are stored. <br />
<br />
When selecting '''L3 + L4 + L7 data''', an input field is shown where the length of layer 7 data can be configured. In this case layer 2, 3 and 4 are stored together with the specified amount of layer 7 data.<br />
<br />
|}<br />
<br />
==== Analyzing the packet ring buffer ====<br />
When the packet ring buffer is activated it is possible to restart the packet processing core and analyze all packets contained in the packet ring buffer. <br />
When the Analyze packet ring buffer button is pressed a dialog will appear which allows to choose the time range of the packet ring buffer which is to be replayed. <br />
After confirming this dialog the Network Multimeter will reset all statistics and start analyzing the contents of the packet ring buffer. <br />
Progress, statistics and the option to resume normal operation will appear on the Packet ring buffer page.<br />
<br />
<br />
<br />
==== Extracting the packet ring buffer ====<br />
When the packet ring buffer is active the complete contents of it can be extracted by capturing the complete timespan that is contained within. <br />
For convenience a button labeled Extract packet ring buffer is available that opens the capture dialog with the start time and end time set to the appropriate values.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=USB_Presenter_Capture&diff=3020USB Presenter Capture2020-09-17T11:16:38Z<p>David.Griffiths: </p>
<hr />
<div><accesscontrol>AC:GroupUsers</accesscontrol><br />
<br />
This page describes how the Allegro Network Multimeter allows a user to start a capture with a USB presenter. This capture can be actioned 'Back in Time' for a defined period. In addition, the capture files can be uploaded to an SFTP server at a defined time.<br />
<br />
This feature has been designed to allow non-IT staff to record pcaps when an error occurs; it also allows for captures without opening a Web interface.<br />
<br />
== Requirements ==<br />
<br />
This feature is supported by all Allegro Network Multimeters, even for the VM Version starting at firmware Release 3.0. It requires a free USB port on the Allegro with USB 2.0 or higher. One internal or external disk needs to be configured at '''Generic''' → '''Storage''' and a [[Packet ring buffer|ring buffer]] must be configured. Please note that the capture is extracted from the ring buffer and a ring buffer filter rules for packet slicing will affect the exported pcap.<br />
<br />
As of now, the Logitech R400 is supported. Allegro will add more presenters on request. An optional USB sound device will play a beep when a key has been pressed.<br />
<br />
== USB Capture Trigger Setup ==<br />
<br />
Connect the Logitech R400 USB dongle with the Allegro. If you have a Virtual Edition Allegro, please pass-through the USB device directly to the Allegro VM.<br />
<br />
Once this is done, navigate to the '''Settings''' -> '''Expert settings''' page and open the '''USB capture trigger'''.<br />
<br />
[[File:Presenter dialog.png|600px]]<br />
<br />
Once any key has been pressed on the presenter, one pcap will be generated. The pcap end time is when the button has been pressed and the start time is defined by the capture interval. As example, an interval of 60 seconds will generate a capture of the last minute when a presenter key was pressed.<br />
<br />
The captures are stored at the root directory of the storage device or, if enabled, in the upload directory for SFTP uploads.<br />
<br />
== SFTP Export Setup ==<br />
<br />
The Allegro can automatically upload pcap files to an SFTP server from the upload directory on the disk. To configure it, please navigate to '''Settings''' → '''Remote Access and Export''' → '''Pcap export via SFTP'''. This allow to export all captured pcap files at a certain time of day. As example it can be used to transfer pcaps during the night from remote locations to a central SFTP server.<br />
<br />
[[File:Sftp export.png|1000px]]<br />
<br />
== Advanced Multi-pcap Setup ==<br />
<br />
There are situations where the Allegro shall record multiple separate pcaps for a key with specific filters. This can be done by enabling the '''USB capture filter''' in the '''USB capture trigger''' dialog. The filter syntax is described in the [[Capture module]].<br />
<br />
A good example is the installation of an Allegro 500 with 2 links and 2 virtual link groups ( see [[Virtual Link Group Configuration Guide]]), one before and one behind the firewall.<br />
<br />
[[File:Presenter filter group.png|600px]]<br />
<br />
As a second example you can record pcaps of up to 4 different IP addresses at the same time with just one click.<br />
<br />
[[File:Presenter filter ip.png|600px]]</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=USB_Presenter_Capture&diff=3019USB Presenter Capture2020-09-17T11:14:18Z<p>David.Griffiths: </p>
<hr />
<div><accesscontrol>AC:GroupUsers</accesscontrol><br />
<br />
This page describes how the Allegro Network Multimeter allows a user to start a capture with a USB presenter. This capture can be actioned 'Back in Time' for a defined period. In addition, the capture files can be uploaded to an SFTP server at a defined time.<br />
<br />
This feature has been designed to allow non-IT staff to record pcaps when an error occurs; it also allows for captures without opening a Web interface.<br />
<br />
== Requirements ==<br />
<br />
This feature is supported by all Allegro Network Multimeters, even for the VM Version starting at firmware Release 3.0. It requires a free USB port on the Allegro with USB 2.0 or higher. One internal or external disk needs to be configured at '''Generic''' → '''Storage''' and a [[Packet ring buffer|ring buffer]] must be configured. Please note that the capture is extracted from the ring buffer and a ring buffer filter rules for packet slicing will affect the exported pcap.<br />
<br />
As of now, the Logitech R400 is supported. Allegro will add more presenters on request. An optional USB sound device will play a beep when a key has been pressed.<br />
<br />
== USB Capture Trigger Setup ==<br />
<br />
Please connect the Logitech R400 USB dongle with the Allegro. If you have a Virtual Edition Allegro, please pass-through the USB device directly to the Allegro VM.<br />
<br />
Once this is done, navigate to the '''Settings''' -> '''Expert Settings''' page and open the '''USB capture trigger'''.<br />
<br />
[[File:Presenter dialog.png|600px]]<br />
<br />
Once any key has been pressed on the presenter, one pcap will be generated. The pcap end time is when the button has been pressed and the start time is defined by the capture interval. As example, an interval of 60 seconds will generate a capture of the last minute when a presenter key was pressed.<br />
<br />
The captures are stored at the root directory of the storage device or, if enabled, in the upload directory for SFTP uploads.<br />
<br />
== SFTP Export Setup ==<br />
<br />
The Allegro can automatically upload pcap files to an SFTP server from the upload directory on the disk. To configure it, please navigate to '''Settings''' → '''Remote Access and Export''' → '''Pcap export via SFTP'''. This allow to export all captured pcap files at a certain time of day. As example it can be used to transfer pcaps during the night from remote locations to a central SFTP server.<br />
<br />
[[File:Sftp export.png|1000px]]<br />
<br />
== Advanced Multi-pcap Setup ==<br />
<br />
There are situations where the Allegro shall record multiple separate pcaps for a key with specific filters. This can be done by enabling the '''USB capture filter''' in the '''USB capture trigger''' dialog. The filter syntax is described in the [[Capture module]].<br />
<br />
A good example is the installation of an Allegro 500 with 2 links and 2 virtual link groups ( see [[Virtual Link Group Configuration Guide]]), one before and one behind the firewall.<br />
<br />
[[File:Presenter filter group.png|600px]]<br />
<br />
As a second example you can record pcaps of up to 4 different IP addresses at the same time with just one click.<br />
<br />
[[File:Presenter filter ip.png|600px]]</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=USB_Presenter_Capture&diff=3018USB Presenter Capture2020-09-17T11:11:08Z<p>David.Griffiths: </p>
<hr />
<div><accesscontrol>AC:GroupUsers</accesscontrol><br />
<br />
This page describes how the Allegro Network Multimeter allows a user to start a capture with a USB presenter. This capture can be actioned 'Back in Time' for a defined period. In addition, the capture files can be uploaded to an SFTP server at a defined time.<br />
<br />
This feature has been designed to allow non-IT staff to record pcaps when an error occurs; it also allows for captures without opening a web interface.<br />
<br />
== Requirements ==<br />
<br />
This feature is supported by all Allegro Network Multimeters, even for the VM Version starting at firmware version 3.0. It requires a free USB port on the Allegro with USB 2.0 or higher. One internal or external disk needs to be configured at '''Generic''' → '''Storage''' and a [[Packet ring buffer|ring buffer]] must be configured. Please note that the capture is extracted from the ring buffer and a ring buffer filter rules for packet slicing will affect the exported pcap.<br />
<br />
As of now, the Logitech R400 is supported. Allegro will add more presenter on request. An optional USB sound device will play a beep when a key has been pressed.<br />
<br />
== USB Capture Trigger Setup ==<br />
<br />
Please connect the Logitech R400 USB dongle with the Allegro. If you have a virtual Allegro, please pass-through the USB device directly to the Allegro VM.<br />
<br />
Once this is done, navigate to the '''Settings''' -> '''Expert Settings''' page and open the '''USB capture trigger'''.<br />
<br />
[[File:Presenter dialog.png|600px]]<br />
<br />
Once any key has been pressed on the presenter, one pcap will be generated. The pcap end time is when the button has been pressed and the start time is defined by the capture interval. As example, an interval of 60 seconds will generate a capture of the last minute when a presenter key has been pressed.<br />
<br />
The captures are stored at the root directory of the storage device or, if enabled, in the upload directory for sftp uploads.<br />
<br />
== SFTP Export Setup ==<br />
<br />
The Allegro can automatically upload pcap files to an SFTP server from the upload directory on the disk. To configure it, please navigate to '''Settings''' → '''Remote Access and Export''' → '''Pcap export via SFTP'''. This allow to export all captured pcap files at a certain time of day. As example it can be used to transfer pcaps during the night from remote locations to a central sftp server.<br />
<br />
[[File:Sftp export.png|1000px]]<br />
<br />
== Advanced Multi-Pcap Setup ==<br />
<br />
There are situations where the Allegro shall record multiple separate pcaps for a key with specific filters. This can be done by enabling the '''USB capture filter''' in the '''USB capture trigger''' dialog. The filter syntax is described in the [[Capture module]].<br />
<br />
A good example is the installation of an Allegro 500 with 2 links and 2 virtual link groups ( see [[Virtual Link Group Configuration Guide]]), one before and one behind the firewall.<br />
<br />
[[File:Presenter filter group.png|600px]]<br />
<br />
As a second example you can record Pcaps of up to 4 different IP addresses at the same time with just one click.<br />
<br />
[[File:Presenter filter ip.png|600px]]</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2846Global settings2020-05-22T15:29:12Z<p>David.Griffiths: /* Expert settings */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow you to see a more detailed view (with higher time resolution) or to reduce the detail level so more data can be stored on the device. Changing the default values has an impact on the performance and memory usage. Changing a slider to the left increases the detail level of graphs, but increases memory usage and decreases performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows you to change this behaviour. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This reduces the time period to see historical data. You can choose to increase the reduction factor to store more data for a longer period. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The displayed value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 milliseconds, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows for reporting configuration. When enabled, the following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector.<br />
* Port: Corresponding port.<br />
* Protocol: TCP or UDP.<br />
* Update interval: Interval in seconds for sending a status update of flows.<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections.<br />
* TCP reconnect timeout: When TCP connections could not be established, wait for this time period until the next attempt to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter. PTP service may be used if management interface supports hardware time stamping.<br />
If a GPS-capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be automatically selected.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
The following settings are possible for PTP and should match the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be manually configured by entering a properly formatted date and time description.<br />
Below the time synchronization settings, the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone.<br />
To make changes take effect, click on the Save settings button at the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the SMTP server used and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the correct URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily, a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbours if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows you to configure which packet length is used for all traffic counters and incidents. The following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on Layer 1 including preamble (7 Byte), SFD (1 Byte) and inter-frame gap (12 Bytes)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on Layer 2 without a frame check sequence (4 Bytes)<br />
* Layer 2 with frame check sequence: Account packet length on Layer 2 with frame check sequence (4 Bytes) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option may be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the Mirror Port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear twice in the statistics which is often the desired behaviour to be able to identify a network misconfiguration. But sometimes this behaviour is intended and the user wants to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is discarded. On the Dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer Layer 2, Layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support department.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high incoming bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the quantity of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations since data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve since there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support department.<br />
<br />
=== Processing performance ===<br />
<br />
Processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support department.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their order in the packet ring buffer but it may increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after a given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface, this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a pcap capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can significantly speed up the analysis.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for efficient load<br />
balancing.<br />
<br />
If the network traffic only occurs between a few IP addresses, this<br />
method can lead to a load imbalance so that some threads are doing more<br />
work while other threads may be idle. In this scenario, "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2845Global settings2020-05-22T15:17:16Z<p>David.Griffiths: /* Email notification */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow you to see a more detailed view (with higher time resolution) or to reduce the detail level so more data can be stored on the device. Changing the default values has an impact on the performance and memory usage. Changing a slider to the left increases the detail level of graphs, but increases memory usage and decreases performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows you to change this behaviour. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This reduces the time period to see historical data. You can choose to increase the reduction factor to store more data for a longer period. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The displayed value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 milliseconds, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows for reporting configuration. When enabled, the following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector.<br />
* Port: Corresponding port.<br />
* Protocol: TCP or UDP.<br />
* Update interval: Interval in seconds for sending a status update of flows.<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections.<br />
* TCP reconnect timeout: When TCP connections could not be established, wait for this time period until the next attempt to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter. PTP service may be used if management interface supports hardware time stamping.<br />
If a GPS-capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be automatically selected.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
The following settings are possible for PTP and should match the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be manually configured by entering a properly formatted date and time description.<br />
Below the time synchronization settings, the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone.<br />
To make changes take effect, click on the Save settings button at the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the SMTP server used and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the correct URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily, a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbours if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2844Global settings2020-05-22T15:14:58Z<p>David.Griffiths: /* Time settings */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow you to see a more detailed view (with higher time resolution) or to reduce the detail level so more data can be stored on the device. Changing the default values has an impact on the performance and memory usage. Changing a slider to the left increases the detail level of graphs, but increases memory usage and decreases performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows you to change this behaviour. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This reduces the time period to see historical data. You can choose to increase the reduction factor to store more data for a longer period. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The displayed value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 milliseconds, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows for reporting configuration. When enabled, the following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector.<br />
* Port: Corresponding port.<br />
* Protocol: TCP or UDP.<br />
* Update interval: Interval in seconds for sending a status update of flows.<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections.<br />
* TCP reconnect timeout: When TCP connections could not be established, wait for this time period until the next attempt to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter. PTP service may be used if management interface supports hardware time stamping.<br />
If a GPS-capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be automatically selected.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
The following settings are possible for PTP and should match the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be manually configured by entering a properly formatted date and time description.<br />
Below the time synchronization settings, the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone.<br />
To make changes take effect, click on the Save settings button at the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2843Global settings2020-05-22T15:11:45Z<p>David.Griffiths: /* IPFIX settings */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow you to see a more detailed view (with higher time resolution) or to reduce the detail level so more data can be stored on the device. Changing the default values has an impact on the performance and memory usage. Changing a slider to the left increases the detail level of graphs, but increases memory usage and decreases performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows you to change this behaviour. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This reduces the time period to see historical data. You can choose to increase the reduction factor to store more data for a longer period. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The displayed value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 milliseconds, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows for reporting configuration. When enabled, the following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector.<br />
* Port: Corresponding port.<br />
* Protocol: TCP or UDP.<br />
* Update interval: Interval in seconds for sending a status update of flows.<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections.<br />
* TCP reconnect timeout: When TCP connections could not be established, wait for this time period until the next attempt to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2842Global settings2020-05-22T15:09:55Z<p>David.Griffiths: /* Graph detail settings */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow you to see a more detailed view (with higher time resolution) or to reduce the detail level so more data can be stored on the device. Changing the default values has an impact on the performance and memory usage. Changing a slider to the left increases the detail level of graphs, but increases memory usage and decreases performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows you to change this behaviour. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This reduces the time period to see historical data. You can choose to increase the reduction factor to store more data for a longer period. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The displayed value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 milliseconds, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows configuration of reporting. When enabled, following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector<br />
* Port: Corresponding port<br />
* Protocol: TCP or UDP<br />
* Update interval: Interval in seconds for sending a status update of flows<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections<br />
* TCP reconnect timeout: When TCP connection could not be established, wait for this time period until next try to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2841Global settings2020-05-22T15:05:42Z<p>David.Griffiths: /* Limit module processing */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows you to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be significantly improved and allows a higher throughput if you do not need to select some analysis modules.<br />
<br />
The following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are supported except Layer 7 protocol recognition.<br />
* Up to Layer 2: Additionally all Layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to Layer 3: Additionally all Layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to Layer 4: Additionally all Layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you need to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow to get a more detailed view (with higher time resolution) or to reduce the detail level so that more data can be stored on the device. Changing the default values have an impact on the performance and memory usage. Changing a slider to the left increases detail level of graphs, but also increases the memory usage and decreases the performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows to change this behavior. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This of course reduces the time period to see historical data. You can also choose to increase the reduction factor to be able to store more data for a longer time. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The shown value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 millisecond, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows configuration of reporting. When enabled, following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector<br />
* Port: Corresponding port<br />
* Protocol: TCP or UDP<br />
* Update interval: Interval in seconds for sending a status update of flows<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections<br />
* TCP reconnect timeout: When TCP connection could not be established, wait for this time period until next try to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2840Global settings2020-05-22T15:02:57Z<p>David.Griffiths: /* Webshark support */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the device needs a small amount of system memory for packet processing. This amount of memory (~100MB) will be reserved by the Multimeter and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a little shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be drastically improved and allows a higher throughput if you don’t need some analysis modules.<br />
<br />
Following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are support except layer 7 protocol recognition.<br />
* Up to layer 2: Additionally all layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to layer 3: Additionally all layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to layer 4: Additionally all layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you have to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow to get a more detailed view (with higher time resolution) or to reduce the detail level so that more data can be stored on the device. Changing the default values have an impact on the performance and memory usage. Changing a slider to the left increases detail level of graphs, but also increases the memory usage and decreases the performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows to change this behavior. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This of course reduces the time period to see historical data. You can also choose to increase the reduction factor to be able to store more data for a longer time. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The shown value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 millisecond, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows configuration of reporting. When enabled, following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector<br />
* Port: Corresponding port<br />
* Protocol: TCP or UDP<br />
* Update interval: Interval in seconds for sending a status update of flows<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections<br />
* TCP reconnect timeout: When TCP connection could not be established, wait for this time period until next try to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2839Global settings2020-05-22T15:01:15Z<p>David.Griffiths: /* Packet processing mode */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In Bridge mode, all received packets will be retransmitted on the corresponding mutual port so that the device can be placed inline between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In Sink mode, packets are only received and not forwarded. This operation mode allows for installation at a Mirror port of a Switch or when using a network Tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during runtime.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the system needs a small amount of system memory to process the packets. This amount of memory (~100MB) will be reserved by the system and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a bit shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be drastically improved and allows a higher throughput if you don’t need some analysis modules.<br />
<br />
Following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are support except layer 7 protocol recognition.<br />
* Up to layer 2: Additionally all layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to layer 3: Additionally all layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to layer 4: Additionally all layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you have to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow to get a more detailed view (with higher time resolution) or to reduce the detail level so that more data can be stored on the device. Changing the default values have an impact on the performance and memory usage. Changing a slider to the left increases detail level of graphs, but also increases the memory usage and decreases the performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows to change this behavior. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This of course reduces the time period to see historical data. You can also choose to increase the reduction factor to be able to store more data for a longer time. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The shown value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 millisecond, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows configuration of reporting. When enabled, following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector<br />
* Port: Corresponding port<br />
* Protocol: TCP or UDP<br />
* Update interval: Interval in seconds for sending a status update of flows<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections<br />
* TCP reconnect timeout: When TCP connection could not be established, wait for this time period until next try to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Global_settings&diff=2838Global settings2020-05-22T14:59:04Z<p>David.Griffiths: /* PCAP parallel analysis */</p>
<hr />
<div>The Global settings section contains parameters for adjusting the behavior of the system.<br />
The settings are split among multiple tabs, described as follows.<br />
<br />
== Generic settings ==<br />
<br />
=== Packet processing mode ===<br />
<br />
This section allows for configuring the main packet processing mode:<br />
<br />
* Bridge mode: In bridge mode, all received packets will be transmitted again on the corresponding mutual port so that the device can be placed in-line between any network component. The device will be transparent and will not modify the traffic in any way. The additional latency will be typically around or less than 1 millisecond.<br />
* Sink mode: In sink mode, packets are only received and not forwarded. This operation mode allows for installation at a mirror port of a switch or when using a network tap to access the network traffic.<br />
<br />
<br />
The packet processing mode can be changed during run-time.<br />
<br />
=== Webshark support ===<br />
<br />
The Allegro Network Multimeter allows having a preview of the first Megabyte of packets directly in the browser, called Webshark. To support this, the system needs a small amount of system memory to process the packets. This amount of memory (~100MB) will be reserved by the system and is not available for the In-Memory database used to store metadata, thus the history of stored metadata is a bit shorter. If this is not desired, it is possible to disable the Webshark support. Changing this value requires a restart of the processing.<br />
<br />
=== Limit module processing ===<br />
<br />
This setting allows to configure which modules are active. With this setting, the performance of the Allegro Network Multimeter can be drastically improved and allows a higher throughput if you don’t need some analysis modules.<br />
<br />
Following modes are possible:<br />
<br />
* Only capturing: Only interface statistics and the capture module is provided. The capture filters are support except layer 7 protocol recognition.<br />
* Up to layer 2: Additionally all layer 2 related modules are active such as MAC, MAC protocols, ARP and Burst Analysis.<br />
* Up to layer 3: Additionally all layer 3 related modules are active such as IP and DHCP statistics.<br />
* Up to layer 4: Additionally all layer 4 related modules are active such as TCP and Layer 4 server ports.<br />
* Unlimited: All modules are active.<br />
<br />
When switching to another mode you have to restart the processing in order to activate the new settings.<br />
<br />
=== Graph detail settings ===<br />
<br />
It is possible to modify the detail level of all graphs in the interface. This settings allow to get a more detailed view (with higher time resolution) or to reduce the detail level so that more data can be stored on the device. Changing the default values have an impact on the performance and memory usage. Changing a slider to the left increases detail level of graphs, but also increases the memory usage and decreases the performance.<br />
<br />
* Best graph resolution: This option configures how detailed the graph information are shown in the best case (the latest information). The default value is one second which means that a graph sample point represents a second of packet time. You can change the resolution up to 1 millisecond which gives a detailed sub-second representation of the traffic. You can also decide to decrease the resolution which enables the Multimeter to store more data for a longer period of time.<br />
<br />
* Reduce graph resolution of old data by up to: The resolution of older graph data is automatically reduced to save memory and to allow a longer view into the traffic history. This option allows to change this behavior. With a reduction factor of 1/1 no reduction is done at all which means the selected graph resolution is available for the complete time. <br />
:This of course reduces the time period to see historical data. You can also choose to increase the reduction factor to be able to store more data for a longer time. The time printed in parentheses represents the worst-case graph resolution based on the chosen resolution and reduction factor.<br />
<br />
<br />
Note: Regardless of these settings, the graph values are always converted to represent a value per second (when applicable). For example, the packets per second for IP addresses will always be a value literally per second even if the resolution is larger or smaller than one second. The shown value is scaled to match this view. Especially with sub-second resolution this might be misleading. <br />
<br />
<br />
For instance, if there is a network element sending one packet per second and the resolution is set to 100 millisecond, the value might be shown as 10 packets per second as each sample point is scaled to represent an value per second. For a detailed investigation it is recommended to select a specific time interval since the total packet counters shown in all statistics are unscaled and represent the actual values.<br />
<br />
<br />
Performance implications: The performance degradation and memory usage depends on the actual network traffic and is not exactly predictable. <br />
<br />
Here are some examples for reference on a Multimeter 1000 series with different configuration values (under ideal test conditions):<br />
<br />
* 1 second resolution, 1/1 reduction factor: 90% of default performance<br />
* 100 millisecond resolution, 1/1 reduction factor: 50% of default performance,<br />
* 10 millisecond resolution, 1/1 reduction factor: 15% of default performance<br />
* 1 millisecond resolution, 1/1 reduction factor: 10% of default performance<br />
<br />
=== pcap parallel analysis ===<br />
<br />
The pcap parallel analysis feature allows to analyse pcap files or the<br />
packet ring buffer in parallel to the live measurement. The settings<br />
allow to enable the feature and choose how much memory of the main<br />
memory is used for parallel analysis and how many parallel slots can<br />
be used. Detailed description of the configuration values are<br />
described [[pcap parallel analysis|here]].<br />
<br />
== IPFIX settings ==<br />
<br />
The Allegro Network Multimeter may be running as an IPFIX exporter. These settings allows configuration of reporting. When enabled, following settings are possible:<br />
<br />
* IP address: Address of IPFIX collector<br />
* Port: Corresponding port<br />
* Protocol: TCP or UDP<br />
* Update interval: Interval in seconds for sending a status update of flows<br />
* UDP resend interval: Interval in seconds for resending IPFIX templates for UDP connections<br />
* TCP reconnect timeout: When TCP connection could not be established, wait for this time period until next try to establish a connection.<br />
<br />
Individual IPFIX messages can be enabled or disabled by toggling corresponding options. See the NetFlow/IPFIX interface documentation for details about the message types.<br />
<br />
== Time settings ==<br />
<br />
The Allegro Network Multimeter can be configured to use a time synchronization service. NTP is supported for all variants of the Multimeter, PTP service may be used if management interface supports hardware time stamping.<br />
In case a GPS capable PTP grandmaster card is available, GPS time synchronization is available and the antenna cable delay in nanoseconds can be configured.<br />
<br />
To enable a time service, switch to the proper type in the dropdown box.<br />
The time service field will show whether the selected service is running or not.<br />
For NTP time retrieval you can specify and edit dedicated NTP servers. If you do not specify a NTP server, a set of predefined NTP servers will be taken automatically.<br />
For PTP time retrieval, the PTP grandmaster clock identity is shown. This is usually an EUI-64 address. The first and last set of octets of the identity represent the (EUI-48) MAC address of the grandmaster.<br />
<br />
Following settings are possible for PTP and should match to the settings of the PTP grandmaster:<br />
<br />
* Delay mechanism: Use end-to-end (E2E), peer-to-peer (P2P) or automatic delay measurement. In case automatic measurement is selected, E2E is used at the beginning and switched to P2P when a peer delay request is received. Default is '''Auto'''.<br />
* Network transport: Use UDPv4, UDPv6 or Layer 2 as network transport. Default is '''UDPv4'''.<br />
* Domain number: The domain number of the grandmaster. This is used to define logical groups of synchronized clocks.<br />
<br />
<br />
The GPS time retrieval option is available if a GPS capable PTP grandmaster card is installed in the Multimeter. <br />
If no time synchronization mechanism is selected the date and time of the device can be configured manually by entering a properly formatted date and time description.<br />
Below the time synchronization settings the time zone used by the device can be configured. The drop-down list provides a list of cities grouped by world regions to select the appropriate time zone from.<br />
To make changes take effect, click on the Save settings button on the bottom of the page. To reload the stored settings, click on Reload settings.<br />
<br />
== Email notification ==<br />
<br />
Certain modules support the sending of email notifications. The following settings are used to globally configure the used SMTP server and the target email address that will receive the notifications:<br />
<br />
* Enable email notifications: globally enables or disables the sending of email notifications.<br />
* SMTP server address: the address of the SMTP server that will be used to send out notification emails.<br />
* SMTP server port: the TCP port on which the SMTP server is listening.<br />
* SMTP server uses SSL: must be set to On if the SMTP server expects an SSL connection from the very start. If the SMTP server uses no SSL or STARTTLS this setting must be set to Off.<br />
* Ignore certificate errors: if the SSL certificate should not be validated because e.g. it is a self-signed certificate this setting can be used to turn off certificate validation.<br />
* Allow unencrypted connections: if an unencrypted connection must be allowed because e.g. a legacy SMTP server does not support it this setting can be used.<br />
* Username: the username used to log in to the SMTP server.<br />
* Password: the password used to log in to the SMTP server.<br />
* From email address: the email address from which incident notifications will be sent.<br />
* Target email address: the email address to which incident notifications will be sent.<br />
* Email links base URL: this base URL will be used to generate the HTML links in notification emails. Since the device cannot by itself determine the proper address by which it is visible to the email recipient this setting can be used to set the right URL prefix for links sent with the notification emails.<br />
* Send periodic system status mail: if set to hourly or daily a system status email will be sent to the configured target address with the selected frequency. It will contain basic system information and system health status, management interface configuration and a list of detected LLDP neighbors if the management LLDP feature is enabled.<br />
<br />
The Send test email button can be used to verify that the entered settings are working.<br />
<br />
== Expert settings ==<br />
<br />
The Expert settings contains parameter which are often only necessary to change in rare installation scenarios or some specific need for a different operation mode.<br />
<br />
=== Packet length accounting ===<br />
<br />
This setting allows to configure which packet length is used for all traffic counters and incidents. Following modes are possible:<br />
<br />
* Layer 1: Packet length is accounted on layer 1 including preamble (7 Byte), SFD (1 Byte) and inter frame gap (12 Byte)<br />
* Layer 2 without frame check sequence (default): Packet length is accounted on layer 2 without frame check sequence (4 Byte)<br />
* Layer 2 with frame check sequence: Account packet length on layer 2 with frame check sequence (4 Byte) When switching to another mode, it will only be applied on new packets. Older packet size statistics will not be changed.<br />
<br />
=== VLAN handling ===<br />
<br />
The Allegro Network Multimeter can ignore VLAN tags for connection tracking. Enabling this option might be necessary if network traffic is seen on the Network Multimeter that contains changing VLAN tags for the same connection. For example, depending on the configuration of the mirror port to which the Network Multimeter is connected, incoming traffic could contain a VLAN tag while outgoing traffic does not. In this example, a connection would appear two times in the statistics which is often the desired behavior to be able to identify a network misconfiguration. But sometimes this behavior is intended and the user want to see only one connection. In this scenario the option can be enabled to ignore varying VLAN tags for a otherwise identical connection.<br />
<br />
=== Tunnel view mode ===<br />
<br />
The Allegro Network Multimeter can decapsulate ERSPAN type II and type III traffic. In this mode all non-ERSPAN traffic is being discarded. On the dashboard a dropped counter will display dropped non ERSPAN packets for indication if this mode is active. The Multimeter will show the encapsulated content in all analysis modules. When capturing, packets with complete outer layer 2, layer 3, GRE and ERSPAN headers will be stored as seen on the wire.<br />
<br />
=== Database mode settings ===<br />
<br />
The database mode is a special analysis mode for high-performance Network Multimeters with multiple processors to increase the performance on such systems. It is normally enabled automatically but depending on the actual network traffic and system usage, some parameter tweak might be necessary to improve overall system performance. <br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
These settings are only visible if your Network Multimeter is capable of running this mode.<br />
<br />
You can read more about the meaning of the settings [[DB mode|here]].<br />
<br />
=== Network performance ===<br />
<br />
There are several network performance settings available to improve performance on high-performance systems in case of packet drops during very high receive bandwidth. They are only visible if your Network Multimeter is capable of changing these settings.<br />
<br />
* Max RX queues per socket: This setting specifies the amount of threads dedicated to read and write interactions with the network interface controllers. By increasing this value, network receive bandwidth can be increased before packet drops occur. By decreasing this value, data analysis will improve. The default setting of 2 RX queues is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Use Hyper-Threading for RX queues: This setting allows enabling or disabling Hyper-Threading for the threads dedicated to read and write interactions with the network interface controllers. By disabling it, network performance can be improved as the RX queues will be distributed to physical CPU cores only. By enabling it, RX queues will also be distributed to virtual Hyper-Threading CPU cores which is not as efficient as physical CPU cores. By using Hyper-Threading, data analysis will improve as there are more CPU cores available for these tasks. Hyper-Threading is used by default. This is suitable for most configurations as data analysis typically needs much more processing ressources.<br />
* Preferred Network interface controller: This setting allows fine tuning of network and data analysis performance for dedicated network controllers. The selected set of network controllers will be preferred over the others. Usually the fastest or the network controller with the most traffic should be preferred. The '''Auto''' setting is used by default, preferring the fastest network controller.<br />
<br />
You should only change these parameters in discussion with the Allegro Packets support.<br />
<br />
=== Processing performance ===<br />
<br />
The processing performance may be modified on high-performance systems. This is only visible if your Network Multimeter is capable of changing this setting.<br />
<br />
* Processing performance mode: This setting allows for fine tuning processing performance. By using '''Analysing''', as much processing ressources on all CPUs as possible are used for data analysis. By using '''Capturing''', the focus will be on high data throughput and low latency for capturing purposes by using only the CPU where the preferred newtork controller is attached to. This has an impact on data analysis performance. '''Analysing''' is used by default.<br />
You should only change this parameter in discussion with the Allegro Packets support.<br />
<br />
=== Packet ring buffer timeouts ===<br />
<br />
Two timeout settings related to the packet ring buffer can be adjusted.<br />
<br />
* The long timeout controls after which maximum period of time a packet is actually written to the packet ring buffer. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also increase the amount of unused overhead data in the packet ring buffer.<br />
* The short timeout controls after which period of time smaller batches of packets are written to the packet ring buffer even if waiting for more packets would result in a more efficient operation. A lower value may decrease the time difference by which packets are stored out of their real order in the packet ring buffer but it may also decrease the performance of the packet ring buffer.<br />
<br />
=== Data retention timeout ===<br />
<br />
When this timeout is set to a value greater than 0, data will be removed from the system after the given number of minutes. This means that entities like IPs, which have been inactive for longer than the timeout, will be removed. History graph data for entities that are still active will be truncated to cover only the given timespan while the absolute values for the whole runtime will be retained. When a packet ring buffer is active, packets which are older than the timeout will be discarded.<br />
<br />
=== L3 tunnel mode ===<br />
<br />
If L3 tunnel mode is enabled for an interface this interface will only process packets encapsulated in GRE or GRE+ERSPAN and targeted for the configured IP address. All other packets received on that interface will be discarded. The system will process the packets as if only the inner encapsulated packet is seen and any traffic captures will only contain the encapsulated packet. An interface with L3 tunnel mode enabled will respond to ARP requests and to ICMP echo requests so it is possible to use ping to verify that the interface is reachable under the configured IP address. Currently only IPv4 L3 tunnels are supported. It must be noted that if the system is running in bridge packet processing mode any links with an interface configured for L3 tunnel mode will not forward traffic.<br />
<br />
=== Multithreaded capture analysis ===<br />
<br />
This option enables the use of multiple CPUs for capture analysis like when<br />
analyzing a PCAP capture file or analyzing the packet ring buffer. Depending<br />
on the number of available CPUs this can speed up the analysis significantly.<br />
<br />
It is possible to dedicate a number a CPUs exclusively to capture analysis.<br />
Since these CPUs are not available for live packet processing the performance of<br />
live traffic analysis may be lower.<br />
When set to 0 a lower priority is used for capture analysis than for live analysis<br />
but it cannot be ruled out that the performance of the live processing is<br />
affected.<br />
<br />
=== Load balancing ===<br />
<br />
This option select the load distribution method. By default, network<br />
traffic is balanced among all processing threads based on the IP<br />
addresses. This is fast and usually the best way for good load<br />
balancing.<br />
<br />
If the network traffic only happens between few IP addresses, this<br />
method can lead to load imbalance so that some threads doing much more<br />
work while other threads may idle. In this scenario the "flow based<br />
balancing" can be enabled to distribute the traffic based on the IP<br />
and port information. This will lead to better utilization of all<br />
processing threads.<br />
<br />
Since this option induces additional processing overhead per packet<br />
and additional memory for all internal IP statistics, it should only<br />
be enabled in cases of significant load imbalance.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Multi-device_settings&diff=2837Multi-device settings2020-05-22T14:28:07Z<p>David.Griffiths: </p>
<hr />
<div>The multi-device feature allows you to access multiple Allegro Network<br />
Multimeters from a single master appliance. Access to the remote<br />
Multimeters is routed through the master appliance so the web user does not<br />
need to have direct access to the target devices.<br />
<br />
Features like the [[Path measurement]] also use the multi-device<br />
settings to access the remote appliance for the measurement.<br />
<br />
As soon as a remote multi-device is active, the top menu shows a<br />
drop-down menu for you to be able to select the current view. All measurement<br />
data shown in the web interface are from the selected device.<br />
<br />
[[File:Ap-mm-multi-device-settings.png|500px|frame|Multi device settings]]<br />
<br />
== List of remote devices ==<br />
<br />
The first part of the page contains the list of all configured remote<br />
devices. It shows the host name or IP address for the corresponding device and<br />
an arbitrary description for each device which can also be changed.<br />
<br />
Next to the description, details of the SSL certificate of the remote<br />
device is shown so it is possible to verify the correct<br />
certificate.<br />
<br />
The last column allows you to activate or deactivate devices and remove<br />
them completely from the list. Only activated devices are actually<br />
contacted and made available in the top selection box.<br />
<br />
== Add a remote Multimeter ==<br />
<br />
Below the list of registered Multimeters, new devices can be added by<br />
entering the host name or IP address, optionally setting a description<br />
for the device, and the login credentials.<br />
<br />
== Master device description ==<br />
<br />
The master device can also have an arbitrary description to make it<br />
easier to select it from the top selection box.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Administration&diff=2836Administration2020-05-22T14:24:08Z<p>David.Griffiths: </p>
<hr />
<div>The administration page allows the following actions:<br />
<br />
{| class="wikitable sortable"<br />
|- <br />
| [[File:Administration.png|800px|none|right]]<br />
|}<br />
<br />
=== Power ===<br />
<br />
Reboot or power off the Allegro Network Multimeter.<br />
<br />
After clicking on the buttons, a confirmation dialogue will appear. Most of the time, rebooting is not necessary since it takes a significant time. If packet processing needs to be restarted because some options cannot be changed during runtime, the next option is a better choice since it minimizes downtime.<br />
<br />
=== Processing ===<br />
<br />
Restart the Allegro Network Multimeter processing software. This will reset all measured statistics.<br />
<br />
Choosing this option will stop packet processing but the machine and its web interface is still available as the device itself is not rebooted. The packet processing core is restarted with the current settings and will begin processing packets after a few seconds.<br />
<br />
=== Configuration ===<br />
<br />
By clicking on Reset '''System Configuration''' all settings including the network configuration will be reset to factory default and the system will be restarted.<br />
<br />
The "Export System Configuration" button allows you to export the entire configuration of the *Allegro Network Multimeter*. A zip compressed file can be downloaded and used for import.<br />
<br />
The "Import System Configuration" button allows you to select several configuration items:<br />
* All settings: All settings of global settings, module settings, incident settings, user defined names, virtual link groups, NIC filter and IP groups, excluding management interface settings, multi-device settings, and user settings. It is possible to import these settings to all configured remote devices.<br />
* Management interface settings: All settings of the management interface (e.g. Wi-Fi, LAN, hostname).<br />
* Multi device settings: All settings on the configured remote devices.<br />
* Users: All users and their passwords. The admin user cannot be changed and cannot be deleted by a configuration import.<br />
<br />
=== SSL certificate ===<br />
<br />
The appliance comes with a pre-installed generic SSL certificate but an own certificate can be installed:<br />
The '''Install SSL certificate''' button will open a dialogue that will allow you to upload a X.509 certificate file and a RSA key file. Upon successful upload, this certificate will be used to serve the user interface. <br />
The '''Reset to default SSL certificate''' button will remove any user-provided SSL certificate and the user interface will be served using the default SSL certificate.<br />
It is currently not possible to issue a signing request procedure. To use a certificate which needs to be signed by a company CA, the user has to create that certificate on a separate machine, create the signing request, and deploy the final certificate to the appliance using the above option.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Ingress_filter&diff=2835Ingress filter2020-05-22T14:16:26Z<p>David.Griffiths: </p>
<hr />
<div>'''Web interface'''<br />
<br />
{| class="wikitable sortable"<br />
|-<br />
| [[File:NIC filter.png|1000px|none|right]]<br />
|}<br />
<br />
<br />
The filter page allows setting a processing filter for live traffic. The traffic may be filtered before it is processed.<br />
Filters can be applied for:<br />
* IP addresses (with possible subnet mask).<br />
* pairs of IP addresses (with possible subnet mask).<br />
* MAC addresses.<br />
* VLAN tags (or none for no VLAN tag).<br />
* specific TCP/UDP ports.<br />
* physical interface IDs (as listed in Interface statistics).<br />
<br />
They can all be set to either blacklist or whitelist mode. <br />
Filtering will be evaluated for every packet in tab order. <br />
The more restrictive filter will be applied. <br />
For instance; if no IP address is denied but a specific MAC address is on the blacklist, no traffic for that MAC address will be processed.<br />
The processing filter is applied on live traffic only. When replaying a pcap or using the remote traffic capture feature, filtering is not used.<br />
<br />
=== IP filters ===<br />
<br />
The IP filter page allows importing an IP list in the format:<br />
<br />
#A line with a comment<br />
1.2.3.1<br />
1.2.3.2<br />
1.2.3.3<br />
<br />
By clicking on '''Import list''' a dialogue box will be opened where you can choose to download such a list from a given URL or specify a file from your system. The IP addresses are added to the existing ones up to a maximum of 10000 addresses.<br />
<br />
The '''Export list''' button allows for exporting the IP filter list in the same format as the import.<br />
<br />
The '''Delete all''' button allows for deleting all IP addresses from the filter list.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Remote_access_and_export&diff=2834Remote access and export2020-05-22T14:07:39Z<p>David.Griffiths: /* PCAP Export via SFTP */</p>
<hr />
<div>== Statistics Export ==<br />
<br />
See [[Statistics Export via POST]] for details about exporting the measurement data via HTTP POST requests.<br />
<br />
== SSH port forwarding ==<br />
<br />
This option allows to use an external SSH server as an proxy to access the device. Via port forwarding the client PC accesses the SSH proxy which forwards the traffic to the actual Allegro Network Multimeter. See [[Self-hosted_SSH_proxy]] for detailed information how to set up such a server.<br />
<br />
== Allegro Remote Service ==<br />
<br />
The Allegro Remote Service is similar to the SSH Port Forwarding feature, but the SSH server is provided by Allegro Packets as a public service. Traffic through is proxy is still end-to-end encrypted via your SSL certificate so the data is only accessible to you.<br />
<br />
See [[Using the Allegro Remote Service]] for detailed information.<br />
<br />
== SNMP ==<br />
<br />
See [[SNMP]] for details about SNMP support.<br />
<br />
== pcap export via SFTP ==<br />
<br />
The '''Allegro Network Multimeter''' allows the export of captured pcaps via SFTP.<br />
pcap files can be stored in an upload queue and be automatically uploaded to a remote host<br />
once a day.<br />
<br />
This feature only works if a disk is attached to the device.<br />
<br />
When ''PCAP Export via SFTP'' is enabled, a new checkbox ''Save to SFTP export directory'' is<br />
added to the capture dialogue. If checked, the pcap will be stored to a special<br />
upload directory.<br />
<br />
In the configuration view, it is possible to see the files in the upload queue and<br />
delete them or trigger an immediate upload.<br />
<br />
SFTP export allows SFTP authentication via public key or via password. The public key<br />
is printed at the top of the configuration view. For public key authentication, the<br />
password field in the SFTP connection parameters can be left empty.<br />
<br />
A "Test uplaod" button uploads a file '''allegro-upload-test.txt''' into the configured<br />
target directory on the remote host.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Remote_access_and_export&diff=2833Remote access and export2020-05-22T14:07:15Z<p>David.Griffiths: /* PCAP Export via SFTP */</p>
<hr />
<div>== Statistics Export ==<br />
<br />
See [[Statistics Export via POST]] for details about exporting the measurement data via HTTP POST requests.<br />
<br />
== SSH port forwarding ==<br />
<br />
This option allows to use an external SSH server as an proxy to access the device. Via port forwarding the client PC accesses the SSH proxy which forwards the traffic to the actual Allegro Network Multimeter. See [[Self-hosted_SSH_proxy]] for detailed information how to set up such a server.<br />
<br />
== Allegro Remote Service ==<br />
<br />
The Allegro Remote Service is similar to the SSH Port Forwarding feature, but the SSH server is provided by Allegro Packets as a public service. Traffic through is proxy is still end-to-end encrypted via your SSL certificate so the data is only accessible to you.<br />
<br />
See [[Using the Allegro Remote Service]] for detailed information.<br />
<br />
== SNMP ==<br />
<br />
See [[SNMP]] for details about SNMP support.<br />
<br />
== PCAP Export via SFTP ==<br />
<br />
The '''Allegro Network Multimeter''' allows the export of captured pcaps via SFTP.<br />
pcap files can be stored in an upload queue and be automatically uploaded to a remote host<br />
once a day.<br />
<br />
This feature only works if a disk is attached to the device.<br />
<br />
When ''PCAP Export via SFTP'' is enabled, a new checkbox ''Save to SFTP export directory'' is<br />
added to the capture dialogue. If checked, the pcap will be stored to a special<br />
upload directory.<br />
<br />
In the configuration view, it is possible to see the files in the upload queue and<br />
delete them or trigger an immediate upload.<br />
<br />
SFTP export allows SFTP authentication via public key or via password. The public key<br />
is printed at the top of the configuration view. For public key authentication, the<br />
password field in the SFTP connection parameters can be left empty.<br />
<br />
A "Test uplaod" button uploads a file '''allegro-upload-test.txt''' into the configured<br />
target directory on the remote host.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=License_upload&diff=2832License upload2020-05-22T11:55:39Z<p>David.Griffiths: </p>
<hr />
<div>'''Web interface'''<br />
<br />
{| class="wikitable sortable"<br />
|-<br />
|[[File:License details.png|800px|none|right]]<br />
|}<br />
The Allegro Network Multimeter comes with an installed License which may have some limitations according to the support contract details. A new License can be uploaded by clicking on the upload button and selecting the file from your hard disc. A valid License takes immediate effect.<br />
<br />
The shown system serial needs to be sent to Allegro Packets in order to generate a new License if required.<br />
<br />
In case of an invalid or expired License, the appliance will stop analyzing traffic; instead it will bypass all packets in Bridge mode to allow continued network connection.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=Self-hosted_SSH_Proxy&diff=2831Self-hosted SSH Proxy2020-05-22T11:49:37Z<p>David.Griffiths: /* Option 2: With HTTPS proxy */</p>
<hr />
<div>== SSH Port Forwarding ==<br />
<br />
The Allegro Network Multimeter can be configured to to use SSH Port Forwarding to allow remote access to the device behind a NAT. <br />
The Multimeter will create a tunnel to an SSH endpoint and will open a listening port on the SSH server. <br />
This port can now be used to send HTTPS requests to the Multimeter.<br />
<br />
=== Preparing the SSH server ===<br />
<br />
==== Create a user ====<br />
<br />
The user on the SSH server does not need any special rights and does not need a login shell. Example:<br />
<br />
$> useradd -m -s /usr/sbin/nologin mmremote<br />
<br />
==== Allow SSH access via public key ====<br />
<br />
The Allegro Network Multimeter uses SSH public key authentication to log in to the SSH server. The public key can be found in the '''SSH public key''' field in the '''SSH Port Forwarding''' settings dialogue.<br />
<br />
$> mkdir /home/mmremote/.ssh<br />
$> chown mmremote: /home/mmremote/.ssh<br />
$> nano /etc/mmremote/.ssh/authorized_keys<br />
<br />
Paste the line into the file and save/close the file.<br />
There are two options to access the Multimeter:<br />
<br />
==== Option 1: No proxy ====<br />
<br />
Advantage:<br />
* no additional software required.<br />
<br />
Disadvantage:<br />
* no port < 1024 (as non-root user).<br />
* Default HTTPS port 443 is not possible.<br />
<br />
The SSH server can be configured to allow only local listening ports. This has to be changed to allow listening on any subnet.<br />
<br />
Edit the SSH configuration file '''/etc/ssh/sshd_config''' and activate the following line:<br />
<br />
<code>GatewayPorts clientspecified</code><br />
<br />
Save and close the configuration file and restart the SSH service.<br />
<br />
==== Option 2: With HTTPS proxy ====<br />
<br />
Advantage:<br />
* uses default HTTPS port 443.<br />
* uses several filter mechanisms provided by the proxy software.<br />
* uses the same SSH server as proxy for several Multimeters through SNI routing.<br />
<br />
Disadvantage:<br />
* additional configuration required.<br />
<br />
The following block shows a sample configuration for the '''nginx''' proxy server:<br />
<br />
server {<br />
listen 443 ssl;<br />
listen [::]:443 ssl;<br />
<br />
server_name allegro-mm-1234.mm-remote.company.com;<br />
<br />
ssl_certificate /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/privkey.pem;<br />
<br />
location / {<br />
proxy_pass https://localhost:55443; # 55443 =configured listen port on multimeter<br />
}<br />
client_max_body_size 200M; # for firmware uploads<br />
}<br />
server {<br />
listen 80;<br />
listen [::]:80;<br />
<br />
server_name allegro-mm-1234.mm-remote.company.com;<br />
<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
Forwarding to the Allegro Network Multimeter uses the configured server name. In this example, requests to '''allegro-mm-1234.mm-remote.company.com''' will be forwarded to the Multimeter.<br />
This requires that the hostname is resolved by the DNS server. This can be solved by a wildcard DNS CNAME entry to point at the SSH server.<br />
<br />
=== Configuration of the Multimeter ===<br />
<br />
In the configuration dialogue, insert the parameters to access the SSH server. For example:<br />
<br />
* SSH Host: '''mm-remote.company.com'''<br />
* SSH Port: '''22'''<br />
* SSH User: '''mmremote'''<br />
* Listening HTTPS Port on SSH Host: '''55443'''<br />
<br />
The settings have to match the above configuration. '''Every Multimeter requires a separate HTTPS listening port..'''<br />
If the '''SSH user''' is not '''root, no port below 1024''' is possible. Otherwise, an error message will appear when trying to connect.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2824FAQ2020-05-14T13:13:53Z<p>David.Griffiths: /* How can I print statistics? */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are deleted as soon as the device is rebooted,<br />
powered off, or packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored pcap capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data must not be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the appliance.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterward the<br />
appliance will revert to the factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can be performed by attaching<br />
a USB keyboard and a HDMI/VGA display to the appliance. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' option which will<br />
perform a reset to default configuration and then reboot the appliance.<br />
<br />
Keep in mind that a reset to the default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behaviour ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in the case of a system overload? ====<br />
<br />
In the case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and this warning and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by coloured icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in Bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cut-off time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed when this is in operation.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in Bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in Sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, pcap and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try the<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2823FAQ2020-05-14T13:12:25Z<p>David.Griffiths: /* How does the bypass work? */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are deleted as soon as the device is rebooted,<br />
powered off, or packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored pcap capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data must not be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the appliance.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterward the<br />
appliance will revert to the factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can be performed by attaching<br />
a USB keyboard and a HDMI/VGA display to the appliance. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' option which will<br />
perform a reset to default configuration and then reboot the appliance.<br />
<br />
Keep in mind that a reset to the default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behaviour ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in the case of a system overload? ====<br />
<br />
In the case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and this warning and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by coloured icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in Bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cut-off time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed when this is in operation.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in Bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in Sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Just navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, PCAP and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try to use<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2822FAQ2020-05-14T13:11:05Z<p>David.Griffiths: /* System behavior */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are deleted as soon as the device is rebooted,<br />
powered off, or packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored pcap capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data must not be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the appliance.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterward the<br />
appliance will revert to the factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can be performed by attaching<br />
a USB keyboard and a HDMI/VGA display to the appliance. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' option which will<br />
perform a reset to default configuration and then reboot the appliance.<br />
<br />
Keep in mind that a reset to the default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behaviour ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in the case of a system overload? ====<br />
<br />
In the case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and this warning and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by coloured icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in Bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cut-off time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed when this is in operation.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Just navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, PCAP and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try to use<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2821FAQ2020-05-14T13:07:01Z<p>David.Griffiths: /* How can I reset the Allegro Network Multimeter to a default configuration? */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are deleted as soon as the device is rebooted,<br />
powered off, or packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored pcap capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data must not be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the appliance.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterward the<br />
appliance will revert to the factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can be performed by attaching<br />
a USB keyboard and a HDMI/VGA display to the appliance. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' option which will<br />
perform a reset to default configuration and then reboot the appliance.<br />
<br />
Keep in mind that a reset to the default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behavior ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, please refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in case of a system overload? ====<br />
<br />
In case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and these warnings and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by colored icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and is titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cutoff time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are the different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Just navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, PCAP and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try to use<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2820FAQ2020-05-14T13:04:43Z<p>David.Griffiths: /* What kind of user data is stored on the Allegro Network Multimeter */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are deleted as soon as the device is rebooted,<br />
powered off, or packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored pcap capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data must not be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the device.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterwards the<br />
device will be running with factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can also be performed by attaching<br />
an USB keyboard and a HDMI/VGA display to the device. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' entry which will<br />
perform a reset to default configuration and then reboot the device.<br />
<br />
Keep in mind that a reset to default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behavior ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, please refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in case of a system overload? ====<br />
<br />
In case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and these warnings and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by colored icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and is titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cutoff time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are the different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Just navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, PCAP and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try to use<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffithshttps://allegro-packets.com/wiki/index.php?title=FAQ&diff=2819FAQ2020-05-14T13:02:49Z<p>David.Griffiths: /* I do not have a WIFI client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? */</p>
<hr />
<div>== Setup == <br />
==== What is the difference between the Monitor interfaces and the Management interfaces? ==== <br />
<br />
The Monitor interfaces are used to passively analyze traffic and cannot be used for management functions such as accessing<br />
the user interface. These interfaces do not generate any traffic apart from forwarding traffic received on the adjacent<br />
interface if configured to Bridge mode.<br />
The Management interface on the other hand, is dedicated for management functions like accessing the user interface,<br />
downloading and uploading pcaps, streaming captured data to the device for analysis and so on. The Management<br />
interface actively participates in the network it is connected to.<br />
<br />
==== How can I monitor the traffic of a single computer? ====<br />
<br />
The easiest way of monitoring and analyzing the traffic of a single device like a computer is to configure the<br />
Allegro Network Multimeter in Bridge mode. The device to be monitored is connected to one interface of a bridged pair<br />
of interfaces on the Allegro Network Multimeter. The other interface of the bridged pair is connected to the<br />
network to which the device would normally be directly connected.<br />
<br />
In a setup like this, the Allegro Network Multimeter transparently forwards traffic between the device and the<br />
network while providing full insight into the traffic between the device and the network.<br />
<br />
==== What is the difference between Bridge mode and Sink mode? ====<br />
<br />
If the Allegro Network Multimeter is configured to Sink mode, all Monitor interfaces act in a similar way in that they <br />
receive traffic which is then analyzed by the appliance but not forwarded. The appliance acts as a traffic<br />
sink, as it receives packets, analyzes them and discards them. This mode is ideally suited for situations<br />
where traffic is already a copy; for example, on a Mirror Port of a Switch or on a network traffic Tap.<br />
<br />
If configured in Bridge mode, the Allegro Network Multimeter transparently forwards all traffic between adjacent Monitor<br />
interfaces while simultaneously analyzing the forwarded traffic. The appliance acts as a network Bridge and can <br />
be connected between two network devices which would normally be connected directly to each other. This mode<br />
is suited for inserting the Allegro Network Multimeter directly into a point of the network without the need of a separate network<br />
Tap or other means of providing a copy of the network traffic.<br />
<br />
==== I have used the LAN Management interface but I do not know the leased IP. How can I get the assigned IP address? ====<br />
<br />
===== DHCP server =====<br />
<br />
If the selected DHCP server provides some kind of log output or an overview of devices for which IP address leases have<br />
been granted, it might help to search for a device with a hostname that starts with '''allegro-mm-''' followed by a four<br />
digit hexadecimal number. The Allegro Network Multimeter announces itself with this hostname when it requests a<br />
DHCP lease and should be traceable in the DHCP server info.<br />
<br />
===== WI-FI =====<br />
<br />
Every Allegro Network Multimeter comes with an USB to Wi-Fi adapter. In the factory default configuration the adapter will<br />
create a wi-Fi Access Point when connected to the appliance. This Access Point shows up as '''allegro-mm-xxxx''' where the<br />
'''xxxx''' part consists of a hexadecimal number which is unique to the device. In factory default settings the password<br />
for the Wi-Fi network is '''Allegro-MM''' (without the quotes). As soon as there is a connection to Wi-Fi, the user<br />
interface of the device can be accessed by either browsing to https://allegro or https://192.168.4.1.<br />
When access to the user interface is established, the IP address of the LAN Management interface can be found under<br />
'''Settings''' -> '''Management interface settings''' in the '''Active interfaces''' section.<br />
<br />
===== Display =====<br />
<br />
The Allegro Network Multimeter 200 comes with a HDMI connector and<br />
the 1000 and 3000 series come with a VGA connector. When a compatible<br />
display is connected, the console displays information about the running<br />
Firmware version along with information on the configured<br />
management network IP addresses. On the 200 model the<br />
display must be connected before starting the appliance to obtain the output.<br />
<br />
===== KVM =====<br />
<br />
The video output of the device displaying the management IP addresses can be viewed over the network using the [[IPMI KVM on Allegro series 1000+|KVM/IPMI management module of the 1000 or 3000 series]]. Please see the FAQ entry '''What can I do with the integrated KVM port?''' on how to get started.<br />
<br />
==== What can I do with the integrated KVM port? ====<br />
<br />
The Allegro Network Multimeter 1000 and 3000 series devices contain a KVM/IPMI management module from Supermicro by<br />
which several hardware management functions like powering the device on and off, system health messages and much<br />
more can be accessed. It is also possible to view the video output of the device over the network from which the<br />
current active management IP addresses can be retrieved.<br />
<br />
By default the KVM/IPMI management module will obtain an IP address through DHCP and the default user name as well<br />
as default password is '''ADMIN''' (without the quotes).<br />
<br />
See [[IPMI KVM on Allegro series 1000+]] for additional information.<br />
<br />
==== I do not have a Wi-Fi client and I do not have a DHCP server. How can I access the Allegro Network Multimeter? ==== <br />
<br />
It is possible to make the Allegro Network Multimeter set a temporary static address on the LAN management interface.<br />
It will return to the configured behaviour for the LAN management interface following the next restart.<br />
<br />
To enable the temporary static IP address, a USB keyboard is needed. When the keyboard is attached to one of the USB<br />
ports of the Allegro, start the device. Wait for two minutes to make sure that the device is fully operational.<br />
Then press and hold the '''shift''' key while pressing the '''s''' key. After this procedure the device will be configured to<br />
use the IP address '''192.168.0.1''' on the LAN management interface. It is now possible to e.g. connect another<br />
computer to the LAN management interface with an IP address statically configured to e.g. '''192.168.0.100''' and from<br />
that computer the user interface of the Allegro is accessible at https://192.168.0.1.<br />
If for some reason the IP address '''192.168.0.1''' is already used in the network, the Allegro will try to<br />
set another IP address in the range of '''192.168.0.2''' - '''192.168.0.10'''.<br />
<br />
Once access to the user interface is established, a static IP address can be configured under '''Settings''' -><br />
'''Management interface settings'''.<br />
<br />
== Data protection ==<br />
<br />
==== What kind of user data is stored on the Allegro Network Multimeter ====<br />
<br />
All metadata and statistics are stored in the device's main memory and are gone as soon as the device is rebooted,<br />
powered off or the packet processing is restarted. Any user data that can be derived from these statistics is therefore<br />
only stored for the duration of continuous operation. If, however, reports are generated and stored on the device, these<br />
reports exist until manually deleted or until a device configuration reset is performed.<br />
<br />
Raw packet data in the packet ring buffer or in stored PCAP capture files will persist on the internal or external<br />
storage until overwritten or deleted. If it is important that captured or deleted data cannot be retrieved by someone<br />
with physical access to the storage devices, it is possible to format the storage device with industry-standard full<br />
disk encryption.<br />
<br />
==== How can I reset the Allegro Network Multimeter to a default configuration? ====<br />
<br />
There are two ways to reset the configuration of the device.<br />
<br />
The first option is to use the '''Reset System Configuration''' button which can be found under '''Settings''' -><br />
'''Administration''' in the user interface. After confirmation, this will trigger a restart of the system and afterwards the<br />
device will be running with factory default settings.<br />
<br />
If, for some reason, the user interface is not accessible, a configuration reset can also be performed by attaching<br />
an USB keyboard and a HDMI/VGA display to the device. When booting the device, there is a short period when a GNU GRUB<br />
menu is displayed. The arrow up and arrow down keys can be used to select an entry and the selected entry can be chosen<br />
by pressing the '''enter''' key. Below the default '''multimeter''' entry, there is a '''configuration-reset''' entry which will<br />
perform a reset to default configuration and then reboot the device.<br />
<br />
Keep in mind that a reset to default configuration does not delete any<br />
packet ring buffer data or captured files from internal or external<br />
storage.<br />
<br />
== System behavior ==<br />
<br />
==== Where does the Allegro Network Multimeter display L1 issues like bad CRC frames? ====<br />
<br />
Issues like these are accounted for the Monitoring interface on which the issue was encountered and the respective<br />
statistics are available on the '''Interface stats''' page in the '''Errors''' column. For an explanation of the error<br />
counters, please refer to the [[Interface_statistics|Interface statistics]] manual page.<br />
<br />
==== What happens in case of a system overload? ====<br />
<br />
In case of a system overload, a prominent warning is displayed at the top of the user interface for a few seconds<br />
and these warnings and the time when the error occurred can be reviewed on the '''Info''' -> '''Status''' page. As long as there are<br />
still notifications on the '''Info''' -> '''Status''' page, this is indicated by colored icons at the top of the user interface.<br />
<br />
If a system overload occurs and not all packets can be analyzed, these packets are accounted at the Monitoring<br />
interface on which they were received. The counter can be found on the '''Interface stats''' page in the '''Errors''' column<br />
under the '''Not processed''' section and is titled '''due to overload'''.<br />
<br />
When the Allegro Network Multimeter is operating in bridge mode and packets cannot be processed due to a system<br />
overload, a software bypass will ensure that these packets are still forwarded to the adjacent Monitoring interface.<br />
<br />
==== What happens if the maximum number of stored connections has been reached? ====<br />
<br />
In this case, the Allegro Network Multimeter will start freeing up memory by removing historic statistical data which<br />
lies before a certain point in time. This cutoff time is constantly adjusted to provide the best possible use of the<br />
available memory. For how far back-in-time historical statistics are currently available, can be reviewed on the<br />
'''Info''' -> '''System Info''' page.<br />
<br />
==== I can only see the traffic of the last day. How can I increase this period? ====<br />
<br />
If the system does not provide a sufficient look back-in-time with the given traffic, it may help to deactivate certain<br />
features that provide very detailed information but also consume a large amount of memory. Features that typically<br />
fit into this category are the different settings of the '''IP statistics'''. These settings can be accessed by navigating to<br />
'''IP''' -> '''IP Statistics''' and clicking the '''Settings''' button at the top of the page. Especially turning off the<br />
'''Store connection information for every IP''' and '''Store traffic history graph for IP peers''' settings can help saving<br />
a lot of memory.<br />
<br />
==== What happens to the data after shutdown, reboot, or restart processing? ====<br />
<br />
The Allegro Network Multimeter uses an In-Memory database to store the<br />
metadata of the packets it processes. This metadata will be lost when the<br />
processing is stopped (shutdown, reboot, restart processing). This metadata<br />
is also lost in case of an unexpected power loss.<br />
<br />
When using a packet ring buffer (see [[Storage|storage]]), the packets will be<br />
stored on the attached hard disk drive. This data is not lost after the<br />
processing is stopped. It is possible to reanalyze the packet ringbuffer, but<br />
this will interrupt the '''live''' mode, so no new packets will be processed.<br />
<br />
== Allegro hardware ==<br />
<br />
==== What types of SFP modules are supported? ====<br />
<br />
See [[List_of_Supported_Transceiver_Modules|List of supported transceiver modules]] for details.<br />
<br />
== Bypass ==<br />
<br />
==== What bypass options are available? ====<br />
<br />
Two bypass options are available:<br />
<br />
* a quad-port RJ45 1Gbps copper option supporting 1000BaseT and 100BaseT speeds. Each pair of interfaces makes up a bridged link with bypass.<br />
* a dual-port 10Gbps fiber option with builtin SR transceivers and LC connectors. The two interfaces make up a bridged link with bypass.<br />
<br />
==== How does the bypass work? ====<br />
<br />
If the Allegro Network Multimeter contains a bypass option, it is only active when the device is configured to operate<br />
in bridge mode. The bypass activates when the device is powered off, when the device is starting but is not yet<br />
processing traffic or when an unexpected failure like a crash or a power loss occurs. If the bypass is active, the<br />
two interfaces that make up a bypass link will be physically connected to each other so that devices connected on<br />
either side will always find a working link.<br />
<br />
If the device is operating in sink mode, the bypass interfaces will act just like all the other interfaces on the device<br />
and the bypass will never be activated.<br />
<br />
== User interface ==<br />
<br />
==== What does the question mark on packets/bytes counters mean? ====<br />
<br />
The Allegro Network Multimeter stores historical traffic data in<br />
different time resolutions depending on the age of the data.<br />
<br />
When zooming into a specific time window, packet and byte counters are<br />
shown for this specific time interval only. Since the time resolution<br />
available internally might be coarser than the selected zoom level,<br />
the shown packet and byte values might not exactly represent the time<br />
interval.<br />
<br />
If this is the case, the actual interval time is shown in square<br />
brackets (for example [120s]). This means that the value represents<br />
the time between the end of the selected interval (the right end of<br />
the graph) and the shown number of seconds in the past.<br />
<br />
This value is shown to avoid confusion about unexpected values due to<br />
interactive graph zooming.<br />
<br />
==== How can I print statistics? ====<br />
<br />
The Allegro Network Multimeter web interface can be printed by using<br />
the built-in printing support of your browser. Just navigate to the desired<br />
statistics and click on the printing button (Ctrl+P in most browsers). The pages<br />
are optimized for printing. Tabs, PCAP and navigation buttons are hidden in<br />
print mode.<br />
<br />
If the browser is truncating the page in print preview, you can try to use<br />
'''Shrink to fit''' option (Firefox) or use a smaller scaling than 100% (Chrome).<br />
You can also use another page orientation and change between '''landscape''' or '''portrait'''.<br />
<br />
== Packet ring buffer ==<br />
<br />
==== Which time stamps are used during packet ring buffer replay? ==== <br />
<br />
Packet ring buffer replay will use the original time stamps of the packets as they were captured. Therefore the replay<br />
recreates the original sequence and timing of packets in the displayed statistics.<br />
<br />
== Capturing ==<br />
<br />
==== How many captures can be used in parallel? ====<br />
<br />
The Allegro Network Multimeter 200 supports up to 3 parallel and the<br />
1000/3000 model supports up to 4 parallel captures. If the memory<br />
usage is too high, the number of parallel captures might be lower.</div>David.Griffiths