Allegro Network Multimeter Manual - User contributions [en]

IP module

2024-07-15T11:50:43Z

Simon: /* TCP statistics */

The IP module operates on layer 3 of the network stack. It stores information about all IPv4 and IPv6 addresses.
For every address, the corresponding network traffic is accounted, the used protocols and their individual traffic.
The communication peers are stored as well as the traffic between both IP addresses. Every connection and its amount of traffic and the protocol can be accessed too.

== Web interface ==

{| class="wikitable sortable"
|-
|[[File:IP statistics.png|800px|none|right]]
|}

=== IP addresses tab ===

The IP addresses tab shows the complete list of all IP addresses seen by the system. The button row allows for select specific information to be shown or hidden so that only the relevant information fit on the screen.
By clicking on '''Counters (combined)''' the table toggles between sent and received bytes and packets displayed in either one column or in separate columns for sorting purposes.
For each address, the table contains the following information:

* IP
:See [[Common table columns#IP|Common table columns - IP]].

* Alternative names
:See [[Common table columns#Alternative names|Common table columns - Alternative names]].
:The name information are also used when filtering the table for some entered string.

* Traceroute
:A traceroute for the IP can be requested or updated using the available button. When traceroute information is available for the IP, brief information about each found network hop (IP, hostname, ping response time) is displayed. Since this list of hops can get very long, the view can be toggled to show all found hops or just the last one by clicking on the traceroute header.

* First (recent) activity
:See [[Common table columns#First (recent) activity|Common table columns - First (recent) activity]].

* Last activity
:See [[Common table columns#Last activity|Common table columns - Last activity]].

* Packets and Bytes
:See [[Common table columns#Packets|Common table columns - Packets]] and [[Common table columns#Bytes|Common table columns - Bytes]].

* Packets/s and Bit/s
:See [[Common table columns#Packets/s|Common table columns - Packets/s]] and [[Common table columns#Bit/s|Common table columns - Bit/s]].

* Peers
: This shows the amount of peers of this IP. This counter is an all time only value and does not consider a selected interval.

* TTL
: This shows the min, max and average TTL value (or hop limit in case of IPv6) of TCP/UDP traffic of an IP address. Non-UDP and non-TCP traffic as well as multicast traffic is ignored as e.g. ICMP packets likely have very high TTL values of 255 at the sender.

* MTU
: The maximum transmission unit (i.e. layer 2 payload) is calculated for both receive and send direction. The maximum values are displayed.

* TCP packets and UDP packets
:This is the number of TCP and UDP packets that have been seen for this IP.

* TCP handshake time and TCP data response time
: The average time for a handshake as a TCP client and/or a TCP server is displayed as well as the average time the IP takes to acknowledge TCP data.

* TCP payload and retransmissions
:These two columns show the number of bytes transmitted as TCP payload and how many bytes have been retransmitted, indicating a bad connection quality.

* Graph
:See [[Common table columns#Graph|Common table columns - Graph]].
:Available data sources are load (bps or packets/s), TCP statistics or connections.

* PCAP
:See [[Common table columns#PCAP|Common table columns - PCAP]]

When multiple pages are available, there will be a control field for switching pages.
The IP search bar allows to enter IP addresses or names to see only those element for which the entered string is part of the IP address or name.
Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for a detailed description about how to use this feature.
The columns can be sorted also, for example to easily spot the IP addresses with the most bytes, or the highest current throughput.

Below the table a CSV download button provides the ability to download the whole table contents in CSV format.
Sorting and filtering are applied as selected for the table but all IPs in the table are exported, not only the currently visible page.

=== Global IP statistics tab ===

The global IP statistics shows global sums about the processed IPv4 and IPv6 traffic and often used layer 4 protocols.
Non-IP packets such as ARP packets are indicated as other traffic and are not covered by this module.
The available information is:
* Layer 3 protocols (IPv4, IPv6 and non-IP traffic, its distribution over time and a history graph)
* Layer 4 protocols (TCP, UDP and traffic for other often used layer 4 protocols, its distribution over time and a history graph)
* Number of IPv4 fragmented packets (distribution over time and a history graph)

For layer 3 and layer 4 protocols, traffic can be downloaded by clicking on the PCAP download button. The captured packets are not stored on the system but they are directly sent over the HTTP connection to your computer.
To stop capture, click on the same button again (which turned to a STOP symbol), or go to the capture traffic page in the generic section and stop the corresponding download.

=== Top IP statistics ===

On this page pie charts are shown with the top 10 sending and receiving IP addresses. By clicking on a pie chart section the related IP detail page is opened.

=== Per IP statistics ===

It is possible to select an IP from the list of IP addresses and get an more detailed view of the information stored about that IP.
The headline of the page includes three buttons.
The first left arrow button navigates back to the complete IP overview.
The second download button allows to download the traffic for the current IP address.
The third button allows for opening this manual section.
Below the buttons there are two graphs for the packets and bytes sent and received by the IP address.
The third section contains six tabs for various information about the selected IP.

==== Overview tab ====

This tab summarizes all the standard information from the main IP view, such as
* the alternative names,
* the packet and bytes counters, and
* the current throughput.

Additionally, the top DPI protocols are printed both in the table as well as a pie chart at the bottom of the page.
The last line in the table shows the MAC addresses seen for this IP address.
There can be multiple MAC addresses for the same IP, for example if the DHCP reuse the IP address after some time.
The last new connection time is the start time of the last connection seen for this IP.
There is also a download button to capture the traffic for the specific IP and MAC address pair.
The final two rows shows all VLAN tags that have been seen for the given IP. An IP address might be visible in multiple VLANs.
If the Allegro Network Multimeter is installed at a mirror port of a switch which also modifies the VLAN tag, it might happen that an IP address is seen without a VLAN tag (none) and a specific VLAN tag.
This setup will decrease the quality of the results as connections use the VLAN information too to distinguish connections.
The measurement results can be improved if the mirror port is reconfigured to only see traffic with VLAN or completely without VLAN tags.
The last row shows the devices interfaces at which the IP has been seen.
The displayed interface always considers the sender side of an IP connection.
This information helps especially in bridge mode to determine at which side of an link the IP address is visible as sender of packets.

==== Layer 3 QoS tab ====

This tab lists all seen IP DSCP values for the current IP.
Several traffic counters are displayed and a history graph of the traffic over time. A PCAP button allows for capturing the specific QoS tagged traffic for that IP.
By clicking on the shown DSCP class name you will be redirected to the '''Connection''' tab with a filter active that only shows connections for that specific DSCP value.

==== Layer 2 QoS tab ====

This tab lists all seen MPLS traffic classes and VLAN priority code points for the current IP.
Several traffic counters are displayed and a history graph of the traffic over time.
A PCAP button allows for capturing the specific QoS tagged traffic for that IP.
By clicking on the shown QoS class name you will be redirected to the '''Connection''' tab with a filter active that only shows connections for that specific QoS.

==== Protocols tab ====

This tab lists the DPI protocols for the current IP. The download button allows to capture the traffic for the IP and protocol pair.

==== Peers tab ====

The Peers tab shows all communication peers the current IP address has talked to. The table contains the [[Common table columns#IP|IP address]] which can be clicked to see the statistics for that IP.
The alternative names are shown, depending on which data is available (DNS name, DHCP name, NIC vendor name).
The packets and bytes columns show the total amount of data transferred between those two IP addresses.
The list of peers can be filtered by entering a string into the text area. Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for details.

==== Layer 4 endpoints ====

The layer 4 endpoint tab shows all peers of the current IP address and the used server port. If the peer is the server, the port of the peer is shown. If the peer is the client, the other port is shown.

The table shows [[Common table columns#IP|IP addresses]] with port number, whether the peer acts as a server or client, alternative names, layer 4 protocol and byte and packet counters. If there were multiple connection between the IP address and the peer with the same port, the counters will show aggregated data.

When clicking on "Peer connections" the connection tab is opened with the filter set to match that particular endpoint.

==== Connections tab ====

The connection tabs lists all connections which involves the current IP. The button rows allow to select which kind of information should be shown.

{| class="wikitable"
|+
!Column
!Description
|-
|Client IP/port
|Client side IP information (see [[Common table columns#IP|Common table columns - IP]])
|-
|Server IP/port
|Server side IP information (see [[Common table columns#IP|Common table columns - IP]])
|-
|Layer 4 protocol
|TCP, UDP, or others
|-
|Go to
|allows to go to the connection details page which shows all information in more detail.
|-
|Start time
|The start time is the time of the first packet for that connection.
|-
|Last activity
|shows the time of the last packet seen so far for the connection
|-
|Duration
|Difference between last activity and start time.
|-
|Packets
|Number of packets
|-
|Bytes
|Number of bytes
|-
|Packets/s
|Packet rate
|-
|Bit/s
|Bit rate
|-
|MTU
|The maximum transmission unit (i.e. layer 2 payload) is calculated for both directions.
|-
|Layer 7 protocol
|shows the detect application layer 7 protocol.
|-
|TCP handshake time
|The time between SYN and ACK.
|-
|TCP response time (max/avg)
|contains response times for TCP data
|-
|Layer 7 response time
|contains response times for the maximum HTTP response for HTTP connections, or the SSL response times for SSL connections. The column also contains a score for this connection and this IP, based on the average response times of the server. See HTTP module and SSL module for additional information. When sorting the column and more than one time value is shown in a field, the maximum of all time values of that field is taken into account.
|-
|TCP retransmissions/TCP restransmission %
|shows the number of bytes that have been retransmitted on TCP layer because of packet loss. High percentage indicate connection problems for this communication pair.
|-
|TCP DUP ACKs
|Number of DUP ACK packets
|-
|TCP missed data
|shows the estimated amount of TCP data not seen for this connection. See [[TCP module#Missed data|TCP module]] for details about missed data.
|-
|TCP SYNs/SYN-ACKs/FINs/RSTs
|shows the amount of TCP SYN, SYN-ACK, FIN and RST packets per direction. Up to 255 packets can be accounted, if more were seen, >= 255 will be displayed.
|-
|TCP end termination reason
|Connection end can be regular FIN, RST, or timeout if no termination is seen at all
|-
|TCP MSS
|The TCP maximum segment size may be announced by the peers using a TCP option during connection negotiation. If the option is not announced, default values will be used. The values represents the payload capacity of TCP packets sent by the peer.
|-
|Max announced TCP window size
|shows the size of the biggest TCP receive window announced for each direction of a connection.
|-
|Min announced TCP window size
|shows the size of the smallest TCP receive window announced for each direction of a connection.
|-
|Max TCP bytes in flight
|shows how much of the TCP receive window of the corresponding direction has been used at max during the lifetime of the connection, in other words this is the bytes in flight of the opposite, sending direction.
|-
|Announced TCP window size limit
|The TCP window size limit columns show the maximum possible value that could be used for the TCP receive window size. This is calculated from the announced TCP window scale option for each direction of a connection. The raw window scale (ws) shift count value is displayed in parentheses next to the byte value.
|-
|TCP window limit usage
|show the ratio of the TCP max window size values compared to the TCP window size limit values in percent.
|-
|TCP zero window packets
|Number of TCP zero window packets indicated full receive buffer.
|-
|Client announced TLS versions/Negotiated TLS version, Client announced cipher suites/Negotiated cipher suite
|shows the TLS versions and all supported cipher suites announced by the client during a SSL client hello. In the negotiated columns the currently used TLS version and cipher suite is shown as indicated by the SSL server hello. As the client announced cipher suite list can be quite long, it is possible expand or minimize the list by click on it.
|-
|TLS alert
|
|-
|TLS alert level
|
|-
|Validity
|Connections are counted as valid if the handshake succeeded or at least some data is transferred.
|-
|Meta data
|may contain additional information that could be retrieved depending on the protocol. For instance, for HTTP traffic this column shows the request URL and response code for the last transaction seen in the corresponding connection.
|-
|Outer VLANs
|shows which VLAN tags has been seen for a specific connection.
|-
|Inner VLANs
|shows which inner VLAN tags has been seen for a specific connection in QinQ setups.
|-
|PPPoE session ID
|shows the PPPoE session ID which has been seen for packets of that specific connection. If a PPPoE session ID changes at any time while the connection is active, a 'changed' indication is given. In this case the latter session ID is displayed.
|-
|MPLS labels
|shows all seen MPLS labels for every direction of the connection. The full label stack is shown. A '''no label''' indication is given, if no MPLS labels have been used. If a MPLS label changes at any time while the connection is active, a '''changed''' indication is given. In this case the latter MPLS labels are displayed.
|-
|QoS
|shows all seen QoS service classes for every direction of the connection. IP DSCP, outermost MPLS traffic classes and outermost VLAN priority code points may be detected and displayed. If a QoS class changes at any time while the connection is active, a '''changed''' indication is given. In this case the latter QoS service classes are displayed. TCP RST packets will be ignored, as that packet may be less important and is indicated by a QoS class with lower priority than the previous packets with data.
|-
|Interfaces
|shows at which interface the connection has been established. This is especially helpful in bridge mode to determine at which side of link the connection has been established.
|-
|Two-way latency avg interval
|[[Path measurement#Measurement_statistics|Statistics from the path measurement]]
|-
|Two-way latency min interval
|
|-
|Two-way latency max interval
|
|-
|One-way latency avg interval
|
|-
|One-way latency min interval
|
|-
|One-way latency max interval
|
|-
|Graph
|shows the historical throughput for each connection, it is possible to select the displayed graph from multiple different statistics (see [[Common table columns#Graph|Common table columns - Graph]]). Some may only be available if module options has been enabled, as it will increase the overall memory usage. Some statistics like the path latency is only available, if the path measurement module is active (and the corresponding option to store latencies per connection is enabled)
|-
|PCAP
|allows for capturing the specific connection (see [[Common table columns#PCAP|Common table columns - PCAP]])
|}
The list of connections can be filtered by entering a string into the text area. Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for details.
[[File:IP connection details.png|thumb|600x600px|Connection detail view]]
A detailed connection view can be accessed by clicking on the magnifying glass symbol in the client IP column.

===== CSV download =====

The connection list can also be downloaded as a CSV document by clicking at the CSV download button. The current filter and sort order is used when creating the CSV file.

The CSV file can also be accessed without using the web interface by getting the following URL:

<code>/API/stats/modules/ip/ips/x.x.x.x/connections?csv=true</code>

x.x.x.x must be replaced with the actual IP address. Additional URL parameters can be used to choose a time span, applying filters, etc. See [[REST API description]] for details.

==== Open TCP server ports ====

This tab shows the list of ports for which the IP address has accessed incoming connections.
It shows which service is (usually) behind the port.
Additionally, the first and last connection time is shown as well.
Also, there is button to capture traffic for the current IP and the corresponding port.

==== TCP statistics ====

This web page shows statistics about the response time of TCP connection handshake of all TCP connections of the current IP address. Also, the amount of data retransmitted due to packet loss is shown on the right side of the page. When TCP data has not been seen for TCP connections, the estimated amount is shown as well (see [[TCP module#Missed data|TCP module]] for details).

The graphs below show the historical data for each TCP handshake. The data point is the average handshake time and the vertical line shows the min and max handshake time for that specific time window (depending on the zoom level). Up to two graphs might be visible, one for data when the IP connected other IPs as a client, and another graph for data when the IP has been connected from other IPs as a server.

The TCP application times show info about data packets being transferred between the clients and server.
For each TCP connection, the following key attributes are measured and reported:

* '''Transactions:''' This metric indicates the count of data transaction cycles, allowing you to track the volume of activity over time.
* '''Data Transfer Time:''' This measures the time interval from the first data packet to the last consecutive data packet sent from the same side, giving you a clear picture of the data flow duration.
* '''First Data Response Time:''' This tracks the time between the last data packet sent and the first data packet received from the other peer, marking the conclusion of a transaction cycle
* '''Total Request-Response Time:''' This attribute captures the time interval from the first client data packet to the last server data packet during the entire request-response cycle, offering a comprehensive view of transaction latency.

It’s essential to understand that the values provided by the TCP application times feature are correlated through TCP packets containing data. This analysis is performed without decrypting the packets themselves, relying on observed patterns rather than the actual content of the packets. As such, the reported metrics are considered '''heuristics'''—meaning they offer insights based on empirical data rather than direct measurements of specific transactions. This approach allows for efficient monitoring while maintaining data integrity and privacy.

The connection table below shows a subset of the main connection table only for TCP connections for this IP. When sorting the handshake and response time columns and more than one time value is shown in a field, the maximum of all time values of that field is taken into account.

==== HTTP server statistics ====

This tab shows statistics (if available) of all HTTP requests handled by the current IP address.
The statistics contains:

* HTTP server names: All host names are shown that have been used to contact the HTTP server on this IP.
* Sent HTTP responses: This is the total number of requests/responses that have been seen on the network.
* Average response time: This is the average response time in milliseconds for all servers.
* Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
* Minimum response time: This is the smallest response time seen on the network.
* Maximum response time: This is the largest response time seen on the network.

The graph shows the historical data for all responses.
Below the graph, the number of response codes for each main code family is shown together with the last URL requested.

==== SSL server statistics ====

This tab shows statistics (if available) of all SSL requests handled by the current IP address.
The statistics contains:

* SSL server names: All host names are shown that have been used to contact the SSL server on this IP.
* Response time for SSL handshake
** Number of handshake: This is the total number of SSL requests/responses that have been seen for this IP.
** Average response time: This is the average response time in milliseconds.
** Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
** Minimum response time: This is the smallest response time.
** Maximum response time: This is the largest response time.
* Response time for SSL data
** Number of first data responses: This is the total number of initial SSL data requests/responses that have been seen for this IP.
** Average response time: This is the average response time in milliseconds.
** Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
** Minimum response time: This is the smallest response time.
** Maximum response time: This is the largest response time.

The graphs shows the historical data for all handshakes and SSL first data responses

==== SSL/TLS infos ====

This tab shows statistics (if available) of all negotiated SSL/TLS versions and cipher suites used by the current IP address either as server or client.

In case of an SSL/TLS client this tab will also show the supported SSL/TLS versions and cipher suites that have been announced by this client IP address.

==== SIP statistics ====

This tab shows statistics (if available) of all SIP request methods, all SIP response types as well as all SIP request/response pairs sent or received by the current IP address.

==== RTP statistics ====

This tab shows statistics (if available) of all RTP connections which involve the current IP address as either client or server.
A list shows all connections with client and server [[Common table columns#IP|IP addresses]] and ports. The RTP payload type is shown as well as timing informations and counters, jitter, packet time delta, MOS and R values and SSRC (synchronization source) of both client and server.
The min and max audio levels (decibel relative to full scale, dBFS) per direction are shown if G.711 A-Law or μ-Law is used.
For calculation, raw A-Law or μ-Law values are converted to 16 bit PCM values. Those values are then converted to dbFS:

value_dBFS = 20 * log10(abs(pcm_value) / 32768)
Values range from 0 dBFS (loudest) to -96 dBFS (absolute silence).

Graphs per connection show packets and packet loss, jitter, packet time delta, MOS, R value and the max audio level of client and server over time.
A PCAP button allows for PCAP capturing. If a proper codec is used, audio capture buttons for both directions are available allowing downloads in MP3 format.
Following codecs are supported for audio extraction:

* G.711 A-Law and μ-Law
* G.722
* G.729

==== Ping/Traceroute ====

A traceroute to the IP can be started or updated by clicking the Traceroute/Update button. Available traceroute data is shown in a table, containing details of each discovered network hop.
The following hop information may be displayed:

* IP address
* host name
* round trip time (average, minimum, maximum)
* rate of received responses to sent requests
* dropped packets count
* country
* city
* link to watch the location in online map services Google Maps or OpenStreetMaps

A button is available to easily navigate to the traceroute configuration section.

=== IP connection details ===
The connection detail view shows connection information in a single page. The view can be accessed in the list of IP connection (or the global connection list) by clicking on the magnifying glass symbol in the client IP column.

The page shows all data in a tabular format as well all graphs that are available for the connection.

A capture button at the right hand side can be used to capture packets of that connection.

The zoom button select the time range in which the connection was active.

For TCP connections a [[TCP flow chart]] can be calculated by clicking on the corresponding button:
[[File:TCP flow graph start.png|none|thumb|614x614px|Start TCP flow graph analysis]]See also [[IP connection details]].

== Configuration settings ==

By clicking on the gear button on the top right of the IP statistics web page, you can access the configuration section.

* Store connection information for every IP This option is enabled by default.
:When enabled, the IP measurement module stores every connection for each IP.
:This includes historical packet counter so you can see for individual connection at which time the connection transferred which amount of data.
:Connection data will be stored as long as possible regarding the total memory usage.
:Disabling this option will increase the minimum storage time significantly.

* Store layer 7 protocol information for every IP The network protocols and their historical traffic data is stored for each IP if this option is enabled.
:Disabling this option will increase the minimum storage time slightly.

* Track number of new connections for every IP
:When This option is enabled, TCP connections per IP will be tracked.
:Connections are divided into valid and invalid connections for server and client direction and the amount is shown.
:Disabling this option will increase the minimum storage time slightly.

* Store traffic history graph for IP peers
:This option allows enabling or disabling the traffic history graph that is shown per peer in the '''Peers''' tab for an IP.
:Disabling this option will increase the minimum storage time slightly.

* Store RTP performance information per IP and connection
:This option allows enabling or disabling of RTP related statistics that are shown in the '''RTP statistics''' tab for an IP.
:Jitter, packet time delta and MOS calculation in the [[SIP_module|SIP module]] also depends on this switch since it partially shows information stored at the IP address of RTP senders/receivers.
:Disabling this option will reduce the memory utilization and therefor increase the minimum storage time slightly.

* Store QoS information for every IP
:This option enables or disables to storage of Quality of Service information per IP.
:These information require additional memory so if these information are not necessary, memory can be save to increase global data storage time.

* Store SSL/TLS information for every connection
:This option enables or disables to storage of SSL/TLS information per IP. This includes used and announced
:encryption ciphers which can take additional memory per IP connection. If these information are not necessary, memory can be save to increase global data storage time.

* Store detailed TCP statistics for every connection
:This option allows to store detailed TCP statistics per connection, such as TCP retransmissions or TCP response time. The graph type can be selected in the IP connection tab to access these information.

* Maximum number of IP groups
:This option configures how many IP groups can be defined. The minimum (and default) value is 32 IP groups.
:The maximum value is 65535 IP groups. A new configuration value only takes effect after restarting the packet processing in the Administration menu.

* Maximum number of HTTP requests per connection
:This options configures how many HTTP request/response tuples are stored by default. The default is 1.
:On global and IP detail connection page it is possible to download CSV file with either the last or all HTTP request/responses per connection. In the latter case each connection line is duplicated with another HTTP request/response in chronological order.

IP module

2024-07-15T11:49:56Z

Simon: /* TCP statistics */

The IP module operates on layer 3 of the network stack. It stores information about all IPv4 and IPv6 addresses.
For every address, the corresponding network traffic is accounted, the used protocols and their individual traffic.
The communication peers are stored as well as the traffic between both IP addresses. Every connection and its amount of traffic and the protocol can be accessed too.

== Web interface ==

{| class="wikitable sortable"
|-
|[[File:IP statistics.png|800px|none|right]]
|}

=== IP addresses tab ===

The IP addresses tab shows the complete list of all IP addresses seen by the system. The button row allows for select specific information to be shown or hidden so that only the relevant information fit on the screen.
By clicking on '''Counters (combined)''' the table toggles between sent and received bytes and packets displayed in either one column or in separate columns for sorting purposes.
For each address, the table contains the following information:

* IP
:See [[Common table columns#IP|Common table columns - IP]].

* Alternative names
:See [[Common table columns#Alternative names|Common table columns - Alternative names]].
:The name information are also used when filtering the table for some entered string.

* Traceroute
:A traceroute for the IP can be requested or updated using the available button. When traceroute information is available for the IP, brief information about each found network hop (IP, hostname, ping response time) is displayed. Since this list of hops can get very long, the view can be toggled to show all found hops or just the last one by clicking on the traceroute header.

* First (recent) activity
:See [[Common table columns#First (recent) activity|Common table columns - First (recent) activity]].

* Last activity
:See [[Common table columns#Last activity|Common table columns - Last activity]].

* Packets and Bytes
:See [[Common table columns#Packets|Common table columns - Packets]] and [[Common table columns#Bytes|Common table columns - Bytes]].

* Packets/s and Bit/s
:See [[Common table columns#Packets/s|Common table columns - Packets/s]] and [[Common table columns#Bit/s|Common table columns - Bit/s]].

* Peers
: This shows the amount of peers of this IP. This counter is an all time only value and does not consider a selected interval.

* TTL
: This shows the min, max and average TTL value (or hop limit in case of IPv6) of TCP/UDP traffic of an IP address. Non-UDP and non-TCP traffic as well as multicast traffic is ignored as e.g. ICMP packets likely have very high TTL values of 255 at the sender.

* MTU
: The maximum transmission unit (i.e. layer 2 payload) is calculated for both receive and send direction. The maximum values are displayed.

* TCP packets and UDP packets
:This is the number of TCP and UDP packets that have been seen for this IP.

* TCP handshake time and TCP data response time
: The average time for a handshake as a TCP client and/or a TCP server is displayed as well as the average time the IP takes to acknowledge TCP data.

* TCP payload and retransmissions
:These two columns show the number of bytes transmitted as TCP payload and how many bytes have been retransmitted, indicating a bad connection quality.

* Graph
:See [[Common table columns#Graph|Common table columns - Graph]].
:Available data sources are load (bps or packets/s), TCP statistics or connections.

* PCAP
:See [[Common table columns#PCAP|Common table columns - PCAP]]

When multiple pages are available, there will be a control field for switching pages.
The IP search bar allows to enter IP addresses or names to see only those element for which the entered string is part of the IP address or name.
Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for a detailed description about how to use this feature.
The columns can be sorted also, for example to easily spot the IP addresses with the most bytes, or the highest current throughput.

Below the table a CSV download button provides the ability to download the whole table contents in CSV format.
Sorting and filtering are applied as selected for the table but all IPs in the table are exported, not only the currently visible page.

=== Global IP statistics tab ===

The global IP statistics shows global sums about the processed IPv4 and IPv6 traffic and often used layer 4 protocols.
Non-IP packets such as ARP packets are indicated as other traffic and are not covered by this module.
The available information is:
* Layer 3 protocols (IPv4, IPv6 and non-IP traffic, its distribution over time and a history graph)
* Layer 4 protocols (TCP, UDP and traffic for other often used layer 4 protocols, its distribution over time and a history graph)
* Number of IPv4 fragmented packets (distribution over time and a history graph)

For layer 3 and layer 4 protocols, traffic can be downloaded by clicking on the PCAP download button. The captured packets are not stored on the system but they are directly sent over the HTTP connection to your computer.
To stop capture, click on the same button again (which turned to a STOP symbol), or go to the capture traffic page in the generic section and stop the corresponding download.

=== Top IP statistics ===

On this page pie charts are shown with the top 10 sending and receiving IP addresses. By clicking on a pie chart section the related IP detail page is opened.

=== Per IP statistics ===

It is possible to select an IP from the list of IP addresses and get an more detailed view of the information stored about that IP.
The headline of the page includes three buttons.
The first left arrow button navigates back to the complete IP overview.
The second download button allows to download the traffic for the current IP address.
The third button allows for opening this manual section.
Below the buttons there are two graphs for the packets and bytes sent and received by the IP address.
The third section contains six tabs for various information about the selected IP.

==== Overview tab ====

This tab summarizes all the standard information from the main IP view, such as
* the alternative names,
* the packet and bytes counters, and
* the current throughput.

Additionally, the top DPI protocols are printed both in the table as well as a pie chart at the bottom of the page.
The last line in the table shows the MAC addresses seen for this IP address.
There can be multiple MAC addresses for the same IP, for example if the DHCP reuse the IP address after some time.
The last new connection time is the start time of the last connection seen for this IP.
There is also a download button to capture the traffic for the specific IP and MAC address pair.
The final two rows shows all VLAN tags that have been seen for the given IP. An IP address might be visible in multiple VLANs.
If the Allegro Network Multimeter is installed at a mirror port of a switch which also modifies the VLAN tag, it might happen that an IP address is seen without a VLAN tag (none) and a specific VLAN tag.
This setup will decrease the quality of the results as connections use the VLAN information too to distinguish connections.
The measurement results can be improved if the mirror port is reconfigured to only see traffic with VLAN or completely without VLAN tags.
The last row shows the devices interfaces at which the IP has been seen.
The displayed interface always considers the sender side of an IP connection.
This information helps especially in bridge mode to determine at which side of an link the IP address is visible as sender of packets.

==== Layer 3 QoS tab ====

This tab lists all seen IP DSCP values for the current IP.
Several traffic counters are displayed and a history graph of the traffic over time. A PCAP button allows for capturing the specific QoS tagged traffic for that IP.
By clicking on the shown DSCP class name you will be redirected to the '''Connection''' tab with a filter active that only shows connections for that specific DSCP value.

==== Layer 2 QoS tab ====

This tab lists all seen MPLS traffic classes and VLAN priority code points for the current IP.
Several traffic counters are displayed and a history graph of the traffic over time.
A PCAP button allows for capturing the specific QoS tagged traffic for that IP.
By clicking on the shown QoS class name you will be redirected to the '''Connection''' tab with a filter active that only shows connections for that specific QoS.

==== Protocols tab ====

This tab lists the DPI protocols for the current IP. The download button allows to capture the traffic for the IP and protocol pair.

==== Peers tab ====

The Peers tab shows all communication peers the current IP address has talked to. The table contains the [[Common table columns#IP|IP address]] which can be clicked to see the statistics for that IP.
The alternative names are shown, depending on which data is available (DNS name, DHCP name, NIC vendor name).
The packets and bytes columns show the total amount of data transferred between those two IP addresses.
The list of peers can be filtered by entering a string into the text area. Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for details.

==== Layer 4 endpoints ====

The layer 4 endpoint tab shows all peers of the current IP address and the used server port. If the peer is the server, the port of the peer is shown. If the peer is the client, the other port is shown.

The table shows [[Common table columns#IP|IP addresses]] with port number, whether the peer acts as a server or client, alternative names, layer 4 protocol and byte and packet counters. If there were multiple connection between the IP address and the peer with the same port, the counters will show aggregated data.

When clicking on "Peer connections" the connection tab is opened with the filter set to match that particular endpoint.

==== Connections tab ====

The connection tabs lists all connections which involves the current IP. The button rows allow to select which kind of information should be shown.

{| class="wikitable"
|+
!Column
!Description
|-
|Client IP/port
|Client side IP information (see [[Common table columns#IP|Common table columns - IP]])
|-
|Server IP/port
|Server side IP information (see [[Common table columns#IP|Common table columns - IP]])
|-
|Layer 4 protocol
|TCP, UDP, or others
|-
|Go to
|allows to go to the connection details page which shows all information in more detail.
|-
|Start time
|The start time is the time of the first packet for that connection.
|-
|Last activity
|shows the time of the last packet seen so far for the connection
|-
|Duration
|Difference between last activity and start time.
|-
|Packets
|Number of packets
|-
|Bytes
|Number of bytes
|-
|Packets/s
|Packet rate
|-
|Bit/s
|Bit rate
|-
|MTU
|The maximum transmission unit (i.e. layer 2 payload) is calculated for both directions.
|-
|Layer 7 protocol
|shows the detect application layer 7 protocol.
|-
|TCP handshake time
|The time between SYN and ACK.
|-
|TCP response time (max/avg)
|contains response times for TCP data
|-
|Layer 7 response time
|contains response times for the maximum HTTP response for HTTP connections, or the SSL response times for SSL connections. The column also contains a score for this connection and this IP, based on the average response times of the server. See HTTP module and SSL module for additional information. When sorting the column and more than one time value is shown in a field, the maximum of all time values of that field is taken into account.
|-
|TCP retransmissions/TCP restransmission %
|shows the number of bytes that have been retransmitted on TCP layer because of packet loss. High percentage indicate connection problems for this communication pair.
|-
|TCP DUP ACKs
|Number of DUP ACK packets
|-
|TCP missed data
|shows the estimated amount of TCP data not seen for this connection. See [[TCP module#Missed data|TCP module]] for details about missed data.
|-
|TCP SYNs/SYN-ACKs/FINs/RSTs
|shows the amount of TCP SYN, SYN-ACK, FIN and RST packets per direction. Up to 255 packets can be accounted, if more were seen, >= 255 will be displayed.
|-
|TCP end termination reason
|Connection end can be regular FIN, RST, or timeout if no termination is seen at all
|-
|TCP MSS
|The TCP maximum segment size may be announced by the peers using a TCP option during connection negotiation. If the option is not announced, default values will be used. The values represents the payload capacity of TCP packets sent by the peer.
|-
|Max announced TCP window size
|shows the size of the biggest TCP receive window announced for each direction of a connection.
|-
|Min announced TCP window size
|shows the size of the smallest TCP receive window announced for each direction of a connection.
|-
|Max TCP bytes in flight
|shows how much of the TCP receive window of the corresponding direction has been used at max during the lifetime of the connection, in other words this is the bytes in flight of the opposite, sending direction.
|-
|Announced TCP window size limit
|The TCP window size limit columns show the maximum possible value that could be used for the TCP receive window size. This is calculated from the announced TCP window scale option for each direction of a connection. The raw window scale (ws) shift count value is displayed in parentheses next to the byte value.
|-
|TCP window limit usage
|show the ratio of the TCP max window size values compared to the TCP window size limit values in percent.
|-
|TCP zero window packets
|Number of TCP zero window packets indicated full receive buffer.
|-
|Client announced TLS versions/Negotiated TLS version, Client announced cipher suites/Negotiated cipher suite
|shows the TLS versions and all supported cipher suites announced by the client during a SSL client hello. In the negotiated columns the currently used TLS version and cipher suite is shown as indicated by the SSL server hello. As the client announced cipher suite list can be quite long, it is possible expand or minimize the list by click on it.
|-
|TLS alert
|
|-
|TLS alert level
|
|-
|Validity
|Connections are counted as valid if the handshake succeeded or at least some data is transferred.
|-
|Meta data
|may contain additional information that could be retrieved depending on the protocol. For instance, for HTTP traffic this column shows the request URL and response code for the last transaction seen in the corresponding connection.
|-
|Outer VLANs
|shows which VLAN tags has been seen for a specific connection.
|-
|Inner VLANs
|shows which inner VLAN tags has been seen for a specific connection in QinQ setups.
|-
|PPPoE session ID
|shows the PPPoE session ID which has been seen for packets of that specific connection. If a PPPoE session ID changes at any time while the connection is active, a 'changed' indication is given. In this case the latter session ID is displayed.
|-
|MPLS labels
|shows all seen MPLS labels for every direction of the connection. The full label stack is shown. A '''no label''' indication is given, if no MPLS labels have been used. If a MPLS label changes at any time while the connection is active, a '''changed''' indication is given. In this case the latter MPLS labels are displayed.
|-
|QoS
|shows all seen QoS service classes for every direction of the connection. IP DSCP, outermost MPLS traffic classes and outermost VLAN priority code points may be detected and displayed. If a QoS class changes at any time while the connection is active, a '''changed''' indication is given. In this case the latter QoS service classes are displayed. TCP RST packets will be ignored, as that packet may be less important and is indicated by a QoS class with lower priority than the previous packets with data.
|-
|Interfaces
|shows at which interface the connection has been established. This is especially helpful in bridge mode to determine at which side of link the connection has been established.
|-
|Two-way latency avg interval
|[[Path measurement#Measurement_statistics|Statistics from the path measurement]]
|-
|Two-way latency min interval
|
|-
|Two-way latency max interval
|
|-
|One-way latency avg interval
|
|-
|One-way latency min interval
|
|-
|One-way latency max interval
|
|-
|Graph
|shows the historical throughput for each connection, it is possible to select the displayed graph from multiple different statistics (see [[Common table columns#Graph|Common table columns - Graph]]). Some may only be available if module options has been enabled, as it will increase the overall memory usage. Some statistics like the path latency is only available, if the path measurement module is active (and the corresponding option to store latencies per connection is enabled)
|-
|PCAP
|allows for capturing the specific connection (see [[Common table columns#PCAP|Common table columns - PCAP]])
|}
The list of connections can be filtered by entering a string into the text area. Also, complex filter expressions are possible, if the string starts with an open parenthesis '''('''. See [[Live_filtering_of_tables|Live filtering of tables]] for details.
[[File:IP connection details.png|thumb|600x600px|Connection detail view]]
A detailed connection view can be accessed by clicking on the magnifying glass symbol in the client IP column.

===== CSV download =====

The connection list can also be downloaded as a CSV document by clicking at the CSV download button. The current filter and sort order is used when creating the CSV file.

The CSV file can also be accessed without using the web interface by getting the following URL:

<code>/API/stats/modules/ip/ips/x.x.x.x/connections?csv=true</code>

x.x.x.x must be replaced with the actual IP address. Additional URL parameters can be used to choose a time span, applying filters, etc. See [[REST API description]] for details.

==== Open TCP server ports ====

This tab shows the list of ports for which the IP address has accessed incoming connections.
It shows which service is (usually) behind the port.
Additionally, the first and last connection time is shown as well.
Also, there is button to capture traffic for the current IP and the corresponding port.

==== TCP statistics ====

This web page shows statistics about the response time of TCP connection handshake of all TCP connections of the current IP address. Also, the amount of data retransmitted due to packet loss is shown on the right side of the page. When TCP data has not been seen for TCP connections, the estimated amount is shown as well (see [[TCP module#Missed data|TCP module]] for details).

The graphs below show the historical data for each TCP handshake. The data point is the average handshake time and the vertical line shows the min and max handshake time for that specific time window (depending on the zoom level). Up to two graphs might be visible, one for data when the IP connected other IPs as a client, and another graph for data when the IP has been connected from other IPs as a server.

The TCP application times show info about data packets being transferred between the clients and server.
For each TCP connection, the following key attributes are measured and reported:

* '''Transactions:''' This metric indicates the count of data transaction cycles, allowing you to track the volume of activity over time.
* '''Data Transfer Time:''' This measures the time interval from the first data packet to the last consecutive data packet sent from the same side, giving you a clear picture of the data flow duration.
* '''First Data Response Time:''' This tracks the time between the last data packet sent and the first data packet received from the other peer, marking the conclusion of a transaction cycle
* '''Total Request-Response Time:''' This attribute captures the time interval from the first client data packet to the last server data packet during the entire request-response cycle, offering a comprehensive view of transaction latency.

It’s essential to understand that the values provided by the TCP Application Times feature are correlated through TCP packets containing data. This analysis is performed without decrypting the packets themselves, relying on observed patterns rather than the actual content of the packets. As such, the reported metrics are considered '''heuristics'''—meaning they offer insights based on empirical data rather than direct measurements of specific transactions. This approach allows for efficient monitoring while maintaining data integrity and privacy.

The connection table below shows a subset of the main connection table only for TCP connections for this IP. When sorting the handshake and response time columns and more than one time value is shown in a field, the maximum of all time values of that field is taken into account.

==== HTTP server statistics ====

This tab shows statistics (if available) of all HTTP requests handled by the current IP address.
The statistics contains:

* HTTP server names: All host names are shown that have been used to contact the HTTP server on this IP.
* Sent HTTP responses: This is the total number of requests/responses that have been seen on the network.
* Average response time: This is the average response time in milliseconds for all servers.
* Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
* Minimum response time: This is the smallest response time seen on the network.
* Maximum response time: This is the largest response time seen on the network.

The graph shows the historical data for all responses.
Below the graph, the number of response codes for each main code family is shown together with the last URL requested.

==== SSL server statistics ====

This tab shows statistics (if available) of all SSL requests handled by the current IP address.
The statistics contains:

* SSL server names: All host names are shown that have been used to contact the SSL server on this IP.
* Response time for SSL handshake
** Number of handshake: This is the total number of SSL requests/responses that have been seen for this IP.
** Average response time: This is the average response time in milliseconds.
** Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
** Minimum response time: This is the smallest response time.
** Maximum response time: This is the largest response time.
* Response time for SSL data
** Number of first data responses: This is the total number of initial SSL data requests/responses that have been seen for this IP.
** Average response time: This is the average response time in milliseconds.
** Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
** Minimum response time: This is the smallest response time.
** Maximum response time: This is the largest response time.

The graphs shows the historical data for all handshakes and SSL first data responses

==== SSL/TLS infos ====

This tab shows statistics (if available) of all negotiated SSL/TLS versions and cipher suites used by the current IP address either as server or client.

In case of an SSL/TLS client this tab will also show the supported SSL/TLS versions and cipher suites that have been announced by this client IP address.

==== SIP statistics ====

This tab shows statistics (if available) of all SIP request methods, all SIP response types as well as all SIP request/response pairs sent or received by the current IP address.

==== RTP statistics ====

This tab shows statistics (if available) of all RTP connections which involve the current IP address as either client or server.
A list shows all connections with client and server [[Common table columns#IP|IP addresses]] and ports. The RTP payload type is shown as well as timing informations and counters, jitter, packet time delta, MOS and R values and SSRC (synchronization source) of both client and server.
The min and max audio levels (decibel relative to full scale, dBFS) per direction are shown if G.711 A-Law or μ-Law is used.
For calculation, raw A-Law or μ-Law values are converted to 16 bit PCM values. Those values are then converted to dbFS:

value_dBFS = 20 * log10(abs(pcm_value) / 32768)
Values range from 0 dBFS (loudest) to -96 dBFS (absolute silence).

Graphs per connection show packets and packet loss, jitter, packet time delta, MOS, R value and the max audio level of client and server over time.
A PCAP button allows for PCAP capturing. If a proper codec is used, audio capture buttons for both directions are available allowing downloads in MP3 format.
Following codecs are supported for audio extraction:

* G.711 A-Law and μ-Law
* G.722
* G.729

==== Ping/Traceroute ====

A traceroute to the IP can be started or updated by clicking the Traceroute/Update button. Available traceroute data is shown in a table, containing details of each discovered network hop.
The following hop information may be displayed:

* IP address
* host name
* round trip time (average, minimum, maximum)
* rate of received responses to sent requests
* dropped packets count
* country
* city
* link to watch the location in online map services Google Maps or OpenStreetMaps

A button is available to easily navigate to the traceroute configuration section.

=== IP connection details ===
The connection detail view shows connection information in a single page. The view can be accessed in the list of IP connection (or the global connection list) by clicking on the magnifying glass symbol in the client IP column.

The page shows all data in a tabular format as well all graphs that are available for the connection.

A capture button at the right hand side can be used to capture packets of that connection.

The zoom button select the time range in which the connection was active.

For TCP connections a [[TCP flow chart]] can be calculated by clicking on the corresponding button:
[[File:TCP flow graph start.png|none|thumb|614x614px|Start TCP flow graph analysis]]See also [[IP connection details]].

== Configuration settings ==

By clicking on the gear button on the top right of the IP statistics web page, you can access the configuration section.

* Store connection information for every IP This option is enabled by default.
:When enabled, the IP measurement module stores every connection for each IP.
:This includes historical packet counter so you can see for individual connection at which time the connection transferred which amount of data.
:Connection data will be stored as long as possible regarding the total memory usage.
:Disabling this option will increase the minimum storage time significantly.

* Store layer 7 protocol information for every IP The network protocols and their historical traffic data is stored for each IP if this option is enabled.
:Disabling this option will increase the minimum storage time slightly.

* Track number of new connections for every IP
:When This option is enabled, TCP connections per IP will be tracked.
:Connections are divided into valid and invalid connections for server and client direction and the amount is shown.
:Disabling this option will increase the minimum storage time slightly.

* Store traffic history graph for IP peers
:This option allows enabling or disabling the traffic history graph that is shown per peer in the '''Peers''' tab for an IP.
:Disabling this option will increase the minimum storage time slightly.

* Store RTP performance information per IP and connection
:This option allows enabling or disabling of RTP related statistics that are shown in the '''RTP statistics''' tab for an IP.
:Jitter, packet time delta and MOS calculation in the [[SIP_module|SIP module]] also depends on this switch since it partially shows information stored at the IP address of RTP senders/receivers.
:Disabling this option will reduce the memory utilization and therefor increase the minimum storage time slightly.

* Store QoS information for every IP
:This option enables or disables to storage of Quality of Service information per IP.
:These information require additional memory so if these information are not necessary, memory can be save to increase global data storage time.

* Store SSL/TLS information for every connection
:This option enables or disables to storage of SSL/TLS information per IP. This includes used and announced
:encryption ciphers which can take additional memory per IP connection. If these information are not necessary, memory can be save to increase global data storage time.

* Store detailed TCP statistics for every connection
:This option allows to store detailed TCP statistics per connection, such as TCP retransmissions or TCP response time. The graph type can be selected in the IP connection tab to access these information.

* Maximum number of IP groups
:This option configures how many IP groups can be defined. The minimum (and default) value is 32 IP groups.
:The maximum value is 65535 IP groups. A new configuration value only takes effect after restarting the packet processing in the Administration menu.

* Maximum number of HTTP requests per connection
:This options configures how many HTTP request/response tuples are stored by default. The default is 1.
:On global and IP detail connection page it is possible to download CSV file with either the last or all HTTP request/responses per connection. In the latter case each connection line is duplicated with another HTTP request/response in chronological order.

QUIC module

2024-04-17T12:01:48Z

Simon:

The QUIC Analysis Module provides insights into QUIC (Quick UDP Internet Connections) traffic, a modern transport protocol developed by Google and designed to improve upon traditional TCP connections. This module offers detailed information on various aspects of QUIC traffic, enabling users to understand and analyze communication patterns and data exchanges. QUIC is currently utilized in various applications such as web browsing, video streaming, and online gaming, offering enhanced performance and security benefits over traditional protocols. The QUIC protocol is described in detail in [https://datatracker.ietf.org/doc/html/rfc9000 RFC 9000] (V1) and [https://datatracker.ietf.org/doc/rfc9369/ RFC 9369] (V2).

This module supports QUIC initial decoding for the draft protocol versions 29, 31, and 32, as well as version 1 and 2 to read TLS information if the option "'''Decode server name from handshakes'''" is enabled in the "'''Module Settings'''" tab. This functionality allows users to delve deeper into the cryptographic properties and security features of QUIC connections, providing a comprehensive analysis experience.

== QUIC TLS Server ==
[[File:Quic server.png|thumb|Overview of the QUIC TLS server tab]]
The first tab "QUIC TLS Server" presents a comprehensive overview of all QUIC server IP addresses that have been requested by a client along with their corresponding server names. This data is extracted from the server_name extension of the TLS client hello, which is present in the QUIC initial packets.

File:Quic server.png

2024-04-17T12:01:20Z

Simon:

Overview of the QUIC TLS server tab

QUIC module

2024-04-17T10:58:49Z

Simon:

The QUIC Analysis Module provides insights into QUIC (Quick UDP Internet Connections) traffic, a modern transport protocol developed by Google and designed to improve upon traditional TCP connections. This module offers detailed information on various aspects of QUIC traffic, enabling users to understand and analyze communication patterns and data exchanges. QUIC is currently utilized in various applications such as web browsing, video streaming, and online gaming, offering enhanced performance and security benefits over traditional protocols. The QUIC protocol is described in detail in [https://datatracker.ietf.org/doc/html/rfc9000 RFC 9000] (V1) and [https://datatracker.ietf.org/doc/rfc9369/ RFC 9369] (V2).

This module supports QUIC initial decoding for the draft protocol versions 29, 31, and 32, as well as version 1 and 2 to read TLS information if the option "'''Decode server name from handshakes'''" is enabled in the "'''Module Settings'''" tab. This functionality allows users to delve deeper into the cryptographic properties and security features of QUIC connections, providing a comprehensive analysis experience.

== QUIC TLS Server ==
The first tab "QUIC TLS Server" presents a comprehensive overview of all QUIC server IP addresses that have been requested by a client along with their corresponding server names. This data is extracted from the server_name extension of the TLS client hello, which is present in the QUIC initial packets.

Measurement modules

2024-04-17T10:10:50Z

Simon: /* L7 - Application Layer */

The Allegro Network Multimeter provides a number of network measurement modules for different use cases. Here
you can find a list of modules and a short description and see the specific module for detailed documentation.

== Generic modules ==

* [[Capture_module|Capture module]]
:The Capture module lists all running captures which were started interactively in any other module.
:It also allows for starting new captures with specific filters.

* [[Path_measurement|Path measurement]]
:This module allows you to measure packet loss and latency between two Allegro Network Multimeter installations.

* [[Packet_ring_buffer|Packet ring buffer]]
:The packet ring buffer feature allows you to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. If the fixed size buffer is full, the oldest packets in the buffer will be replaced with new packets in a round-robin fashion.

* [[PCAP#Pcap_analysis_module|Pcap analysis module]]
:The Pcap analysis module allows for the analysis of Pcap files by sending them to the appliance. After analyzing a Pcap, the web interface displays all the metadata as if the packets are live traffic at the time of the Pcap recording.

* [[Incidents#Incidents_module|Incidents module]]
:The Incidents module allows for notifications to be created when specific network incidents are detected.

== L2 - WiFi ==

* [[WiFi module]]
:This module analyse wireless frames forwarded by access points.

== L2 - Ethernet Layer ==

* [[MAC_module|MAC module]]
:The MAC module gathers information about all captured MAC addresses, including the protocols used, traffic, communication peers and MAC/IP mappings.

* [[QoS module]]
:The QoS module processes and displays traffic with QoS tags VLAN PCP and MPLS TC on Layer 2 (and IP DSCP on Layer 3).

* [[Packet_size_module|Packet size module]]
:The packet size module accounts the size of all packets (Layer 2 with CRC) and shows packet size distribution.

* [[ARP_module|ARP module]]
:The ARP module monitors ARP packets for tracking MAC addresses and announced IP addresses.

* [[VLAN_module|VLAN module]]
:The VLAN module accounts traffic per VLAN tag seen on the network.

* [[MAC_protocols_module|MAC protocols module]]
:The MAC protocols module accounts traffic of all different MAC protocols.

* [[STP_module|STP module]]
:The stp module analyzes STP traffic and shows a history of the identified root Bridges with their configurations.

* [[MPLS_module|MPLS module]]
:The MPLS module displays information about all identified MPLS labels (single label and double-stacked).

* [[LLDP_module|LLDP module]]
:The LLDP module extracts information from LLDP (Link Layer Discovery Protocol) messages and correlates this information to the respective MAC and IP addresses.

* [[PPPoE module]]
:The PPPoE module displays all PPPoE sessions and traffic within a specific session.

* [[Burst_analysis|Burst analysis]]
:The Burst analysis module measures throughput per interface or MAC address and displays utilization graphs for fast burst recognition.

== L3 - IP Layer ==
* [[IP_module|IP module]]
:The IP module gathers information about all captured IPv4 and IPv6 addresses including the protocol used, traffic, communication peers, and connections.

* [[IP_groups|IP groups]]
:The IP groups module gathers information for groups of IP addresses. Any IP subnet can be configured to be used as a group.

* [[IP_pairs|IP pairs]]
:The IP pairs module shows traffic information between pairs of IP addresses.

* [[QoS_module|QoS module]]
:The QoS module processes and displays traffic with QoS tags for IP DSCP on Layer 3 and VLAN PCP (and MPLS TC on Layer 2).

* [[Geolocation_statistics|Geolocation statistics]]
:The Allegro Network Multimeter uses a geolocation library to identify the IP addresses of individual countries. The country information is shown in other modules; however, this web page lists all countries and their corresponding amount of traffic. It also shows detailed statistics per country including all IP addresses seen for that country.

* [[DHCP_module|DHCP module]]
:The DHCP module tracks requests and responses for dynamic IP assignments in networks.

* [[DNS_module|DNS module]]
:DNS name resolving is handled passively by processing all DNS requests and responses captured by the system.
:This module lists all IP addresses and names known by the system. This information is used by other modules to look up names.

* [[NetBIOS_module|NetBIOS module]]
:The NetBIOS module monitors NetBIOS packets for tracking announced host names for IP addresses.

* [[ICMP_module|ICMP module]]
:The ICMP module shows information about ICMP traffic and specific packet types.

* [[Multicast_statistics|Multicast statistics]]
:The multicast module analyzes IGMP traffic and displays detailed information on multicast groups and members.

== L4 - Transport Layer ==

* [[Connections_module|Connections module]]
:The Connections module provides access to a list of connections of all IPs aggregated together based on selected sort and filter parameters.

* [[TCP_module|TCP module]]
:The TCP module measures the TCP handshake time for connection setup. It allows you to identify slow responding servers in a network.

* [[Layer_4_server_ports_module|Layer 4 server ports module]]
:The Layer 4 server ports module measures traffic per TCP and UDP server port.

* [[IPSec_module|IPSec module]]
:The IPSec module shows information about IPSec ESP traffic and sequence counter correctness.

== L7 - Application Layer ==

* [[SSL_module|SSL module]]
:The SSL module keeps track of SSL server names and common names in SSL/TLS encrypted traffic. It enables you to get the name resolved even if no DNS has been seen.

* [[HTTP_module|HTTP module]]
:The HTTP module keeps track of HTTP host names requested in HTTP connections. It allows you to get the name resolved even if no DNS has been seen and to see which virtual host is handled by a given server.

* [[L7_module|L7 module]]
:The L7 module gathers information about all supported Layer 7 protocols. This includes information on how much traffic was seen for each protocol for each IPv4 and IPv6 address.

* [[Response_time_analysis|Response time analysis]]
:The response-time analysis module allows you to define your own protocol request and response pattern and measure the response time and request/response loss.

* [[SMB_statistics|SMB statistics]]
:The SMB module gathers information about all SMB servers handling unencrypted traffic. It shows which shares have been accessed and which files in those shares have been read or written to, together with detailed statistics per file.

* [[SIP_module|SIP module]]
:The SIP statistics includes all SIP calls and their associated metadata.

* [[NTP_module|NTP module]]
:The NTP module shows detailed information about Network Time Protocol servers selected and their corresponding network clients.

* [[PTP_module|PTP module]]
:The PTP module stores the PTP members and their associated metadata like the PTP version.

* [[Profinet_module|Profinet module]]
:The Profinet module analyzes Profinet RT cyclic and acyclic traffic and displays details on all devices and their communication relationships.

* [[OPC-UA_module|OPC-UA module]]
:The OPC-UA module displays information about OPC-UA binary protocol traffic and performs response-time measurement.

* [[IEC_60870-5-104_module|IEC 60870-5-104 module]]
:The IEC 60870-5-104 module shows information about IEC 60870-5-104 traffic, sequence counter correctness and response times.

* [[Fix_module|FIX module]]
:The FIX module shows information about '''F'''inancial '''I'''nformation e'''X'''change traffic.

* [[TETRA_module|TETRA module]]
:The TETRA module shows detailed information about '''Te'''rrestrial '''T'''runked '''Ra'''dio traffic.

* [[QUIC module]]
:The QUIC Analysis Module provides comprehensive insights into '''Q'''uick '''U'''DP '''I'''nternet '''C'''onnections traffic.

* [[RTP_statistics|RTP statistics]]
:The RTP module shows detailed information about RTP codecs used.

Measurement modules

2024-04-17T10:10:04Z

Simon: /* L7 - Application Layer */

The Allegro Network Multimeter provides a number of network measurement modules for different use cases. Here
you can find a list of modules and a short description and see the specific module for detailed documentation.

== Generic modules ==

* [[Capture_module|Capture module]]
:The Capture module lists all running captures which were started interactively in any other module.
:It also allows for starting new captures with specific filters.

* [[Path_measurement|Path measurement]]
:This module allows you to measure packet loss and latency between two Allegro Network Multimeter installations.

* [[Packet_ring_buffer|Packet ring buffer]]
:The packet ring buffer feature allows you to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. If the fixed size buffer is full, the oldest packets in the buffer will be replaced with new packets in a round-robin fashion.

* [[PCAP#Pcap_analysis_module|Pcap analysis module]]
:The Pcap analysis module allows for the analysis of Pcap files by sending them to the appliance. After analyzing a Pcap, the web interface displays all the metadata as if the packets are live traffic at the time of the Pcap recording.

* [[Incidents#Incidents_module|Incidents module]]
:The Incidents module allows for notifications to be created when specific network incidents are detected.

== L2 - WiFi ==

* [[WiFi module]]
:This module analyse wireless frames forwarded by access points.

== L2 - Ethernet Layer ==

* [[MAC_module|MAC module]]
:The MAC module gathers information about all captured MAC addresses, including the protocols used, traffic, communication peers and MAC/IP mappings.

* [[QoS module]]
:The QoS module processes and displays traffic with QoS tags VLAN PCP and MPLS TC on Layer 2 (and IP DSCP on Layer 3).

* [[Packet_size_module|Packet size module]]
:The packet size module accounts the size of all packets (Layer 2 with CRC) and shows packet size distribution.

* [[ARP_module|ARP module]]
:The ARP module monitors ARP packets for tracking MAC addresses and announced IP addresses.

* [[VLAN_module|VLAN module]]
:The VLAN module accounts traffic per VLAN tag seen on the network.

* [[MAC_protocols_module|MAC protocols module]]
:The MAC protocols module accounts traffic of all different MAC protocols.

* [[STP_module|STP module]]
:The stp module analyzes STP traffic and shows a history of the identified root Bridges with their configurations.

* [[MPLS_module|MPLS module]]
:The MPLS module displays information about all identified MPLS labels (single label and double-stacked).

* [[LLDP_module|LLDP module]]
:The LLDP module extracts information from LLDP (Link Layer Discovery Protocol) messages and correlates this information to the respective MAC and IP addresses.

* [[PPPoE module]]
:The PPPoE module displays all PPPoE sessions and traffic within a specific session.

* [[Burst_analysis|Burst analysis]]
:The Burst analysis module measures throughput per interface or MAC address and displays utilization graphs for fast burst recognition.

== L3 - IP Layer ==
* [[IP_module|IP module]]
:The IP module gathers information about all captured IPv4 and IPv6 addresses including the protocol used, traffic, communication peers, and connections.

* [[IP_groups|IP groups]]
:The IP groups module gathers information for groups of IP addresses. Any IP subnet can be configured to be used as a group.

* [[IP_pairs|IP pairs]]
:The IP pairs module shows traffic information between pairs of IP addresses.

* [[QoS_module|QoS module]]
:The QoS module processes and displays traffic with QoS tags for IP DSCP on Layer 3 and VLAN PCP (and MPLS TC on Layer 2).

* [[Geolocation_statistics|Geolocation statistics]]
:The Allegro Network Multimeter uses a geolocation library to identify the IP addresses of individual countries. The country information is shown in other modules; however, this web page lists all countries and their corresponding amount of traffic. It also shows detailed statistics per country including all IP addresses seen for that country.

* [[DHCP_module|DHCP module]]
:The DHCP module tracks requests and responses for dynamic IP assignments in networks.

* [[DNS_module|DNS module]]
:DNS name resolving is handled passively by processing all DNS requests and responses captured by the system.
:This module lists all IP addresses and names known by the system. This information is used by other modules to look up names.

* [[NetBIOS_module|NetBIOS module]]
:The NetBIOS module monitors NetBIOS packets for tracking announced host names for IP addresses.

* [[ICMP_module|ICMP module]]
:The ICMP module shows information about ICMP traffic and specific packet types.

* [[Multicast_statistics|Multicast statistics]]
:The multicast module analyzes IGMP traffic and displays detailed information on multicast groups and members.

== L4 - Transport Layer ==

* [[Connections_module|Connections module]]
:The Connections module provides access to a list of connections of all IPs aggregated together based on selected sort and filter parameters.

* [[TCP_module|TCP module]]
:The TCP module measures the TCP handshake time for connection setup. It allows you to identify slow responding servers in a network.

* [[Layer_4_server_ports_module|Layer 4 server ports module]]
:The Layer 4 server ports module measures traffic per TCP and UDP server port.

* [[IPSec_module|IPSec module]]
:The IPSec module shows information about IPSec ESP traffic and sequence counter correctness.

== L7 - Application Layer ==

* [[SSL_module|SSL module]]
:The SSL module keeps track of SSL server names and common names in SSL/TLS encrypted traffic. It enables you to get the name resolved even if no DNS has been seen.

* [[HTTP_module|HTTP module]]
:The HTTP module keeps track of HTTP host names requested in HTTP connections. It allows you to get the name resolved even if no DNS has been seen and to see which virtual host is handled by a given server.

* [[L7_module|L7 module]]
:The L7 module gathers information about all supported Layer 7 protocols. This includes information on how much traffic was seen for each protocol for each IPv4 and IPv6 address.

* [[Response_time_analysis|Response time analysis]]
:The response-time analysis module allows you to define your own protocol request and response pattern and measure the response time and request/response loss.

* [[SMB_statistics|SMB statistics]]
:The SMB module gathers information about all SMB servers handling unencrypted traffic. It shows which shares have been accessed and which files in those shares have been read or written to, together with detailed statistics per file.

* [[SIP_module|SIP module]]
:The SIP statistics includes all SIP calls and their associated metadata.

* [[NTP_module|NTP module]]
:The NTP module shows detailed information about Network Time Protocol servers selected and their corresponding network clients.

* [[PTP_module|PTP module]]
:The PTP module stores the PTP members and their associated metadata like the PTP version.

* [[Profinet_module|Profinet module]]
:The Profinet module analyzes Profinet RT cyclic and acyclic traffic and displays details on all devices and their communication relationships.

* [[OPC-UA_module|OPC-UA module]]
:The OPC-UA module displays information about OPC-UA binary protocol traffic and performs response-time measurement.

* [[IEC_60870-5-104_module|IEC 60870-5-104 module]]
:The IEC 60870-5-104 module shows information about IEC 60870-5-104 traffic, sequence counter correctness and response times.

* [[Fix_module|FIX module]]
:The FIX module shows information about '''F'''inancial '''I'''nformation e'''X'''change traffic.

* [[TETRA_module|TETRA module]]
:The TETRA module shows detailed information about '''Te'''rrestrial '''T'''runked '''Ra'''dio traffic.

* [[QUIC module]]The QUIC Analysis Module provides comprehensive insights into '''Q'''uick '''U'''DP '''I'''nternet '''C'''onnections traffic.
* [[RTP_statistics|RTP statistics]]
:The RTP module shows detailed information about RTP codecs used.

Measurement modules

2024-04-17T10:09:39Z

Simon: Add quic

The Allegro Network Multimeter provides a number of network measurement modules for different use cases. Here
you can find a list of modules and a short description and see the specific module for detailed documentation.

== Generic modules ==

* [[Capture_module|Capture module]]
:The Capture module lists all running captures which were started interactively in any other module.
:It also allows for starting new captures with specific filters.

* [[Path_measurement|Path measurement]]
:This module allows you to measure packet loss and latency between two Allegro Network Multimeter installations.

* [[Packet_ring_buffer|Packet ring buffer]]
:The packet ring buffer feature allows you to create a buffer of fixed size on an external storage device to which all processed packets will be recorded. If the fixed size buffer is full, the oldest packets in the buffer will be replaced with new packets in a round-robin fashion.

* [[PCAP#Pcap_analysis_module|Pcap analysis module]]
:The Pcap analysis module allows for the analysis of Pcap files by sending them to the appliance. After analyzing a Pcap, the web interface displays all the metadata as if the packets are live traffic at the time of the Pcap recording.

* [[Incidents#Incidents_module|Incidents module]]
:The Incidents module allows for notifications to be created when specific network incidents are detected.

== L2 - WiFi ==

* [[WiFi module]]
:This module analyse wireless frames forwarded by access points.

== L2 - Ethernet Layer ==

* [[MAC_module|MAC module]]
:The MAC module gathers information about all captured MAC addresses, including the protocols used, traffic, communication peers and MAC/IP mappings.

* [[QoS module]]
:The QoS module processes and displays traffic with QoS tags VLAN PCP and MPLS TC on Layer 2 (and IP DSCP on Layer 3).

* [[Packet_size_module|Packet size module]]
:The packet size module accounts the size of all packets (Layer 2 with CRC) and shows packet size distribution.

* [[ARP_module|ARP module]]
:The ARP module monitors ARP packets for tracking MAC addresses and announced IP addresses.

* [[VLAN_module|VLAN module]]
:The VLAN module accounts traffic per VLAN tag seen on the network.

* [[MAC_protocols_module|MAC protocols module]]
:The MAC protocols module accounts traffic of all different MAC protocols.

* [[STP_module|STP module]]
:The stp module analyzes STP traffic and shows a history of the identified root Bridges with their configurations.

* [[MPLS_module|MPLS module]]
:The MPLS module displays information about all identified MPLS labels (single label and double-stacked).

* [[LLDP_module|LLDP module]]
:The LLDP module extracts information from LLDP (Link Layer Discovery Protocol) messages and correlates this information to the respective MAC and IP addresses.

* [[PPPoE module]]
:The PPPoE module displays all PPPoE sessions and traffic within a specific session.

* [[Burst_analysis|Burst analysis]]
:The Burst analysis module measures throughput per interface or MAC address and displays utilization graphs for fast burst recognition.

== L3 - IP Layer ==
* [[IP_module|IP module]]
:The IP module gathers information about all captured IPv4 and IPv6 addresses including the protocol used, traffic, communication peers, and connections.

* [[IP_groups|IP groups]]
:The IP groups module gathers information for groups of IP addresses. Any IP subnet can be configured to be used as a group.

* [[IP_pairs|IP pairs]]
:The IP pairs module shows traffic information between pairs of IP addresses.

* [[QoS_module|QoS module]]
:The QoS module processes and displays traffic with QoS tags for IP DSCP on Layer 3 and VLAN PCP (and MPLS TC on Layer 2).

* [[Geolocation_statistics|Geolocation statistics]]
:The Allegro Network Multimeter uses a geolocation library to identify the IP addresses of individual countries. The country information is shown in other modules; however, this web page lists all countries and their corresponding amount of traffic. It also shows detailed statistics per country including all IP addresses seen for that country.

* [[DHCP_module|DHCP module]]
:The DHCP module tracks requests and responses for dynamic IP assignments in networks.

* [[DNS_module|DNS module]]
:DNS name resolving is handled passively by processing all DNS requests and responses captured by the system.
:This module lists all IP addresses and names known by the system. This information is used by other modules to look up names.

* [[NetBIOS_module|NetBIOS module]]
:The NetBIOS module monitors NetBIOS packets for tracking announced host names for IP addresses.

* [[ICMP_module|ICMP module]]
:The ICMP module shows information about ICMP traffic and specific packet types.

* [[Multicast_statistics|Multicast statistics]]
:The multicast module analyzes IGMP traffic and displays detailed information on multicast groups and members.

== L4 - Transport Layer ==

* [[Connections_module|Connections module]]
:The Connections module provides access to a list of connections of all IPs aggregated together based on selected sort and filter parameters.

* [[TCP_module|TCP module]]
:The TCP module measures the TCP handshake time for connection setup. It allows you to identify slow responding servers in a network.

* [[Layer_4_server_ports_module|Layer 4 server ports module]]
:The Layer 4 server ports module measures traffic per TCP and UDP server port.

* [[IPSec_module|IPSec module]]
:The IPSec module shows information about IPSec ESP traffic and sequence counter correctness.

== L7 - Application Layer ==

* [[SSL_module|SSL module]]
:The SSL module keeps track of SSL server names and common names in SSL/TLS encrypted traffic. It enables you to get the name resolved even if no DNS has been seen.

* [[HTTP_module|HTTP module]]
:The HTTP module keeps track of HTTP host names requested in HTTP connections. It allows you to get the name resolved even if no DNS has been seen and to see which virtual host is handled by a given server.

* [[L7_module|L7 module]]
:The L7 module gathers information about all supported Layer 7 protocols. This includes information on how much traffic was seen for each protocol for each IPv4 and IPv6 address.

* [[Response_time_analysis|Response time analysis]]
:The response-time analysis module allows you to define your own protocol request and response pattern and measure the response time and request/response loss.

* [[SMB_statistics|SMB statistics]]
:The SMB module gathers information about all SMB servers handling unencrypted traffic. It shows which shares have been accessed and which files in those shares have been read or written to, together with detailed statistics per file.

* [[SIP_module|SIP module]]
:The SIP statistics includes all SIP calls and their associated metadata.

* [[NTP_module|NTP module]]
:The NTP module shows detailed information about Network Time Protocol servers selected and their corresponding network clients.

* [[PTP_module|PTP module]]
:The PTP module stores the PTP members and their associated metadata like the PTP version.

* [[Profinet_module|Profinet module]]
:The Profinet module analyzes Profinet RT cyclic and acyclic traffic and displays details on all devices and their communication relationships.

* [[OPC-UA_module|OPC-UA module]]
:The OPC-UA module displays information about OPC-UA binary protocol traffic and performs response-time measurement.

* [[IEC_60870-5-104_module|IEC 60870-5-104 module]]
:The IEC 60870-5-104 module shows information about IEC 60870-5-104 traffic, sequence counter correctness and response times.

* [[Fix_module|FIX module]]
:The FIX module shows information about '''F'''inancial '''I'''nformation e'''X'''change traffic.

* [[TETRA_module|TETRA module]]
:The TETRA module shows detailed information about '''Te'''rrestrial '''T'''runked '''Ra'''dio traffic.

* [[QUIC module]]The QUIC Analysis Module provides comprehensive insights into '''Q'''uick '''U'''DP '''I'''nternet '''C'''onnections traffic.

* [[RTP_statistics|RTP statistics]]
:The RTP module shows detailed information about RTP codecs used.

QUIC module

2024-04-17T10:05:19Z

Simon:

QUIC module

2024-04-17T10:04:48Z

Simon: Created page with "The QUIC Analysis Module provides insights into QUIC (Quick UDP Internet Connections) traffic, a modern transport protocol developed by Google and designed to improve upon traditional TCP connections. This module offers detailed information on various aspects of QUIC traffic, enabling users to understand and analyze communication patterns and data exchanges. QUIC is currently utilized in various applications such as web browsing, video streaming, and online gaming, offer..."

The QUIC Analysis Module provides insights into QUIC (Quick UDP Internet Connections) traffic, a modern transport protocol developed by Google and designed to improve upon traditional TCP connections. This module offers detailed information on various aspects of QUIC traffic, enabling users to understand and analyze communication patterns and data exchanges. QUIC is currently utilized in various applications such as web browsing, video streaming, and online gaming, offering enhanced performance and security benefits over traditional protocols. The QUIC protocol is described in detail in [https://datatracker.ietf.org/doc/html/rfc9000 RFC 9000] (V1) and [https://datatracker.ietf.org/doc/rfc9369/ RFC 9369].

This module supports QUIC initial decoding for the draft protocol versions 29, 31, and 32, as well as version 1 and 2 to read TLS information if the option "'''Decode server name from handshakes'''" is enabled in the "'''Module Settings'''" tab. This functionality allows users to delve deeper into the cryptographic properties and security features of QUIC connections, providing a comprehensive analysis experience.

REST API description

2023-01-17T12:17:33Z

Simon: /* REST API Examples */

This page describes how to access and use the REST API. It allows to post-process data with 3rd party systems. The Allegro Network Multimeter web interface is itself based on this REST API and all displayed statistics can be extracted from the Allegro Network Multimeter with this API.

== General API Setup ==

=== REST API Interface ===

All Allegro Network Multimeter statistics are derived from HTTPS requests and provided as JSON objects.
The requests are stateless, i.e. there are no prerequisites and there is no fixed sequence of requests necessary.
Example requests related to a specific module and statistics can be seen in the web interface by opening the browser development console (Ctrl+Shift+I for Chrome and Firefox, F12 for Edge).

Here an example of the structured JSON data for the IP overview. This data has been extracted with the Google Chrome developer console while accessing the IP statistics page.

[[File:Rest api chrome console.png|800px]]

=== Credentials ===

The credentials are the same as for the web interface. The admin user allows to access all APIs. A non-admin user has read access to most of the statistics. If you have enabled the pcap role, the capture URL is also possible for the API.

Allegro Packets recommends to set up a separate non-admin user with or without the pcap role for the REST API of only statistics shall be gathered. This will prevent to accidentally shut down or change any configuration by calling the REST API.

== Useful shell commands and their parameters ==

=== Curl ===

Most examples are written for curl [https://en.wikipedia.org/wiki/CURL]. Curl is available as for many operating systems like Linux or Windows. Curl needs a few parameters for the access of the Allegro Network Multimeter:

The parameter '''-u''' allows you to set a user name and password for the request.

The parameter '''-k''' will allow self-signed certificates.

The parameter '''-s''' or '''--silent''' mutes any debugging output.

The URL of the API call is the first argument. It is recommended to enclose the API call with the character ' to avoid replacing the argument ( unless you need to replace parts of it )

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm-XXXX/...'</pre>

Please note that you might need to use <code>curl.exe</code> in windows.

=== PowerShell ===

The Integrated Windows PowerShell can be used to access the REST API. This guide requires at least PowerShell v6.

The command to call a REST API is '''Invoke-RestMethod''' [https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod].
Invoke-RestMethod on the PowerShell needs a few parameters for the access of the Allegro Network Multimeter:

To set the user name for basic authorization, use the '''-Headers''' parameter:

<pre>-Headers @{Authorization = ("Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f 'USER', 'PASSWORD'))))}</pre>

You also need to announce that you accept JSON as response with:

<pre>-ContentType'application/json; charset=utf-8'</pre>

To disable the certificate check, use:

<pre>-SkipCertificateCheck</pre>

The URL must be passed with the parameter '''-Uri''', so the full command is:

<pre>Invoke-RestMethod -Uri 'https://allegro-mm-XXXX/...' -Headers @{Authorization = ("Basic {0}" -f [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f 'USER', 'PASSWORD'))))} -ContentType'application/json; charset=utf-8' -Method 'Get' -SkipCertificateCheck</pre>

=== jq ===

jq ([https://stedolan.github.io/jq/]) is a powerful tool to extract parameters from a json document. If called without parameters, jq formats the JSON output into a readable format with indenting and new lines. It also allows to select specific values and do basic operations like addition with this values.
Please read the jq documentation for more information.

== API hierarchy ==

=== Query available URIs with OPTIONS ===

The Allegro Network Multimeter REST API has the fixed URI <code>API/stats</code> for statistics. To see all possible subtrees of a specific request, use the '''OPTIONS''' request instead of '''GET'''. It can be set with the parameter <code>-X OPTIONS</code> for curl.

<pre>
$ curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats' -X OPTIONS
{
"subResources": [
"modules",
"reports",
"incidentReporting",
"time",
"ringBufferReplay",
"pcap",
"reset",
"interfacesError",
"interfaces",
"load",
"processing"
]
}
</pre>

This allows you to query for example for all modules that are available for a specific release of the Allegro Network Multimeter:

<pre>
$ curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules' -X OPTIONS
{
"subResources": [
"pppoe",
"lldp",
"groups",
"mpls",
"opc_ua",
"quality",
"ipsec",
"profinet",
"multicast",
"burst_analysis",
"global_incidents",
"ptp",
"ntp",
"icmp",
"stp",
"sip",
"smb",
"dpa",
"l4_ports",
"netbios",
"crt",
"dpi",
"http",
"ssl",
"dns",
"dhcp",
"location",
"qos",
"ip",
"mac_protocols",
"vlan",
"arp",
"packet_size",
"mac",
"capture"
]
}
</pre>

=== URI content parameters ===

Some modules allow to use a parameter as part of the URI like the IP or Mac address. The path <code>API/stats/modules/ip/ips</code> allows you to use an IP address as next uri element

<pre>
$ curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips' -X OPTIONS
{
"subResources": [
"protocol",
":ip"
]
}
</pre>

The path of an IP address shows all further available elements:

<pre>
$ curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips/10.0.54.254' -X OPTIONS
{
"subResources": [
"sip_request_responses",
"peers_ports",
"sip_responses",
"sip_requests",
"qos",
"ports",
"connections",
"protocols",
"macs",
"peers",
"tcpStats"
]
}
</pre>

== JSON output traffic counters ==

All counters are aggregated counters, either for the selected time interval or since the processing start of the Allegro Network Multimeter. Many traffic counters have 4 separate values. These traffic counters are represented as a JSON array with at least 4 lines. The structure is as follows:
* line 1: '''received packets''', extraction example: jq .lastSecond[0]
* line 2: '''received bytes''', extraction example: jq .lastSecond[1]
* line 3: '''transmitted packets''', extraction example: jq .lastSecond[2]
* line 4: '''transmitted bytes''', extraction example: jq .lastSecond[3]
* additional lines are module specific

The following counters exist for many REST APIs like IP, MAC, l4 protocol, l7 protocol and many more:
* '''interval''': Values of the selected time interval. If no interval is specified, this is similar to lastSecond.
* '''allTime''': Values since start of the Allegro Network Multimeter.
* '''lastSecond''': Values of the last second.
* '''intervalPerSecond''': Average per second value of the selected time interval. If no interval is specified, this is similar to lastSecond.

Please note that all counters are byte counters, not bit counters. You need to multiply the counters by 8 to get the bitrate.

This example extracts the received bytes of the last second of a specific IP.

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips/10.1.2.3' | jq .lastSecond[1]</pre>

This example extracts received and transmitted bytes of the last second of a specific IP.

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips/10.1.2.3' | jq '.lastSecond[1] + .lastSecond[3]'</pre>

== API parameters ==

The Allegro Network Multimeter REST API has a number of query parameters that can be added to modify the request. By default, the API will display the real time counters since the last restart of the processing unit.

This example extracts the amount of received and transmitted bytes for an IP address since the processing start of the Allegro Network Multimeter. It queries via the REST API the JSON and then adds the values second value ( row 1, rx bytes ) and 4th value ( row 3, tx bytes ) of the interval counters together.

<pre>
$ curl --silent -k -u USER:PASSWORD "https://allegro-mm/API/stats/modules/ip/ips/10.54.0.254" | jq '.interval[1] + .interval[3]'
</pre>

=== Time interval selection ===

Requests can be given a time interval. If present, the '''interval''' counters are adjusted to this interval. The following GET parameters are necessary:
* '''starttime''', '''endtime''': Start and end time of the interval. Format: seconds since 1970/01/01 UTC (Unix time, epoch). You can use <code>date +%s</code> on your machine to adjust to the best interval. Please consult the man page of date for more parameters.
* '''skiphistorydata''': shall the JSON include the history data without datasets, this reduces the amount of transferred bytes if datasets are required to render a graph, can be false/true default: false
* '''timespan''': required resolution for the graph dataset

This example extracts the amount of received and transmitted bytes for an IP address for the last 24 hours.
<pre>
$ curl --silent -k -u USER:PASSWORD "https://allegro-mm/API/stats/modules/ip/ips/10.54.0.254?starttime=$(date --date="1 day ago" +%s)&endtime=$(date +%s)&skiphistorydata=true" | jq '.interval[1] + .interval[3]'
</pre>

=== List queries ===

List queries are requested with pagination parameters to reduce the size of the resulting JSON objects and to increase performance. In the resulting JSON object, the list elements are stored in the displayedItems array.
The following list parameters are possible:

* sort: Sorting criteria for the list. Following criteria's are supported for most lists:
** bytes: Received and transmitted bytes (either in selected time interval or since start of the Allegro Network Multimeter).
** rxbytes: Received bytes.
** txbytes: Transmitted bytes.
** bps: Received and transmitted bytes per second (either average per second value of the selected time interval or last second, if no interval is specified).
** rxbps: Received bytes per second.
** txbps: Transmitted bytes per second.
* reverse: Sort ascending (= false) or descending (= true).
* page: Requested page.
* count: Amount of entries in the list. Maximum is 100.
* values: Amount of maximal values in history object(s).

This example shows IP address with the highest amount of traffic

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips_paged?sort=bps&reverse=true&page=0&count=1' | jq .displayedItems[0].ip</pre>

This example shows up to 9999 peers of a specific IP address:

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips/10.1.2.3/peers?sort=bytes&reverse=true&page=0&count=9999&timespan=60&values=100' | jq '.displayedItems[].ip'</pre>

=== Pcap extraction ===

The Allegro Network Multimeter allows to extract the raw packets with the REST API with the special capture URI <code>/API/data/modules/capture</code>

<pre>curl -k -u USER:PASSWORD 'https://allegro-mm/API/data/modules/capture?expression=ip==10.1.2.3' > path_to/capture.pcap</pre>

The available parameters are:

* '''startTime''': The start time of the capture. The first packet with exactly this or a later time will start the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch). If the start time is in the past, make sure you set fromCaptureBuffer parameter accordingly. If not specified, the current time will be used.
* '''endTime''': The end time of the capture. The first packet with exactly this or a later time will stop the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch). If not specified, unlimited will be used. The end time can also be set to 'now', in this case the timespan parameter will be taken and the corresponding start time will be calculated.
* '''timespan''': The time span in seconds. Will be used if no startTime but endTime with 'now' is set.
* '''expression''': The filter expression. There are no whitespaces allowed. You may use ‘%20’ instead. See [[Capture module]] for available expressions.
* '''snapPacketLength''': The maximum size of a packet applied on Layer 2 without frame check sequence. If a packet is larger than this value, it is truncated. Use 65535 for unlimited size.
* '''fromCaptureBuffer''': Whether to extract data from the packet ring buffer (= true) or just live traffic (= false).
* '''captureBufferSlotId''': In case a cluster packet ring buffer is used, the id of the ring buffer must be given. The id of the first ring buffer is 0. If this parameter is omitted, 0 will be taken as default value.
* '''captureToMedia''': Whether to store a pcap on an external storage device (= true) or download to your computer (= false).
* '''mm-id''': If you are extracting a Pcap from a parallel Pcap analysis job or a multi device connected Allegro Network Multimeter, you have to specify the device and the slot where to get the data from. The syntax is: <code>mm-id=<device name>:<slot id></code>. If the capture shall be performed on the local device, the device name can be omited (e.g. mm-id=:1 for the first replay slot on the local device).

Example to capture everything from now on:

<pre>curl -k -u USER:PASSWORD 'https://allegro-mm/API/data/modules/capture' > path_to/capture.pcap</pre>

Example to capture a specific IP of the last hour

<pre>curl -k -u USER:PASSWORD "https://allegro-mm/API/data/modules/capture?expression=ip==10.1.2.3&starttime=$(($(date --date="1 hour ago" +%s%N)/1000))&endtime=$(($(date +%s%N)/1000))&fromCaptureBuffer=true" > path_to/capture.pcap</pre>

Example to capture a specific IP of a given time span of the first parallel Pcap analysis slot

<pre>curl -k -u USER:PASSWORD "https://allegro-mm/API/data/modules/capture?expression=ip==10.1.2.3&starttime=$(($(date --date="2020-07-15 08:55:00" +%s%N)/1000))&endtime=$(($(date --date="2020-07-15 09:55:00" +%s%N)/1000))&fromCaptureBuffer=true&mm-id=:1" > path_to/capture.pcap</pre>

=== Pcap upload and analysis ===

Pcap upload and analysis can also be done via API calls.

The PCAP upload is split into 3 commands. First, the replay is being initialized. Then the analyzing is started. In the last step the PCAP is streamed to the Allegro Network Multimeter. Depending on the size of the PCAP the third step could take some time, but the Allegro Network Multimeter already allows access to the statistics of the already analyzed packets via web/API.

The example assumes that PCAP parallel analysis is enabled in the global settings, so the PCAP analysis will be done in slot 1 and a dedicated ring buffer is available.

<pre>
curl -k -u USER:PASSWORD "https://allegro-mm/API/system/replay/upload" -d '{"fileName": "abc.pcapng", "fileSize": '$(stat -c %s abc.pcapng)', "replaySlotID": 1, "forceSlotID": true, "useReplayBuffer": true}'
curl -k -u USER:PASSWORD "https://allegro-mm/API/data/pcap?mm-id=:1" -d '{"command":"start"}'
curl -F 'name=file' -F 'filename=abc.pcapng' -F 'file=@path_to/abc.pcapng' -k -u USER:PASSWORD "https://allegro-mm/API/system/analyze-pcap?replaySlotID=1"
</pre>

=== Virtual Link Groups ===

The Allegro Network Multimeter REST API allows to access all link groups by the parameter '''group'''. The group index starts at zero, which is the default value. If a virtual link group is enabled.

This example extracts the traffic of the IP 10.54.0.254 from the second virtual link group ( index 1 ).

<pre>
$ curl --silent -k -u USER:PASSWORD "https://allegro-mm/API/stats/modules/ip/ips/10.54.0.254?group=1" | jq '.interval[1] + .interval[3]'
</pre>

=== Parallel pcap analysis ===

The Allegro Network Multimeter can process in parallel offline traffic like a pcap file or a ring buffer. In case a parallel PCAP analysis is running, the API call must be given either the additional header field <code>"X-AllegroPackets-Multimeter-ID: :1"</code> or the parameter mm-id with the PCAP instance ID.

This allows to extract information of automated pcap uploads.

=== Multi-device analysis ===

If the Allegro Network Multimeter is configured as a gateway for multiple Allegro devices by the [[Multi-device settings]], you need to add either the additional header field <code>"X-AllegroPackets-Multimeter-ID: hostname"</code> or the parameter mm-id where the hostname must be the same as configured in the multi-device settings.

== REST API Examples ==

==== MAC statistics ====

Extract the packets per second statistic of the MAC broadcast address

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/mac/macs/ff:ff:ff:ff:ff:ff'</pre>

==== IP statistics ====

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm/API/stats/modules/ip/ips/10.1.2.3'</pre>

==== Pretty displaying JSON output with jq ====

<pre>curl --silent -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/stats/modules/ip/ips/10.1.2.3' | jq</pre>

==== Capture a specific IP ====

<pre>curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?expression=ip==10.1.2.3' > path_to/capture.pcap</pre>

==== Capture two IP addresses with ports on a specific Layer 4 protocol ====

<pre>curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?expression=IP==10.1.2.3:62887 and IP==10.1.2.100:548 and l4Protocol==TCP' > path_to/capture.pcap</pre>

==== Output IP Table as CSV file ====
<pre>curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/stats/modules/ip/ips_paged?csv=true' > path_to/file.csv</pre>

==== Output Connection Table as CSV file ====
<pre>curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/stats/modules/ip/globalConnections/csv?csv=true' > path_to/file.csv</pre>

==== Multi-device Capture Python Script Example ====

<pre>
#! /usr/bin/python3

""" This example script starts a parallel download-capture for each 'multi-device' of a given allegro packets multimeter. """

import requests
import threading
import datetime
import shutil

def start_capture_download(host: str, device: dict, duration: int):
start = datetime.datetime.now()
end = start + datetime.timedelta(seconds=duration)
file = device["host"] + start.strftime("%m-%d-%Y_%H-%M-%S") + ".pcap"
params = {
"mm-id": device["id"],
"endTime": int(end.timestamp() * 1000000),
}

with session.get(host + "/API/data/modules/capture", params=params, stream=True) as resp:
with open(file, "wb") as fh:
shutil.copyfileobj(resp.raw, fh)

host = "https://allegro-mm-xxxx"
session = requests.Session()
session.auth = ("user", "password")
# session.verify = False # disable ssl verification

with session.get(host + "/API/system/multidevice/devices") as resp:
devices = resp.json()

active_devices = []
for device in devices:
if device["active"]:
active_devices.append(device)

threads = []
for device in active_devices:
t = threading.Thread(target=start_capture_download, args=(host, device, 30))
t.start()
threads.append(t)

for t in threads:
t.join()
</pre>

Ingress filter

2022-09-09T11:17:14Z

Simon: /* Statistics */

=== Ingress (NIC) filter ===

The ingress (NIC) filter page, allows setting allow/deny filters for live traffic preprocessing. Filtered out/denied traffic, will NOT become available throughout the dashboard nor the packet ring buffer. Filtered out/denied traffic will be irretrievable for (post) analysis.

Filters can be applied for:

* IP addresses (with possible subnet mask).
* pairs of IP addresses (with possible subnet mask).
* MAC addresses.
* VLAN tags (or none for no VLAN tag).
* specific TCP/UDP ports.
* physical interface IDs (as listed in Interface statistics).
* duplicate packets.

They can all be set to either deny list or allow list mode.
Filtering will be evaluated for every packet in tab order.
The more restrictive filter will be applied.
For instance if no IP address is denied but a specific MAC address is on the deny list, no traffic for that MAC address will be processed.

NOTE: The ingress (NIC) filter is applied to live traffic only, i.e. the traffic sent to the monitoring interfaces of an Allegro Network Multimeter. When replaying data from the ring buffer, loading a pcap or using the remote traffic capture feature, filtering is not used and/or applied.

NOTE: The data recorded to/stored in the Packet Ring buffer, is of course also affected by the Ingress filter. Additional ring buffer capture rules may be configured under "Generic - Packet Ring Buffer", further explained in our wiki here [[Packet ring buffer#Packet%20ring%20buffer%20snapshot%20length%20filter|https://allegro-packets.com/wiki/Packet_ring_buffer#Packet_ring_buffer_snapshot_length_filter]]

{| class="wikitable sortable"
|-
| [[File:NIC filter.png|1000px|none|right]]
|}

=== IP filters ===

In the IP filter/IP pair filter, IP addresses and IP ranges can be entered with their respective subnet mask.
* /32 subnet mask: 192.168.1.1/32 means the filter will deny/allow IP 192.168.1.1
* /24 subnet mask: 192.168.1.0/24 means the filter will deny/allow IP range 192.168.1.0 - 192.168.1.255
* /16 subnet mask: 192.168.0.0/16 means the filter will deny/allow IP range 192.168.0.0 - 192.168.255.255

The IP filter/IP pair filter allows for importing an IP list in the following format:

#A line with a comment
1.2.3.1
1.2.3.2
1.2.3.3

By clicking on '''Import list''' a dialogue box will be opened where you can choose to download such a list from a given URL or specify a file from your system. The IP addresses are added to the existing ones up to a maximum of 10000 addresses.

The '''Export list''' button allows for exporting the IP filter list in the same format as the import.

The '''Delete all''' button allows for deleting all IP addresses from the filter list.

=== Packet deduplication ===

Packet deduplication provides the ability to filter packets from live traffic which have already been seen. This feature creates a hash from significant parts of the packet and stores the hash for a certain amount of time and within the configured memory limit. If for a second packet (or possibly further packets) the same hash value is calculated this packet is discarded and will not be analyzed by the system. The feature provides several options for configuring which parts of a packets are regarded as significant for duplicate detection.

It is also possible to capture packets which have been detected as duplicates but since these packets are excluded from further processing as well as the packet ring buffer it is only possible to create a live capture. Also, since only hash values are stored, the first packet of a series of duplicates will not be part of the duplicate capture, but it can be captured with the regular capture feature as it is part of the packet processing.

==== Statistics ====

The top graph and counter show how many packets have been discarded as duplicates.

The '''Memory used''' graph shows how much of the memory which has been configured for use by the packet deduplication is actually consumed. If the value is very high it is possible that the configured amount of memory is not sufficient for the actual traffic. Insufficient memory results in reduction of the packet timeout.

The '''Oldest packet age''' graph shows how old the oldest packet known to the packet deduplication is. If this value is significantly lower than the configured '''Packet timeout''' value the configured amount of memory may not be sufficient for the actual traffic.

==== Settings ====

{| class="wikitable"
|-
! Option !! Description
|-
| Enabled || Turns the packet deduplication filter on and off.
|-
| Reserved memory (MB) || Controls how much memory in megabytes is reserved for packet deduplication. This memory then cannot be used for other statistics. Changes to this value will need a restart of the processing to take effect.
|-
| Packet timeout (ms) || The time in milliseconds after which a packet hash is removed from the packet deduplication. If the time is between identical packets is longer than this value the packets will not be detected as duplicates.
|-
| Compare starting at layer || Here it is possible to choose where the packet deduplication will start to analyze the packet. If e.g. 'Layer 3' is chosen it is possible for two packets to have different MAC addresses and still be detected as duplicates.
|-
| Layer 7 length limit for compare (bytes) || This value controls how many bytes of the application payload are actually used for the hash calculation. A very high value may affect the performance while a very low value may increase the risk of false positives.
|-
| Ignore VLAN || The VLAN tag will not be used by the packet deduplication so that two packets from different VLANs can still be detected as duplicates.
|-
| Ignore IP TOS and traffic class || The IP 'type of service' and 'traffic class' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.
|-
| Ignore IP TTL and HOP || The IP 'time to live' and 'hop counter' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.
|-
| Ignore TCP SEQ and ACK numbers || The TCP sequence and acknowledgement numbers will not be used by the packet deduplication so that two packets with different TCP sequence and acknowledgement numbers can still be detected as duplicates.
|-
| Ignore TCP options || Any TCP options will not be used by the packet deduplication so that two packets with different TCP options can still be detected as duplicates.
|}

==== Limitations ====

# In some circumstances, real duplicates cannot be distinguished from retransmissions. For example, for TCP in IPv6 traffic a retransmitted ACK packet might be byte-wise identical to the original ACK packet. The IPv6 header does not have an IP-ID field by default so it is identical and the TCP header is identical too if both the sequence and acknowledge number are the same and no timestamp option header is used. In this case it might help to decrease the packet timeout in the deduplication configuration since real duplicates in a network setup usually appear much faster than actual retransmissions.

Ingress filter

2022-09-09T11:16:59Z

Simon: /* Limitations */

=== Ingress (NIC) filter ===

The ingress (NIC) filter page, allows setting allow/deny filters for live traffic preprocessing. Filtered out/denied traffic, will NOT become available throughout the dashboard nor the packet ring buffer. Filtered out/denied traffic will be irretrievable for (post) analysis.

Filters can be applied for:

* IP addresses (with possible subnet mask).
* pairs of IP addresses (with possible subnet mask).
* MAC addresses.
* VLAN tags (or none for no VLAN tag).
* specific TCP/UDP ports.
* physical interface IDs (as listed in Interface statistics).
* duplicate packets.

They can all be set to either deny list or allow list mode.
Filtering will be evaluated for every packet in tab order.
The more restrictive filter will be applied.
For instance if no IP address is denied but a specific MAC address is on the deny list, no traffic for that MAC address will be processed.

NOTE: The ingress (NIC) filter is applied to live traffic only, i.e. the traffic sent to the monitoring interfaces of an Allegro Network Multimeter. When replaying data from the ring buffer, loading a pcap or using the remote traffic capture feature, filtering is not used and/or applied.

NOTE: The data recorded to/stored in the Packet Ring buffer, is of course also affected by the Ingress filter. Additional ring buffer capture rules may be configured under "Generic - Packet Ring Buffer", further explained in our wiki here [[Packet ring buffer#Packet%20ring%20buffer%20snapshot%20length%20filter|https://allegro-packets.com/wiki/Packet_ring_buffer#Packet_ring_buffer_snapshot_length_filter]]

{| class="wikitable sortable"
|-
| [[File:NIC filter.png|1000px|none|right]]
|}

=== IP filters ===

In the IP filter/IP pair filter, IP addresses and IP ranges can be entered with their respective subnet mask.
* /32 subnet mask: 192.168.1.1/32 means the filter will deny/allow IP 192.168.1.1
* /24 subnet mask: 192.168.1.0/24 means the filter will deny/allow IP range 192.168.1.0 - 192.168.1.255
* /16 subnet mask: 192.168.0.0/16 means the filter will deny/allow IP range 192.168.0.0 - 192.168.255.255

The IP filter/IP pair filter allows for importing an IP list in the following format:

#A line with a comment
1.2.3.1
1.2.3.2
1.2.3.3

By clicking on '''Import list''' a dialogue box will be opened where you can choose to download such a list from a given URL or specify a file from your system. The IP addresses are added to the existing ones up to a maximum of 10000 addresses.

The '''Export list''' button allows for exporting the IP filter list in the same format as the import.

The '''Delete all''' button allows for deleting all IP addresses from the filter list.

=== Packet deduplication ===

Packet deduplication provides the ability to filter packets from live traffic which have already been seen. This feature creates a hash from significant parts of the packet and stores the hash for a certain amount of time and within the configured memory limit. If for a second packet (or possibly further packets) the same hash value is calculated this packet is discarded and will not be analyzed by the system. The feature provides several options for configuring which parts of a packets are regarded as significant for duplicate detection.

It is also possible to capture packets which have been detected as duplicates but since these packets are excluded from further processing as well as the packet ring buffer it is only possible to create a live capture. Also, since only hash values are stored, the first packet of a series of duplicates will not be part of the duplicate capture, but it can be captured with the regular capture feature as it is part of the packet processing.

==== Statistics ====

The top graph and counter show how many packets have been discarded as duplicates.

The '''Memory used''' graph shows how much of the memory which has been configured for use by the packet deduplication is actually consumed. If the value is very high it is possible that the configured amount of memory is not sufficient for the actual traffic. Insufficient memory results in reduction of the Packet timeout.

The '''Oldest packet age''' graph shows how old the oldest packet known to the packet deduplication is. If this value is significantly lower than the configured '''Packet timeout''' value the configured amount of memory may not be sufficient for the actual traffic.

==== Settings ====

{| class="wikitable"
|-
! Option !! Description
|-
| Enabled || Turns the packet deduplication filter on and off.
|-
| Reserved memory (MB) || Controls how much memory in megabytes is reserved for packet deduplication. This memory then cannot be used for other statistics. Changes to this value will need a restart of the processing to take effect.
|-
| Packet timeout (ms) || The time in milliseconds after which a packet hash is removed from the packet deduplication. If the time is between identical packets is longer than this value the packets will not be detected as duplicates.
|-
| Compare starting at layer || Here it is possible to choose where the packet deduplication will start to analyze the packet. If e.g. 'Layer 3' is chosen it is possible for two packets to have different MAC addresses and still be detected as duplicates.
|-
| Layer 7 length limit for compare (bytes) || This value controls how many bytes of the application payload are actually used for the hash calculation. A very high value may affect the performance while a very low value may increase the risk of false positives.
|-
| Ignore VLAN || The VLAN tag will not be used by the packet deduplication so that two packets from different VLANs can still be detected as duplicates.
|-
| Ignore IP TOS and traffic class || The IP 'type of service' and 'traffic class' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.
|-
| Ignore IP TTL and HOP || The IP 'time to live' and 'hop counter' fields will not be used by the packet deduplication so that two packets with different values in these fields can still be detected as duplicates.
|-
| Ignore TCP SEQ and ACK numbers || The TCP sequence and acknowledgement numbers will not be used by the packet deduplication so that two packets with different TCP sequence and acknowledgement numbers can still be detected as duplicates.
|-
| Ignore TCP options || Any TCP options will not be used by the packet deduplication so that two packets with different TCP options can still be detected as duplicates.
|}

==== Limitations ====

# In some circumstances, real duplicates cannot be distinguished from retransmissions. For example, for TCP in IPv6 traffic a retransmitted ACK packet might be byte-wise identical to the original ACK packet. The IPv6 header does not have an IP-ID field by default so it is identical and the TCP header is identical too if both the sequence and acknowledge number are the same and no timestamp option header is used. In this case it might help to decrease the packet timeout in the deduplication configuration since real duplicates in a network setup usually appear much faster than actual retransmissions.

Pcap analysis module

2022-08-31T09:40:36Z

Simon: Add screenshots to analysis profiles

The pcap analysis module allows analyzing pcap files by sending them to the device. After analyzing the pcap, the web interface shows all the metadata as if the packets are live traffic at the time of the pcap recording.

'''Web Interface'''

{| class="wikitable"
|-
|
[[File:Pcap.png|1000px|none]]
|}

====Notes====
Starting pcap analyze will stop the network ports and thus the normal packet processing and forwarding is disabled. The network connections of the devices connected to the Allegro Network Multimeter will stop working.

==== Start new Upload====
To select a file to analyze, simply drag a file from your file manager to the drop zone. The second option is to click into the drop zone. After a click, a file selection dialog will open.
After selecting a file, the name and the size of the pcap will be displayed in the drop zone box.

To proceed, press the '''Upload and analyze pcap''' button. A modal dialog will open.

* A warning will be shown if the device is in bridge mode, since no more packets will be forwarded when starting pcap analyze mode.
* If a storage device is active, it is possible to buffer the packets on it. This allows simple extraction of packets as in live packet processing.

The pcap file itself will not be stored on the storage of the Allegro Network Multimeter (except in the packet ring buffer, if activated in the upload modal dialog).

==== Analysis profiles ====
Profiles allow for some processing relevant settings to be changed on an per analysis level. If no analysis profile is selected those settings will be equal to the globally configured settings of the multimeter.
[[File:Analysis profile selector.png|none|thumb|687x687px|Select an analysis profile for your pcap analysis]]

Currently profiles influence the following settings:

* [[Complex_filter|Complex ingress filter]]
* [[Global_settings#Packet_length_accounting|Packet length accounting]]
* [[Global_settings#Tunnel_view_mode|Tunnel view mode]]
* [[Global_settings#VLAN_handling|VLAN handling]]
* [[Global_settings#External_timestamps|External timestamps]]
* [[Global_settings#Detail_of_traffic_analysis|Detail of traffic analysis]]
* [[Global_settings#Graph_detail_settings|Graph detail settings]]
Useres without admin privileges can not edit or create analysis profiles but can select and see which settings they change.
[[File:Analysis profile view.png|none|thumb|418x418px|View analysis profile]]

==== PCAP analysis statistics====
After the upload started, a progress section will be displayed. This includes a progress bar and the time of the last
processed packet. When viewing the progress bar on a different tab or on a different browser, the progress bar
will not show the correct value.

==== Viewing the pcap metadata====
During and after the upload of the file, all modules will show the metadata produced by analyzing the packets in the pcap file.

==== Resuming normal operation====
After finishing the analysis, the processing can be set back to live mode by clicking the '''Resume normal operation''' button at the bottom of the page.

File:Analysis profile view.png

2022-08-31T09:24:47Z

Simon:

File:Analysis profile selector.png

2022-08-31T09:24:46Z

Simon:

File:Analysis profile edit.png

2022-08-31T09:24:44Z

Simon:

Pcap analysis module

2022-08-29T15:40:14Z

Simon: /* Analysis profiles */

The pcap analysis module allows analyzing pcap files by sending them to the device. After analyzing the pcap, the web interface shows all the metadata as if the packets are live traffic at the time of the pcap recording.

'''Web Interface'''

{| class="wikitable"
|-
|
[[File:Pcap.png|1000px|none]]
|}

====Notes====
Starting pcap analyze will stop the network ports and thus the normal packet processing and forwarding is disabled. The network connections of the devices connected to the Allegro Network Multimeter will stop working.

==== Start new Upload====
To select a file to analyze, simply drag a file from your file manager to the drop zone. The second option is to click into the drop zone. After a click, a file selection dialog will open.
After selecting a file, the name and the size of the pcap will be displayed in the drop zone box.

To proceed, press the '''Upload and analyze pcap''' button. A modal dialog will open.

* A warning will be shown if the device is in bridge mode, since no more packets will be forwarded when starting pcap analyze mode.
* If a storage device is active, it is possible to buffer the packets on it. This allows simple extraction of packets as in live packet processing.

The pcap file itself will not be stored on the storage of the Allegro Network Multimeter (except in the packet ring buffer, if activated in the upload modal dialog).

==== Analysis profiles ====
Profiles allow for some processing relevant settings to be changed on an per Analysis level. If no analysis profile is selected those settings will be equal to the globally configured settings of the multimeter.

Currently profiles influence the following settings:

* [[Complex_filter|Complex ingress filter]]
* [[Global_settings#Packet_length_accounting|Packet length accounting]]
* [[Global_settings#Tunnel_view_mode|Tunnel view mode]]
* [[Global_settings#VLAN_handling|VLAN handling]]
* [[Global_settings#External_timestamps|External timestamps]]
* [[Global_settings#Detail_of_traffic_analysis|Detail of traffic analysis]]
* [[Global_settings#Graph_detail_settings|Graph detail settings]]

==== PCAP analysis statistics====
After the upload started, a progress section will be displayed. This includes a progress bar and the time of the last
processed packet. When viewing the progress bar on a different tab or on a different browser, the progress bar
will not show the correct value.

==== Viewing the pcap metadata====
During and after the upload of the file, all modules will show the metadata produced by analyzing the packets in the pcap file.

==== Resuming normal operation====
After finishing the analysis, the processing can be set back to live mode by clicking the '''Resume normal operation''' button at the bottom of the page.

Pcap analysis module

2022-08-29T15:39:23Z

Simon:

The pcap analysis module allows analyzing pcap files by sending them to the device. After analyzing the pcap, the web interface shows all the metadata as if the packets are live traffic at the time of the pcap recording.

'''Web Interface'''

{| class="wikitable"
|-
|
[[File:Pcap.png|1000px|none]]
|}

====Notes====
Starting pcap analyze will stop the network ports and thus the normal packet processing and forwarding is disabled. The network connections of the devices connected to the Allegro Network Multimeter will stop working.

==== Start new Upload====
To select a file to analyze, simply drag a file from your file manager to the drop zone. The second option is to click into the drop zone. After a click, a file selection dialog will open.
After selecting a file, the name and the size of the pcap will be displayed in the drop zone box.

To proceed, press the '''Upload and analyze pcap''' button. A modal dialog will open.

* A warning will be shown if the device is in bridge mode, since no more packets will be forwarded when starting pcap analyze mode.
* If a storage device is active, it is possible to buffer the packets on it. This allows simple extraction of packets as in live packet processing.

The pcap file itself will not be stored on the storage of the Allegro Network Multimeter (except in the packet ring buffer, if activated in the upload modal dialog).

==== Analysis profiles ====
Profiles allow for some processing relevant settings to be changed on an per Analysis level. If no analysis profile is selected those settings will be equal to the globally configured settings of the multimeter.

Currently profiles influence the following settings:

* Complex ingress filter
* [[Global_settings#Packet_length_accounting|Packet length accounting]]
* [[Global_settings#Tunnel_view_mode|Tunnel view mode]]
* [[Global_settings#VLAN_handling|VLAN handling]]
* [[Global_settings#External_timestamps|External timestamps]]
* [[Global_settings#Detail_of_traffic_analysis|Detail of traffic analysis]]
* [[Global_settings#Graph_detail_settings|Graph detail settings]]

==== PCAP analysis statistics====
After the upload started, a progress section will be displayed. This includes a progress bar and the time of the last
processed packet. When viewing the progress bar on a different tab or on a different browser, the progress bar
will not show the correct value.

==== Viewing the pcap metadata====
During and after the upload of the file, all modules will show the metadata produced by analyzing the packets in the pcap file.

==== Resuming normal operation====
After finishing the analysis, the processing can be set back to live mode by clicking the '''Resume normal operation''' button at the bottom of the page.

Pcap analysis module

2022-08-29T15:36:24Z

Simon: Add analysis profiles to the pcap analysis module

The pcap analysis module allows analyzing pcap files by sending them to the device. After analyzing the pcap, the web interface shows all the metadata as if the packets are live traffic at the time of the pcap recording.

'''Web Interface'''

{| class="wikitable"
|-
|
[[File:Pcap.png|1000px|none]]
|}

====Notes====
Starting pcap analyze will stop the network ports and thus the normal packet processing and forwarding is disabled. The network connections of the devices connected to the Allegro Network Multimeter will stop working.

==== Start new Upload====
To select a file to analyze, simply drag a file from your file manager to the drop zone. The second option is to click into the drop zone. After a click, a file selection dialog will open.
After selecting a file, the name and the size of the pcap will be displayed in the drop zone box.

To proceed, press the '''Upload and analyze pcap''' button. A modal dialog will open.

* A warning will be shown if the device is in bridge mode, since no more packets will be forwarded when starting pcap analyze mode.
* If a storage device is active, it is possible to buffer the packets on it. This allows simple extraction of packets as in live packet processing.

The pcap file itself will not be stored on the storage of the Allegro Network Multimeter (except in the packet ring buffer, if activated in the upload modal dialog).

==== Analysis profiles ====
Profiles allow for some processing relevant settings to be changed on an per Analysis level. If no analysis profile is selected those settings will be equal to the globally configured settings of the multimeter.

Currently profiles influence the following settings:

* Complex ingress filter
* Packet length accounting
* Tunnel view mode
* VLAN handling
* External timestamps
* Detail of traffic analysis
* Graph detail settings

==== PCAP analysis statistics====
After the upload started, a progress section will be displayed. This includes a progress bar and the time of the last
processed packet. When viewing the progress bar on a different tab or on a different browser, the progress bar
will not show the correct value.

==== Viewing the pcap metadata====
During and after the upload of the file, all modules will show the metadata produced by analyzing the packets in the pcap file.

==== Resuming normal operation====
After finishing the analysis, the processing can be set back to live mode by clicking the '''Resume normal operation''' button at the bottom of the page.

Custom dashboards

2022-08-11T09:05:18Z

Simon: Fix typo

It is possible to define customized dashboards and display configurable widgets that can show different aspects such as the whole traffic, a certain IP group or a particular IP address. By using custom dashboards you can create an overview page of a certain server or an IP group in a certain virtual link group or how it was seen on different remote Allegro Network Multimeter.

[[File:Custom dashboard 2.png|frameless|800x800px]]

To create a custom dashboard click on the "Add new dashboard" menu item in the "Dashboard" section. A dialog will be displayed that allows you to set a name, description and a group. Dashboards of the same group will form a section in the menu. Dashboards are defined per user session, however, it is possible to publish them as a template so that also other users can use them. Simply click on "Add dashboard to templates" and it will be placed in the template list and can be selected. Export and import as a file is possible, too. The dashboard configuration dialog can also be opened by clicking on "Configure dashboard" in the top right corner.

[[File:Create a custom dashboard.png|frameless|800x800px]]

After creating the dashboard, you will be redirected to the new, empty dashboard.

[[File:Empty dashboard.png|frameless|800x800px]]

By clicking on the field "Click to select a widget" or "Add widget" a dialog is shown and allows to select a widget from the list. Following widgets are available and are grouped by OSI layer:
* Generic
** Text: This is a widget that allows showing user defined text. Can be useful to structuring the dashboard with captions.
** Textbox: This widget allows typing and storing a text.
** Traffic graph: The graph will show interface throughput or PCAP traffic.
** Virtual link group: This will show traffic of a certain virtual link group.
* Layer 2
** Burst analysis: Displays utilization graphs for fast recognition of bursts per interface or MAC address. Virtual link groups can be used to monitor multiple interfaces.
** Global MAC statistics: Shows global statistics about the analysed MAC traffic. Available statistics are: total-, unicast- , broadcast- and multicast traffic.
** QoS: Shows statistics about a selected quality of service class. See [[QoS module]] for more infromation about QoS.
** Top MACs: A list of Top 5 Macs is shown. By clicking on the icon to the right of the caption, the display can be toggled between list or graph.
** VLAN: Show statistics about a specified VLAN. Traffic can be filtered by inner and outer VLAN tags.
* Layer 3
** Country: This widget shows traffic in- and outbound traffic statistics about a specific country.
** DNS server: Show statics about certain DNS server as graph or table. Available statistics are: requests/replies, reply codes and response times.
** IP: This widget displays graph or text information about a certain IP address. The IP address can either be filtered through the dashboards global filter fields or configured per widget. Traffic, TCP, connection, MTU, Layer 7 protocol counters and graphs are available.
** IP group: The IP group widget allows displaying graph or text information of a certain IP group.
** Multicast group: Shows statistics about IGMP and MLD multicast management packets of a specified multicast group as graph or table. See [[Multicast statistics]] for more information about the analysed management message types.
** Multicast overview: Show the same statistics as the mutlicast group widget but without a multicast group filter applied.
** QoS: Shows statistics about a selected quality of service class. See [[QoS module]] for more infromation about QoS.
** Top IPs: A list of Top 5 IP addresses is shown and can be toggled between list and graph representation.
* Layer 4
** Layer 4 server port: Shows statistics about a layer 4 server port filtered by layer 4 protocols.
** TCP statistics overview: Shows global TCP statistics as graph or table. Available statistics are: handshake times, response times, TCP retransmissions, TCP flags and zero window statistics.
* Layer 7
** HTTP overview: Shows global HTTP statistics as graph or table. Available statistics are: response times and response codes.
** RTP overview: Global statistics about RTP traffic. Available statistics are: Traffic, jitter, packet loss, max audio level and RMS.
** SIP overview: Global statistics about SIP traffic. Available statistics are: Concurrent calls and response codes.
** SSL overview: Global statistics about SSL traffic. Available statistics are: SSL hello handshake times and first data.
** Layer 7 protocol: Shows global statistics about a certain layer 7 protocol as graph or table.
** Top layer 7 protocols: A list of top layer 7 protocols is shown. It can be toggled between list and graph representation.
There is a search bar on top of the dialog that allows for fast searching of certain widgets.

After selecting a widget, the configuration dialog is shown. The widget configuration dialog can also be opened by clicking on the small wrench icon to the right of the widget.

The widget can be configured as follows:

[[File:Configure widget.png|frameless|800x800px]]

* Caption: The caption displayed on the dashboard
* Width: Either one column width or the whole page (two columns)
* Device and group: A dedicated virtual link group from the local or a remote device can be selected. By default the globally selected virtual link group from the top menu bar is used.
* Direction: Either RX or TX direction where applicable.
* Mode: Whether the widget may be toggled between list and graph representation
* Use filter: Several widgets allow filtering for e.g. an IP address or even a complex filter similar to the filter bar in the corresponding module. The filter can be either used globally so that it can be used for several widgets or locally configured for that particular widget.
* Display: Allows selecting different aspects such as traffic or TCP counters

Widgets can be moved with drag and drop simply by clicking on the two double arrows,dragging it around and dropping it on a drop zone.

Custom dashboards

2022-08-11T09:04:11Z

Simon: Adds some missing widget descriptions

It is possible to define customized dashboards and display configurable widgets that can show different aspects such as the whole traffic, a certain IP group or a particular IP address. By using custom dashboards you can create an overview page of a certain server or an IP group in a certain virtual link group or how it was seen on different remote Allegro Network Multimeter.

[[File:Custom dashboard 2.png|frameless|800x800px]]

To create a custom dashboard click on the "Add new dashboard" menu item in the "Dashboard" section. A dialog will be displayed that allows you to set a name, description and a group. Dashboards of the same group will form a section in the menu. Dashboards are defined per user session, however, it is possible to publish them as a template so that also other users can use them. Simply click on "Add dashboard to templates" and it will be placed in the template list and can be selected. Export and import as a file is possible, too. The dashboard configuration dialog can also be opened by clicking on "Configure dashboard" in the top right corner.

[[File:Create a custom dashboard.png|frameless|800x800px]]

After creating the dashboard, you will be redirected to the new, empty dashboard.

[[File:Empty dashboard.png|frameless|800x800px]]

By clicking on the field "Click to select a widget" or "Add widget" a dialog is shown and allows to select a widget from the list. Following widgets are available and are grouped by OSI layer:
* Generic
** Text: This is a widget that allows showing user defined text. Can be useful to structuring the dashboard with captions.
** Textbox: This widget allows typing and storing a text.
** Traffic graph: The graph will show interface throughput or PCAP traffic.
** Virtual link group: This will show traffic of a certain virtual link group.
* Layer 2
** Burst analysis: Displays utilization graphs for fast recognition of bursts per interface or MAC address. Virtual link groups can be used to monitor multiple interfaces.
** Global MAC statistics: Shows global statistics about the analysed MAC traffic. Available statistics are: total-, unicast- , broadcast- and multicast traffic.
** QoS: Shows statistics about a selected quality of service class. See [[QoS module]] for more infromation about QoS.
** Top MACs: A list of Top 5 Macs is shown. By clicking on the icon to the right of the caption, the display can be toggled between list or graph.
** VLAN: Show statistics about a specified VLAN. Traffic can be filtered by inner and outer VLAN tags.
* Layer 3
** Country: This widget shows traffic in- and outbound traffic statistics about a specific country.
** DNS server: Show statics about certain DNS server as graph or table. Available statistics are: requests/replies, reply codes and response times.
** IP: This widget displays graph or text information about a certain IP address. The IP address can either be filtered through the dashboards global filter fields or configured per widget. Traffic, TCP, connection, MTU, Layer 7 protocol counters and graphs are available.
** IP group: The IP group widget allows displaying graph or text information of a certain IP group.
** Multicast group: Shows statistics about IGMP and MLD multicast management packets of a specified multicast group as graph or table. See [[Multicast statistics]] for more information about the analysed management message types.
** Multicast overview: Show the same statistics as the mutlicast group widget but without a multicast group filter applied.
** QoS: Shows statistics about a selected quality of service class. See [[QoS module]] for more infromation about QoS.
** Top IPs: A list of Top 5 IP addresses is shown and can be toggled between list and graph representation.
* Layer 4
** Layer 4 server port: Shows statistics about a layer 4 server port filtered by layer 4 protocols.
** TCP statistics overview: Shows global TCP statistics as graph or table. Available statistics are: handshake times, response times, TCP retransmissions, TCP flags and zero window statistics.
* Layer 7
** HTTP overview: Shows global HTTP statistics as graph or table. Available statistics are: response times and response codes.
** RTP overview: Global statistics about RTP traffic. Available statistics are: Traffic, jitter, packet loss, max audio level and RMS.
** SIP overview: Global statistics about SIP traffic. Available statistics are: Concurrent calls and response codes.
** SSL overview: Global statistics about SSL traffic. Available statistics are: SSL hello handshake times and first data.
** Layer 7 protocol: Shows global statistics about a certain layer 7 protocol as graph or table.
** Top layer 7 protocols: A list of Top layer 7 protocols is shown. It can be toggled between list and graph representation.
There is a search bar on top of the dialog that allows for fast searching of certain widgets.

After selecting a widget, the configuration dialog is shown. The widget configuration dialog can also be opened by clicking on the small wrench icon to the right of the widget.

The widget can be configured as follows:

[[File:Configure widget.png|frameless|800x800px]]

* Caption: The caption displayed on the dashboard
* Width: Either one column width or the whole page (two columns)
* Device and group: A dedicated virtual link group from the local or a remote device can be selected. By default the globally selected virtual link group from the top menu bar is used.
* Direction: Either RX or TX direction where applicable.
* Mode: Whether the widget may be toggled between list and graph representation
* Use filter: Several widgets allow filtering for e.g. an IP address or even a complex filter similar to the filter bar in the corresponding module. The filter can be either used globally so that it can be used for several widgets or locally configured for that particular widget.
* Display: Allows selecting different aspects such as traffic or TCP counters

Widgets can be moved with drag and drop simply by clicking on the two double arrows,dragging it around and dropping it on a drop zone.

Custom dashboards

2022-08-11T07:31:30Z

Simon: Fix typo

File:Incidents add channel.png

2022-05-12T12:20:43Z

Simon: Simon uploaded a new version of File:Incidents add channel.png

Add channel

File:Skype rtp statistics ip detailed.png

2022-05-12T12:18:31Z

Simon: Simon uploaded a new version of File:Skype rtp statistics ip detailed.png

File:Skype response time.png

2022-05-12T12:18:18Z

Simon: Simon uploaded a new version of File:Skype response time.png

File:Sip dashboard.png

2022-05-12T12:18:07Z

Simon: Simon uploaded a new version of File:Sip dashboard.png

Sip dashboard

File:Ring buffer rule create ssl after handshake.png

2022-05-12T12:17:31Z

Simon: Simon uploaded a new version of File:Ring buffer rule create ssl after handshake.png

Ring buffer rule create ssl after handshake

File:RTP connections.png

2022-05-12T12:16:47Z

Simon: Simon uploaded a new version of File:RTP connections.png

File:Profinet Overview.png

2022-05-12T12:16:31Z

Simon: Simon uploaded a new version of File:Profinet Overview.png

Profinet Overview

File:Multi IP view1.png

2022-05-12T12:15:30Z

Simon: Simon uploaded a new version of File:Multi IP view1.png

Multi IP view1

File:Incidents module.png

2022-05-12T12:15:03Z

Simon: Simon uploaded a new version of File:Incidents module.png

Incidents module

File:IP statistics.png

2022-05-12T12:14:51Z

Simon: Simon uploaded a new version of File:IP statistics.png

IP statistics

File:Firmware update.png

2022-05-12T12:13:59Z

Simon: Simon uploaded a new version of File:Firmware update.png

Firmware update

File:Empty dashboard.png

2022-05-12T12:13:20Z

Simon: Simon uploaded a new version of File:Empty dashboard.png

Empty dashboard

File:Dns servers.png

2022-05-12T12:13:12Z

Simon: Simon uploaded a new version of File:Dns servers.png

List of DNS servers

File:Dns server response time.png

2022-05-12T12:13:04Z

Simon: Simon uploaded a new version of File:Dns server response time.png

DNS server response time

File:Dns server reply codes.png

2022-05-12T12:12:57Z

Simon: Simon uploaded a new version of File:Dns server reply codes.png

DNS server reply codes

File:Dns server names.png

2022-05-12T12:12:44Z

Simon: Simon uploaded a new version of File:Dns server names.png

DNS names and lookup times

File:Dns server details.png

2022-05-12T12:12:33Z

Simon: Simon uploaded a new version of File:Dns server details.png

DNS server details

File:Dns resolved names.png

2022-05-12T12:11:06Z

Simon: Simon uploaded a new version of File:Dns resolved names.png

List of resolved DNS names

File:Dns record types.png

2022-05-12T12:10:31Z

Simon: Simon uploaded a new version of File:Dns record types.png

DNS record types

File:Ap-mm-time-select-1-day.png

2022-05-12T12:09:03Z

Simon: Simon uploaded a new version of File:Ap-mm-time-select-1-day.png

Investigate Network Load

File:Advanced filter.png

2022-05-12T12:07:43Z

Simon: Simon uploaded a new version of File:Advanced filter.png

Advanced filter

File:ARP.png

2022-05-12T12:06:57Z

Simon: Simon uploaded a new version of File:ARP.png

ARP

Management interface settings

2021-12-02T09:13:01Z

Simon:

Access to the web interface of the Allegro Network Multimeter is handled by an out-of-band network connection separately connected to the device via a wired connection or wireless.
This section allows to configure the settings of the wireless and the wired access. The configuration of the [[Management interface settings on console]] is possible, too.

=== Wireless management interface ===

The wireless access can be disabled or enabled, regardless of a connected Wi-Fi device since such a device can be connected later at any time.
The wireless management interface can operate in two modes:

* Manage own network: In this mode (default), the Allegro will setup its own Access Point so you can connect a laptop or smartphone directly to the device and access the management interface. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Join existing network: In this mode, the Allegro Network Multimeter will connect to an existing Wi-Fi network. To do so, enter the name (SSID) of the network and the password. The Wi-Fi Access Point or controller should list the IP it has assigned to the Allegro Network Multimeter.

Additionally, two other options are available under Wireless management interface settings:

* Channel: a fixed Wi-Fi channel can be selected so the Access Point only uses this channel instead of automatically choosing the best available channel.
* Disable default gateway: If enabled, the Access Point will not announce to be the default gateway/route for this network. If so, the device can only be accessed by using the IP address 192.168.4.1. If this option is disabled, the name server running on the device will also resolve the name '''allegro/''' to make it easier to access to the device. This option is useful if there is still another active connection which should still be used, such as a mobile connection or the internal company network.

=== LAN management interface ===

For wired connections there are three operation modes:

* Join existing network: in this mode the Allegro obtains an IP address (DHCP) from the network connected to the management port. The Router or DHCP server in the network should list the Allegro Network Multimeter IP address.
* Manage own network: In this mode, the Allegro will run a DHCP server on the management port, enabling you to connect another computer via a cable to the system. Be aware that in this mode, the management port should not be connected to the main network, since running multiple DHCP servers will disturb the network. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Use static IP: It is also possible to configure a fixed IP address for the wired management port. You can enter any IP address for the port. The IP address must end with a slash followed by the subnet size. Example: /24 stands for a subnet mask of 255.255.255.0. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. In this mode, the web interface can be reached by the static IP address you configured.

=== Secondary management interface ===

You can attach a USB Ethernet adapter to any USB port of the Allegro Network Multimeter and use this as an additional management interface. This management interface can be operated with a static IP address only. In the address input field, enter the IP address followed by a slash and the subnet size. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. This feature is not supported by the Allegro 200.

=== Host name ===

By default, the host name is in the format '''allegro-mm-xxxx''' where the last four characters depend on the actual device. Because of this, multiple Allegro Network Multimeters can be used in the same network.
It is however, possible to choose your own host name. Enter a new name and save the changes. If the name field is empty, the default name will be used again following the next reboot.

=== LLDP ===

If enabled, the Allegro Network Multimeter will transmit LLDP (Link Layer Discovery Protocol) information for the management MAC and IP addresses on the management interface.
The LLDP system name will contain the hostname of the Allegro Network Multimeter and the LLDP system description will contain the platform type (e.g. Allegro-200-rev1) and the currently installed Firmware version.

=== Huawei E8372 | E3372 LTE Wingle ===

Allegro Network Multimeter 500 and upwards allow for one Management Interface to be connected via LTE through a Huawei E8372 or E3372 LTE Wingle. This setup allows for a remote management connection through the [https://allegro-packets.com/wiki/Using_the_Allegro_Remote_Service Allegro Remote Service] without a local internet connectivity. In order to do this, connect your USB Wingle to your Computer and follow Huawei's instructions to set up your LTE connection. Afterwards connect the Huawei Wingle to one of the USB ports on your Allegro Network Multimeter and go to '''Settings'''->'''Management Interfaces'''. Activate '''Use optional management interface''' and configure an available IP address (e.g. 192.168.8.2/24), gateway IP (e.g. 192.168.8.1) and name server (e.g. 192.168.8.1).

[[File:Secondary_lan_management.png|900px]]

Management interface settings

2021-12-01T16:22:40Z

Simon:

Access to the web interface of the Allegro Network Multimeter is handled by an out-of-band network connection separately connected to the device via a wired connection or wireless.
This section allows to configure the settings of the wireless and the wired access. The configuration of the [[Management interface settings on console]] is possible, too.

=== Wireless management interface ===

The wireless access can be disabled or enabled, regardless of a connected Wi-Fi device since such a device can be connected later at any time.
The wireless management interface can operate in two modes:

* Manage own network: In this mode (default), the Allegro will setup its own Access Point so you can connect a laptop or smartphone directly to the device and access the management interface. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Join existing network: In this mode, the Allegro Network Multimeter will connect to an existing Wi-Fi network. To do so, enter the name (SSID) of the network and the password. The Wi-Fi Access Point or controller should list the IP it has assigned to the Allegro Network Multimeter.

Additionally, two other options are available under Wireless management interface settings:

* Channel: a fixed Wi-Fi channel can be selected so the Access Point only uses this channel instead of automatically choosing the best available channel.
* Disable default gateway: If enabled, the Access Point will not announce to be the default gateway/route for this network. If so, the device can only be accessed by using the IP address 192.168.4.1. If this option is disabled, the name server running on the device will also resolve the name '''allegro/''' to make it easier to access to the device. This option is useful if there is still another active connection which should still be used, such as a mobile connection or the internal company network.

=== LAN management interface ===

For wired connections there are three operation modes:

* Join existing network: in this mode the Allegro obtains an IP address (DHCP) from the network connected to the management port. The Router or DHCP server in the network should list the Allegro Network Multimeter IP address.
* Manage own network: In this mode, the Allegro will run a DHCP server on the management port, enabling you to connect another computer via a cable to the system. Be aware that in this mode, the management port should not be connected to the main network, since running multiple DHCP servers will disturb the network. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Use static IP: It is also possible to configure a fixed IP address for the wired management port. You can enter any IP address for the port. The IP address must end with a slash followed by the subnet size. Example: /24 stands for a subnet mask of 255.255.255.0. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. In this mode, the web interface can be reached by the static IP address you configured.

=== Secondary management interface ===

You can attach a USB Ethernet adapter to any USB port of the Allegro Network Multimeter and use this as an additional management interface. This management interface can be operated with a static IP address only. In the address input field, enter the IP address followed by a slash and the subnet size. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. This feature is not supported by the Allegro 200.

=== Host name ===

By default, the host name is in the format '''allegro-mm-xxxx''' where the last four characters depend on the actual device. Because of this, multiple Allegro Network Multimeters can be used in the same network.
It is however, possible to choose your own host name. Enter a new name and save the changes. If the name field is empty, the default name will be used again following the next reboot.

=== LLDP ===

If enabled, the Allegro Network Multimeter will transmit LLDP (Link Layer Discovery Protocol) information for the management MAC and IP addresses on the management interface.
The LLDP system name will contain the hostname of the Allegro Network Multimeter and the LLDP system description will contain the platform type (e.g. Allegro-200-rev1) and the currently installed Firmware version.

=== Huawei E8372 LTE Wingle ===

Allegro Network Multimeter 500 and upwards allow for one Management Interface to be connected via LTE through a Huawei E8372 LTE Wingle. This setup allows for a remote management connection through the [https://allegro-packets.com/wiki/Using_the_Allegro_Remote_Service Allegro Remote Service] without a local internet connectivity. In order to do this, connect your USB Wingle to your Computer and follow Huawei's instructions to set up your LTE connection. Afterwards connect the Huawei Wingle to one of the USB ports on your Allegro Network Multimeter and go to '''Settings'''->'''Management Interfaces'''. Activate '''Use optional management interface''' and configure an available IP address (e.g. 192.168.8.2/24), gateway IP (e.g. 192.168.8.1) and name server (e.g. 192.168.8.1).

[[File:Secondary_lan_management.png|900px]]

Management interface settings

2021-12-01T16:22:26Z

Simon:

Access to the web interface of the Allegro Network Multimeter is handled by an out-of-band network connection separately connected to the device via a wired connection or wireless.
This section allows to configure the settings of the wireless and the wired access. The configuration of the [[Management interface settings on console]] is possible, too.

=== Wireless management interface ===

The wireless access can be disabled or enabled, regardless of a connected Wi-Fi device since such a device can be connected later at any time.
The wireless management interface can operate in two modes:

* Manage own network: In this mode (default), the Allegro will setup its own Access Point so you can connect a laptop or smartphone directly to the device and access the management interface. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Join existing network: In this mode, the Allegro Network Multimeter will connect to an existing Wi-Fi network. To do so, enter the name (SSID) of the network and the password. The Wi-Fi Access Point or controller should list the IP it has assigned to the Allegro Network Multimeter.

Additionally, two other options are available under Wireless management interface settings:

* Channel: a fixed Wi-Fi channel can be selected so the Access Point only uses this channel instead of automatically choosing the best available channel.
* Disable default gateway: If enabled, the Access Point will not announce to be the default gateway/route for this network. If so, the device can only be accessed by using the IP address 192.168.4.1. If this option is disabled, the name server running on the device will also resolve the name '''allegro/''' to make it easier to access to the device. This option is useful if there is still another active connection which should still be used, such as a mobile connection or the internal company network.

=== LAN management interface ===

For wired connections there are three operation modes:

* Join existing network: in this mode the Allegro obtains an IP address (DHCP) from the network connected to the management port. The Router or DHCP server in the network should list the Allegro Network Multimeter IP address.
* Manage own network: In this mode, the Allegro will run a DHCP server on the management port, enabling you to connect another computer via a cable to the system. Be aware that in this mode, the management port should not be connected to the main network, since running multiple DHCP servers will disturb the network. In this mode, the web interface can be accessed by entering the URL '''https://allegro/''' into a web browser.
* Use static IP: It is also possible to configure a fixed IP address for the wired management port. You can enter any IP address for the port. The IP address must end with a slash followed by the subnet size. Example: /24 stands for a subnet mask of 255.255.255.0. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. In this mode, the web interface can be reached by the static IP address you configured.

=== Secondary management interface ===

You can attach a USB Ethernet adapter to any USB port of the Allegro Network Multimeter and use this as an additional management interface. This management interface can be operated with a static IP address only. In the address input field, enter the IP address followed by a slash and the subnet size. Optionally you can enter the IP address of your gateway computer and the IP address of the DNS server. You can leave them empty if you want to directly connect the device to another computer with no Router involved. This feature is not supported by the Allegro 200.

=== Host name ===

By default, the host name is in the format '''allegro-mm-xxxx''' where the last four characters depend on the actual device. Because of this, multiple Allegro Network Multimeters can be used in the same network.
It is however, possible to choose your own host name. Enter a new name and save the changes. If the name field is empty, the default name will be used again following the next reboot.

=== LLDP ===

If enabled, the Allegro Network Multimeter will transmit LLDP (Link Layer Discovery Protocol) information for the management MAC and IP addresses on the management interface.
The LLDP system name will contain the hostname of the Allegro Network Multimeter and the LLDP system description will contain the platform type (e.g. Allegro-200-rev1) and the currently installed Firmware version.

=== Huawei E8372 LTE Wingle ===

Allegro Network Multimeter 500 and upwards allow for one Management Interface to be connected via LTE through a Huawei E8372 LTE Wingle. This setup allows for a remote management connection through the [https://allegro-packets.com/wiki/Using_the_Allegro_Remote_Service Allegro Remote Service] without a local internet connectivity. In order to do this, connect your USB Wingle to your Computer and follow Huawei's instructions to set up your LTE connection. Afterwards connect the Huawei Wingle to one of the USB ports on your Allegro Network Multimeter and go to '''Settings'''->'''Management Interfaces'''. Activate '''Use optional management interface''' and configure an available IP address (e.g. 192.168.8.2/24), gateway IP (e.g. 192.168.8.1) and name server (e.g. 192.168.8.1).

[[File:Secondary_lan_management.png|900px]]

File:Secondary lan management.png

2021-12-01T16:16:15Z

Simon:

Capture module

2021-09-15T09:17:38Z

Simon: /* Using expert filters to start captures */

==Capture module ==
The Network Multimeter allows direct capturing of network traffic as a HTTP download to your computer. No packet data is stored on the device itself. Traffic can be directly filtered for specific packets, only the relevant packets will be captured. In addition, it is also possible to capture network traffic to an attached storage device, see the settings section below for details. Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow
capturing specific traffic, for example for an certain IP address or a network protocol. The capture module allows to configure filter for traffic that has not even started right now, for example for an IP address that is not in use at the moment but later might be used. The capture module page displays all currently running captures and allows starting new captures with specific filters.

{| class="wikitable sortable"
|-
|[[File:Generic modules.png|800px|none|right]]
|}

==== Current captures ====
The first part of the page displays all downloads running for the current user session, and all downloads running for other user sessions (like when a download has been started outside the browser by directly using command line tools such as wget or curl).
The list contains the client IP and port of the user running the download. The next three counters describe the number of packets captured for the corresponding filter, the number of packets dropped by the capturing module, and the number of ignored packets. Packet drops happen when more packets are captured than can be transferred via HTTP to the client. Ignored packets do not match the given capture filter. The following columns list the applied filter criteria. The last column contains a button to stop the corresponding download. Downloads can also be stopped by clicking the same capture button that started the capture in the corresponding module. If multiple devices have been configured, the list also contains all captures from all multi-devices which can be stopped individually.

==== Recently captured ====
This list shows the most recently performed captures for the current user. The most recent capture is displayed on the top. Next to each capture there is a button to permanently save this capture as a favorite as well as a button to simply start this capture again. The '''Use as expert filter''' button will copy the capture filter into the expert filter input field and allows for customizing the capture. The button '''Delete list of recent captures''' will delete all entries from this list.

==== Favorites ====
This list shows favorite capture expressions. A capture can be marked as a favorite either in the capture dialog by clicking on the star button in the top right corner or by marking it as a favorite in the '''Recently captured''' list. A description can be given and will be displayed in this list. For each favorite capture a PCAP button is available to simply start this capture again. The '''Remove favorites''' button allows for cleaning the list. The '''Use as expert filter''' button will copy the capture filter into the expert filter input field and allows for customizing the capture.

==== Planned captures ====
On this tab captures to the storage device can be planned ahead of time and these captures can even be set to repeat automatically. A click on the '''Add planned capture''' button opens a dialog where the planned capture can be configured. This includes settings like the start date and time of the capture, the duration of the capture, if a capture should repeat and the filter expression used during the capture. It is important to know that planned captures are always stored on the active storage device and thus will not function if no storage device is active.

==== Capture profiles ====
[[File:Capture profiles config.png|thumb|600x600px|Capture profile configuration]]
[[File:Capture profiles edit profile.png|thumb|600x600px|Edit capture profile]]
Capture profiles can be used in the capture dialog for custom packet truncation rules. Such profiles defines custom rules for packet snapshot length similar to ring buffer filters. This allows to use a different snapshot length for specific layer 7 protocols, if for example traffic of one protocol shall be captured completely while for another protocol only the IP header shall be captured. Such a capture profile can be selected in the capture dialog in the "Truncate packet length" select box.

Up to 10 different profiles can be configured by clicking at the "Add profile" button. The add/edit dialog allows to enter a profile name and up to 10 rules for snapshot length. Similar to [[Packet ring buffer#Packet ring buffer snapshot length filter|ring buffer filters]], the first rule that matches for the selected type is used to decide for the snapshot length of the actual packet.

==== Simple capture ====
The second section of the capture page allow to select some fields to filter network traffic for. By default, only the IP field is visible, the other fields can be enabled by clicking on the corresponding toggle switch. Each line allows to enter a filter criterion for the corresponding network traffic element. To start the capture with the entered filter criteria just click at the '''Start capture''' button. For reference, the expert filter expression is shown at the end of the section so it can be used to copy and paste
the string into the expert filter section.

==== Using expert filters to start captures ====
The third part of the page allows for starting a download for any criterion combination using complex filter expressions. A capture filter is defined in a C-style syntax and supports combination of AND/OR operators, precedence order with parentheses and equal/not equal comparisons. If the filter exp Session can be evaluated to true, the packet is
captured.
If a value contains a space, the whole value must be quoted with “”.
Following operators are supported:
* '''and''', '''&&''' : AND operator. The filter expression will match if all operands could be evaluated to true.
* '''or''', '''||''': OR operator. The filter expression will match if any operand can be evaluated to true.

Following comparison operators are supported:
* '''==''': Will evaluate expression to true if left and right operand are equal.
* '''!=''': Will evaluate expression to true if left and right operand are not equal.

Following operands are supported:
* '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match. A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be written in brackets.
:Example:
:{| class="wikitable sortable"
|-
|
ip == 10.0.0.1

ip == ff02::1:3

ip == 10.0/16

ip == 10.0.0.1:1234

ip == [2a02:810a:1340:1292:1c6b:e58d:6ebc:6cd2]:123
|-
|}

*'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet match.
:Example:
:{| class="wikitable sortable"
|-
| mac == 12:34: :56:78:90:ab
|-
|}

* '''port''': A TCP or UDP port. The packet is captured if either source or destination port match.
:Example:
:{| class="wikitable sortable"
|-
| port == 80
|-
|}

* '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values or value ranges.
:Example:
:{| class="wikitable sortable"
|-
| portrange == 80,100-120,-10,65000-
|-
|}

* '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server and not of a client.
:Example:
:{| class="wikitable sortable"
|-
| serverport == 80
|-
|}

* '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC Protocol Statistics module.
:Example:
:{| class="wikitable sortable"
|-
| macProtocol == IPv4
macProtocol == "Non IP"
|-
|}

* '''l4Protocol''': A layer 4 protocol such as TCP or UDP or any IP protocol number. Protocols can also be OR combined as a comma seperated list.
:Example:
:{| class="wikitable sortable"
|-
| l4Protocol == ICMP,ICMPv6
|-
|}

* '''l7Protocol''' or '''dpiProtocol''': A layer 7 protocol. Protocols can also be OR combined as a comma seperated list. For all seen protocols please consult the Layer 7 protocols module.
* '''countryCode''': A country code such as US. For all seen country codes please consult the Geolocation module.
* '''arpip''': An IP address within an ARP request or response.
* '''vlan''': A VLAN tag of an outer or inner VLAN. May be a number or none or any.
* '''outervlan''': A VLAN tag of an outer VLAN. May be a number or none or any.
* '''innervlan''': A VLAN tag of an inner VLAN. May be a number or none or any.
* '''multicastGroup''': A multicast IP address or any. The filter will match all IGMP or MLD negotiation packets related to that multicast IP address.
* '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with the given payload type.
* '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult the Interface stats page.
:Example:
:{| class="wikitable sortable"
|-
| interface == 1,3-5
|-
|}

* '''link''': The link pair of two interfaces as stated in Interface stats. A single link number can be given.
* '''ptpMsgType''': A specific PTP message type number or any for the whole PTP traffic.
* '''profinetFrameId''': A specific Profinet frame ID.
* '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses. Can also be any for every operation number. Following values are used:
:#connect
:#release
:#read
:#write
:#control
:#read implicit

* '''mpls''': A label of an outer or inner MPLS. May be a number or none or any.
* '''outerMpls''': A label of an outer MPLS. May be a number or none or any.
* '''innerMpls''': A label of an inner MPLS. May be a number or none or any.
* '''qosIpDscp''': The DSCP value in the IP header. May be a number.
* '''qosMplsTc''': The traffic class value in the outermost MPLS label stack entry.
* '''qosVlanPcp''': The priority code point value in the outermost VLAN tag.
* '''group''': The name of a configured group or ‘default’. If the name contains whitespaces, the name must be enclosed in quotes.
* '''badCRC''': The value of this operand will be 1 for packets with a CRC error and will be 0 for good packets. Capturing packets with bad CRC is currently only supported on 1Gb interfaces.
* '''icmpType''': The value of a certain ICMP type (e.g. Echo request 8, Echo reply 0).
* '''tcpFlags''': A single TCP flag or a list of TCP flags joined by the ‘+’ sign. If a list of flags is given, all flags must be present in the packet. Supported TCP flags are syn, ack, fin, rst, psh and urg.
* '''callId''': The string value of a SIP call ID or similar identifier (e.g. P-Palladion-ID)
* '''ipFragment''': If set to 1 all IPv4 fragments will be captured (i.e. packets having the 'More fragments' flag and 'Fragment offset' set). If set to 0 all packets without IPv4 fragmentation will be captured.
* '''regexp''': The packet payload matches the quoted regular expression (RegEx) to the other side of the == operator or does not match the regular expression to the other side of the != operator. In case of IP packets the matching will be performed on the L7 payload of the packet. In case of non-IP packets the matching will be performed on the whole packet except the Ethernet header. Regular expressions largely support the pattern syntax used by the PCRE library with the exception of certain constructs. An invalid pattern will produce a descriptive error message and prevent the capture from being started.

For a specific precedence you may use parentheses '''('''/''')'''.

Examples:
* The expression
:{| class="wikitable sortable"
|-
| ip == 10.0.0.1:1234 and ip == 10.1.0.1:9876
|-
|}
:will match a connection from 10.0.0.1 to 10.1.0.1 or vice versa with the ports 1234 and 9876 involved.

* The expression
:{| class="wikitable sortable"
|-
| ip == 10.0.0.1 and ip != 10.0.0.2
|-
|}
:will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured.

* The expression
:{| class="wikitable sortable"
|-
| l4Protocol == ICMP,ICMPv6
|-
|}
:will match packets with ICMP or ICMPv6 layer 4 protocols.

* The expression
:{| class="wikitable sortable"
|-
| portrange == 80,443
|-
|}
:will match packets to or from port 80 or 443.

* The expression
:{| class="wikitable sortable"
|-
| regexp == "allegr[o,a]'''<nowiki>|</nowiki>'''HTTP"
|-
|}
:will case sensitive match packets that contain the string(s) 'allegro' and/or 'allegra' and/or 'HTTP' anywhere in the payload.
:NOTE: The use of regexp is CASE sensitive. You must use the (?i) modifier to enable case insensitive filtering.

* The expression
:{| class="wikitable sortable"
|-
| regexp == "(?i)allegro'''<nowiki>|</nowiki>'''http"
|-
|}
:will case insensitive match packets that contain the string(s) 'allegro' and/or 'http' anywhere in the payload.
:NOTE: The use of regexp is CASE sensitive. You must use the (?i) modifier to enable case insensitive filtering.

Of course the Allegro Network Multimeter regular expression (RegEx) capture filter, can also be used in combination with our other capture expressions.

* The expression
:{| class="wikitable sortable"
|-
| regexp == “allegro'''<nowiki>|</nowiki>'''analyzer” and l7protocol == "dns"
|-
|}
:Will case sensitive match and capture <u>only DNS packets</u> containing the string(s) “allegro” and/or “analyzer.

* The expression
:{| class="wikitable sortable"
|-
| regexp == “allegro'''<nowiki>|</nowiki>'''analyzer” and l7protocol != "dns"
|-
|}
:Will case sensitive match and capture all (except DNS) packets containing the string(s) “allegro” and/or “analyzer.

<i>Whenever you are unsure about the outcome of RegEx based packet capturing, you can pre-test the outcome of your expressions on https://pythex.org/.
While pre-testing on https://pythex.org/, avoid using the “IGNORECASE” button. Instead use the (?i) modifier for constructing case insensitive expressions, as mentioned above.
PCRE/Python based expression examples and explanations you'll find on https://www.programiz.com/python-programming/regex</i>

All captures can be limited to any amount of time or bytes, for example to capture only one minute or one megabyte of traffic.

Below the list of filter criteria, you will find the button to actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled.

====Layer 7 protocol capture====
Layer 7 protocol detection engine may need several packets to recognize the currently used protocol. For these captures all not yet recognized packets will be skipped. As soon as the protocol recognition is finished, all packets matching the protocol filter will be captured.

====Configuration settings====
By clicking on the gear button on the top right of the Capture web page, you can access the configuration section.

*Split PCAP file after this size
: This option can be used to limit the size of the PCAP file when storing to an attached device. Once the captured traffic would exceed this threshold, a new PCAP file with the current time stamp is created and the traffic is written to the new file. If the time stamp is still the same, an index is attached to the filename.
: When set to 0, no splitting will be done.

*Split PCAP file after this duration
:This option can be used to limit the duration of the PCAP file when storing to an attached device. The duration starts counting with the start of the capture. Once the captured traffic would exceed the duration, a new PCAP file with the current time stamp is created and the traffic is written to the new file.
:When set to 0, no splitting will be done.
:Both split parameters can be combined. The PCAP file will be split as soon as one threshold has been reached.

*The maximum number of concurrent packet ring buffers
:This option is used to specify how many cluster packet ring buffers can run in parallel.
:Be aware that each cluster will have it's own queue in memory and therefore the memory required is the number of cluster packet ring buffers multiplied by the setting of '''The size in MB for the queue of the packet ring buffer'''.
:A reboot of the device or a restart of the processing is needed for a change to this option to take effect.

*The size in MB for the queue of the packet ring buffer
: This option allows to configure the size of the queue that holds processed packets before they are written to the packet ring buffer. Increasing the size of this queue may help if the disk used for the packet ring buffer cannot keep up with bursts of traffic so that packet drops occur in the packet ring buffer.
:Be aware that memory allocated to this queue is not available for storing statistics and metadata so that choosing a large value for this queue reduces the overall data storage time.
:Most users will not need to change this value from the default value.
:A reboot of the device or a restart of the processing is needed for a change to this option to take effect.

*The maximum size in MB for the packet reorder buffer when capturing from the packet ring buffer
:This setting allows to choose the maximum size that the packet reorder buffer may grow to. For performance reasons the packet ring buffer does not ensure a total order of packets when storing them on disk. The packet reorder buffer is used to restore the correct order of packets in a capture when capturing from the packet ring buffer. A larger packet reorder buffer makes it more likely that the packet order can be restored for all packets. The actual amount of memory used for the packet reorder buffer depends on this setting but also on the amount of free memory in the system so that the effectively used amount of memory may be less than this setting indicates.

====Capture settings dialog====
[[File:Choose capture settings.png|none|thumb|600x600px]]
This dialog appears after a capture button has been clicked. Following settings are possible:
*Start time and end time
:By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis.
: If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode.
: The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time.
:If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is '''now''', the capture will start with pushing the '''Start capturing''' button. The default value of the end time is '''unlimited''', the capture will not stop unless stopped manually by clicking on the stop button.
:Eight buttons offer quick selection of often used time settings.

*Packet ring buffer
:If multiple packet ring buffer clusters are active this dropdown menu allows to choose from which cluster the packets should be captured.

*Capture type
: This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available:

:*HTTP download
::This is the default method. The capture will start a HTTP download of a PCAP file directly in the browser.
:: Available HTTP download options:
::*Set file name: allow to configure a custom file name for the capture file
::*Download as zip archive: Download the capture file as a compressed zip archive '''[New in version 3.0]'''
:*Disk
::This method is only visible if a storage device is active and has some amount of free storage space. The capture will create a PCAP file on the storage device.
::If PCAP export via SFTP is enabled, an additional checkbox is displayed to store the capture file in the export directory, slated for upload according the SFTP export settings.

:*Interface
::This mode will transmit the captured packets on a physical network interface. It is not available when the system is analyzing a PCAP file or is analyzing the packet ring buffer.

:* ERSPAN
::This mode will transmit the captured packets encapsulated in a GRE + ERSPAN header on the management interface to a given target IP address. On the target system the traffic can be selectively captured using the filter '''ip proto 0x2f''' when using an application like Wireshark or tcpdump.

*File name
:If browser download or disk storage has been chosen, the file name of the created capture file can be set in this field. The default value shows the filename with date wildcards and the capture filter. The date wildcards are then replaced by the start time of the capture.
:Date format specifier can be used as supported by strftime() function call. Some common specifier:
:*%Y for year
:*%m for month
:* %d for day
:*%H for hours
:*%M for minutes
:*%S for seconds

*Storage directory
:If disk storage has been chosen, the target directory on the storage device can be set in this field. Sub-directories on the storage device can be created and inspected on the [[Storage#Working with storage contents|Storage]] page.

* Zip options '''[New in version 3.0]'''
:If browser download has been chosen and the zip download option is selected, the file size can be configured after which the pcap files within the archive is spit into additional files
:The number is entered in megabytes. 0 means no splitting.

*Interface to transmit on
:This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected.

* ERSPAN target address
:This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified.

*ERSPAN session ID
:This section is only shown when Capture type is ERSPAN. The ERSPAN session ID can be used to differentiate between multiple capture session on the ERSPAN target.

*Transmit speed
: This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available:

:*none
::No limit will be applied and the packets are transmitted as fast as the network interface and the packet ring buffer allow.

:*limit to bandwidth
::A bandwidth limit will be applied so that the given bandwidth in Mbps is not exceeded. The bandwidth can be given as a decimal so that e.g. 500kbps can be configured with a value of 0.5.

:*realtime factor
:: Packets will be transmitted based on their recorded timing information. This means that with a real time factor of 1.0 packets will be transmitted approximately with the same timing as they were originally received. Using for example a real time factor of 2.0 would transmit the packets with twice the speed than they were received.

* Transmit bandwidth in Mbps
:This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.

*Transmit realtime factor
:This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the :Transmit speed section.

*Truncate packet length:
:This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence.
:Possible values are:
:*Full length
:*64 Bytes
:*1500 Bytes
:*Custom length with an input field for inserting any length between 64 and 15378 Bytes
:*Capture profile: select a configured capture profile which defines rules about how many bytes are saved depending on the configured rules.

*PCAP compatibility:
:This section is only shown when the Capture type is either HTTP or disk.
:*Omit interface ID
::Enabling this option will generate a PCAP file that only contains a single interface and treats all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.

*PCAP comment:
:Allows to add a user defined comment to the generated PCAP file.
:*Add device information to comment
::Enabling this option will insert additional device information such as name, serial, memory size or capture filter into he PCAP comment.

After pushing the '''Start capture''' button, the capture starts.

====Webshark====
The Allegro Nework Multimeter has a preview mode to see the first Megabyte of captured packets directly in the browser. By clicking the Webshark preview button in the capture dialog, the first Megabyte of the requested packets will be extracted. If this is extraction is finished, a modal dialog will open showing the captured packets similar to Wireshark. The capture can be moved from the modal dialog to a separate window by pressing the button in the upper right corner next to the close button.

====Capture URL====
It is possible to use an external tool like '''curl''' for creating and storing a PCAP.
{| class="wikitable sortable"
|-
| curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?startTime=1517306266000000&endTime=1517309267000000&expression=l7Protocol==HTTP&snapPacketLength=65535&fromCaptureBuffer=true' > path_to/capture.pcap
|-
|}
The user name, password and hostname similar to the access of the web interface have to be used.
Following parameters are possible:

* startTime: The start time of the capture. The first packet with exactly this or a later time will start the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch). If the start time is in the past, make sure you set fromCaptureBuffer parameter accordingly.
*endTime: The end time of the capture. The first packet with exactly this or a later time will stop the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch).
*expression: The filter expression. There are no whitespaces allowed. You may use ‘%20’ instead.
*snapPacketLength: The max size of a packet applied on layer 2 without frame check sequence. If a packet is larger than this value, it is truncated. Use 65535 for unlimited size.
* fromCaptureBuffer: Whether to extract data from the packet ring buffer or just live traffic.
*captureToMedia: Whether to store PCAP on external storage device or download with your browser on your computer.
* useSingleInterface: Whether to store only a single interface in the PCAP and treat all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.