Capture module: Difference between revisions

* '''and''', '''&&''' : AND operator. The filter expression will match if all operands could be evaluated to true.

* '''or''', '''||''': OR operator. The filter expression will match if any operand can be evaluated to true.

* '''==''': Will evaluate expression to true if left and right operand are equal.

* '''!=''': Will evaluate expression to true if left and right operand are not equal.

* '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match.

*'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet

* '''port''': A TCP or UDP port. The packet is captured if either source or destination port match. Example:

* '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values

* '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server

* '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC

* '''l4Protocol''': A layer 4 protocol such as TCP or UDP. Protocols can also be OR combined as a comma seperated list. Example:

* '''l7Protocol''' or '''dpiProtocol''': A layer 7 protocol. Protocols can also be OR combined as a comma seperated list.For all seen protocols please consult the Layer 7 protocols module.

* '''countryCode''': A country code such as US. For all seen country codes please consult the Geolocation module.

* '''arpip''': An IP address within an ARP request or response.

* '''vlan''': A VLAN tag of an outer or inner VLAN. May be a number or none or any.

* '''outervlan''': A VLAN tag of an outer VLAN. May be a number or none or any.

* '''innervlan''': A VLAN tag of an inner VLAN. May be a number or none or any.

* '''multicastGroup''': A multicast IP address or any. The filter will match all IGMP or MLD negotiation packets

* '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with

* '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult

* '''link''': The link pair of two interfaces as stated in Interface stats. A single link number can be given.

* '''ptpMsgType''': A specific PTP message type number or any for the whole PTP traffic.

* '''profinetFrameId''': A specific Profinet frame ID.

* '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses.

===== Can also be any for every operation number. Following values are used:=====

'''0-''' connect

'''1-''' release

'''2-''' read

'''3-''' write

'''4-''' control

'''5-''' read implicit

* '''mpls''': A label of an outer or inner MPLS. May be a number or none or any.

* '''outerMpls''': A label of an outer MPLS. May be a number or none or any.

* '''innerMpls''': A label of an inner MPLS. May be a number or none or any.

* '''qosIpDscp''': The DSCP value in the IP header. May be a number.

* '''qosMplsTc''': The traffic class value in the outermost MPLS label stack entry.

* '''qosVlanPcp''': The priority code point value in the outermost VLAN tag.

* '''group''': The name of a configured group or ‘default’. If the name contains whitespaces, the name must be enclosed in quotes.

* '''badCRC''': The value of this operand will be 1 for packets with a CRC error and will be 0 for good packets. Capturing packets with bad CRC is currently only supported on 1Gb interfaces.

* '''icmpType''': The value of a certain ICMP type (e.g. Echo request 8, Echo reply 0).

* '''tcpFlags''': A single TCP flag or a list of TCP flags joined by the ‘+’ sign. If a list of flags is given, all flags must be present in the packet. Supported TCP flags are syn, ack, fin, rst, psh and urg.

 

For a specific precedence you may use ( '''or''' ) parentheses.

will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured.

* The expression

The capture can be limited to any amount of time or bytes for example to capture only one minute or one megabyte of traffic.

Below the list of filter criteria there is a button the actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled.

Layer 7 protocol detection engine may need several packets to recognize the currently used protocol. For these captures all not yet recognized packets will be skipped. As soon as the protocol recognition is finished, all packets matching the protocol filter will be captured.

* Split PCAP file after this size This option can be used to limit the size of the PCAP file when storing to an attached device. Once the captured traffic would exceed this threshold, a new PCAP file with the current time stamp is created and the traffic is written to the new file. If the time stamp is still the same, an index is attached to the filename.

 

When set to 0, no splitting will be done. Both split parameters can be combined. The PCAP file will be split as soon as one threshold has been reached.

* The size in MB for the queue of the packet ring buffer This option allows to configure the size of the queue that holds processed packets before they are written to

the packet ring buffer. Increasing the size of this queue may help if the disk used for the packet ring buffer cannot keep up with bursts of traffic so that packet drops occur in the packet ring buffer. Be aware that memory allocated to this queue is not available for storing statistics and metadata so that choosing a large value for this queue reduces the overall data storage time. Most users will not need to change this value from the default value. A reboot of the device or a restart of the processing is needed for a change to this option to take effect.

* The maximum size in MB for the packet reorder buffer when capturing from the packet ring buffer This setting allows to choose the maximum size that the packet reorder buffer may grow to. For performance reasons the packet ring buffer does not ensure a total order of packets when storing them on disk. The packet reorder buffer is used to restore the correct order of packets in a capture when capturing from the packet ring buffer. A larger packet reorder buffer makes it more likely that the packet order can be restored for all packets. The actual amount of memory used for the packet reorder buffer depends on this setting but also on the amount of free memory in the system so that the effectively used amount of memory may be less than this setting indicates.

By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis. If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode. The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time. If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is “now”, the capture will start with pushing the “Start capturing” button. The default value of the end time is “unlimited”, the capture will not stop unless stopped manually by clicking on the stop button. Eight buttons offer quick selection of often used time settings.

* Capture type This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available:

This method is only visible if a storage device is active and has some amount of free storage space. The capture will create a PCAP file on the storage device.

This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected.

This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified.

* Transmit speed This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available:

No limit will be applied and the packets are transmitted as fast as the network interface and the packet ring buffer allow.

A bandwidth limit will be applied so that the given bandwidth in Mbps is not exceeded. The bandwidth can be given as a decimal so that e.g. 500kbps can be configured with a value of 0.5.

Packets will be transmitted based on their recorded timing information. This means that with a real time factor of 1.0 packets will be transmitted approximately with the same timing as they were originally received. Using for example a real time factor of 2.0 would transmit the packets with twice the speed than they were received.

This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.

* Transmit realtime factor This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The

meaning of this value is explained in the Transmit speed section. * Truncate packet length:

This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence.

'''– Omit interface ID:''' Enabling this option will generate a PCAP file that only contains a single interface and treats all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.

The Allegro Nework Multimeter has a preview mode to see the first Megabyte of captured packets directly in the browser. By clicking the Webshark preview button in the capture dialog, the first Megabyte of the requested packets will be extracted. If this is extraction is finished, a modal dialog will open showing the captured packets similar to Wireshark. The capture can be moved from the modal dialog to a separate window by pressing the button in the upper right corner next to the close button.

* startTime: The start time of the capture. The first packet with exactly this or a later time will start the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch). If the start time is in the past, make sure you set fromCaptureBuffer parameter accordingly.

* endTime: The end time of the capture. The first packet with exactly this or a later time will stop the capture. The time format must be microseconds after January, 1st 1970 UTC (Unix time, epoch).

* snapPacketLength: The max size of a packet applied on layer 2 without frame check sequence. If a packet is larger than this value, it is truncated. Use 65535 for unlimited size.

* captureToMedia: Whether to store PCAP on external storage device or download with your browser on your computer.

* useSingleInterface: Whether to store only a single interface in the PCAP and treat all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.