1,775
edits
Capture module: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
==Capture module == | ==Capture module == | ||
The Network Multimeter allows direct capturing of network traffic as a HTTP download to your computer. No | The Network Multimeter allows direct capturing of network traffic as a HTTP download to your computer. No packet data is stored on the device itself. Traffic can be directly filtered for specific packets, only the relevant packets will be captured. In addition, it is also possible to capture network traffic to an attached storage device, see the settings section below for details. Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow | ||
packet data is stored on the device itself. Traffic can be directly filtered for specific packets, only the relevant | capturing specific traffic, for example for an certain IP address or a network protocol. The capture module allows to configure filter for traffic that has not even started right now, for example for an IP address that is not in use at the moment but later might be used. The capture module page displays all currently running captures and allows starting new captures with specific filters. | ||
packets will be captured. | |||
In addition, it is also possible to capture network traffic to an attached storage device, see the settings section | |||
below for details. | |||
Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow | |||
capturing specific traffic, for example for an certain IP address or a network protocol. | |||
The capture module allows to configure filter for traffic that has not even started right now, for example for an IP | |||
address that is not in use at the moment but later might be used. | |||
The capture module page displays all currently running captures and allows starting new captures with specific | |||
filters. | |||
==== Current captures ==== | ==== Current captures ==== | ||
The first part of the page displays all downloads running for the current user session, and all downloads running | The first part of the page displays all downloads running for the current user session, and all downloads running for other user sessions (like when a download has been started outside the browser by directly using command line tools such as wget or curl). | ||
for other user sessions (like when a download has been started outside the browser by directly using command | The list contains the client IP and port of the user running the download. The next three counters describe the number of packets captured for the corresponding filter, the number of packets dropped by the capturing module, and the number of ignored packets. Packet drops happen when more packets are captured than can be transferred via HTTP to the client. Ignored packets do not match the given capture filter. The following columns list the applied filter criteria. The last column contains a button to stop the corresponding download. Downloads can also be stopped by clicking the same capture button that started the capture in the corresponding module. If multiple devices have been configured, the list also contains all captures from all multi-devices which can be stopped individually. | ||
line tools such as wget or curl). | |||
The list contains the client IP and port of the user running the download. The next three counters describe the | |||
number of packets captured for the corresponding filter, the number of packets dropped by the capturing module, | |||
and the number of ignored packets. Packet drops happen when more packets are captured than can be transferred | |||
via HTTP to the client. Ignored packets do not match the given capture filter. | |||
The following columns list the applied filter criteria. | |||
The last column contains a button to stop the corresponding download. Downloads can also be stopped by clicking | |||
the same capture button that started the capture in the corresponding module. | |||
If multiple devices have been configured, the list also contains all captures from all multi-devices which can be | |||
stopped individually. | |||
==== Recently captured ==== | ==== Recently captured ==== | ||
This list shows the most recently performed captures for the current user. The most recent capture is displayed on | This list shows the most recently performed captures for the current user. The most recent capture is displayed on the top. Next to each capture there is a button to permanently save this capture as a favorite as well as a button to simply start this capture again. The button “Delete list of recent captures” will delete all entries from this list. | ||
the top. Next to each capture there is a button to permanently save this capture as a favorite as well as a button | |||
to simply start this capture again. The button “Delete list of recent captures” will delete all entries from this list. | |||
==== Favourites ==== | ==== Favourites ==== | ||
This list shows favourite capture expressions. A capture can be marked as a favorite either in the capture dialog by | This list shows favourite capture expressions. A capture can be marked as a favorite either in the capture dialog by clicking on the star button in the top right corner or by marking it as a favorite in the “Recently captured” list. A description can be given and will be displayed in this list. For each favorite capture a PCAP button is available to simply start this capture again. The “Remove favorites” button allows for cleaning the list. macProtocol | ||
clicking on the star button in the top right corner or by marking it as a favorite in the “Recently captured” list. A | |||
description can be given and will be displayed in this list. For each favorite capture a PCAP button is available to | |||
simply start this capture again. The “Remove favorites” button allows for cleaning the list. | |||
==== Simple capture ==== | ==== Simple capture ==== | ||
The second section of the capture page allow to select some fields to filter network traffic for. By default, only the | The second section of the capture page allow to select some fields to filter network traffic for. By default, only the IP field is visible, the other fields can be enabled by clicking on the corresponding toggle switch. Each line allows to enter a filter criterion for the corresponding network traffic element. To start the capture with the entered filter criteria just click at the “Start capture” button. For reference, the expert filter expression is shown at the end of the section so it can be used to copy and paste | ||
IP field is visible, the other fields can be enabled by clicking on the corresponding toggle switch. | |||
Each line allows to enter a filter criterion for the corresponding network traffic element. | |||
To start the capture with the entered filter criteria just click at the “Start capture” button. | |||
For reference, the expert filter expression is shown at the end of the section so it can be used to copy and paste | |||
the string into the expert filter section. | the string into the expert filter section. | ||
==== Using expert filters to start captures ==== | ==== Using expert filters to start captures ==== | ||
The third part of the page allows for starting a download for any criterion combination using complex filter expressions. | The third part of the page allows for starting a download for any criterion combination using complex filter expressions. A capture filter is defined in a C-style syntax and supports combination of AND/OR operators, precedence order with parentheses and equal/not equal comparisons. If the filter exp Session can be evaluated to true, the packet is | ||
A capture filter is defined in a C-style syntax and supports combination of AND/OR operators, precedence order | |||
with parentheses and equal/not equal comparisons. If the filter | |||
captured. | captured. | ||
If a value contains a space, the whole value must be quoted with “”. | If a value contains a space, the whole value must be quoted with “”. | ||
| Line 58: | Line 28: | ||
* '''==''': Will evaluate expression to true if left and right operand are equal. | * '''==''': Will evaluate expression to true if left and right operand are equal. | ||
* '''!=''': Will evaluate expression to true if left and right operand are not equal. | * '''!=''': Will evaluate expression to true if left and right operand are not equal. | ||
Following operands are supported: | Following operands are supported: | ||
* '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match. | * '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match. A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be written in brackets. | ||
A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be | |||
written in brackets. Example: | Example: | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 78: | Line 50: | ||
*'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet | *'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet match. | ||
match. Example: | |||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 86: | Line 59: | ||
|} | |} | ||
* '''port''': A TCP or UDP port. The packet is captured if either source or destination port match. Example: | * '''port''': A TCP or UDP port. The packet is captured if either source or destination port match. | ||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 93: | Line 68: | ||
|} | |} | ||
* '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values | * '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values or value ranges. | ||
or value ranges. Example: | |||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 101: | Line 77: | ||
|} | |} | ||
* '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server | * '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server and not of a client. | ||
and not of a client. Example: | |||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 109: | Line 86: | ||
|} | |} | ||
* '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC | * '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC Protocol Statistics module. | ||
Protocol Statistics module. Example: | |||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 118: | Line 96: | ||
|} | |} | ||
* '''l4Protocol''': A layer 4 protocol such as TCP or UDP. Protocols can also be OR combined as a comma seperated list. Example: | * '''l4Protocol''': A layer 4 protocol such as TCP or UDP. Protocols can also be OR combined as a comma seperated list. | ||
Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 131: | Line 111: | ||
* '''outervlan''': A VLAN tag of an outer VLAN. May be a number or none or any. | * '''outervlan''': A VLAN tag of an outer VLAN. May be a number or none or any. | ||
* '''innervlan''': A VLAN tag of an inner VLAN. May be a number or none or any. | * '''innervlan''': A VLAN tag of an inner VLAN. May be a number or none or any. | ||
* '''multicastGroup''': A multicast IP address or any. The filter will match all IGMP or MLD negotiation packets | * '''multicastGroup''': A multicast IP address or any. The filter will match all IGMP or MLD negotiation packets related to that multicast IP address. | ||
related to that multicast IP address. | * '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with the given payload type. | ||
* '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with | * '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult the Interface stats page. | ||
the given payload type. | |||
* '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult | Example: | ||
the Interface stats page. Example: | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
|- | |- | ||
| Line 147: | Line 126: | ||
* '''profinetFrameId''': A specific Profinet frame ID. | * '''profinetFrameId''': A specific Profinet frame ID. | ||
* '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses. | * '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses. | ||
===== Can also be any for every operation number. Following values are used:===== | ===== Can also be any for every operation number. Following values are used:===== | ||
| Line 173: | Line 154: | ||
For a specific precedence you may use ( '''or''' ) parentheses. | For a specific precedence you may use ( '''or''' ) parentheses. | ||
Examples: | Examples: | ||
* The expression | * The expression | ||
| Line 189: | Line 172: | ||
|- | |- | ||
|} | |} | ||
will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured. | will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured. | ||
* The expression | * The expression | ||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
| Line 197: | Line 181: | ||
|- | |- | ||
|} | |} | ||
will match packets with ICMP or ICMPv6 layer 4 protocols. | will match packets with ICMP or ICMPv6 layer 4 protocols. | ||
* The expression | * The expression | ||
| Line 204: | Line 190: | ||
|- | |- | ||
|} | |} | ||
will match packets to or from port 80 or 443. | will match packets to or from port 80 or 443. | ||
| Line 209: | Line 196: | ||
'''Web interface''' | '''Web interface''' | ||
The capture can be limited to any amount of time or bytes for example to capture only one minute or one megabyte of traffic. | The capture can be limited to any amount of time or bytes for example to capture only one minute or one megabyte of traffic. Below the list of filter criteria there is a button the actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled. | ||
Below the list of filter criteria there is a button the actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled. | |||
{| class="wikitable sortable" | {| class="wikitable sortable" | ||
| Line 236: | Line 222: | ||
==== Capture settings dialog ==== | ==== Capture settings dialog ==== | ||
This dialog appears after a capture button has been clicked. Following settings are possible: | This dialog appears after a capture button has been clicked. Following settings are possible: | ||
* Start time and end time | * Start time and end time | ||
By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis. If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode. The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time. If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is “now”, the capture will start with pushing the “Start capturing” button. The default value of the end time is “unlimited”, the capture will not stop unless stopped manually by clicking on the stop button. Eight buttons offer quick selection of often used time settings. | By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis. If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode. The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time. If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is “now”, the capture will start with pushing the “Start capturing” button. The default value of the end time is “unlimited”, the capture will not stop unless stopped manually by clicking on the stop button. Eight buttons offer quick selection of often used time settings. | ||
* Capture type This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available: | * Capture type This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available: | ||
| Line 264: | Line 252: | ||
* Interface to transmit on | * Interface to transmit on This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected. | ||
This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected. | * ERSPAN target address This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified. | ||
* ERSPAN target address | |||
This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified. | |||
* Transmit speed This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available: | * Transmit speed This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available: | ||
| Line 287: | Line 273: | ||
* Transmit bandwidth in Mbps | * Transmit bandwidth in Mbps | ||
This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section. | This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section. | ||
* Transmit realtime factor This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The | * Transmit realtime factor This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section. | ||
meaning of this value is explained in the Transmit speed section. * Truncate packet length: | * Truncate packet length: | ||
This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence. | This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence. | ||
Possible values are: | Possible values are: | ||
| Line 302: | Line 291: | ||
* PCAP compatibility: | * PCAP compatibility: | ||
This section is only shown when the Capture type is either HTTP or disk. | This section is only shown when the Capture type is either HTTP or disk. | ||