Allegro Network Multimeter Manual

Capture module: Difference between revisions

Page Discussion

Capture module (view source)

Revision as of 13:16, 4 May 2020

106 bytes removed ,  4 May 2020
no edit summary
No edit summary
Line 2: Line 2:
The Network Multimeter allows direct capturing of network traffic as a HTTP download to your computer. No packet data is stored on the device itself. Traffic can be directly filtered for specific packets, only the relevant packets will be captured. In addition, it is also possible to capture network traffic to an attached storage device, see the settings section below for details. Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow
The Network Multimeter allows direct capturing of network traffic as a HTTP download to your computer. No packet data is stored on the device itself. Traffic can be directly filtered for specific packets, only the relevant packets will be captured. In addition, it is also possible to capture network traffic to an attached storage device, see the settings section below for details. Capturing network traffic is usually started by clicking on a PCAP button in a certain module. These buttons allow
capturing specific traffic, for example for an certain IP address or a network protocol. The capture module allows to configure filter for traffic that has not even started right now, for example for an IP address that is not in use at the moment but later might be used. The capture module page displays all currently running captures and allows starting new captures with specific filters.
capturing specific traffic, for example for an certain IP address or a network protocol. The capture module allows to configure filter for traffic that has not even started right now, for example for an IP address that is not in use at the moment but later might be used. The capture module page displays all currently running captures and allows starting new captures with specific filters.
{| class="wikitable sortable"
|-
|[[File:Generic modules.png|800px|none|right]]
|}


==== Current captures ====
==== Current captures ====
Line 32: Line 37:
Following operands are supported:
Following operands are supported:
* '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match. A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be written in brackets.  
* '''ip''': An IP address. The packet is captured if either source or destination IP address of the packet match. A netmask and a port can also be specified. For IPv6 addresses with a specific port, the address must be written in brackets.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
|   
|   
Line 51: Line 55:


*'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet match.  
*'''mac''': A MAC address. The packet is captured if either source or destination MAC address of the packet match.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
|  mac == 12:34: :56:78:90:ab
|  mac == 12:34: :56:78:90:ab
|-
|-
|}
|}


* '''port''': A TCP or UDP port. The packet is captured if either source or destination port match.  
* '''port''': A TCP or UDP port. The packet is captured if either source or destination port match.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-         
|-         
| port == 80
| port == 80
|-
|-
|}
|}


* '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values or value ranges.  
* '''portrange''': A TCP or UDP port range. The range can be a single number or a comma separated list of values or value ranges.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-                     
|-                     
| portrange == 80,100-120,-10,65000-
| portrange == 80,100-120,-10,65000-
|-
|-
|}
|}


* '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server and not of a client.  
* '''serverport''': A TCP or UDP port of a server. The packet is captured if the given port is a port of the server and not of a client.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| serverport =: = 80
| serverport =: = 80
|-
|-
|}
|}


* '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC Protocol Statistics module.  
* '''macProtocol''': A MAC protocol such as IPv4 or IPv6. For all seen MAC protocols, please consult the MAC Protocol Statistics module.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| macProtocol == IPv4
| macProtocol == IPv4
Line 101: Line 94:
|-
|-
|}
|}


* '''l4Protocol''': A layer 4 protocol such as TCP or UDP. Protocols can also be OR combined as a comma seperated list.  
* '''l4Protocol''': A layer 4 protocol such as TCP or UDP. Protocols can also be OR combined as a comma seperated list.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| l4Protocol == ICMP,ICMPv6
| l4Protocol == ICMP,ICMPv6
|-
|-
|}
|}


* '''l7Protocol''' or '''dpiProtocol''': A layer 7 protocol. Protocols can also be OR combined as a comma seperated list.For all seen protocols please consult the Layer 7 protocols module.
* '''l7Protocol''' or '''dpiProtocol''': A layer 7 protocol. Protocols can also be OR combined as a comma seperated list.For all seen protocols please consult the Layer 7 protocols module.
Line 122: Line 112:
* '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with the given payload type.
* '''rtpPayloadType''': The RTP payload type such as PCMU or MP2T. This filter will match all RTP packets with the given payload type.
* '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult the Interface stats page.  
* '''interface''': The physical interface. This can be a single number or a range. For interface ids please consult the Interface stats page.  
:Example:
:Example:
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| interface == 1,3-5
| interface == 1,3-5
Line 133: Line 122:
* '''ptpMsgType''': A specific PTP message type number or any for the whole PTP traffic.
* '''ptpMsgType''': A specific PTP message type number or any for the whole PTP traffic.
* '''profinetFrameId''': A specific Profinet frame ID.
* '''profinetFrameId''': A specific Profinet frame ID.
* '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses.
* '''profinetCmOpnum''': A specific operation number for Profinet CM (Context Manager) requests or responses. Can also be any for every operation number. Following values are used:
 
 
===== Can also be any for every operation number. Following values are used:=====
 
:#connect
:#connect
:#release
:#release
Line 164: Line 149:
Examples:
Examples:
* The expression
* The expression
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| ip == 10.0.0.1:1234 and ip == 10.1.0.1:9876
| ip == 10.0.0.1:1234 and ip == 10.1.0.1:9876
|-
|-
|}
|}
will match a connection from 10.0.0.1 to 10.1.0.1 or vice versa with the ports 1234 and 9876 involved.
:will match a connection from 10.0.0.1 to 10.1.0.1 or vice versa with the ports 1234 and 9876 involved.
 


* The expression
* The expression
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| ip == 10.0.0.1 and ip != 10.0.0.2
| ip == 10.0.0.1 and ip != 10.0.0.2
|-
|-
|}
|}
will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured.
:will match packets having 10.0.0.1 either as source or destination. If a communication peer of 10.0.0.1 is 10.0.0.2 the packets will not be captured.
 


* The expression
* The expression
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| l4Protocol == ICMP,ICMPv6
| l4Protocol == ICMP,ICMPv6
|-
|-
|}
|}
will match packets with ICMP or ICMPv6 layer 4 protocols.
:will match packets with ICMP or ICMPv6 layer 4 protocols.
 


* The expression
* The expression
{| class="wikitable sortable"   
:{| class="wikitable sortable"   
|-           
|-           
| portrange == 80,443
| portrange == 80,443
|-
|-
|}
|}
will match packets to or from port 80 or 443.
:will match packets to or from port 80 or 443.
 
 
'''Web interface'''


The capture can be limited to any amount of time or bytes for example to capture only one minute or one megabyte of traffic. Below the list of filter criteria there is a button the actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled.
The capture can be limited to any amount of time or bytes for example to capture only one minute or one megabyte of traffic.


{| class="wikitable sortable"
Below the list of filter criteria there is a button the actually start (or stop) the capture. In case the filter expression is invalid, the button is disabled.
|-
|[[File:Generic modules.png|800px|none|right]]
|}


==== Layer 7 protocol capture ====
==== Layer 7 protocol capture ====
Line 214: Line 190:
==== Configuration settings ====
==== Configuration settings ====
By clicking on the gear button on the top right of the Capture web page, you can access the configuration section.
By clicking on the gear button on the top right of the Capture web page, you can access the configuration section.
* Split PCAP file after this size This option can be used to limit the size of the PCAP file when storing to an attached device. Once the captured traffic would exceed this threshold, a new PCAP file with the current time stamp is created and the traffic is written to the new file. If the time stamp is still the same, an index is attached to the filename. When set to 0, no splitting will be done.


* Split PCAP file after this duration This option can be used to limit the duration of the PCAP file when storing to an attached device. The duration starts counting with the start of the capture. Once the captured traffic would exceed the duration, a new PCAP file with the current time stamp is created and the traffic is written to the new file. When set to 0, no splitting will be done. Both split parameters can be combined. The PCAP file will be split as soon as one threshold has been reached.
* Split PCAP file after this size
: This option can be used to limit the size of the PCAP file when storing to an attached device. Once the captured traffic would exceed this threshold, a new PCAP file with the current time stamp is created and the traffic is written to the new file. If the time stamp is still the same, an index is attached to the filename.
: When set to 0, no splitting will be done.
 
* Split PCAP file after this duration
: This option can be used to limit the duration of the PCAP file when storing to an attached device. The duration starts counting with the start of the capture. Once the captured traffic would exceed the duration, a new PCAP file with the current time stamp is created and the traffic is written to the new file.
: When set to 0, no splitting will be done.
: Both split parameters can be combined. The PCAP file will be split as soon as one threshold has been reached.


* The maximum number of concurrent packet ring buffers
* The maximum number of concurrent packet ring buffers
Line 223: Line 205:
: A reboot of the device or a restart of the processing is needed for a change to this option to take effect.
: A reboot of the device or a restart of the processing is needed for a change to this option to take effect.


* The size in MB for the queue of the packet ring buffer This option allows to configure the size of the queue that holds processed packets before they are written to the packet ring buffer. Increasing the size of this queue may help if the disk used for the packet ring buffer cannot keep up with bursts of traffic so that packet drops occur in the packet ring buffer. Be aware that memory allocated to this queue is not available for storing statistics and metadata so that choosing a large value for this queue reduces the overall data storage time. Most users will not need to change this value from the default value. A reboot of the device or a restart of the processing is needed for a change to this option to take effect.
* The size in MB for the queue of the packet ring buffer
: This option allows to configure the size of the queue that holds processed packets before they are written to the packet ring buffer. Increasing the size of this queue may help if the disk used for the packet ring buffer cannot keep up with bursts of traffic so that packet drops occur in the packet ring buffer.
: Be aware that memory allocated to this queue is not available for storing statistics and metadata so that choosing a large value for this queue reduces the overall data storage time.
: Most users will not need to change this value from the default value.
: A reboot of the device or a restart of the processing is needed for a change to this option to take effect.


* The maximum size in MB for the packet reorder buffer when capturing from the packet ring buffer This setting allows to choose the maximum size that the packet reorder buffer may grow to. For performance reasons the packet ring buffer does not ensure a total order of packets when storing them on disk. The packet reorder buffer is used to restore the correct order of packets in a capture when capturing from the packet ring buffer. A larger packet reorder buffer makes it more likely that the packet order can be restored for all packets. The actual amount of memory used for the packet reorder buffer depends on this setting but also on the amount of free memory in the system so that the effectively used amount of memory may be less than this setting indicates.
* The maximum size in MB for the packet reorder buffer when capturing from the packet ring buffer
: This setting allows to choose the maximum size that the packet reorder buffer may grow to. For performance reasons the packet ring buffer does not ensure a total order of packets when storing them on disk. The packet reorder buffer is used to restore the correct order of packets in a capture when capturing from the packet ring buffer. A larger packet reorder buffer makes it more likely that the packet order can be restored for all packets. The actual amount of memory used for the packet reorder buffer depends on this setting but also on the amount of free memory in the system so that the effectively used amount of memory may be less than this setting indicates.


==== Capture settings dialog ====
==== Capture settings dialog ====
Line 231: Line 218:
This dialog appears after a capture button has been clicked. Following settings are possible:
This dialog appears after a capture button has been clicked. Following settings are possible:
* Start time and end time  
* Start time and end time  
:By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis. If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode. The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time. If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is '''now''', the capture will start with pushing the '''Start capturing''' button. The default value of the end time is '''unlimited''', the capture will not stop unless stopped manually by clicking on the stop button. Eight buttons offer quick selection of often used time settings.
: By clicking on the input field or on the calendar icon you can choose the start and end time of the capture. The input field is also editable with keyboard and allows entering a time on a second basis.
 
: If the start time is in the past, the complete capture is performed on the stored data of the capture ring buffer. When the capture reaches the newest packets it still continues to read from the capture ring buffer. The dialog will limit the start time input to the earliest data of the capture ring buffer. Be aware, that a possible capture ring buffer filter was applied on the past data and is also applied on future data in this mode.
: The start time may also be in the future. The capture is scheduled and starts as soon as a packet is received with a time later than the start time.
: If the whole time input field is marked and deleted, the start or end time will reset back to the default value. The default value for start time is '''now''', the capture will start with pushing the '''Start capturing''' button. The default value of the end time is '''unlimited''', the capture will not stop unless stopped manually by clicking on the stop button.
: Eight buttons offer quick selection of often used time settings.


* Packet ring buffer
* Packet ring buffer
:If multiple packet ring buffer clusters are active this dropdown menu allows to choose from which cluster the packets should be captured.
: If multiple packet ring buffer clusters are active this dropdown menu allows to choose from which cluster the packets should be captured.
 
 
* Capture type This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available:
 
 
:'''– HTTP download'''
 
:This is the default method. The capture will start a HTTP download of a PCAP file directly in the browser.
 
 
       
:''' – Disk'''
:This method is only visible if a storage device is active and has some amount of free storage space. The capture will create a PCAP file on the storage device.
:If PCAP export via SFTP is enabled, an additional checkbox is displayed to store the capture file in the export directory, slated for upload according the SFTP export settings.


* Capture type
: This drop down menu allows to choose the method how packets are captured. The last successful setting is persistently stored per user. Following methods are available:


:''' – Interface'''
:* HTTP download
:This mode will transmit the captured packets on a physical network interface. It is not available when the system is analyzing a PCAP file or is analyzing the packet ring buffer.
:: This is the default method. The capture will start a HTTP download of a PCAP file directly in the browser.
:* Disk
:: This method is only visible if a storage device is active and has some amount of free storage space. The capture will create a PCAP file on the storage device.
:: If PCAP export via SFTP is enabled, an additional checkbox is displayed to store the capture file in the export directory, slated for upload according the SFTP export settings.


:* Interface
:: This mode will transmit the captured packets on a physical network interface. It is not available when the system is analyzing a PCAP file or is analyzing the packet ring buffer.


:''' – ERSPAN '''
:* ERSPAN
:This mode will transmit the captured packets encapsulated in a GRE + ERSPAN header on the management interface to a given target IP address. On the target system the  traffic can be  selectively captured using the filter '''ip proto 0x2f''' when using an application like Wireshark or tcpdump.
:: This mode will transmit the captured packets encapsulated in a GRE + ERSPAN header on the management interface to a given target IP address. On the target system the  traffic can be  selectively captured using the filter '''ip proto 0x2f''' when using an application like Wireshark or tcpdump.


* File name
* File name
Line 269: Line 252:
:* %S for seconds
:* %S for seconds


* Interface to transmit on This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected.
* Interface to transmit on
* ERSPAN target address This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified.
: This dropdown menu is only shown when Capture type is Interface. Here the physical interface on which to transmit captured packets can be selected.
* Transmit speed This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available:
 


:'''– none'''
* ERSPAN target address
:No limit will be applied and the packets are transmitted as fast as the network interface and the packet ring buffer allow.
: This section is only shown when Capture type is ERSPAN. Here the target IP address or hostname for the ERSPAN encapsulated packets must be specified.


* Transmit speed
: This dropdown menu is only shown when the Capture type is either Interface or ERSPAN and the start time is in the past so that packets are captured from the packet ring buffer. Here the limiting mode can be chosen which controls how fast captured packets are transmitted. Following modes are available:


:'''– limit to bandwidth'''
:* none
:A bandwidth limit will be applied so that the given bandwidth in Mbps is not exceeded. The bandwidth can be given as a decimal so that e.g. 500kbps can be configured with a value of 0.5.
:: No limit will be applied and the packets are transmitted as fast as the network interface and the packet ring buffer allow.


:'''– realtime factor'''
:* limit to bandwidth
:Packets will be transmitted based on their recorded timing information. This means that with a real time factor of 1.0 packets will be transmitted approximately with the same timing as they were originally received. Using for example a real time factor of 2.0 would transmit the packets with twice the speed than they were received.
:: A bandwidth limit will be applied so that the given bandwidth in Mbps is not exceeded. The bandwidth can be given as a decimal so that e.g. 500kbps can be configured with a value of 0.5.


:* realtime factor
:: Packets will be transmitted based on their recorded timing information. This means that with a real time factor of 1.0 packets will be transmitted approximately with the same timing as they were originally received. Using for example a real time factor of 2.0 would transmit the packets with twice the speed than they were received.


* Transmit bandwidth in Mbps
* Transmit bandwidth in Mbps
:This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.
: This is only shown when limit to bandwidth has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the Transmit speed section.
* Transmit realtime factor This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the :Transmit speed section.
* Truncate packet length:
:This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence.


* Transmit realtime factor
: This is only shown when realtime factor has been selected in the Transmit speed dropdown menu. The meaning of this value is explained in the :Transmit speed section.


Possible values are:
* Truncate packet length:
 
: This dropdown menu is only shown when the Capture type is either HTTP or disk. You can truncate captured Packets with this setting. All packets will be captured, but truncated to the given length if they are longer than this setting. The length setting is applied on layer 2 without frame check sequence.
:'''– Full length '''
: Possible values are:
 
:* Full length
:'''– 64 Bytes '''
:* 64 Bytes
 
:* 1500 Bytes
:'''– 1500 Bytes '''
:* Custom length with an input field for inserting any length between 64 and 15378 Bytes
 
:'''– Custom length with an input field for inserting any length between 64 and 15378 Bytes '''
 


* PCAP compatibility:
* PCAP compatibility:
: This section is only shown when the Capture type is either HTTP or disk.
:* Omit interface ID
:: Enabling this option will generate a PCAP file that only contains a single interface and treats all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.


 
After pushing the '''Start capture''' button, the capture starts.
This section is only shown when the Capture type is either HTTP or disk.
 
:'''– Omit interface ID:''' Enabling this option will generate a PCAP file that only contains a single interface and treats all packets as if they arrived on that interface. This may improve compatibility with third party software that cannot handle PCAPs with multiple interfaces IDs.
:After pushing the '''Start capture''' button, the capture starts.


==== Webshark ====
==== Webshark ====
Line 320: Line 300:
{| class="wikitable sortable"   
{| class="wikitable sortable"   
|-           
|-           
| curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture? startTime=1517306266000000&endTime=1517309267000000&expression=l7Protocol==HTTP& snapPacketLength=65535&fromCaptureBuffer=true' > path_to/capture.pcap
| curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?startTime=1517306266000000&endTime=1517309267000000&expression=l7Protocol==HTTP&snapPacketLength=65535&fromCaptureBuffer=true' > path_to/capture.pcap
|-
|-
|}
|}
Ralf
547

edits

Retrieved from "https://allegro-packets.com/wiki/Special:MobileDiff/2530"