Capturing: Difference between revisions
m (Martin.fesser moved page 5- Capturing to Capturing) |
No edit summary |
||
| (51 intermediate revisions by 8 users not shown) | |||
| Line 1: | Line 1: | ||
With the Allegro Network Multimeter it is | == Introduction == | ||
Network administrators frequently require capturing specific network traffic for troubleshooting intermittent connection issues, analyzing security incidents, or diagnosing performance bottlenecks.<br> | |||
With the Allegro Network Multimeter it is very easy to start and retrieve very specific network packet captures in pcap format.<br>Such pre-filtered pcap files, can then easily be investigated with Allegro Network Multimeter's built in Webshark or a tool like Wireshark. | |||
== How can I create a pcap of a specific IP or MAC address? == | |||
All Allegro Network Multimeter L2-L7 analysis modules, feature dedicated pcap buttons throughout the dashboard, | |||
to <u>very specifically</u> capture most traffic types in a really easy way. | |||
For example; to capture a specific IP address, in the left menu navigate to 'L3 - IP' -> 'IP' statistics.<br> | |||
Then, easily find the desired IP address by sorting and/or a filtered search, and clicking the capture button - [[File:Capture button.png]]. | |||
When a specific time interval is displayed in the dashboard, only the payload during that time interval is extracted. | |||
[[File:IP pcap.png|none|thumb|800x800px|alt=]] | |||
To quickly find an IP address, you can sort the IP table via almost every column. The search bar/filter bar provides a quick method to reduce the table content to your hearts content.<br>This can be done by typing in (fragments of) the | |||
IP address, (fragments of) the DNS name or by entering a "complex" filter. | |||
[[File:Search bar.png|1100px|thumb|alt=|none]] | |||
Another quick way to | Another quick way to create a pcap of a specific address, is to use Allegro Network Multimeter's Simple Capture feature. | ||
to ' | |||
In the menu go to 'Generic' -> 'Capture traffic'. Now, in the "start simple capture" section, toggle the desired capture fields (e.g. MAC, IP), type the address, and click the "Start capture" button. | |||
[[File:Ap-mm-capture-capture-simple.png|600px|thumb|alt=|none]] | |||
== Which settings should I choose? == | |||
== | |||
After | After clicking on the capture button, the dialogue "Choose capture settings" will be | ||
displayed. Here you can limit the start and end time of the capture and select | displayed. Here you can limit the start and end time of the capture and select | ||
whether the | whether to download the pcap file directly to your | ||
computer or | computer or store it on the Allegro Network Multimeter attached storage device. You can | ||
limit the captured packets to | limit the captured packets to a given length if you do not need the full packet | ||
and want a small | and just want a small pcap file that opens faster in Wireshark. | ||
[[File:Choose capture settings.png|none|thumb|600x600px]] | |||
Clicking the "Save capture" button begins the configured capture. | |||
Clicking on the "Webshark preview" will open a basis web-based Wireshark window within the Allegro Network Multimeter web interface. | |||
A fully detailed explanation of the "Choose Capture Settings" dialog is documented in our Wiki here: [[Capture module#Capture settings dialog]] | |||
== How can I extract traffic from the past? == | |||
With the Allegro Network Multimeter packet ring buffer, it is possible to extract traffic from the past as a pcap file. The packet ring buffer is stored on the internal storage device of an Allegro Network Multimeter (if your model is equipped with one), or on an externally attached USB storage device. A fast USB3.x capable SSD is recommended. A USB thumb drive can also be used, but some burst packets may be dropped if the thumb drive write speed is too slow. | |||
You can see an overview about all storage devices that can be used for the Allegro Network Multimeter under 'Generic' -> 'Storage'. | |||
{| | {| | ||
| [[File:Ap-mm-capture-storage.png|600px|thumb|right]] | | [[File:Ap-mm-capture-storage.png|600px|thumb|right]] | ||
|} | |} | ||
An external SSD is attached to the USB port and is not yet activated. Click the | |||
An external SSD is attached to the USB port and is not activated | |||
"Activate" button so the device can be used. If the filesystem of the disk is not | "Activate" button so the device can be used. If the filesystem of the disk is not | ||
suitable for the ring buffer a warning will pop up | suitable for the ring buffer a warning will pop up prompting you to format the disk. | ||
After formatting or activating, the storage page will display information | |||
on disk usage and an overview of all files on the disk. | |||
{| | {| | ||
| [[File:Ap-mm-capture-storage-active.png|600px|thumb|right]] | | [[File:Ap-mm-capture-storage-active.png|600px|thumb|right]] | ||
|} | |} | ||
Now that the storage is active, the ring buffer has to be created if not already | Now that the storage is active, the ring buffer has to be created if not already | ||
prepared during formatting. This can be achieved in 'Generic' -> 'Packet ring buffer'. | |||
Click the "Create ring buffer" button. | |||
{| | {| | ||
| Line 81: | Line 69: | ||
|} | |} | ||
The size of the ring buffer must be specified. If no pcap is required on | |||
the storage device, the ring buffer will use 100% of the storage device capacity. | |||
The size of the ring buffer | |||
the storage device, the ring buffer | |||
{| | {| | ||
| Line 90: | Line 76: | ||
|} | |} | ||
When the packet ring buffer is created and running, the "Packet ring buffer" | |||
statistics page displays information about the ring buffer usage and several | |||
graphs restored or filtered traffic are also displayed. A filter can be applied | |||
to determine which packets are stored in the ring buffer. Check out the chapter [[Packet ring buffer]] for more details. | |||
{| | {| | ||
| | | | ||
| Line 103: | Line 86: | ||
|} | |} | ||
When the packet ring buffer is up and running, any capture may be utilized to | |||
extract traffic from the past. Select a timespan in any graph of the user interface | |||
by left-clicking with the mouse and then click a pcap button. | |||
extract traffic from the past. | |||
by left clicking with the mouse and then | |||
The selected timespan will be displayed in the start and end time fields of the | The selected timespan will be displayed in the start and end time fields of the | ||
"Choose capture settings" | "Choose capture settings" dialogue. | ||
{| | {| | ||
| Line 118: | Line 97: | ||
|} | |} | ||
Start and end | Start and end times can be changed by using the date and time popup window when | ||
selecting the time fields or | selecting the time fields or clicking the dedicated buttons for commonly used times. | ||
If the start time is earlier than the start of the packet ring buffer, it will | If the start time is earlier than the start of the packet ring buffer, it will | ||
be adjusted to the start and a hint will be displayed. | be adjusted to the start and a hint will be displayed. | ||
== Is it possible to plan a future capture? == | |||
Yes. Simply select the desired start time in the "Choose capture settings" dialogue | |||
Yes. Simply select the desired start time in the "Choose capture settings" | |||
and the capture will start with the first packet at that time. | and the capture will start with the first packet at that time. | ||
On the 'Generic' -> 'Capture traffic' page there is also a tab 'Planned captures' where captures to a storage device can be configured and those captures can even be set to automatically repeat. | |||
== Create complex captures with several criteria == | |||
== | |||
Captures can be | Captures can be started with complex filter expressions for a specific capture of e.g. | ||
an IP address or a | an IP address or a Layer 7 protocol. | ||
To | To see a basic overview, start a capture from any module. You can see all running active captures at the capture button at the top bar of the web interface. | ||
{| | {| | ||
| Line 146: | Line 121: | ||
|} | |} | ||
On the "Start simple capture" page, all frequently | |||
On the " | |||
used filter expressions are easily accessible. The resulting expression is | used filter expressions are easily accessible. The resulting expression is | ||
displayed below. | displayed below. | ||
{| | {| | ||
| | | | ||
| Line 157: | Line 130: | ||
|} | |} | ||
This expression can be used and edited in the expert | This expression can be used and edited in the expert filter field. All | ||
filters can be combined with "and" / "&&" or "or" / "||". Parentheses may | filters can be combined with "and" / "&&" or "or" / "||". Parentheses may | ||
be used to clarify precedence. | be used to clarify precedence. | ||
The chapter [[ | The chapter [[Capture_module|Capture module]] explains every possible filter. | ||
== Generate a pcap via the command line == | |||
It is easy to generate a pcap via the command line or in scripts with "curl" | |||
It is | |||
which is a tool available for recent versions of Windows 10, Linux and MacOS. | which is a tool available for recent versions of Windows 10, Linux and MacOS. | ||
Just type: | |||
{| class="wikitable" | {| class="wikitable" | ||
| Line 176: | Line 147: | ||
|} | |} | ||
The user name, password and hostname have to be the same | The user name, password and hostname have to be the same as the ones used to access | ||
the web interface. Every filter expression that can be used in the web interface | the web interface. Every filter expression that can be used in the web interface | ||
can also be used here. | can also be used here. | ||
Check out the chapter [[ | Check out the chapter [[Capture_module|Capture module]] for further information. | ||
== It takes too long to open a pcap file in Wireshark. What can I do? == | |||
== | If you are in a situation where you have a large pcap and are only | ||
If you are in a situation where you have a | interested in the traffic between two specific IP addresses, you can | ||
interested in the traffic between two | use the Allegro Network Multimeter to analyze the pcap file and | ||
use the | extract the specific traffic for post-processing with tools such as | ||
extract the specific traffic for post-processing with | Wireshark. See [[Forensic_pcap_Analysis|Forensic Pcap Analysis]] for details. | ||
Wireshark. See [[ | |||
Latest revision as of 06:51, 30 April 2025
Introduction
Network administrators frequently require capturing specific network traffic for troubleshooting intermittent connection issues, analyzing security incidents, or diagnosing performance bottlenecks.
With the Allegro Network Multimeter it is very easy to start and retrieve very specific network packet captures in pcap format.
Such pre-filtered pcap files, can then easily be investigated with Allegro Network Multimeter's built in Webshark or a tool like Wireshark.
How can I create a pcap of a specific IP or MAC address?
All Allegro Network Multimeter L2-L7 analysis modules, feature dedicated pcap buttons throughout the dashboard, to very specifically capture most traffic types in a really easy way.
For example; to capture a specific IP address, in the left menu navigate to 'L3 - IP' -> 'IP' statistics.
Then, easily find the desired IP address by sorting and/or a filtered search, and clicking the capture button - 
.
When a specific time interval is displayed in the dashboard, only the payload during that time interval is extracted.
To quickly find an IP address, you can sort the IP table via almost every column. The search bar/filter bar provides a quick method to reduce the table content to your hearts content.
This can be done by typing in (fragments of) the
IP address, (fragments of) the DNS name or by entering a "complex" filter.
Another quick way to create a pcap of a specific address, is to use Allegro Network Multimeter's Simple Capture feature.
In the menu go to 'Generic' -> 'Capture traffic'. Now, in the "start simple capture" section, toggle the desired capture fields (e.g. MAC, IP), type the address, and click the "Start capture" button.
Which settings should I choose?
After clicking on the capture button, the dialogue "Choose capture settings" will be displayed. Here you can limit the start and end time of the capture and select whether to download the pcap file directly to your computer or store it on the Allegro Network Multimeter attached storage device. You can limit the captured packets to a given length if you do not need the full packet and just want a small pcap file that opens faster in Wireshark.
Clicking the "Save capture" button begins the configured capture.
Clicking on the "Webshark preview" will open a basis web-based Wireshark window within the Allegro Network Multimeter web interface.
A fully detailed explanation of the "Choose Capture Settings" dialog is documented in our Wiki here: Capture module#Capture settings dialog
How can I extract traffic from the past?
With the Allegro Network Multimeter packet ring buffer, it is possible to extract traffic from the past as a pcap file. The packet ring buffer is stored on the internal storage device of an Allegro Network Multimeter (if your model is equipped with one), or on an externally attached USB storage device. A fast USB3.x capable SSD is recommended. A USB thumb drive can also be used, but some burst packets may be dropped if the thumb drive write speed is too slow.
You can see an overview about all storage devices that can be used for the Allegro Network Multimeter under 'Generic' -> 'Storage'.
An external SSD is attached to the USB port and is not yet activated. Click the "Activate" button so the device can be used. If the filesystem of the disk is not suitable for the ring buffer a warning will pop up prompting you to format the disk. After formatting or activating, the storage page will display information on disk usage and an overview of all files on the disk.
Now that the storage is active, the ring buffer has to be created if not already prepared during formatting. This can be achieved in 'Generic' -> 'Packet ring buffer'. Click the "Create ring buffer" button.
The size of the ring buffer must be specified. If no pcap is required on the storage device, the ring buffer will use 100% of the storage device capacity.
When the packet ring buffer is created and running, the "Packet ring buffer" statistics page displays information about the ring buffer usage and several graphs restored or filtered traffic are also displayed. A filter can be applied to determine which packets are stored in the ring buffer. Check out the chapter Packet ring buffer for more details.
When the packet ring buffer is up and running, any capture may be utilized to extract traffic from the past. Select a timespan in any graph of the user interface by left-clicking with the mouse and then click a pcap button. The selected timespan will be displayed in the start and end time fields of the "Choose capture settings" dialogue.
Start and end times can be changed by using the date and time popup window when selecting the time fields or clicking the dedicated buttons for commonly used times. If the start time is earlier than the start of the packet ring buffer, it will be adjusted to the start and a hint will be displayed.
Is it possible to plan a future capture?
Yes. Simply select the desired start time in the "Choose capture settings" dialogue and the capture will start with the first packet at that time.
On the 'Generic' -> 'Capture traffic' page there is also a tab 'Planned captures' where captures to a storage device can be configured and those captures can even be set to automatically repeat.
Create complex captures with several criteria
Captures can be started with complex filter expressions for a specific capture of e.g. an IP address or a Layer 7 protocol.
To see a basic overview, start a capture from any module. You can see all running active captures at the capture button at the top bar of the web interface.
On the "Start simple capture" page, all frequently used filter expressions are easily accessible. The resulting expression is displayed below.
This expression can be used and edited in the expert filter field. All filters can be combined with "and" / "&&" or "or" / "||". Parentheses may be used to clarify precedence.
The chapter Capture module explains every possible filter.
Generate a pcap via the command line
It is easy to generate a pcap via the command line or in scripts with "curl" which is a tool available for recent versions of Windows 10, Linux and MacOS.
Just type:
| curl -k -u USER:PASSWORD https://allegro-mm-XXXX/API/data/modules/capture?expression=ip==10.1.2.3 > path_to/capture.pcap |
The user name, password and hostname have to be the same as the ones used to access the web interface. Every filter expression that can be used in the web interface can also be used here.
Check out the chapter Capture module for further information.
It takes too long to open a pcap file in Wireshark. What can I do?
If you are in a situation where you have a large pcap and are only interested in the traffic between two specific IP addresses, you can use the Allegro Network Multimeter to analyze the pcap file and extract the specific traffic for post-processing with tools such as Wireshark. See Forensic Pcap Analysis for details.