Ring Buffer Configuration Guide: Difference between revisions
mNo edit summary |
|||
| (45 intermediate revisions by 7 users not shown) | |||
| Line 1: | Line 1: | ||
This section describes the ''' | This section describes the '''ring buffer''' configuration and options for the Allegro Network Multimeter. | ||
== What is the ''' | == What is the '''ring buffer?''' == | ||
[[File:Historic capture dialog.png|thumb|300px]] | [[File:Historic capture dialog.png|thumb|300px]] | ||
The ''' | The '''ring buffer''' is a packet buffer. It stores raw Ethernet packets on one or many '''storage devices'''. A '''storage device''' is an internal or external HDD or SSD. If the buffer is full, it will overwrite the oldest packets in a circular manner. The '''ring buffer''' is an optional feature for the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory-Database. | ||
Allegro recommend to take a look at the [https://allegro-packets.com/en/resources-service/whitepaper/whitepaper-paket-ring-buffer | Allegro recommend you to take a look at the [https://allegro-packets.com/en/resources-service/whitepaper/whitepaper-paket-ring-buffer ring buffer White Paper] from the Allegro Packets website. | ||
The '''Webshark''' and the ''' | The '''Webshark''' and the '''pcap''' extraction works with historic dates as in the screenshot here on the right. This dialogue is shown by using the '''pcap''' button in the Allegro User Interface. The Allegro Network Multimeter will search for all packets in the '''ring buffer''' if they match the criteria and extracts the packets. | ||
If there is no ''' | If there is no '''ring buffer''' configured, the Allegro Network Multimeter allows a '''pcap''' extraction of live traffic only. | ||
== Different ''' | == Different '''ring buffer''' storages == | ||
The '''Ring Buffer''' supports 2 different | The '''Packet Ring Buffer''' supports 2 different way to add storage space. | ||
Storage space can be allocated on active storage devices to share the space of a storage device between the Packet Ring Buffer and e.g. capture PCAPs on the storage device. If multiple Packet Ring Buffers are used they can allocate space on the same storage device. This is only recommended with fast storage devices like SSDs. | |||
The ''' | The '''Packet Ring Buffer''' also allows to add one or multiple whole disks. It allows having a separate disk for pcap files which allows fast '''ring buffer''' and fast '''pcap to disk''' writes at the same time. | ||
== '''Single | == '''Single shared ring buffer''' == | ||
The | The single shared ring buffer is the default setup on all Allegro Network Multimeters that are shipped with '''one''' internal or external storage device. This is designed for using '''ONE''' internal, external or iSCSI storage device. ( Please see the section [[#iSCSI ring buffer|iSCSI ring buffer]] for more information ). You can check at '''Generic''' → '''Storage''' if the Allegro Network Multimeter has detected a storage device. Here an example of ONE attached disk: | ||
[[File:Storage no device active.png|border|600px]] | [[File:Storage no device active.png|border|600px]] | ||
You can activate and deactivate the storage device for | You can activate and deactivate the storage device for pcap files here. You can also format new disks by using the format option and erase the content of a disk if required. If the disk has not been formatted before, press the ''Format'' button here. It will show the dialogue: | ||
[[File:Format disk dialogue.png|border|300px]] | [[File:Format disk dialogue.png|border|300px]] | ||
Here you can decide whether disk encryption will be used or not, see [[#Encryption]] below. You can also decide if and how much space can be used for the ''' | Here you can decide whether disk encryption will be used or not, see [[#Encryption|Encryption]] below. You can also decide if and how much space can be used for the '''packet ring buffer'''. Please note that you cannot save any pcap files to the external disk when you use '''100 %''' for the '''ring buffer'''. | ||
If the disk has been formatted, you can continue with the configuration of the ''' | If the disk has been formatted, you can continue with the configuration of the '''ring buffer''' at '''Generic''' → '''ring buffer'''. If you have created a disk with a ring buffer, you should see the statistics of the buffer as in the screenshot here below. | ||
[[File:Running packet ring buffer.png|600px]] | [[File:Running packet ring buffer.png|border|600px]] | ||
The | The ring buffer is now running and all pcap buttons will work for historic dates. For advanced setup, please continue at the section [[#Filter Rules|Filter Rules]]. | ||
== ''' | == '''Packet Ring Buffer with multiple disks''' == | ||
The | The Packet Ring Buffer with multiple disks is active on all Allegro Network Multimeters that are shipped with '''two or more''' internal or external storage devices. | ||
By default, the Allegro Network Multimeter uses '''One''' | By default, the Allegro Network Multimeter uses '''One''' Packet Ring Buffer. If you need more, please open the Settings menu at the top right corner. | ||
[[File:Settings button.png|100px]] | [[File:Settings button.png|border|100px]] | ||
Here you can increase the number of | Here you can increase the number of Packet Ring Buffers. We will continue this tutorial with 2 Packet Ring Buffers to show the full flexibility of the Allegro Network Multimeter. Please note that you need to restart the processing when you change the parameter. This can be done at '''Settings''' → '''Administration''' → '''Restart processing'''. | ||
[[File:Cluster ring buffer initial startup.png|border|600px]] | [[File:Cluster ring buffer initial startup.png|border|600px]] | ||
As a next step, please select the configuration for the | As a next step, please select the configuration for the Packet Ring Buffer. | ||
[[File:Cluster ring buffer configuration.png|border|600px]] | [[File:Cluster ring buffer configuration.png|border|600px]] | ||
Please select here '''Add to | Please select here '''Add to Packet Ring Buffer''' to format a disk and add it to the Packet Ring Buffer. Once you have added disks to a Packet Ring Buffer, the packets will be written to the storage device. | ||
[[File:Cluster ring buffer with disks.png|border|600px]] | [[File:Cluster ring buffer with disks.png|border|600px]] | ||
| Line 69: | Line 59: | ||
== Filter Rules == | == Filter Rules == | ||
Both | Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets are stored to the disk. Each ring buffer can be configured by a separate list of rules. All packets that do not match a condition are captured. The first matching condition is applied to the packets. | ||
=== Filter rule conditions === | === Filter rule conditions === | ||
| Line 75: | Line 65: | ||
The Allegro Network Multimeter supports packet slicing with the following conditions: | The Allegro Network Multimeter supports packet slicing with the following conditions: | ||
* All packets → matches on all | * All packets → matches on all Ethernet packets | ||
* MAC address → matches a specific L2 MAC address | * MAC address → matches a specific L2 MAC address | ||
* IP Address and IP Subnet → matches a specific IP address and | * IP Address and IP Subnet → matches a specific IP address and subnet, works for IPv4 and IPv6 | ||
* TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port | * TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port | ||
* L7 Protocol → matches one of the built-in L7 | * L7 Protocol → matches one of the built-in L7 protocols | ||
* Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame | * Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame. It is also possible to match packets that have no VLAN tag at all by choosing 'no VLAN' from the drop-down menu or match packets with an arbitrary VLAN tag by choosing 'any VLAN' form the drop-down menu | ||
* Interface → matches a specific network interface | * Interface → matches a specific network interface | ||
* SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow | * SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow | ||
* Virtual Link Group → matches a virtual link group | * Virtual Link Group → matches a virtual link group | ||
* IP group → matches an IP group | |||
* SSL after handshake → matches packets of SSL connections that occur after the SSL handshake | |||
All conditions can be negated to match everything except an IP subnet and similar. | All conditions can be negated to match everything except an IP subnet and similar. | ||
| Line 91: | Line 83: | ||
The following items are supported as actions: | The following items are supported as actions: | ||
* Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet | * Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet | ||
* Discard → do not capture this packet | * Discard → do not capture this packet | ||
* Full → capture the full packet | * Full → capture the full packet | ||
* Header+Data → capture only up to L3 or L4 or a specified | * Header+Data → capture only up to L3 or L4 or a specified quantity of L7 bytes. | ||
=== Filter rule examples === | === Filter rule examples === | ||
Filter rules can be set up below the statistics of each | Filter rules can be set up below the statistics of each ring buffer. This is a list of the most-used filter rules. Note that you can combine these rules. | ||
==== Capture all traffic from and to a single IP ==== | ==== Capture all traffic from and to a single IP ==== | ||
This use case is valid when you need to investigate the packets of one IP but you need the statistics of the total link. This is a | This use case is valid when you need to investigate the packets of one IP but you need the statistics of the total link. This is a common use case where the link bandwidth is above the ring buffer write rate. As an example, it can occur when you monitor a heavy loaded 10G or 40G link with a single HDD as the ring buffer device. | ||
You need to set up 2 rules to capture only one single IP. The first rule matches the IP address and captures the entire payload, the second rule drops all packets. This will also drop all non-IP packets like ARP requests. | You need to set up 2 rules to capture only one single IP. The first rule matches the IP address and captures the entire payload, the second rule drops all packets. This will also drop all non-IP packets like ARP requests. | ||
| Line 108: | Line 100: | ||
[[File:Ring buffer filter one ip.png|border|600px]] | [[File:Ring buffer filter one ip.png|border|600px]] | ||
==== Capture SSL traffic | ==== Capture only the handshake of SSL traffic and limit the encrypted part to L4 ==== | ||
Also a common use case is to not capture encrypted content. This can be done by setting up a rule for | Also a common use case is to not capture encrypted content. This can be done by setting up a rule for SSL after handshake packets to capture only up to the L4 header for IP and TCP investigation. This can be configured with the following settings: | ||
[[File:Ring buffer rule create ssl | [[File:Ring buffer rule create ssl after handshake.png|alt=|border|399x399px]] | ||
The configured rule will look like: | The configured rule will look like: | ||
[[File:Ring buffer rule ssl | [[File:Ring buffer rule ssl after handshake.png|alt=|border|600x600px]] | ||
==== Capture full SIP, capture RTP to the first 12 bytes of the payload and drop all other packets ==== | ==== Capture full SIP, capture RTP to the first 12 bytes of the payload and drop all other packets ==== | ||
| Line 123: | Line 115: | ||
[[File:Ring buffer rule sip rtp.png|border|600px]] | [[File:Ring buffer rule sip rtp.png|border|600px]] | ||
==== Capture all packets except SIP and RTP ==== | |||
This use case is very common for all environments where no voice is allowed to be captured. Here is the example rule setup: | |||
[[File:Ring buffer rule drop sip rtp.png|600px]] | |||
== Performance == | == Performance == | ||
=== Disk write | === Disk read and write performance === | ||
Hard disk drives have a high constant write rate when only one write is active. | |||
The Allegro Network Multimeter has a ''write first'' policy on the | The Allegro Network Multimeter has a ''write first'' policy on the ring buffer devices. The Allegro Network Multimeter prioritizes writes over reads for storage. A pcap read can be very slow when there is a high write rate to the ring buffer. | ||
=== Concurrent ''' | === Concurrent '''ring buffer''' and live '''pcap''' recording === | ||
Note that HDDs are not made for 2 simultaneous write streams. The write rate will be very low if you capture a live pcap to the single shared storage device while having an active ring buffer. Please use the browser download feature, different disks with the Packet Ring Buffer or pause the ring buffer while capturing the live pcap. | |||
=== Buffering traffic peaks or disk slowdowns === | === Buffering traffic peaks or disk slowdowns === | ||
Note that most HDDs and SSDs do not have a guaranteed write rate. Especially HDDs via the USB or SATA3 protocol can have downtimes of hundreds of milliseconds between writes. Each ring buffer uses a certain amount of memory to buffer traffic peaks. This buffer can be configured at the '''Settings''' of the '''ring buffer'''. | |||
[[File:Ring buffer queue resize config.png|border|800px]] | [[File:Ring buffer queue resize config.png|border|800px]] | ||
You can check if the queue length is | You can check if the queue length is large enough with the '''Bytes in Flight''' graph and the '''Dropped Bytes''' graph in the ring buffer statistics. | ||
[[File:Ring buffer data in flight.png|border|800px]] | [[File:Ring buffer data in flight.png|border|800px]] | ||
== iSCSI | == iSCSI ring buffer == | ||
'''''DISCLAIMER''' Whenever possible, use a direct-connected exclusive external storage device via USB. The Allegro Network Multimeter can control the USB channel far better than an iSCSI channel due exclusivity.'' | '''''DISCLAIMER''' Whenever possible, use a direct-connected exclusive external storage device via USB. The Allegro Network Multimeter can control the USB channel far better than an iSCSI channel due to exclusivity.'' | ||
The iSCSI | The iSCSI ring buffer feature allows you to mount an iSCSI volume via the management interface. Allegro recommends to use this feature only for capture rates up to 1GBit/s. The iSCSI controller will have an exclusive low-latency connection to the Allegro Network Multimeter and the rate shall be exclusive to the Allegro Network Multimeter. Also, the management traffic between the Allegro Network Multimeter and the iSCSI rate will not be monitored by the Allegro Network Multimeter to prevent a write loop. | ||
If the | If the rate is non-exclusive, other reads or writes will heavily reduce the constant write rate. Note that the iSCSI connection is not encrypted. | ||
== Advanced Options == | == Advanced Options == | ||
| Line 162: | Line 160: | ||
The Allegro Network Multimeter uses an '''AES256 LUKS encryption container''' for encrypted single shared ring buffers. You can connect and mount the encrypted disk with many Linux Distributions. It will ask for your password to mount the container. | The Allegro Network Multimeter uses an '''AES256 LUKS encryption container''' for encrypted single shared ring buffers. You can connect and mount the encrypted disk with many Linux Distributions. It will ask for your password to mount the container. | ||
The Allegro uses hardware encryption if available. The Allegro 200 does not have HW encryption support and can encrypt up to 400MBit/s in software. All other Allegro devices can encrypt with 2GB/s by using the built-in hardware encryption. | The Allegro Network Multimeter uses hardware encryption if available. The Allegro 200 does not have HW encryption support and can encrypt up to 400MBit/s in software. All other Allegro devices can encrypt with 2GB/s by using the built-in hardware encryption. | ||
The Allegro Network Multimeter does ''not'' store the password of the encrypted device on the disk. you need to re-enter the password if you unmount, reboot or power-off the Allegro Network Multimeter. | |||
The encryption is not available when entire disks are used in the Packet Ring Buffer. | |||
==== Random, device specific passwords ==== | |||
The | Randomly generated password can be used for the encrypted storage device. When used, the storage can be activated and deactivated without entering the password. Also, the storage device is automatically activated on system start/restart. | ||
The password is stored encrypted on the device and cannot be moved to a different device. The password is also deleted on a configuration reset of the Allegro Network Multimeter. | |||
Since the password is stored on the Allegro Network Multimeter, the storage device cannot be used on a different Allegro Network Multimeter without reformatting. | |||
When the key is removed (on configuration reset or reformat), it cannot be restored! | |||
Latest revision as of 12:17, 18 September 2024
This section describes the ring buffer configuration and options for the Allegro Network Multimeter.
What is the ring buffer?
The ring buffer is a packet buffer. It stores raw Ethernet packets on one or many storage devices. A storage device is an internal or external HDD or SSD. If the buffer is full, it will overwrite the oldest packets in a circular manner. The ring buffer is an optional feature for the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory-Database.
Allegro recommend you to take a look at the ring buffer White Paper from the Allegro Packets website.
The Webshark and the pcap extraction works with historic dates as in the screenshot here on the right. This dialogue is shown by using the pcap button in the Allegro User Interface. The Allegro Network Multimeter will search for all packets in the ring buffer if they match the criteria and extracts the packets.
If there is no ring buffer configured, the Allegro Network Multimeter allows a pcap extraction of live traffic only.
Different ring buffer storages
The Packet Ring Buffer supports 2 different way to add storage space. Storage space can be allocated on active storage devices to share the space of a storage device between the Packet Ring Buffer and e.g. capture PCAPs on the storage device. If multiple Packet Ring Buffers are used they can allocate space on the same storage device. This is only recommended with fast storage devices like SSDs.
The Packet Ring Buffer also allows to add one or multiple whole disks. It allows having a separate disk for pcap files which allows fast ring buffer and fast pcap to disk writes at the same time.
The single shared ring buffer is the default setup on all Allegro Network Multimeters that are shipped with one internal or external storage device. This is designed for using ONE internal, external or iSCSI storage device. ( Please see the section iSCSI ring buffer for more information ). You can check at Generic → Storage if the Allegro Network Multimeter has detected a storage device. Here an example of ONE attached disk:
You can activate and deactivate the storage device for pcap files here. You can also format new disks by using the format option and erase the content of a disk if required. If the disk has not been formatted before, press the Format button here. It will show the dialogue:
Here you can decide whether disk encryption will be used or not, see Encryption below. You can also decide if and how much space can be used for the packet ring buffer. Please note that you cannot save any pcap files to the external disk when you use 100 % for the ring buffer.
If the disk has been formatted, you can continue with the configuration of the ring buffer at Generic → ring buffer. If you have created a disk with a ring buffer, you should see the statistics of the buffer as in the screenshot here below.
The ring buffer is now running and all pcap buttons will work for historic dates. For advanced setup, please continue at the section Filter Rules.
Packet Ring Buffer with multiple disks
The Packet Ring Buffer with multiple disks is active on all Allegro Network Multimeters that are shipped with two or more internal or external storage devices.
By default, the Allegro Network Multimeter uses One Packet Ring Buffer. If you need more, please open the Settings menu at the top right corner.
Here you can increase the number of Packet Ring Buffers. We will continue this tutorial with 2 Packet Ring Buffers to show the full flexibility of the Allegro Network Multimeter. Please note that you need to restart the processing when you change the parameter. This can be done at Settings → Administration → Restart processing.
As a next step, please select the configuration for the Packet Ring Buffer.
Please select here Add to Packet Ring Buffer to format a disk and add it to the Packet Ring Buffer. Once you have added disks to a Packet Ring Buffer, the packets will be written to the storage device.
Filter Rules
Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets are stored to the disk. Each ring buffer can be configured by a separate list of rules. All packets that do not match a condition are captured. The first matching condition is applied to the packets.
Filter rule conditions
The Allegro Network Multimeter supports packet slicing with the following conditions:
- All packets → matches on all Ethernet packets
- MAC address → matches a specific L2 MAC address
- IP Address and IP Subnet → matches a specific IP address and subnet, works for IPv4 and IPv6
- TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port
- L7 Protocol → matches one of the built-in L7 protocols
- Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame. It is also possible to match packets that have no VLAN tag at all by choosing 'no VLAN' from the drop-down menu or match packets with an arbitrary VLAN tag by choosing 'any VLAN' form the drop-down menu
- Interface → matches a specific network interface
- SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow
- Virtual Link Group → matches a virtual link group
- IP group → matches an IP group
- SSL after handshake → matches packets of SSL connections that occur after the SSL handshake
All conditions can be negated to match everything except an IP subnet and similar.
Filter rule actions
The following items are supported as actions:
- Snapshot Length → byte packet slicing; allows for the capture of only a certain number of bytes per packet
- Discard → do not capture this packet
- Full → capture the full packet
- Header+Data → capture only up to L3 or L4 or a specified quantity of L7 bytes.
Filter rule examples
Filter rules can be set up below the statistics of each ring buffer. This is a list of the most-used filter rules. Note that you can combine these rules.
Capture all traffic from and to a single IP
This use case is valid when you need to investigate the packets of one IP but you need the statistics of the total link. This is a common use case where the link bandwidth is above the ring buffer write rate. As an example, it can occur when you monitor a heavy loaded 10G or 40G link with a single HDD as the ring buffer device.
You need to set up 2 rules to capture only one single IP. The first rule matches the IP address and captures the entire payload, the second rule drops all packets. This will also drop all non-IP packets like ARP requests.
Capture only the handshake of SSL traffic and limit the encrypted part to L4
Also a common use case is to not capture encrypted content. This can be done by setting up a rule for SSL after handshake packets to capture only up to the L4 header for IP and TCP investigation. This can be configured with the following settings:
The configured rule will look like:
Capture full SIP, capture RTP to the first 12 bytes of the payload and drop all other packets
This is a common VoIP use case where you are allowed to capture the signaling traffic and the RTP header ( 12 bytes ) but not the RTP traffic payload. Here is the example rule setup:
Capture all packets except SIP and RTP
This use case is very common for all environments where no voice is allowed to be captured. Here is the example rule setup:
Performance
Disk read and write performance
Hard disk drives have a high constant write rate when only one write is active.
The Allegro Network Multimeter has a write first policy on the ring buffer devices. The Allegro Network Multimeter prioritizes writes over reads for storage. A pcap read can be very slow when there is a high write rate to the ring buffer.
Concurrent ring buffer and live pcap recording
Note that HDDs are not made for 2 simultaneous write streams. The write rate will be very low if you capture a live pcap to the single shared storage device while having an active ring buffer. Please use the browser download feature, different disks with the Packet Ring Buffer or pause the ring buffer while capturing the live pcap.
Buffering traffic peaks or disk slowdowns
Note that most HDDs and SSDs do not have a guaranteed write rate. Especially HDDs via the USB or SATA3 protocol can have downtimes of hundreds of milliseconds between writes. Each ring buffer uses a certain amount of memory to buffer traffic peaks. This buffer can be configured at the Settings of the ring buffer.
You can check if the queue length is large enough with the Bytes in Flight graph and the Dropped Bytes graph in the ring buffer statistics.
iSCSI ring buffer
DISCLAIMER Whenever possible, use a direct-connected exclusive external storage device via USB. The Allegro Network Multimeter can control the USB channel far better than an iSCSI channel due to exclusivity.
The iSCSI ring buffer feature allows you to mount an iSCSI volume via the management interface. Allegro recommends to use this feature only for capture rates up to 1GBit/s. The iSCSI controller will have an exclusive low-latency connection to the Allegro Network Multimeter and the rate shall be exclusive to the Allegro Network Multimeter. Also, the management traffic between the Allegro Network Multimeter and the iSCSI rate will not be monitored by the Allegro Network Multimeter to prevent a write loop. If the rate is non-exclusive, other reads or writes will heavily reduce the constant write rate. Note that the iSCSI connection is not encrypted.
Advanced Options
Disk format
The Allegro Network Multimeter uses EXT4 for all formatted file systems for the ring buffer. EXT4 file systems support advanced features that are mandatory to capture with full SSD speed.
Encryption
The Allegro Network Multimeter uses an AES256 LUKS encryption container for encrypted single shared ring buffers. You can connect and mount the encrypted disk with many Linux Distributions. It will ask for your password to mount the container. The Allegro Network Multimeter uses hardware encryption if available. The Allegro 200 does not have HW encryption support and can encrypt up to 400MBit/s in software. All other Allegro devices can encrypt with 2GB/s by using the built-in hardware encryption.
The Allegro Network Multimeter does not store the password of the encrypted device on the disk. you need to re-enter the password if you unmount, reboot or power-off the Allegro Network Multimeter.
The encryption is not available when entire disks are used in the Packet Ring Buffer.
Random, device specific passwords
Randomly generated password can be used for the encrypted storage device. When used, the storage can be activated and deactivated without entering the password. Also, the storage device is automatically activated on system start/restart. The password is stored encrypted on the device and cannot be moved to a different device. The password is also deleted on a configuration reset of the Allegro Network Multimeter. Since the password is stored on the Allegro Network Multimeter, the storage device cannot be used on a different Allegro Network Multimeter without reformatting. When the key is removed (on configuration reset or reformat), it cannot be restored!