Capturing: Difference between revisions

122 bytes removed, 9 April 2020
no edit summary
m (Martin.fesser moved page 5- Capturing to Capturing)
No edit summary
Line 2: Line 2:
PCAP format which can be opened in tools such as Wireshark.
PCAP format which can be opened in tools such as Wireshark.


<br>
== How can I get a PCAP of a certain IP or MAC address? ==
== ''' How can I get a PCAP of a certain IP or MAC address?''' ==
The different modules of the Allegro Network Multimeter provide a dedicated PCAP button
The different modules of the *Allegro Network Multimeter* provide a dedicated PCAP button
for nearly every type of traffic that allows to capture that particular
for nearly every type of traffic that allows to capture that particular
traffic. For capturing a certain IP address go to 'IP' -> 'IP' statistics, navigate to
traffic. For capturing a certain IP address go to 'IP' -> 'IP' statistics, navigate to
the desired IP address and push the PCAP button.
the desired IP address and push the PCAP button.
{|  
{|  
| [[File:Ap-mm-capture-ip-statistics.png|600px|thumb|right]]
| [[File:Ap-mm-capture-ip-statistics.png|600px|thumb|right]]
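Review bot: the `'''` bold wrapped around the heading text in `== ''' How can I get a PCAP of a certain IP or MAC address?''' ==` is redundant, since `==` section headings already render bold, and the extra leading space inside the bold makes heading spacing differ from section to section; keep the plain `== How can I get a PCAP of a certain IP or MAC address? ==`. The asterisks in `*Allegro Network Multimeter*` are not emphasis in wikitext and will appear literally in the rendered page; use `''Allegro Network Multimeter''` for italics. Minor wording: "that allows to capture that particular traffic" should be "that allows capturing that particular traffic".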
Line 19: Line 19:
to 'Generic' -> 'Capture traffic', enable the MAC switch, set an address and push the
to 'Generic' -> 'Capture traffic', enable the MAC switch, set an address and push the
"Start capture" button.
"Start capture" button.


{|  
{|  
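Review bot: the UI labels in this hunk are quoted inconsistently, `'Generic' -> 'Capture traffic'` in single quotes and `"Start capture"` in double quotes; settle on one convention (the double quotes used for dialog names elsewhere on the page) so a reader can tell menu paths from button labels at a glance.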
Line 25: Line 24:
|}
|}


 
== What settings shall I choose? ==
<br>
== ''' What settings shall I choose?''' ==


After pushing the capture button the dialog "Choose capture settings" will be
After pushing the capture button the dialog "Choose capture settings" will be
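Review bot: the `<br>` inserted in place of the blank line before `== ''' What settings shall I choose?''' ==` adds a stray line break above the heading; MediaWiki already spaces section headings, and since the same `<br>` is repeated before every heading in this revision the page gains uneven gaps that a plain blank line would not produce. The heading itself reads more naturally as "What settings should I choose?".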
Line 42: Line 39:
Pushing the "Start capture" begins the capture.
Pushing the "Start capture" begins the capture.


<br>
== How can I extract traffic from the past? ==
== '''How can I extract traffic from the past? ''' ==


By using the packet ring buffer of the *Allegro Network Multimeter* it is
By using the packet ring buffer of the Allegro Network Multimeter it is
possible to extract traffic from the past and create a PCAP. The packet ring
possible to extract traffic from the past and create a PCAP. The packet ring
buffer is stored on the external storage device that is attached to the USB
buffer is stored on the external storage device that is attached to the USB
port or an internal storage device if your *Allegro Network Multimeter* is
port or an internal storage device if your Allegro Network Multimeter is
equipped with one. As external device a fast USB3 capable SSD is recommended. An
equipped with one. As external device a fast USB3 capable SSD is recommended. An
USB thumb drive can be used, too, but some packets of a burst may be dropped if the
USB thumb drive can be used, too, but some packets of a burst may be dropped if the
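Review bot: `Pushing the "Start capture" begins the capture.` is missing the word "button" (an earlier hunk writes `push the "Start capture" button`). This hunk also removes the asterisks from `*Allegro Network Multimeter*` on two lines while the first hunk adds them, so the product name ends up styled both ways within one revision; pick one form (wikitext `''...''` if emphasis is wanted). Grammar: "An USB thumb drive" should be "A USB thumb drive", and "As external device a fast USB3 capable SSD is recommended" reads better as "As the external device, a fast USB3-capable SSD is recommended".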
Line 59: Line 55:
| [[File:Ap-mm-capture-storage.png|600px|thumb|right]]
| [[File:Ap-mm-capture-storage.png|600px|thumb|right]]
|}
|}


An external SSD is attached to the USB port and is not activated yet. Push the
An external SSD is attached to the USB port and is not activated yet. Push the
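Review bot: `[[File:Ap-mm-capture-storage.png|600px|thumb|right]]` carries no caption, so the thumbnail does not tell the reader which screen it shows; a short caption (the sentence that follows, "external SSD attached but not activated yet", fits) also gives the image alt text for accessibility. The same applies to the other `thumb` images in this diff.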
Line 70: Line 65:
| [[File:Ap-mm-capture-storage-active.png|600px|thumb|right]]
| [[File:Ap-mm-capture-storage-active.png|600px|thumb|right]]
|}
|}


Now that the storage is active, the ring buffer has to be created if not already
Now that the storage is active, the ring buffer has to be created if not already
Line 80: Line 73:
| [[File:Ap-mm-capture-create-ring-buffer.png|600px|thumb|right]]
| [[File:Ap-mm-capture-create-ring-buffer.png|600px|thumb|right]]
|}
|}


The size of the ring buffer has to be specified. If no PCAP shall be stored on
The size of the ring buffer has to be specified. If no PCAP shall be stored on
Line 89: Line 80:
|[[File:Ap-mm-capture-ring-buffer-size.png|600px|thumb|right]]
|[[File:Ap-mm-capture-ring-buffer-size.png|600px|thumb|right]]
|}
|}


When the packet ring buffer is created and running, the "Packet ring buffer"
When the packet ring buffer is created and running, the "Packet ring buffer"
Line 97: Line 85:
graphs about stored or filtered traffic are displayed. A filter can be applied
graphs about stored or filtered traffic are displayed. A filter can be applied
to control which packets are stored in the ring buffer. Check out the chapter
to control which packets are stored in the ring buffer. Check out the chapter
[[3-_Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]] for more details.
[[Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]] for more details.
 
{|  
{|  
|  
|  
[[File:Ap-mm-capture-ring-buffer-statistics.png|600px|thumb|right]]
[[File:Ap-mm-capture-ring-buffer-statistics.png|600px|thumb|right]]
|}
|}


Now that the packet ring buffer is up and running, any capture can use it and
Now that the packet ring buffer is up and running, any capture can use it and
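Review bot: the link target change from `[[3-_Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]]` to `[[Generic_modules(Teil_3)#Packet_ring_buffer|Packet ring buffer]]` only works if the `3-_Generic_modules(Teil_3)` page was moved the same way this revision moved `5- Capturing` to `Capturing`; please confirm the target page exists and that the `Packet_ring_buffer` anchor is still present there, otherwise this becomes a redlink. The other chapter links in this diff still use the numbered form `1-_Generic_modules(Teil_1)#Capture_module`, so the link style is now mixed and should be updated in one pass. Small wording point: "graphs about stored or filtered traffic" reads better as "graphs of stored and filtered traffic", and "Check out the chapter" can simply be "See".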
Line 123: Line 108:
be adjusted to the start and a hint will be displayed.
be adjusted to the start and a hint will be displayed.


 
== Is it possible to plan a capture in the future? ==
<br>
== ''' Is it possible to plan a capture in the future?''' ==


Yes. Simply select the desired start time in the "Choose capture settings" dialog
Yes. Simply select the desired start time in the "Choose capture settings" dialog
and the capture will start with the first packet at that time.
and the capture will start with the first packet at that time.


 
== Create complex captures with several criteria ==
<br>
== ''' Create complex captures with several criteria''' ==


Captures can be stared with complex filter expressions for a specific capture of e.g.
Captures can be stared with complex filter expressions for a specific capture of e.g.
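Review bot: typo on the unchanged context line `Captures can be stared with complex filter expressions`; "stared" should be "started", and since this revision does not touch that line it needs a follow-up edit. The heading "Is it possible to plan a capture in the future?" would read more naturally as "Is it possible to schedule a capture?", and the `<br>` inserted before it adds a stray line break that a section heading does not need.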
Line 145: Line 126:
[[File:Ap-mm-capture-filter-expression.png|600px|thumb|right]]
[[File:Ap-mm-capture-filter-expression.png|600px|thumb|right]]
|}
|}


On the "Capture traffic" page, by using the simple capture method, all frequently
On the "Capture traffic" page, by using the simple capture method, all frequently
used filter expressions are easily accessible. The resulting expression is
used filter expressions are easily accessible. The resulting expression is
displayed below.
displayed below.
{|  
{|  
|  
|  
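Review bot: `On the "Capture traffic" page, by using the simple capture method, all frequently used filter expressions are easily accessible. The resulting expression is displayed below.` is hard to parse; suggest "The simple capture mode on the "Capture traffic" page offers the most frequently used filter expressions directly; the resulting filter expression is shown underneath them." "Displayed below" is also ambiguous between below the form and further down this article, so say which is meant.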
Line 163: Line 142:
The chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] explains every possible filter.
The chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] explains every possible filter.


 
== Get a PCAP via command line ==
<br>
== ''' Get a PCAP via command line''' ==


It is quite easy to get a PCAP on the command line or in scripts with "curl"
It is quite easy to get a PCAP on the command line or in scripts with "curl"
Line 182: Line 159:
Check out the chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] for further information.
Check out the chapter [[1-_Generic_modules(Teil_1)#Capture_module|Capture module]] for further information.


 
== It takes too long to open a PCAP file in Wireshark. What can I do? ==
<br>
== ''' It takes too long to open a PCAP file in Wireshark. What can I do?''' ==
If you are in a situation where you have a huge PCAP and are just
If you are in a situation where you have a huge PCAP and are just
interested in the traffic between two particular IP addresses, you can
interested in the traffic between two particular IP addresses, you can
use the *Allegro Network Multimeter* to analyze the pcap file and
use the Allegro Network Multimeter to analyze the pcap file and
extract the specific traffic for post-processing with other tools like
extract the specific traffic for post-processing with other tools like
Wireshark. See [[2-_Forensic_Pcap_Analysis|Forensic Pcap Analysis]] for details.
Wireshark. See [[Forensic_Pcap_Analysis|Forensic Pcap Analysis]] for details.
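Review bot: this hunk drops the `2-_` prefix in `[[Forensic_Pcap_Analysis|Forensic Pcap Analysis]]` but leaves `[[1-_Generic_modules(Teil_1)#Capture_module|Capture module]]` earlier in the same hunk with its numeric prefix; if the numbered pages were renamed together, that link is now stale and should be changed in the same edit. Spelling: "pcap file" should be "PCAP file" to match the rest of the page, and the asterisks removed from `*Allegro Network Multimeter*` here match the fourth hunk but not the first, so the product name styling still needs to be made consistent.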