[[File:Historic capture dialog.png|thumb|300px]]
The '''Ring Buffer''' is a packet buffer. It stores raw Ethernet packets on one or more '''storage devices'''. A '''storage device''' is an internal or external HDD or SSD. When the buffer is full, the oldest packets are overwritten in a circular manner, so the history you can go back to is bounded by the buffer size divided by the write rate. The '''Ring Buffer''' is an optional feature of the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory-Database.
Allegro recommends reading the [https://allegro-packets.com/en/resources-service/whitepaper/whitepaper-paket-ring-buffer Ring Buffer White Paper] on the Allegro Packets website.
Both '''Webshark''' and '''Pcap''' extraction work with historic time ranges, as shown in the screenshot on the right. This dialog opens when you press the '''Pcap''' button in the Allegro user interface. The Allegro Network Multimeter searches the '''Ring Buffer''' for all packets that match the criteria and extracts them.
If no '''Ring Buffer''' is configured, the Allegro allows '''Pcap''' extraction of live traffic only.
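The circular overwrite and the historic extraction described above, modelled in Python as an added illustration (this is not Allegro Packets code and does not reflect the appliance's on-disk format). The buffer holds raw frames up to a byte capacity, evicts the oldest frames when a write does not fit, and answers a time-range extraction only from what is still retained. The frame sizes, timestamps, interface names and the 1 TB / 1 Gbit/s figures are constructed for the example:

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time, seconds since epoch
    iface: str     # capture interface
    data: bytes    # raw Ethernet frame


class PacketRingBuffer:
    """Fixed-capacity packet store. When a write does not fit, the oldest
    frames are evicted until it does (circular overwrite). Statistics of the
    in-memory database are deliberately NOT kept here, only raw frames."""

    def __init__(self, capacity_bytes: int) -> None:
        if capacity_bytes <= 0:
            raise ValueError("capacity must be positive")
        self.capacity = capacity_bytes
        self.used = 0
        self.overwritten = 0               # frames lost to circular overwrite
        self._frames: deque[Frame] = deque()

    def write(self, frame: Frame) -> None:
        n = len(frame.data)
        if n > self.capacity:
            raise ValueError("frame larger than the whole buffer")
        while self.used + n > self.capacity:
            victim = self._frames.popleft()   # oldest frame goes first
            self.used -= len(victim.data)
            self.overwritten += 1
        self._frames.append(frame)
        self.used += n

    def oldest_ts(self) -> Optional[float]:
        """Start of the retained history; earlier times cannot be extracted."""
        return self._frames[0].ts if self._frames else None

    def extract(self, start: float, end: float,
                iface: Optional[str] = None) -> list[Frame]:
        """Historic pcap extraction: every retained frame with
        start <= ts <= end, optionally restricted to one interface."""
        return [f for f in self._frames
                if start <= f.ts <= end and (iface is None or f.iface == iface)]


def retention_seconds(capacity_bytes: int, write_rate_bit_s: float) -> float:
    """Rough history depth: time to fill the buffer at a sustained write rate
    (no filtering, no slicing). capacity_bytes / (bits per second / 8)."""
    return capacity_bytes / (write_rate_bit_s / 8)


def demo() -> PacketRingBuffer:
    """Constructed sample: 20 frames of 100 bytes into a 1000-byte buffer,
    so only the last 10 survive."""
    rb = PacketRingBuffer(capacity_bytes=1000)
    for i in range(20):
        rb.write(Frame(ts=float(i), iface="eth0" if i % 2 == 0 else "eth1",
                       data=bytes([i]) * 100))
    return rb


if __name__ == "__main__":
    rb = demo()
    print(f"retained {len(rb.extract(0, 99))} frames, oldest ts {rb.oldest_ts()}, "
          f"overwritten {rb.overwritten}")
    print(f"1 TB at a sustained 1 Gbit/s keeps about "
          f"{retention_seconds(10**12, 1e9) / 3600:.1f} h of history")
```

The point to take from `extract(0, 5)` returning nothing is the one that matters for incident response: the time range shown in the historic capture dialog is only useful as long as the buffer has not wrapped past it, so size the device for the write rate of the link and use the filter rules to stretch the window.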
== Different '''Ring Buffer''' modes ==
The '''Ring Buffer''' supports two different modes.
The '''Single Shared Ring Buffer''' can be used if you need only one Ring Buffer that fits on your storage device. The '''Single Shared Ring Buffer''' uses '''one''' shared storage device for the '''Ring Buffer''' and for '''Pcap to Disk'''. This mode is recommended if only one storage device is used, since it provides a '''Ring Buffer''' and space for '''Pcap files''' on the same storage device. Note that using both features at the same time may lead to a performance bottleneck, because Ring Buffer writes and Pcap writes compete for the same disk.
The '''Cluster Ring Buffer''' mode allows multiple Ring Buffers, each of which can span multiple disks. It also allows a separate disk for Pcap files, so fast '''Ring Buffer''' writes and fast '''Pcap to disk''' writes can happen at the same time.
== '''Single Shared Ring Buffer''' ==
The Single Shared Ring Buffer is the default setup on all Allegro Network Multimeters that are shipped with '''one''' internal or external storage device. This mode is designed for '''ONE''' internal, external or iSCSI storage device (see the section [[#iSCSI Ring Buffer]] for more information). It does not allow you to use multiple Ring Buffers on one Allegro Network Multimeter. You can check at '''Generic''' → '''Storage''' whether the Allegro Network Multimeter has detected a storage device. Here is an example with ONE attached disk:
[[File:Storage no device active.png|border|600px]]
You can activate and deactivate the storage device for Pcap files here. You can also format new disks using the format option, and erase the content of a disk if required. If the disk has not been formatted before, press the ''Format'' button. It shows the following dialogue:
[[File:Format disk dialogue.png|border|300px]]
Here you can decide whether disk encryption will be used or not, see [[#Encryption]] below. You can also decide if and how much space shall be used for the '''Packet Ring Buffer'''. Note that you cannot save any Pcap files to that disk if you assign '''100 %''' of it to the '''Ring Buffer'''.
Once the disk has been formatted, you can continue with the configuration of the '''Ring Buffer''' at '''Generic''' → '''Ring Buffer'''. If you have created a disk with a Ring Buffer, you should see the statistics of the buffer as in the screenshot below.
[[File:Running packet ring buffer.png|600px]]
== '''Cluster Ring Buffer''' ==
The Cluster Ring Buffer is the default mode on all Allegro Network Multimeters that are shipped with '''two or more''' internal or external storage devices.
By default, the Allegro Network Multimeter uses '''one''' Cluster Ring Buffer. If you need more, open the Settings menu at the top right corner.
[[File:Settings button.png|100px]]
Here you can increase the number of Cluster Ring Buffers. This tutorial continues with 2 Ring Buffers to show the full flexibility of the Allegro. Note that you need to restart the processing after changing this parameter. This can be done at '''Settings''' → '''Administration''' → '''Restart processing'''.
To enable the Cluster Ring Buffer mode, check at '''Generic''' → '''Ring Buffer''' whether the tab ''cluster configuration'' is selected. If it is not, delete the non-Cluster Ring Buffer with:
[[File:Delete ring buffer button.png|100px]]
[[File:Select ring buffer.png|300px]]
Here you can select '''Create Cluster Ring Buffer'''. Once this is selected, you will see all available Clusters of Ring Buffers. By default, the first Cluster is running but has no disk assigned to it. The size of the buffer is 0 bytes and it drops all packets written into it.
[[File:Cluster ring buffer initial startup.png|border|600px]]
As the next step, select the configuration for the Cluster.
[[File:Cluster ring buffer configuration.png|border|600px]]
Select '''Add to Cluster''' here to format a disk and add it to the Cluster. Once you have added disks to a Cluster, packets are written to those storage devices.
[[File:Cluster ring buffer with disks.png|border|600px]]
== Filter Rules ==
Both Ring Buffer modes support packet filtering. In most situations only a subset of all packets should be stored to disk. Each Ring Buffer is configured with its own list of rules. Rules are evaluated in order and the first matching condition is applied to the packet; packets that match no condition are captured.
=== Filter rule conditions ===
The Allegro Network Multimeter supports packet slicing with the following conditions:
* All packets → matches all Ethernet packets
* MAC address → matches a specific L2 MAC address
* IP Address and IP Subnet → matches a specific IP address or subnet, works for IPv4 and IPv6
* TCP/UDP Ports → matches all TCP or UDP packets with a specific source or destination port
* L7 Protocol → matches one of the built-in L7 protocols
* Outer VLAN Tag → matches a single VLAN tag or the outer VLAN of a double-tagged VLAN frame
* Interface → matches a specific network interface
* SIP Phone Number → matches a specific SIP caller or callee phone number and its correlated RTP flow
The following items are supported as actions:
* Snapshot Length → byte packet slicing; only the first N bytes of each matching packet are captured
* Discard → do not capture this packet
* Full → capture the full packet
=== Filter rule examples ===
Filter rules can be set up below the statistics of each Ring Buffer. This is a list of the most-used filter rules. Note that you can combine these rules.
==== Capture all traffic from and to a single IP ====
This use case applies when you need to investigate the packets of one IP but still need the statistics of the whole link. It is very common where the link bandwidth is above the Ring Buffer write rate, for example when you monitor a heavily loaded 10G or 40G link with a single HDD as the Ring Buffer device.
You need two rules to capture a single IP only. The first rule matches the IP address and captures the full packet; the second rule drops all remaining packets. Note that the second rule also drops all non-IP packets such as ARP requests, so if you need those for the investigation, add a matching rule for them before the drop rule.
[[File:Ring buffer filter one ip.png|border|600px]]
==== Capture SSL traffic only until L4 ====
Another very common use case is to not capture encrypted content. This is done by setting up a rule for encrypted L7 protocols that captures only up to the L4 header, which is sufficient for IP and TCP investigation. It can be configured with the following settings:
[[File:Ring buffer rule create ssl l4.png|400px]]
==== Capture full SIP, capture RTP to the first 12 bytes of the payload and drop all other packets ====
This is a common VoIP use case where you are allowed to capture the signaling traffic and the RTP header (12 bytes) but not the RTP payload. Here is the example rule setup:
[[File:Ring buffer rule sip rtp.png|border|600px]]
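The three rule sets above (single IP, SSL up to L4, SIP/RTP) share the same first-match semantics, so they are modelled together here in Python as an added example. This is not Allegro code and it does not parse real frames: the packets are constructed summaries with only the fields the rules look at. The snapshot lengths of 54 bytes assume untagged IPv4 without IP options (14 bytes Ethernet + 20 IPv4 + 20 TCP, or 14 + 20 + 8 UDP + 12 RTP); the `tls_vlan` packet shows what happens to a fixed byte count when a VLAN tag shifts the headers:

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary; only the fields the rules look at."""
    iface: str
    eth_type: str                 # "ip" or "arp"
    vlan: Optional[int] = None    # outer VLAN id, None when untagged
    src: str = ""
    dst: str = ""
    l4: str = ""                  # "tcp", "udp" or ""
    l7: str = ""                  # "ssl", "sip", "rtp", "http", ...
    size: int = 0                 # full frame length in bytes

    def l4_header_end(self) -> int:
        """Offset just past the L4 header (assumes IPv4 without options)."""
        off = 14 + (4 if self.vlan is not None else 0)
        if self.eth_type != "ip":
            return off
        return off + 20 + {"tcp": 20, "udp": 8}.get(self.l4, 0)


# Actions: ("full", None), ("discard", None) or ("snap", N bytes)
FULL, DISCARD = ("full", None), ("discard", None)
def snap(n: int): return ("snap", n)


@dataclass(frozen=True)
class Rule:
    cond: Callable[[Pkt], bool]
    action: tuple


# Conditions mirroring the list in this section
def all_packets(p: Pkt) -> bool: return True
def ip_is(addr: str):  return lambda p: p.eth_type == "ip" and addr in (p.src, p.dst)
def l7_is(name: str):  return lambda p: p.l7 == name
def vlan_is(vid: int): return lambda p: p.vlan == vid
def iface_is(i: str):  return lambda p: p.iface == i


def bytes_stored(rules: list[Rule], p: Pkt) -> int:
    """Bytes written to the Ring Buffer for p. The first matching rule
    decides; a packet matching no rule is captured in full."""
    for r in rules:
        if r.cond(p):
            kind, n = r.action
            if kind == "discard":
                return 0
            if kind == "full":
                return p.size
            return min(n, p.size)          # snapshot length: fixed byte count
    return p.size


# Constructed sample traffic (addresses from documentation ranges)
SAMPLE = {
    "arp":      Pkt("eth0", "arp", size=60),
    "tls":      Pkt("eth0", "ip", src="10.0.0.5", dst="203.0.113.7", l4="tcp", l7="ssl", size=1400),
    "tls_vlan": Pkt("eth0", "ip", vlan=100, src="10.0.0.5", dst="203.0.113.7", l4="tcp", l7="ssl", size=1400),
    "http":     Pkt("eth1", "ip", src="10.0.0.9", dst="203.0.113.8", l4="tcp", l7="http", size=900),
    "sip":      Pkt("eth1", "ip", src="10.0.0.20", dst="10.0.0.2", l4="udp", l7="sip", size=800),
    "rtp":      Pkt("eth1", "ip", src="10.0.0.20", dst="10.0.0.2", l4="udp", l7="rtp", size=214),
}

RULESETS = {
    # one host in full, everything else (including ARP) dropped
    "single_ip": [Rule(ip_is("10.0.0.5"), FULL), Rule(all_packets, DISCARD)],
    # TLS only up to the TCP header: 14 Ethernet + 20 IPv4 + 20 TCP = 54 bytes
    "ssl_l4":    [Rule(l7_is("ssl"), snap(54))],
    # SIP in full, RTP up to its 12-byte header (14 + 20 + 8 + 12 = 54), rest dropped
    "voip":      [Rule(l7_is("sip"), FULL), Rule(l7_is("rtp"), snap(54)), Rule(all_packets, DISCARD)],
}


def run_examples() -> dict[str, dict[str, int]]:
    """Bytes stored per sample packet under each rule set."""
    return {name: {k: bytes_stored(rules, p) for k, p in SAMPLE.items()}
            for name, rules in RULESETS.items()}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(name, result)
    print("tagged TLS frame: snapshot 54 bytes, TCP header actually ends at",
          SAMPLE["tls_vlan"].l4_header_end())
```

Two things the run makes visible that the screenshots do not: under `ssl_l4` the HTTP, SIP and ARP packets are stored in full because nothing matched them, so a "headers only" policy needs an explicit rule for every protocol it is meant to cover; and the VLAN-tagged TLS frame loses the last 4 bytes of its TCP header at a 54-byte snapshot, so on tagged links the snapshot length has to account for the tag (or the Outer VLAN Tag condition can be used to give tagged traffic its own rule).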
The Allegro does ''not'' store the password of the encrypted device on the disk. You need to re-enter the password after you unmount the device, reboot, or power off the Allegro Network Multimeter.
Encryption is not available for the Cluster Ring Buffer.