1,775
edits
Packet ring buffer: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 16: | Line 16: | ||
* Total size: The total size of the ring buffer on the external storage device. | * Total size: The total size of the ring buffer on the external storage device. | ||
If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. | :If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. | ||
The raw on-disk value will be displayed next to it in parentheses. | The raw on-disk value will be displayed next to it in parentheses. | ||
* Used size: The currently used amount of memory in the capture buffer. | * Used size: The currently used amount of memory in the capture buffer. | ||
If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses. | :If the cluster packet ring buffer feature is active and the Write redundancy level is set to a different value than no replication an adjusted value is displayed to reflect the redundant copies of packet data. The raw on-disk value will be displayed next to it in parentheses. | ||
* Overall bytes captured since start: The amount of captured bytes since system start. | * Overall bytes captured since start: The amount of captured bytes since system start. | ||
This may be smaller than the used size if the system has been restarted. | :This may be smaller than the used size if the system has been restarted. And it may be larger than the used size in case the ring buffer is full. | ||
And it may be larger than the used size in case the ring buffer is full. | |||
The history graph shows the captured traffic of the last minute or in the selected interval (if set). | The history graph shows the captured traffic of the last minute or in the selected interval (if set). | ||
* Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. | * Bytes dropped since start: The traffic which was processed but could not be written to the ring buffer since the start of processing. | ||
This is usually an indicator that writes to the external storage device were not fast enough. | :This is usually an indicator that writes to the external storage device were not fast enough. The history graph shows the drops over time. | ||
The history graph shows the drops over time. | |||
* Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. | * Bytes discarded due to snapshot length rules since start: The traffic which matched the snapshot length rules criteria and was not written to the ring buffer. | ||
The history graph shows discarding over time. | :The history graph shows discarding over time. | ||
* Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. | * Data in flight: The amount of data which is currently stored in the queue that holds processed packets before they are written to the packet ring buffer. | ||
If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings. | :If larger bursts of traffic need to be stored in this queue the size can be modified in the capture module settings. | ||
| Line 83: | Line 81: | ||
In the last unlabeled column there are three buttons displayed which have the following functionality: | In the last unlabeled column there are three buttons displayed which have the following functionality: | ||
* Add to cluster: Add a fresh disk to the cluster. | * Add to cluster: Add a fresh disk to the cluster. | ||
The disk will be formatted and added as empty storage to the cluster. | :The disk will be formatted and added as empty storage to the cluster. All previous data on the disk is lost. | ||
All previous data on the disk is lost. | |||
* Resume in cluster: If the disk was previously part of a cluster it can be resumed. | * Resume in cluster: If the disk was previously part of a cluster it can be resumed. | ||
The data on that disk is now part of the packet ring buffer. | :The data on that disk is now part of the packet ring buffer. | ||
* Remove from cluster: Remove the disk from the ring buffer. | * Remove from cluster: Remove the disk from the ring buffer. | ||
The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. | :The data stored on that disk is not part of the packet ring buffer anymore but the data is not removed from the disk. It can be resumed in the cluster at a later time. | ||
It can be resumed in the cluster at a later time. | |||
If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer. | If a disk is missing because it was e.g. removed from the enclosure it will be displayed in a separate list with much of the information as in the list described above but only one button with the option to remove it from the cluster packet ring buffer. | ||
| Line 104: | Line 100: | ||
These rules can also be used to prevent certain packets from being stored in the packet ring buffer. | These rules can also be used to prevent certain packets from being stored in the packet ring buffer. | ||
This allows to fine tune how much packet data needs to be written to the packet ring buffer. | This allows to fine tune how much packet data needs to be written to the packet ring buffer. | ||
The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a | The information about the original length of a packet will still be available in captures except when the packet was not written to the packet ring buffer at all (e.g. due to a '''discard''' rule). | ||
These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons. | These rules can be created, edited, deleted, moved up and moved down in the rules list by using the respective buttons. | ||
| Line 115: | Line 111: | ||
When creating a snapshot length filter rule, a dialog is displayed and allows following options: | When creating a snapshot length filter rule, a dialog is displayed and allows following options: | ||
* Rule condition: Match all packets or a certain MAC or IP address, TCP/UDP port, a layer 7 protocol a VLAN tag or an interface. | * Rule condition: Match all packets or a certain MAC or IP address, TCP/UDP port, a layer 7 protocol a VLAN tag or an interface. | ||
The input field below allows entering the corresponding value. | :The input field below allows entering the corresponding value. | ||
* Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. | * Negate: Controls comparison of the rule condition to the value. If this is off, the value must match. | ||
If this is on, the value must not match. | :If this is on, the value must not match. | ||
* Action: What shall be done with the matching packets. | * Action: What shall be done with the matching packets. | ||