Ring Buffer Configuration Guide

From Allegro Network Multimeter Manual

This section describes the Ring Buffer configuration and options for the Allegro Network Multimeter.

What is the Ring Buffer

Historic capture dialog.png

The Ring Buffer is a packet buffer. It stores raw Ethernet packets on one or more storage devices. A storage device is an internal or external HDD or SSD. When the buffer is full, it overwrites the oldest packets in a circular manner. The Ring Buffer is an optional feature of the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory-Database.

Allegro recommends taking a look at the ring buffer white paper on the Allegro Packets website.

Webshark and Pcap extraction work with historic dates, as in the screenshot on the right. This dialog is shown by using the Pcap button in the Allegro. The Allegro Network Multimeter searches the Ring Buffer for all packets that match the criteria and extracts them.

If there is no Ring Buffer configured, the Allegro allows a Pcap extraction of live traffic only.

Different Ring Buffer modes

The Ring Buffer supports two different modes. The Single Shared Ring Buffer can be used if you need only one Ring Buffer that fits into your storage device. The Single Shared Ring Buffer uses one shared storage for the Ring Buffer and Pcap to Disk. This mode is recommended if only one storage device is used, as it allows a Ring Buffer and space for Pcap files on the same storage. Please note that using both features at the same time might lead to a performance bottleneck.

The Cluster Ring Buffer mode allows the use of multiple Ring Buffers, where each Ring Buffer can have multiple disks. It also allows a separate disk for Pcap files, so that fast Ring Buffer writes and fast Pcap to Disk writes are possible at the same time.

Single Shared Ring Buffer

The Single Shared Ring Buffer is the default setup on all Allegro Network Multimeters that are shipped with one internal or external storage. This mode is designed for ONE internal or external storage. It does not allow the use of multiple ring buffers with one Allegro Network Multimeter. You can check at Generic → Storage whether the Allegro Network Multimeter has detected a storage. Here is an example of ONE attached disk:

Storage no device active.png

You can activate and deactivate the storage for Pcap files here. You can also format new disks by using the format option and erase the content of a disk if required. If the disk has not been formatted before, press the Format Button here. It will show the dialogue:

Format disk dialogue.png

Here you can decide whether disk encryption will be used or not; see the Limitations section below. You can also decide if and how much space shall be used for the Packet Ring Buffer. Please note that you cannot save any Pcap files to the external disk when you use 100 % for the Ring Buffer.

If the disk has been formatted, you can continue with the configuration of the Ring Buffer at Generic → Ring Buffer. If you have created a disk with a ring buffer, you should see the statistics of the buffer as in the screenshot below.

Running packet ring buffer.png

The Ring Buffer is now running and all Pcap buttons will work for historic dates. For advanced setup, please continue at the Filter Rules section.

Cluster Ring Buffer

The Cluster Ring Buffer is the default mode on all Allegro Network Multimeters that are shipped with two or more internal or external storages.

By default, the Allegro Network Multimeter uses one Cluster Ring Buffer. If you need more, please open the Settings Menu at the top right corner.

Settings button.png

Here you can increase the number of cluster ring buffers. We will continue this tutorial with 2 ring buffers to show the full flexibility of the Allegro. Please note that you need to restart the processing when you change the parameter. This can be done at Settings → Administration → Restart Processing.

To enable the Cluster Ring Buffer mode, please check at Generic → Ring Buffer whether the cluster configuration tab is selected. If it is not selected, delete the non-cluster ring buffer with:

Delete ring buffer button.png

Once this is done, you should see the dialogue:

Select ring buffer.png

Here you can select Create Cluster Ring Buffer. Once this is selected, you will see all available clusters of ring buffers. By default, the first Cluster is running but has no disk assigned to it. The size of the Buffer is 0 Bytes and it drops all packets written into it.

Cluster ring buffer initial startup.png

As a next step, please select configuration for the cluster.

Cluster ring buffer configuration.png

Select Add to cluster here to format a disk and add it to the cluster. Once you have added disks to a cluster, the packets will be written to the storage.

Cluster ring buffer with disks.png

Filter Rules

Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets is stored to the disk. Each ring buffer can be configured with a separate list of rules. All packets that do not match a condition are captured. The first matching condition is applied to the packets.

The Allegro Network Multimeter supports packet slicing with the following conditions:

  • all packets
  • MAC address
  • IP Address and IP Subnet
  • TCP/UDP Ports
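
The rule semantics described above (first matching condition wins, unmatched packets are captured in full) can be modelled as follows. This is an added example, not Allegro's own code: the `Rule` and `Packet` types, the "discard" and "slice" actions, and matching on either source or destination are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:  # constructed packet summary, not a real capture
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int

@dataclass
class Rule:
    kind: str          # one of the page's conditions: "all", "mac", "ip", "port"
    value: str         # MAC, IP or subnet in CIDR form, port number; "" for "all"
    action: str        # assumed actions: "discard" or "slice"
    snaplen: int = 0   # bytes kept per packet when action is "slice"

    def matches(self, p: Packet) -> bool:  # assumption: source or destination may match
        if self.kind == "all":
            return True
        if self.kind == "mac":
            return self.value.lower() in (p.src_mac.lower(), p.dst_mac.lower())
        if self.kind == "ip":
            net = ipaddress.ip_network(self.value, strict=False)
            return any(ipaddress.ip_address(a) in net for a in (p.src_ip, p.dst_ip))
        if self.kind == "port":
            return int(self.value) in (p.src_port, p.dst_port)
        raise ValueError(f"unknown condition {self.kind!r}")

def stored_bytes(rules, p):
    """Bytes of packet p written to the ring buffer under first-match semantics."""
    for rule in rules:
        if rule.matches(p):
            return 0 if rule.action == "discard" else min(p.length, rule.snaplen)
    return p.length  # no condition matched: the packet is captured in full

def shadowed(rules):
    """Indexes of rules that never fire because an "all packets" rule precedes them."""
    for i, rule in enumerate(rules):
        if rule.kind == "all":
            return list(range(i + 1, len(rules)))
    return []

# Constructed sample rules and packets.
SLICE_TLS = Rule("port", "443", "slice", 96)
DROP_LAB = Rule("ip", "10.0.5.0/24", "discard")
HTTPS_PKT = Packet("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.5.7", "192.0.2.10", 51514, 443, 1400)
DNS_PKT = Packet("02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.9.3", "192.0.2.53", 40000, 53, 80)
```

With `[SLICE_TLS, DROP_LAB]` the HTTPS packet from the 10.0.5.0/24 subnet is stored sliced to 96 bytes; with the order reversed it is not stored at all, which is why rule order should be reviewed whenever evidence retention matters.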

Performance

Limitations

Please note that the Allegro Network Multimeter supports only EXT4 formatted disks for the Ring

ISCSI

disk encryption