Capturing

From Allegro Network Multimeter Manual
Revision as of 15:05, 9 April 2020 by Martin.fesser (Martin.fesser moved page 5- Capturing to Capturing)

With the Allegro Network Multimeter it is possible to create a capture in PCAP format which can be opened in tools such as Wireshark.


How can I get a PCAP of a certain IP or MAC address?

The different modules of the *Allegro Network Multimeter* provide a dedicated PCAP button for nearly every type of traffic, which lets you capture just that traffic. To capture a certain IP address, go to 'IP' -> 'IP statistics', navigate to the desired IP address and push the PCAP button.

Ap-mm-capture-ip-statistics.png

To find an IP faster, you can sort the IP table by almost every column. The filter offers a quick way to reduce the table content, e.g. by typing fragments of the IP address or the DNS name in the filter input field.

Another quick way to get a PCAP of a certain address is the simple capture. Go to 'Generic' -> 'Capture traffic', enable the MAC switch, set an address and push the "Start capture" button.


Ap-mm-capture-capture-simple.png



What settings shall I choose?

After pushing the capture button the dialog "Choose capture settings" is displayed. Here you can limit the start and end time of the capture and select whether the created PCAP file is downloaded by your browser directly to your computer or stored on the storage device attached to the Multimeter. You can also truncate each captured packet to a given length if you do not need the full packet and want a small PCAP file that opens faster in Wireshark.

Ap-mm-capture-choose-capture-settings.png

Pushing the "Start capture" button begins the capture.


How can I extract traffic from the past?

By using the packet ring buffer of the *Allegro Network Multimeter* it is possible to extract traffic from the past and create a PCAP from it. The packet ring buffer is stored on the external storage device attached to the USB port, or on an internal storage device if your *Allegro Network Multimeter* is equipped with one. A fast USB 3 capable SSD is recommended as the external device. A USB thumb drive can be used too, but some packets of a burst may be dropped if the thumb drive is too slow.

You can see an overview of all storage devices available to the Multimeter under 'Generic' -> 'Storage'.

Ap-mm-capture-storage.png


In this example an external SSD is attached to the USB port but is not activated yet. Push the "Activate" button so the device can be used. If the filesystem of the disk is not suitable for the ring buffer, a warning will pop up and let you format the disk properly. After formatting or activating, the storage page shows information about disk usage and an overview of all files on the disk.

Ap-mm-capture-storage-active.png


Now that the storage is active, the ring buffer has to be created, unless this was already done during formatting. This is done under 'Generic' -> 'Packet ring buffer'. Push the "Create ring buffer" button.

Ap-mm-capture-create-ring-buffer.png


The size of the ring buffer has to be specified. If no PCAP files are to be stored on the storage device, the ring buffer may use 100% of the size of the device; otherwise leave room for the captures you intend to store there.

Ap-mm-capture-ring-buffer-size.png



When the packet ring buffer is created and running, the "Packet ring buffer" statistics page shows information about the usage of the ring buffer and several graphs about stored and filtered traffic. A filter can be applied to control which packets are stored in the ring buffer. See the chapter Packet ring buffer for more details.

Ap-mm-capture-ring-buffer-statistics.png



Now that the packet ring buffer is up and running, any capture can use it to extract traffic from the past. Just select a timespan in any graph of the user interface by left clicking with the mouse and then push a PCAP button. The selected timespan is shown in the start and end time fields of the "Choose capture settings" dialog.

Ap-mm-capture-choose-capture-settings-2.png

Start and end time can be changed by using the date and time popup window that opens when selecting the time fields, or by pushing the dedicated buttons for commonly used times. If the start time is earlier than the start of the packet ring buffer, it is adjusted to the start of the ring buffer and a hint is displayed.



Is it possible to plan a capture in the future?

Yes. Simply select the desired start time in the "Choose capture settings" dialog and the capture will start with the first packet at that time.



Create complex captures with several criteria

Captures can be started with complex filter expressions, e.g. to capture a specific IP address or a layer 7 protocol.

To get a feel for the syntax, start a capture from any module; the expression used by that capture is shown by clicking the "Active captures" button at the top of every page.

Ap-mm-capture-filter-expression.png



On the "Capture traffic" page, using the simple capture method, all frequently used filter expressions are easily accessible through the switches. The resulting expression is displayed below them.

Ap-mm-capture-capture-simple-2.png

This expression can be copied into the expert capture filter field and edited there. All filters can be combined with "and" / "&&" or "or" / "||". Parentheses may be used to clarify precedence.

The chapter Capture module explains every possible filter.



Get a PCAP via command line

It is quite easy to get a PCAP on the command line or in scripts with "curl", which is available on recent versions of Windows 10, Linux and macOS.

Basically it is just typing:

curl -k -u USER:PASSWORD 'https://allegro-mm-XXXX/API/data/modules/capture?expression=ip==10.1.2.3' > path_to/capture.pcap

The user name, password and hostname have to be the same that are used to access the web interface. Every filter expression that can be used in the web interface can also be used here. Quote the URL so the shell does not interpret characters such as "&" and "|", and percent-encode the expression if it contains spaces or those characters, since they would otherwise be misread inside the query string. Two caveats for scripted use: "-k" disables TLS certificate verification, so prefer installing a trusted certificate on the Multimeter or passing its certificate to curl with "--cacert"; and a password given on the command line is visible in the process list and the shell history, so prefer "--netrc" with a netrc file readable only by you.

Check out the chapter Capture module for further information.
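The script below is an added example, not code from the Allegro manual or from the device. It wraps the curl call above so that the filter expression is percent-encoded (the manual's "and"/"or" syntax with spaces, "&&", "||" and parentheses would otherwise not survive the query string), the device certificate is verified instead of skipped with "-k", the password is read from ~/.netrc instead of the command line, and the downloaded file is checked for a PCAP or PCAPNG signature so that an HTML error page is never mistaken for a capture. The environment variable MM_CACERT, the ~/.netrc entry for the Multimeter, and the script name fetch_capture.sh are assumptions of this example; the hostname allegro-mm-XXXX and the expression syntax are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not from the Allegro manual): a safer wrapper around
#   curl -k -u USER:PASSWORD https://allegro-mm-XXXX/API/data/modules/capture?expression=...
#
# Assumptions (not from the manual):
#   - MM_CACERT points at the Multimeter's certificate (or the CA that signed it)
#   - ~/.netrc (mode 0600) holds "machine <host> login <user> password <pw>"

# Percent-encode one filter expression; RFC 3986 unreserved characters pass
# through, everything else becomes %XX. Spaces, "=", "&", "|", "(" and ")"
# would otherwise be mangled by the query string or by the shell.
# Expressions are assumed to be single-line ASCII.
urlencode() {
    printf '%s\n' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 1; i < 128; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[A-Za-z0-9._~-]/) out = out c
                else out = out sprintf("%%%02X", ord[c])
            }
            printf "%s", out
        }'
}

# Build the capture URL for a host and a filter expression.
capture_url() {
    printf 'https://%s/API/data/modules/capture?expression=%s' "$1" "$(urlencode "$2")"
}

# Classify a file by its first four bytes: prints pcap, pcap-ns or pcapng,
# and fails for anything else (for example an HTML login or error page).
pcap_kind() {
    magic=$(head -c 4 "$1" | od -An -v -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4) echo pcap ;;
        4d3cb2a1|a1b23c4d) echo pcap-ns ;;
        0a0d0d0a)          echo pcapng ;;
        *)                 echo "not a capture file (magic: $magic)" >&2; return 1 ;;
    esac
}

# fetch_capture HOST 'EXPRESSION' OUTFILE
fetch_capture() {
    host=$1; filter=$2; out=$3
    # --fail:   an HTTP 401/500 body must not be saved as capture.pcap
    # --netrc:  credentials come from ~/.netrc, not from the process list
    # --cacert: verify the device certificate instead of disabling checks with -k
    curl --fail --silent --show-error \
         --netrc \
         --cacert "${MM_CACERT:?set MM_CACERT to the Multimeter certificate}" \
         --output "$out" \
         "$(capture_url "$host" "$filter")" || return 1
    pcap_kind "$out" >/dev/null
}

# Stand-alone use:
#   ./fetch_capture.sh allegro-mm-XXXX '(ip==10.1.2.3 || ip==10.1.2.4)' capture.pcap
if [ "$#" -eq 3 ]; then
    fetch_capture "$1" "$2" "$3" && echo "saved $3 ($(pcap_kind "$3"))"
fi
```

If the Multimeter uses a self-signed certificate, export it from the browser and point MM_CACERT at that file; curl trusts whatever is in the "--cacert" file, so no "-k" is needed. If you already replaced the device certificate with one issued by your own CA, pass the CA certificate instead. The signature check matters because, without "--fail", curl happily writes the HTML of a 401 response to capture.pcap and the failure only shows up when Wireshark refuses to open the file.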



It takes too long to open a PCAP file in Wireshark. What can I do?

If you have a huge PCAP and are only interested in the traffic between two particular IP addresses, you can use the *Allegro Network Multimeter* to analyze the PCAP file and extract just that traffic for post-processing with other tools like Wireshark. See Forensic Pcap Analysis for details.