Ring Buffer Configuration Guide
This section describes the Ring Buffer configuration and options for the Allegro Network Multimeter.
What is the Ring Buffer
The Ring Buffer is a packet buffer. It stores raw Ethernet packets on one or more storage devices. A storage device is an internal or external HDD or SSD. When the buffer is full, it overwrites the oldest packets in a circular manner. The Ring Buffer is an optional feature for the Allegro Network Multimeter. It does not store any of the statistics of the In-Memory-Database.
Allegro recommends taking a look at the Ring Buffer white paper on the Allegro Packets website.
Webshark and the Pcap extraction work with historic dates, as in the screenshot here on the right. This dialog is shown by using the Pcap button in the Allegro. The Allegro Network Multimeter searches the Ring Buffer for all packets that match the criteria and extracts them.
If there is no Ring Buffer configured, the Allegro allows a Pcap extraction of live traffic only.
Different Ring Buffer modes
The Ring Buffer supports 2 different modes. The Single Shared Ring Buffer can be used if you need only one Ring Buffer that fits into your storage device. The Single Shared Ring Buffer uses one shared storage for the Ring Buffer and Pcap to Disk. This mode is recommended if only one storage device is used, as it allows a Ring Buffer and space for Pcap files on the same storage. Please note that using both features at the same time might lead to a performance bottleneck.
The Cluster Ring Buffer mode allows the use of multiple Ring Buffers, where each Ring Buffer can have multiple disks. It allows a separate disk for Pcap files, which enables fast Ring Buffer and fast Pcap to Disk writes at the same time.
The Single Shared Ring Buffer is the default setup on all Allegro Network Multimeters that are shipped with one internal or external storage. This mode is designed for ONE internal or external storage. It does not allow the use of multiple ring buffers with one Allegro Network Multimeter. You can check at Generic → Storage whether the Allegro Network Multimeter has detected a storage. Here is an example of ONE attached disk:
You can activate and deactivate the storage for Pcap files here. You can also format new disks by using the format option and erase the content of a disk if required. If the disk has not been formatted before, press the Format Button here. It will show the dialogue:
Here you can decide whether the disk encryption will be used or not, see #Limitations below. You can also decide if and how much space shall be used for the Packet Ring Buffer. Please note that you cannot save any Pcap files to the external disk when you use 100 % for the Ring Buffer.
If the disk has been formatted, you can continue with the configuration of the Ring Buffer at Generic → Ring Buffer. If you have created a disk with a ring buffer, you should see the statistics of the buffer as in the screen shot here below.
The Ring Buffer is now running and all Pcap buttons will work for historic dates. For advanced setup, please continue at the section #Filter Rules.
Cluster Ring Buffer
The Cluster Ring Buffer is the default mode on all Allegro Network Multimeters that are shipped with two or more internal or external storages.
By default, the Allegro Network Multimeter uses one Cluster Ring Buffer. If you need more, please open the Settings Menu at the top right corner.
Here you can increase the number of cluster ring buffers. We will continue this tutorial with 2 ring buffers to show the full flexibility of the Allegro. Please note that you need to restart the processing when you change the parameter. This can be done at Settings → Administration → Restart Processing.
To enable the Cluster Ring Buffer mode, please check at Generic → Ring Buffer whether the tab cluster configuration is selected. If it is not selected, delete the non-cluster ring buffer with:
Once this is done, you should see the dialogue:
Here you can select Create Cluster Ring Buffer. Once this is selected, you will see all available clusters of ring buffers. By default, the first Cluster is running but has no disk assigned to it. The size of the Buffer is 0 Bytes and it drops all packets written into it.
As a next step, please select configuration for the cluster.
Please select here Add to cluster to format a disk and add it to the cluster. Once you have added disks to a cluster, the packets will be written to the storage.
Filter Rules
Both ring buffer modes support packet filtering mechanisms. Most situations require that only a subset of all packets is stored to the disk. Each ring buffer can be configured with a separate list of rules. All packets that do not match a condition are captured. The first matching condition is applied to the packets.
The Allegro Network Multimeter supports packet slicing with the following conditions:
- all packets
- MAC address
- IP Address and IP Subnet
- TCP/UDP Ports
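The following Python model is an added example, not Allegro's rule format or code. It evaluates a rule list with the first-match behaviour and the four condition types described above, and shows how a broad rule placed first shadows a later, more specific one. The Packet and Rule classes, the snaplen action (bytes kept per packet) and all sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:  # constructed, minimal summary of one Ethernet frame
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int

@dataclass
class Rule:
    kind: str                      # "all", "mac", "ip" or "port" (the page's condition list)
    value: Optional[str] = None    # MAC, IP/subnet or port; unused for "all"
    snaplen: Optional[int] = None  # hypothetical action: bytes kept (None = whole packet, 0 = none)

    def matches(self, p: Packet) -> bool:
        if self.kind == "all":
            return True
        if self.kind == "mac":
            return self.value.lower() in (p.src_mac.lower(), p.dst_mac.lower())
        if self.kind == "ip":  # a single address is treated as a /32 or /128 subnet
            net = ipaddress.ip_network(self.value, strict=False)
            return any(ipaddress.ip_address(a) in net for a in (p.src_ip, p.dst_ip))
        if self.kind == "port":
            return int(self.value) in (p.src_port, p.dst_port)
        raise ValueError(f"unknown condition kind: {self.kind}")

def stored_bytes(rules, p: Packet) -> int:
    """Bytes of p written to the buffer: first matching rule wins, no match keeps all."""
    for r in rules:
        if r.matches(p):
            return p.length if r.snaplen is None else min(r.snaplen, p.length)
    return p.length

# Constructed sample traffic
MACS = ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02")
tls = Packet(*MACS, "10.1.2.3", "192.0.2.10", 51000, 443, 1400)
dns = Packet(*MACS, "10.1.2.3", "10.9.9.9", 53000, 53, 90)
backup = Packet(*MACS, "10.8.0.5", "10.8.0.6", 40000, 873, 1500)

ordered = [Rule("ip", "10.8.0.0/24", 0), Rule("port", "443", 128)]
shadowed = [Rule("all", snaplen=64), Rule("port", "443", 128)]  # second rule never fires

for name, pkt in (("tls", tls), ("dns", dns), ("backup", backup)):
    print(name, stored_bytes(ordered, pkt), stored_bytes(shadowed, pkt))
```

With the shadowed list every packet is cut to 64 bytes, so a later investigation would find headers only, even for the traffic the second rule was meant to preserve in more detail.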
Performance
Limitations
Please note that the Allegro Network Multimeter supports only EXT4 formatted disks for the Ring
ISCSI
disk encryption