=== Filter rule examples ===
Filter rules are set up below the statistics of each ring buffer. The following are the most commonly used filter rules. Note that rules can be combined, and that their order matters: the first rule that matches a packet decides what is written to the ring buffer.
==== Capture all traffic from and to a single IP ====
This use case applies when you need the packets of one IP address but still need the statistics of the whole link. It is very common when the link bandwidth is above the write rate of the ring buffer device, for example when you monitor a heavily loaded 10G or 40G link with a single HDD as the ring buffer device: statistics are still computed for every packet, but only the filtered subset is written to disk.
You need two rules to capture only a single IP. The first rule matches the IP address (as source or destination) and captures the full payload; the second rule drops all packets. Because the first matching rule wins, the catch-all drop rule must come last. Note that the drop rule also discards all non-IP packets such as ARP requests, so name resolution and address-resolution problems of that host will not be visible in the capture.
[[File:Ring buffer filter one ip.png|border|600px]]
==== Capture SSL traffic only up to L4 ====
Another very common use case is not to capture encrypted content at all. This is done with a rule for encrypted L7 protocols (SSL/TLS) that captures only up to the L4 header, which is enough for IP and TCP investigation (addresses, ports, flags, sequence numbers, retransmissions) while keeping the ring buffer free of payload that cannot be analysed anyway and reducing the amount of sensitive data stored. Keep in mind that the unencrypted parts of the TLS handshake, such as the ClientHello with the SNI and the server certificate, are L7 payload as well and are therefore also cut off by this rule. The rule can be created with the following settings:
[[File:Ring buffer rule create ssl l4.png|400px]]
The configured rule then looks like this:
[[File:Ring buffer rule ssl l4.png|border|600px]]
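The two rule sets above (one-host capture with a catch-all drop, and TLS truncated to the end of the L4 header) can be sanity-checked offline with a small model of the rule evaluation. The following Python script is an added example and not the product's own filter engine; it assumes first-match-wins semantics, a default of capturing the full frame when no rule matches, and a host address in the documentation range (`203.0.113.5`). The frames it filters are constructed inline, with checksums left at zero. It shows why the catch-all rule drops ARP, and how the L4 cut-off is computed from the IPv4 IHL and TCP data offset so that IP or TCP options are not truncated.

```python
"""Toy evaluator for ordered ring-buffer filter rules (added example).

Hypothetical model, not the capture product's engine: rules are tried in
order, the first match decides the action (full / l4 / drop). A frame that
matches no rule is written in full (assumption).
"""
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP = 6
PROTO_UDP = 17


@dataclass
class Parsed:
    ethertype: int
    src: Optional[str] = None      # IPv4 only; None for non-IP frames such as ARP
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    l4_end: int = ETH_LEN          # byte offset where the L4 header ends


def parse_frame(frame: bytes) -> Parsed:
    """Decode just enough Ethernet/IPv4/TCP|UDP to evaluate rules and find the L4 end."""
    p = Parsed(ethertype=struct.unpack("!H", frame[12:14])[0])
    if p.ethertype != ETHERTYPE_IPV4:
        return p                                   # ARP etc.: nothing above L2 to match on
    ihl = (frame[ETH_LEN] & 0x0F) * 4              # IPv4 header length, including options
    p.proto = frame[ETH_LEN + 9]
    p.src = ".".join(str(b) for b in frame[ETH_LEN + 12:ETH_LEN + 16])
    p.dst = ".".join(str(b) for b in frame[ETH_LEN + 16:ETH_LEN + 20])
    l4 = ETH_LEN + ihl
    p.l4_end = l4
    if p.proto == PROTO_TCP:
        p.sport, p.dport = struct.unpack("!HH", frame[l4:l4 + 4])
        p.l4_end = l4 + (frame[l4 + 12] >> 4) * 4  # TCP data offset, including options
    elif p.proto == PROTO_UDP:
        p.sport, p.dport = struct.unpack("!HH", frame[l4:l4 + 4])
        p.l4_end = l4 + 8
    return p


@dataclass
class Rule:
    name: str
    match: Callable[[Parsed], bool]
    action: str                                    # "full" | "l4" | "drop"


def apply_rules(rules: List[Rule], frame: bytes) -> Optional[bytes]:
    """Return the bytes that reach the ring buffer, or None if the frame is dropped."""
    p = parse_frame(frame)
    for rule in rules:                             # first matching rule wins
        if rule.match(p):
            if rule.action == "drop":
                return None
            if rule.action == "l4":
                return frame[:p.l4_end]            # headers only, payload cut off
            return frame
    return frame                                   # assumption: no match -> full capture


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left zero)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, PROTO_TCP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_arp_frame() -> bytes:
    """Constructed ARP request: Ethernet header plus a 28-byte ARP body, no IP header."""
    return bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


HOST = "203.0.113.5"   # assumed host of interest (documentation address range)

# Use case 1: full payload for one host, then drop everything else (order matters).
single_ip_rules = [
    Rule("host " + HOST + " full payload", lambda p: HOST in (p.src, p.dst), "full"),
    Rule("drop all (also drops ARP and other non-IP)", lambda p: True, "drop"),
]

# Use case 2: SSL/TLS on port 443 is written only up to the end of the TCP header.
tls_l4_rules = [
    Rule("TLS up to L4", lambda p: p.proto == PROTO_TCP and 443 in (p.sport, p.dport), "l4"),
]


def demo() -> dict:
    """Run both rule sets over constructed sample frames and return what gets written."""
    https = build_tcp_frame("198.51.100.7", HOST, 51000, 443, b"\x16\x03\x01\x00\x05hello")
    http = build_tcp_frame("198.51.100.7", "192.0.2.1", 51001, 80, b"GET / HTTP/1.1\r\n")
    arp = build_arp_frame()
    return {
        "single_ip_https": apply_rules(single_ip_rules, https),   # full frame
        "single_ip_http": apply_rules(single_ip_rules, http),     # dropped (other host)
        "single_ip_arp": apply_rules(single_ip_rules, arp),       # dropped by catch-all
        "tls_l4_https": apply_rules(tls_l4_rules, https),         # 14 + 20 + 20 = 54 bytes
        "tls_l4_http": apply_rules(tls_l4_rules, http),           # untouched, full frame
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, "dropped" if out is None else f"{len(out)} bytes written")
```

If a host's ARP traffic is needed alongside its IP traffic, the catch-all drop rule in the first set must not be the only rule preceding it; in the model above, the ARP frame never reaches the host rule because it carries no IP addresses to match on.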