PCAP parallel analysis

The PCAP parallel analysis feature allows PCAP files or the packet ring buffer to be analysed in parallel with the live measurement. This means that packet processing does not need to be stopped in order to analyse a previously captured PCAP file.

This feature must be enabled before use as it reserves a fixed but configurable part of the main memory for the parallel analysis.

Once enabled, the PCAP analysis dialog allows you to select the replay slot to use. After starting an analysis, the drop-down menu in the top menu bar allows you to select the replay slot, indicated by the suffix :1 ... :10 depending on the slot number used.

Selecting a replay slot switches the display to that analysis result while the live analysis (and any other replay slot) continues to work as usual.

Configuration

The generic settings section in the Global settings allows you to enable the feature by toggling the switch. If enabled, two additional options appear.

The first option, Reserved memory in percent of main memory, configures how much main memory is used for parallel analysis. The value is a percentage of the main memory. The minimum value is 1% and the maximum value is 90%. The larger the value, the more memory is available for parallel analysis, which allows larger PCAP files to be analysed. More memory for parallel analysis also means less memory for the live analysis, so the amount of past time that can be stored is reduced accordingly.

A good value to start with is 10%.

The second option, Number of offline parallel analysis slots, defines how many PCAP files can be analysed separately in parallel. This means that multiple files can be analysed without disturbing each other. However, the memory is split among all slots, so the more slots are used, the less memory is available per slot.

For example, with a memory reservation of 30% and 3 slots, each slot can only use 10% of the main memory (30 / 3).

To take effect, the new settings must be saved and the processing (including the live processing) must be restarted in the Administration menu.

Usage

The feature is easy to use. If enabled, every button to analyse a PCAP or ring buffer (in the Storage menu, in the Packet ring buffer, or in the Pcap analysis module) opens the dialog to start the analysis. This dialog contains a selection box to choose the replay slot to use. After confirmation, a window asks whether to switch to the replay slot to see the results.

In the top menu, a group selector box appears which allows you to select the live mode or any active replay slot.

The analysis can be finished after use to free up resources, but the dialog also allows you to choose a replay slot already in use. In this case, the previous analysis will be stopped and the new file will be analysed.

The dashboard will show the currently selected packet mode and additional information about the replay. There will also be a button to finish the replay.