Wire-speed Packet Filter and Capture on 10 Gbps Ethernet Networks
Welcome to another August 2017 issue of GL Communications' Newsletter, providing information and insights into our enhanced 1G/10G Dual Port Ethernet Tester, referred to as PacketExpert™ 10G. The Record Only application on PacketExpert™ 10G has been enhanced with advanced filtering options that provide improved packet capture capability on 10 Gbps Ethernet networks.
Overview
Real-time network monitoring functions such as checking network usage, security threat detection, VoIP QoS analysis and bandwidth monitoring are some of the important network management system functions, and they play a vital role in ensuring optimum performance of networks.
Typically, in Ethernet network monitoring, it is very useful to monitor backbone links, where traffic from different sources passes through the network. 10 Gbps links are commonly used as backbone links between switches/routers to connect different parts of the hierarchical network. It makes sense to monitor/capture traffic on such 10 Gbps Ethernet backbone links for detailed analysis. Among the various tools available for real-time network monitoring, a test tool that performs non-intrusive traffic capture is an important one.
The 'Record Only' feature of PacketExpert™ 10G helps capture live traffic non-intrusively on 10 Gbps Ethernet links.
Functional Capability
One of the best ways to capture traffic efficiently is to filter the traffic flowing through the network and capture only the traffic of interest. For example, to monitor QoS on VoIP traffic, it may be necessary to capture only the VoIP traffic flowing between two endpoints.
The 'Record Only' application within PacketExpert™ 10G provides this filtering capability. It provides up to 16 filters that can operate in both directions at the full wire speed of 10 Gbps. Users can define different filter options on Ethernet, VLAN, MPLS, IP, UDP and TCP packet header fields, allowing full flexibility to capture only the required Ethernet/IP traffic types.
Important Features
'Record Only' application of PacketExpert™ 10G provides the following features:
- Network Tap - Port1 and Port2 of the PacketExpert™ 10G act as pass-through ports (or Span ports), allowing traffic to flow through them without affecting its flow.
- Wire-speed Filter and Capture - Traffic flowing through Port1 and Port2 can be filtered and captured based on highly flexible user defined filter criteria.
- Traffic Aggregation - Traffic from both directions, (P1 → P2) and (P2 → P1), is aggregated and temporarily stored in the onboard 8 GB DDR3 memory buffer for transfer to the host PC.
- Transfer to host PC and storage for Offline analysis - Onboard 8 GB buffer allows the traffic to be temporarily stored in it. This information can be transferred to the connected host PC through USB 2.0 connection, and saved to a file for later offline analysis by tools such as GL's PacketScan™ or the open source Wireshark®. Supported file formats are DAT (GL proprietary raw format), HDL (GL Proprietary format for offline analysis by GL's PacketScan™), PCAP (used by Wireshark®) and PCAP-NG (*.pcapng/.ntar - next generation Wireshark®) formats.
Filter Features:
- Up to 16 filters per port can be defined
- Each filter supports filtering on the following fields:
- Each field can be matched to a fixed value or a range of values
- The 16 filters can be combined in an 'OR' or an 'AND' combination
- Each of the 16 filters can be turned on or off at run time. A 'Not' option is available for each filter, with which the user can either capture packets that match the filter or capture all packets that do not match the filter. This can also be toggled at run time.
- Raw mode filter allows the user to define a filter as a raw 120-byte Hex value. Combined with an offset field, this mode allows users to set a raw 120-byte filter anywhere within the packet, even within the payload. Users can drill down to the bit level using a 120-byte Hex Mask.
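The filter behaviour listed above (offset plus masked raw value, per-filter 'Not' and on/off, 'AND'/'OR' combination) can be modelled in software to check a filter set against sample frames before a capture run. This is an added example, not GL's implementation: the names `RawFilter`, `capture` and `udp_frame` are hypothetical, the handling of short frames and of an all-disabled filter set is an assumption, and the frames are constructed.

```python
from dataclasses import dataclass
import struct

MAX_PATTERN = 120  # raw filter width stated on the page
MAX_FILTERS = 16   # filters per port stated on the page

@dataclass
class RawFilter:
    offset: int            # byte offset into the frame
    value: bytes           # bytes to compare
    mask: bytes            # 1-bits are compared, 0-bits are ignored
    negate: bool = False   # the per-filter 'Not' option
    enabled: bool = True   # per-filter on/off switch

    def __post_init__(self):
        if len(self.value) != len(self.mask) or not 0 < len(self.value) <= MAX_PATTERN:
            raise ValueError("value and mask must be equal length, 1..120 bytes")

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + len(self.value)]
        # Assumption: a frame too short to cover the pattern is a non-match.
        hit = len(window) == len(self.value) and all(
            (w & m) == (v & m) for w, v, m in zip(window, self.value, self.mask))
        return hit != self.negate

def capture(frame, filters, mode="AND"):
    """Return True if the frame would be captured under AND/OR combination."""
    if len(filters) > MAX_FILTERS:
        raise ValueError("at most 16 filters per port")
    results = [f.matches(frame) for f in filters if f.enabled]
    if not results:
        return True  # Assumption: with every filter off, nothing is filtered out.
    return all(results) if mode == "AND" else any(results)

def udp_frame(tos, dport):
    """Constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + struct.pack("!HHHH", 40000, dport, 8, 0)

IS_IPV4 = RawFilter(12, b"\x08\x00", b"\xff\xff")   # EtherType field
IS_UDP = RawFilter(23, b"\x11", b"\xff")            # IPv4 protocol field
DSCP_EF = RawFilter(15, b"\xb8", b"\xfc")           # top 6 bits of ToS; ECN bits ignored

VOICE = udp_frame(tos=0xB9, dport=16384)    # DSCP EF with an ECN bit set
BULK = udp_frame(tos=0x00, dport=16384)     # same flow shape, best-effort marking
```

The `DSCP_EF` filter shows the bit-level mask: the two ECN bits of the ToS byte are masked out, so `VOICE` still matches even though its ToS byte is 0xB9 rather than 0xB8.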
Capture Features:
- Capture traffic in both directions or in a single direction only
- Supported file formats are DAT (GL proprietary raw format), HDL (GL Proprietary format for offline analysis by GL’s PacketScan™), PCAP (used by Wireshark®) and PCAP-NG (*.pcapng/.ntar - next generation Wireshark®) formats.
- Capture at full wire speed up to 8 GB in size, as the capture is stored in the 8 GB onboard temporary buffer
- Capture a very large file (up to hard disk capacity) by filtering for the traffic of interest, which reduces the capture rate to below the USB 2.0 transfer rate (around 250 Mbps)
- Limit capture based on size (in Mbytes) or number of frames