WireSpeed Packet Capture and Playback Tool
Welcome to another February 2014 issue of GL Communications' Newsletter providing information and insight into our enhanced PacketExpert™ - An Ethernet/IP Testing Tool with WireSpeed Ethernet Packet Capture and Playback application.
Overview
PacketExpert™ is a portable (USB based) Quad Port Ethernet / VLAN / MPLS / IP / UDP Tester with 4 Electrical (10/100/1000 Mbps) and 2 Optical Ports (1000 Mbps). Each GigE port provides independent Ethernet/VLAN/MPLS/IP/UDP testing at WireSpeed for applications such as BERT, RFC 2544, IP Link Simulation and Loopback.
Enhanced PacketExpert™ with Record/ Playback application is designed for (optical or electrical interfaces for up to 1 Gb/s) high-precision
- WireSpeed Packet Filter
- WireSpeed Packet Capture & Aggregation
- WireSpeed Packet Traffic Generation
The application supports WireSpeed filtering and capturing on multiple ports and traffic aggregation (packets filtered from multiple ports are aggregated as a single stream and saved to hard disk for offline analysis). PacketExpert™ with Record/ Playback also supports WireSpeed multi-port transmission (playback) of recorded traffic with high precision reproduction of the recorded timestamps.
New optical SFP module Information display provides SFP information like Connector Type, Link Length, Tx Power, Rx Power, Status etc.
The Record to File application with the powerful "WireSpeed Packet Filter" allows user to filter out unwanted traffic, and continuously capture the traffic of interest, and the limitation being only the hard disk size and the disk write speed.
The enhanced Packet Filter feature provides two modes for editing filters - Raw Mode and Packet Mode. Raw Mode provides maximum flexibility in defining the filter, whereas Packet Mode provides user convenience to edit individual header fields. In Raw Mode, each bit anywhere within the packet can be set/reset for filtering. Packet Mode allows user to edit MAC, VLAN (up to 3 levels), MPLS (up to 3 levels), IP and UDP/TCP headers and also the payload field.
Timestamp precision for file capture/playback is increased from Microsecond to Nanosecond. Now captured file will have the timestamp recorded in nanosecond precision. While playing back the file, the nanosecond timestamp recorded in the file is maintained for each packet. For both, the accuracy is maintained within 10s of nanoseconds.
Support for PCAP-NG (Next generation pcap) format has been added. This is the new format used by Wireshark®. This new format supports important enhancements like nanosecond time resolution and interface information (like the captured port number).
Recording has been enhanced with the option for limited Lossless Capture/Continous Capture. In Lossless Capture, the recording stops automatically when the Onboard 2 GB buffer fills up. In Continous Capture, the recording continues even after the Onboard buffer is full with discontinuous recording indication.
Enhanced Playback application now supports the "As per File" option. This option allows user to precisely regenerate the traffic from a pre recorded file i.e. traffic is transmitted at the precise rate at which it was captured (by maintaining the recorded timestamps). And the packets are sent out on the same port as they were captured.
Now there is also a report generation capability for Record and Playback application.
WireSpeed Packet Capture
The application allows continuous or limited capture of Ethernet packets using the 2 optical or electrical GigE ports. The captured packets are aggregated and stored temporarily on the 2 GB Onboard memory buffer, before being transferred to the host via the USB 2.0 interface at run time and stored on the host PC’s hard disk. The capture can either run continuously or be limited to a specified file size (MB), number of packets, or specified time duration.
Some of the important Features
- Capture on 1, 2 or 3 ports simultaneously at WireSpeed on either Electrical or Optical interface
- WireSpeed capture can be accomplished utilising the Onboard DDR2 memory size of 2GB
- Continous capture can be accomplished for lower rate traffic, as the captured packets are transferred in real time to the host via USB 2.0, and stored on the hard disk. The limit for capture is only the hard disk size.
- Supported output file formats are pcap (wireshark format), pcapng/ntar (next generation wireshark formats), hdl (GL proprietary format used by GL PacketScan™) and dat (GL proprietary format used to store captured data). High precision timestamp is recorded along with the packet. Precision upto 10s of nanoseconds possible.
- WireSpeed filter to capture only traffic of interest
WireSpeed Packet Filter
The Record to File feature includes a powerful "WireSpeed Packet Filter" that allows user to filter out unwanted traffic, and continuously capture the traffic of interest, the limitation being only the hard disk size and the disk write speed.
Some of the important Features
- Filter simultaneously on 2 ports with 40 bytes deep filter per port (for Record Only module) or on 3 ports with 16 bytes deep filter (for Record and Playback module) and set filter on any one of the ports or all ports
- Up to 16 filters can be defined per port. Each filter is up to 40/16 bytes wide
- Offset can be specified per filter so that the filter can be set anywhere within the packet, including the payload.
- Packet filtering can be based on all Layer 2 (Ethernet), Layer 3 (IP) Layer 4 (UDP/TCP) Headers and also the payload
- Raw Mode Filter editing allows user great flexibility - each bit in the filter can be edited and set to be filtered or not.
- Packet Mode Filter editing allows user to define values for specific fields within MAC/VLAN/MPLS/IP/UDP/TCP headers.
- Allows combining multiple filters using "AND" and "OR" conditions
- Allows to accept or reject the packet on filter match
- Provides detailed statistics like the number of packets matched to each filter.
As depicted below, in Raw Mode, user can edit individual bit within the filter and its mask. In Packet Mode, user can define the Layer structure (Protocol Stack) of the packet, define the offset and edit individual field's data/mask.
WireSpeed Packet Playback
The application allows continuous or limited playback of Ethernet traffic from a prerecorded file. For limited playback, a prerecorded traffic file up to 2 GB in size can be transferred and stored temporarily on the Onboard memory. The traffic file is then played back "As is" i.e. the packets will be sent out at exactly the same rate at which it was captured,which is achieved by maintaining each packet’s transmission time within 10s of nanoseconds of the recorded per packet timestamp, thus faithfully reproducing highly precise Inter Frame Gaps. Also, the packets are sent out from the same ports on which they were captured. The application has the capability to do WireSpeed transmission on up to 3 ports simultaneously.
WireSpeed Packet Playback application also supports continuous playback - where packets are continuously transferred to the hardware from a file on the disk, and transmitted. Since the packets are transmitted via USB 2.0, the overall rate is limited to the USB 2.0 transfer rate. The Playback can also limited to a specified file size (MB), number of packets, or specified time duration.
Some of the important Features
- Playback on 1, 2 or 3 ports simultaneously at WireSpeed on either Electrical or Optical ports
- Generates traffic at the exact rate at which it was captured. This is achieved by maintaining the transmission time within 10s of nanoseconds of the recorded timestamp with the Playback "As Per File" option
- Supported file formats are pcap (wireshark format), pcapng/ntar (next generation wireshark formats), hdl (GL proprietary format used by GL PacketScan™) and dat (GL proprietary format used to store captured data).
- WireSpeed transmission can be accomplished by utilising the Onboard DDR2 memory size of 2GB
- Continuous playback can be accomplished for lower rate traffic, as the transmitted packets are stored on the hard disk, and are transferred at run time to the Onboard memory via USB 2.0. The limit for the transmitted file is only the hard disk size.
Applications
- Capture WireSpeed traffic on multiple ports in the field for later offline analysis in the lab
- Troubleshoot isolated network problems - get specific traffic from the total traffic by filtering the WireSpeed traffic and capturing only the traffic of interest. E.g. filter a single VoIP call out of thousands of VoIP calls, and capture traffic for that single VoIP call.
- Precisely recreate real world traffic conditions in the lab using the playback feature. E.g. Capture traffic for thousands of VoIP calls and recreate them in the lab.
- Setup complex capture scenarios using the powerful and flexible filters. E.g. Capture only HTTP packets from a set of Source and Destination IP Addresses and reject all other packets.
- Run long term capture of huge amount of data by filtering and lowering the traffic rate and continuously capturing. E.g. Filter/Capture all the traffic between 2 IP Addresses for 1 month. Applying the filter reduces the capture rate so that it can be transferred in real time to the host’s hard disk. The capture can run continuously as the captured data is stored on a file on the hard disk. The limitation for the capture in this case is the hard disk capacity itself.
- Generate real world background (bursty and unpredictable) traffic to load switches/routers etc. while the actual test is running in the foreground. E.g. while running BERT/RFC 2544 testing on a switch/router, playback a real world captured traffic file on other ports to load the switch/router with realistic background traffic i.e.bursty and unpredictable traffic.