User manual CACE TECHNOLOGIES SHARK APPLIANCE 10-2010

[. . . ] User Manual THE SHARK DISTRIBUTED MONITORING SYSTEM PUBLISHED BY CACE Technologies, Inc. 1949 5th Street, Suite 103 Davis, CA 95616 Copyright © 2010 CACE Technologies, Inc. No part of the contents of this manuscript may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Wireshark and the Wireshark icon are registered trademarks of Wireshark Foundation, Inc. [. . . ] The form has two tabs: Packet Recording Parameters and Trending/Indexing Parameters. We will consider the Packet Recording Parameters in this section and the Trending/Indexing Parameters in the following section. Figure 12: Adding a Capture Job There are a number of configuration parameters that need to be set when creating a Capture Job: Job Description. Provide a descriptive name for the Capture Job. This will help in identifying the Capture Job since this name will appear in both the Pilot Console's Devices and Files source panels. The Capture Job takes traffic from a live interface and records it to disk. The available live interfaces appear in the drop-down list. Start Blink is used to quickly identify the hardware capture port on the Shark Appliance BPF Filter. A BPF filter can be provided to select a subset of the traffic for capturing. For example, the BPF filter "src host 172. 18. 5. 4" will only capture the packets with source IP address 172. 18. 5. 4 Packet Portion to Capture (snaplen) is used to put an upper bound on the amount of bytes saved for each packet ­ at most the first (snaplen) bytes from each packet are saved. Start/Stop criteria for a Capture Job o Absolute Start/Stop. The first check box can be used to specify absolute start time for the Capture Job and the second check box can be used to specify an absolute stopping time for the Capture Job Shark Appliance User Manual Page 14 Stop Capturing after. These check boxes can be used to specify stopping conditions based on size of the Capture Job in terms of megabytes or number of packets. Capture duration can also be used as a stopping condition. These parameters are used to limit the maximum amount of storage used by the Capture Job. Once a limit is reached, then the oldest packets are discarded so as to not exceed the limit. If more than one condition is chosen, then the most stringent condition is applied. o Note: When multiple conditions have been selected the most stringent condition is the controlling condition. For example, if an absolute time stopping condition and a stopping condition based on the number of captured packets are selected, then the first condition to be satisfied will stop the capture job. Trending/Indexing Parameters In this section we describe the use of Trending/Indexing Parameters. Figure 13: Trending/Indexing Parameters Before we describe the Trending/Indexing Parameters, we present a simplified version of the underlying computation performed by the Pilot Probe when the Trending/Indexing is enabled. For each packet, the Conversation Identifier consists of the 5-tuple: 1. Source IP address Shark Appliance User Manual Page 15 2. 5. Source Port Destination IP address Destination Port IP Protocol When the Trending/Indexing is enabled, the Pilot Probe computes the sum of the total bytes and packets for each unique conversation identifier in the traffic stream for each second. This information is stored in a file and is referred to as Trending/Indexing Data. Example Suppose that the incoming traffic stream consists of the following packets over the first three seconds: Second 1: packet 1, packet2, packet3 Second 2: packet4, packet5 Second 3: packet6, packet7, packet8, packet9 Traffic Recording Pkt. [. . . ] CanApplyViewsOnInterfaces: if set to true, allows the user or the group to apply views to the network interfaces on the Shark Appliance. CanCreateFiles: if set to true, the user or the group can create files on the Shark Appliance, by selecting the "send to file" buttons in the Pilot Console. CanImportFiles: if set to true, the user can import files into the Shark Appliance, through drag and drop or by clicking on the "Import Files Into Shark Appliance" button in the Remote ribbon. Shark Appliance User Manual Page 30 CanExportFiles: if set to true, allows the user to export files from the Shark Appliance, and move them to the Pilot Console or to another Shark Appliance (assuming the user has sufficient privilege on the target Shark Appliance to create a trace file). [. . . ]