Difference between revisions of "HowTo Configure and Run a Ring Buffer Capture Session Using: "nstringbufcap""
(→Overview) |
(→Overview) |
||
Line 6: | Line 6: | ||
This page will describe the use of the '''nstringbufcap''' script by way of example use cases. | This page will describe the use of the '''nstringbufcap''' script by way of example use cases. | ||
+ | |||
+ | == Mode: install == | ||
+ | |||
+ | <div class="screen"> | ||
+ | <div class="userInput"><span class="prompt">[root@probe ~]# </span>/usr/bin/nstringbufcap-m install -i fw0 -t dumpcap -d /opt/ringbufcap1 -s firewall -c fw --max-file-size 2000 --max-file-cnt 20 -v;</div> | ||
+ | <pre class="computerOutput"> | ||
+ | A new Ring Buffer dumpcap Capture session environment file was | ||
+ | created and installed: "/etc/nstringbufcap.d/firewall" | ||
+ | ========================================================================================= | ||
+ | |||
+ | firewall (dumpcap): Ring Buffer Capture Configuration Directory: "/etc/nstringbufcap.d" | ||
+ | ----------------------------------------------------------------------------------------- | ||
+ | /bin/ls -Al "/etc/nstringbufcap.d"; | ||
+ | total 4 | ||
+ | -rw-r--r-- 1 root root 479 Oct 19 17:03 firewall | ||
+ | |||
+ | Configuration: "firewall" | ||
+ | ----------------------------------------------------------------------------------------- | ||
+ | /bin/cat "/etc/nstringbufcap.d/firewall"; | ||
+ | # | ||
+ | # An nstringbufcap environment file (Installed on: Wed Oct 19 17:03:28 EDT 2016). | ||
+ | # | ||
+ | # Capture Tool: dumpcap | ||
+ | # | ||
+ | # Ring Buffer File Count: 20 | ||
+ | # | ||
+ | # Required Syntax: | ||
+ | # 1) Make sure the entire OPTIONS variable value is enclosed | ||
+ | # in double quotes ("). | ||
+ | # | ||
+ | # 2) Make sure the Ring Buffer directory (-w) and/or the Capture Filter | ||
+ | # expression (-f) parameters are enclosed in single quotes ('). | ||
+ | |||
+ | OPTIONS="-q -i fw0 -b filesize:2000 -b files:20 -w '/opt/ringbufcap1/fw.pcap'" | ||
+ | ========================================================================================= | ||
+ | </pre> | ||
+ | <div class="userInput"><span class="prompt">[root@probe ~]# </span></div> | ||
+ | </div> |
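Review bot: In the added userInput line the command reads "/usr/bin/nstringbufcap-m install", with no space between the script name and what is presumably the "-m" mode option, so pasting it would fail with a command-not-found error rather than produce the output shown; it should read "/usr/bin/nstringbufcap -m install ...". In the same block, the ls output documents the environment file as -rw-r--r-- root root, but nothing in the example shows the ownership or mode of the ring buffer directory /opt/ringbufcap1, which is where the captured packets are written; a line showing or stating the expected permissions of that directory would be worth adding.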
Revision as of 17:04, 19 October 2016
Overview
A new NST script, "nstringbufcap", has been developed with NST 24 for managing one or more network packet capture sessions that use a ring buffer storage mechanism. This capability allows one to capture network traffic both before and after a controlled event. Currently, an NST Network Interface Bandwidth Monitor 2 Threshold Pause State Notification Execs template, "/etc/nst/notifications/bwmon/tp_state_nstringbufcap_snapwuimerge.template", is provided for snapping a capture when a Pause event occurs. The NST WUI Single-Tap Network Packet Capture page can then be used for capture decode and analysis.
The nstringbufcap script has a specific mode for installing and configuring a ring buffer capture session. Once installed, a capture session can be started under the control of a systemd service. The life cycle of the capture session can then be controlled by an nstringbufcap mode that internally uses systemd control commands (i.e., systemctl). At any point in time, a snapshot capture can be taken to preserve captured network traffic packets.
This page will describe the use of the nstringbufcap script by way of example use cases.
Mode: install
    A new Ring Buffer dumpcap Capture session environment file was
    created and installed: "/etc/nstringbufcap.d/firewall"
    =========================================================================================

    firewall (dumpcap): Ring Buffer Capture Configuration Directory: "/etc/nstringbufcap.d"
    -----------------------------------------------------------------------------------------
    /bin/ls -Al "/etc/nstringbufcap.d";
    total 4
    -rw-r--r-- 1 root root 479 Oct 19 17:03 firewall

    Configuration: "firewall"
    -----------------------------------------------------------------------------------------
    /bin/cat "/etc/nstringbufcap.d/firewall";
    #
    # An nstringbufcap environment file (Installed on: Wed Oct 19 17:03:28 EDT 2016).
    #
    # Capture Tool: dumpcap
    #
    # Ring Buffer File Count: 20
    #
    # Required Syntax:
    #   1) Make sure the entire OPTIONS variable value is enclosed
    #      in double quotes (").
    #
    #   2) Make sure the Ring Buffer directory (-w) and/or the Capture Filter
    #      expression (-f) parameters are enclosed in single quotes (').

    OPTIONS="-q -i fw0 -b filesize:2000 -b files:20 -w '/opt/ringbufcap1/fw.pcap'"
    =========================================================================================
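The "Required Syntax" rules in the environment file above can be checked before a session is started. The following is an added example, not part of nstringbufcap or NST: the function name check_env and the sample text are constructed here, and it assumes dumpcap's documented behaviour that "-b filesize" is counted in kB.

```python
import re
import shlex

# Constructed sample: the OPTIONS line from the install output shown above.
SAMPLE = '''# Capture Tool: dumpcap
OPTIONS="-q -i fw0 -b filesize:2000 -b files:20 -w '/opt/ringbufcap1/fw.pcap'"
'''

def check_env(text):
    """Hypothetical checker: return (info, problems) for an environment file."""
    info, problems = {}, []
    m = re.search(r'^OPTIONS=(.*)$', text, re.MULTILINE)
    if not m:
        return info, ["no OPTIONS line found"]
    raw = m.group(1).strip()
    # Rule 1: the entire OPTIONS value is enclosed in double quotes.
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"' or '"' in raw[1:-1]:
        return info, ["OPTIONS value is not one double-quoted string"]
    body = raw[1:-1]
    # Rule 2: the -w path and -f filter arguments start with a single quote.
    for flag in ("-w", "-f"):
        for hit in re.finditer(r"(?<!\S)%s\s+(\S)" % flag, body):
            if hit.group(1) != "'":
                problems.append("%s argument is not single-quoted" % flag)
    try:
        tokens = shlex.split(body)  # also catches an unclosed single quote
    except ValueError as exc:
        return info, problems + ["unbalanced quoting: %s" % exc]
    # Collect the settings that decide where captures go and how much is kept.
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-b" and ":" in arg:
            key, _, value = arg.partition(":")
            info[key] = value
        elif flag in ("-i", "-w", "-f"):
            info[flag] = arg
    size, count = info.get("filesize", ""), info.get("files", "")
    if size.isdigit() and count.isdigit():
        # dumpcap counts filesize in kB: approximate retained maximum in kB.
        info["max_kB"] = int(size) * int(count)
    else:
        problems.append("ring buffer is not bounded by filesize and files")
    return info, problems

if __name__ == "__main__":
    print(check_env(SAMPLE))
```

For the file shown above this reports no problems and a retained maximum of about 40000 kB, which is the amount of traffic history available when a snapshot is taken.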