Difference between revisions of "HowTo Configure and Run a Ring Buffer Capture Session Using: "nstringbufcap""


Revision as of 17:05, 19 October 2016

Overview

A new NST script, "nstringbufcap", was developed with NST 24 for managing one or more network packet capture sessions that use a ring buffer storage mechanism. This capability makes it possible to capture network traffic both before and after a controlled event. Currently, an NST Network Interface Bandwidth Monitor 2 Threshold Pause State Notification Execs template, "/etc/nst/notifications/bwmon/tp_state_nstringbufcap_snapwuimerge.template", is provided for snapping a capture when a Pause event occurs; the NST WUI Single-Tap Network Packet Capture page can then be used to decode and analyze the capture.

The nstringbufcap script has a specific mode for installing and configuring a ring buffer capture session. Once installed, a capture session can be started under the control of a systemd service. The life cycle of the capture session can then be controlled by an nstringbufcap mode that internally uses systemd control commands (i.e., systemctl). At any point in time, a snapshot capture can be taken to preserve the captured network traffic packets.

This page will describe the use of the nstringbufcap script by way of example use cases.

Mode: install

[root@probe ~]# /usr/bin/nstringbufcap -m install -i fw0 -t dumpcap -d /opt/ringbufcap1 -s firewall -c fw --max-file-size 2000 --max-file-cnt 20 -v;

A new Ring Buffer dumpcap Capture session environment file was
created and installed: "/etc/nstringbufcap.d/firewall"
=========================================================================================

firewall (dumpcap): Ring Buffer Capture Configuration Directory: "/etc/nstringbufcap.d"
-----------------------------------------------------------------------------------------
/bin/ls -Al "/etc/nstringbufcap.d";
total 4
-rw-r--r-- 1 root root 479 Oct 19 17:03 firewall

Configuration: "firewall"
-----------------------------------------------------------------------------------------
/bin/cat "/etc/nstringbufcap.d/firewall";
#
# An nstringbufcap environment file (Installed on: Wed Oct 19 17:03:28 EDT 2016).
#
# Capture Tool: dumpcap
#
# Ring Buffer File Count: 20
#
# Required Syntax:
#   1) Make sure the entire OPTIONS variable value is enclosed
#      in double quotes (").
#
#   2) Make sure the Ring Buffer directory (-w) and/or the Capture Filter
#      expression (-f) parameters are enclosed in single quotes (').

OPTIONS="-q -i fw0 -b filesize:2000 -b files:20 -w '/opt/ringbufcap1/fw.pcap'"
=========================================================================================

[root@probe ~]#
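As an added example (not part of nstringbufcap or the NST Wiki), the shell functions below read an environment file in the format the install mode writes, check the two "Required Syntax" rules documented in the generated file, and report the ring buffer's worst-case disk footprint and target directory before the systemd service is started. The sample file is constructed here to mirror /etc/nstringbufcap.d/firewall shown above.

```shell
#!/bin/bash
# Added example: pre-flight checks for an nstringbufcap environment file.

# Constructed sample environment file, modelled on /etc/nstringbufcap.d/firewall.
SAMPLE_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
# An nstringbufcap environment file (constructed sample for this example).
OPTIONS="-q -i fw0 -b filesize:2000 -b files:20 -w '/opt/ringbufcap1/fw.pcap'"
EOF

# Print the OPTIONS value, i.e. the text between the outer double quotes.
options_value() {
    sed -n 's/^OPTIONS="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# Return 0 when the file follows the "Required Syntax" rules: the whole OPTIONS
# value is double-quoted and the -w path (and any -f filter) is single-quoted.
check_env_syntax() {
    local opts
    opts="$(options_value "$1")"
    if [ -z "$opts" ]; then
        echo "OPTIONS must be a single double-quoted value" >&2; return 1
    fi
    case "$opts" in
        *"-w '"*"'"*) ;;
        *) echo "-w path must be enclosed in single quotes" >&2; return 1 ;;
    esac
    case "$opts" in
        *" -f '"*"'"*|*" -f "*) ;;   # either quoted, or no -f at all (next line)
    esac
    case "$opts" in
        *" -f "*) case "$opts" in *" -f '"*) ;; *) echo "-f filter must be single-quoted" >&2; return 1 ;; esac ;;
    esac
}

# Worst-case ring buffer footprint in kB (the unit of "-b filesize:N"):
# N kB per file times the "-b files:M" file count.
ringbuf_footprint_kb() {
    local opts size cnt
    opts="$(options_value "$1")"
    size="$(printf '%s\n' "$opts" | sed -n 's/.*-b filesize:\([0-9]*\).*/\1/p')"
    cnt="$(printf '%s\n' "$opts" | sed -n 's/.*-b files:\([0-9]*\).*/\1/p')"
    [ -n "$size" ] && [ -n "$cnt" ] || return 1
    echo $((size * cnt))
}

# Directory dumpcap will write into; check it exists and has room beforehand.
ringbuf_dir() {
    local path
    path="$(options_value "$1" | sed -n "s/.*-w '\([^']*\)'.*/\1/p")"
    [ -n "$path" ] || return 1
    dirname "$path"
}

check_env_syntax "$SAMPLE_ENV" && echo "ok: up to $(ringbuf_footprint_kb "$SAMPLE_ENV") kB in $(ringbuf_dir "$SAMPLE_ENV")"
```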