Capture management

IOTA 10 CORE+ features two 10G SFP+ capture interfaces ([1] [2] in the image above), and can capture 10G traffic from both of these interfaces at the same time, either in in-line mode or out-of-band.

The Capture Interfaces tab displays the state and statistics of the capture interfaces.

The Capture Interface Configuration section allows you to change the mode of the capture interfaces between in-line and out-of-band (SPAN).

• In in-line mode, traffic is transmitted between both capture ports: devices connected through ports A and B can communicate, and traffic will be captured in both directions.
• In SPAN mode, the connection between ports A and B is severed: traffic is only received (and captured), on either or both ports.

The Timestamp Synchronization section provides information and controls for timestamping.

• Current Source: Time source currently used for timestamp synchronization.
• Last Sync Time: Snapshot of the timestamping time (UTC).
• Capture Time Source: Time source used to initialize the capture time. If System Time is selected, the settings on the Administration > Setup page will be used, unless the device is receiving time information on the PTP port, in which case PTP will supercede other time sources. If GPS Time is selected, the system will wait for a lock before starting the capture.
• Synchronization Source: Priority system to select the order in which the device will check the time sources to use for the timestamp clock synchronization (clock disciplining). Each source can be enabled or disabled. When disabled, the source will be ignored for clock synchronization.

The right side of the Timestamp Synchronization section displays the current state of the different time synchronization sources. These are updated independently from the priority configuration and provide an overview about their state.

Note: For the best results, the GPS antenna should be set up outside, or near a window. Other factors can affect results, such as weather, cloudiness, and geographical location in regards to satellite availability.

The Traffic Analysis tab provides controls for the capture and analysis of traffic.

The Analysis Session section displays the capture state and statistics, and allows you to start and stop the capture via the Start Capture/Stop Capture button. The Session Name field allows you to change the name of the capture session. When a capture is in progress, the Session Identifier displays an identifier for the current capture session, based on the start time of the capture.

The use of capture sessions will allow to join traffic incoming from different sources in a single metadata domain, enabling the use of the device at the core of your visibility infrastructure. Metadata on certain analysis dashboards will be able to be filtered based on capture session name and capture session start time.

The Traffic Analysis Settings section allows you to configure the following traffic analysis options:

• Flows Time Sampling Period: Sampling period used to create traffic metadata entries in the device storage. Lower values allow more detailed traffic analysis but it will increase storage usage.
• VLAN/MPLS Correlation: If enabled, VLAN tags and MPLS labels will be used to identify traffic flows. If disabled, they will be ignored.
• Packet Re-ordering: Enabling TCP packets reordering will improve application detection but it may impact traffic timing and metrics evaluation.
• TCP Performance Analysis: When enabled, the analysis engine will generate TCP performance metrics. This may impact analysis performance.
• DNS Performance Analysis: When enabled, the analysis engine will generate DNS performance metrics. This may impact analysis performance.
• HTTP Performance Analysis: When enabled, the analysis engine will generate HTTP performance metrics. This may impact analysis performance.
• RTP Performance Analysis: When enabled, the analysis engine will generate RTP performance metrics. This may impact analysis performance.

The Hostnames, Host Groups and Custom Applications sections allow you to define custom resolutions to be displayed in the analysis dashboards.

• Hostnames: Resolves singular IP addresses to a hostname.
• Host Groups: Tags any IP address within a subnet with the specified group name.
• Custom Applications: Tags flows matching a destination IP, protocol and port number with the specified application name.

Note: Hostnames and Host Groups are resolved at query time (i.e. when using the analysis dashboards), while Custom Applications are resolved at analysis time (i.e. when the traffic is first analyzed).

The Data Storage tab provides controls for the filtering and storage of captured traffic.

The Storage Management section allows you to define the allocation of storage for Metadata (extracted from observed traffic and used in the analysis dashboards) and Packet Capture (raw captured data), and to control the cleanup of stored data.

Click and drag the slider to change the storage allocation. The used and total allocated storage for metadata and for packet capture are displayed below the slider, on the left and right respectively. Further below, a time estimation of the available storage when capturing is displayed when available.

The cleanup of previously captured data is done by defining a start time and end time for the data to delete, then clicking the Delete Metadata button to remove metadata extracted from captured traffic, the Delete Packet Capture button to remove raw captured data, or the Delete All Data button to remove both.

The Packet Capture Statistics section provides statistics about the packet capture, with Stored Packets referring to packets allowed to be captured by the defined filters, Removed Packets to packets filtered out, and Dropped Packets packets dropped by the capture interfaces. The Reset Statistics button resets these statistics.

The Packet Capture Filters section allows you to define filters for traffic capture. This only affects the capture of raw data and has no effect on the metadata used for the analysis dashboards.

The Default Policy can be set to Allow, Drop, or Slice:

• Allow will capture all traffic by default, in which case Drop filters can be used to filter out specific traffic.
• Drop will not capture any traffic by default, in which case Allow filters should be defined to capture specific traffic.
• Slice will capture packets truncated to the size specified in the Preserved Bytes field.

Each filter has its own policy, and can be set as an Allow, Drop, or Slice filter, to capture, filter out, or packet slice traffic matching that filter.

Filter priority can be defined on the filter window, or by clicking the up and down arrows in the list of filters, with a lower number corresponding to a higher priority. This can be used to create exception cases within drop or allow filters.

The possible filtering options are as follows:

• Ethernet Layer
  Only frames matching MAC details configured in this section will be targeted (Source/Destination MAC Address, Source/Destination MAC Mask), with the possibility to select the Packet Type (ARP, IPv4, IPv6, TCP (IPv4/6), UDP (IPv4/6), SCTP (IPv4/6), Custom Protocol (IPv4/6), or any).
• IPv4/IPv6 Layer
  When IPv4/IPv6 is selected, the system will filter for any packet of those types. In order to filter for the IPv4/IPv6 details, the user needs to fill in the related fields (Source/Destination IP Address, Source/Destination IP Mask). The Protocol setting is only configurable for IPv4/IPv6, allowing the user to restrict the traffic to a specific type of L4 header (TCP, UDP, SCTP, ICMP, IGMP). Any allows entering a custom protocol value or setting no filter for L3 headers.
• TCP/UDP/SCTP Layer
  When TCP/UDP/SCTP is selected in Packet Type or Protocol, a range of source and destination ports can be defined in this section.
• VLAN Tags
  Can be used for filtering on outer/inner VLAN by defining a range of inner and outer VLAN IDs. Both ranges cannot overlap.