Issues related to installation, running, bugs, and features.

TOPIC: Packet Capture settings

Packet Capture settings 10 years 11 months ago #1470

How do we change the setting on how long and how much Trisul captures packets? It seems now that it will capture packets for the last 15 min in flow.

We want to capture all flows for the last hour (the first 10 MB) ?

OR at least ftp traffic for the day?
The administrator has disabled public write access.

Packet Capture settings 10 years 11 months ago #1471

  • admin [unleash]
Hello,

The default setting is: it will capture and store everything.

Here is how you'd change it. Make sure you restart Trisul after changing it.

To store the first 10 MB of all flows.

1. Change <DefaultMode>FLOWCAP10M</DefaultMode> in trisulConfig.xml

For more see trisul.org/docs/ug/caps/packetstorage.html

To save only FTP packets

1. Change DefaultMode to IGNORE
2. Set Rule Mode=FULL to <Rule Mode=FULL>{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}=p-0014,p-0015</Rule>

The magic string is nothing but "counter guid"=port1,port2,.... You can use any filter this way. See Trisul Filter Format for more: trisul.org/docs/ref/trisul_filter_format.html

To change retention (number of days or total GB/day)

You would need a license to expand the storage policy. You can however play with the above settings to tune and push the free version to its limits. For example you can only store the first 1MB of each flow, not store trusted flows like backups, etc.

If you run

We'd be delighted if you would pick up a license of course :-)

Thanks,

Unleash Networks
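
Added example, not part of the thread and not Trisul's own code: a Python helper that builds and parses the "counter guid"=port1,port2 filter string described in the reply above, so a capture rule can be generated and audited from plain port numbers. It assumes each port key is "p-" plus the port as four uppercase hex digits (inferred from FTP ports 20 and 21 appearing as p-0014 and p-0015); all function names are hypothetical.

```python
import re

# Counter GUID copied from the reply above (used there with port keys).
PORT_COUNTER_GUID = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}"

_KEY_RE = re.compile(r"^p-([0-9A-Fa-f]{4})$")
_FILTER_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})=(.+)$")


def port_to_key(port):
    """Assumed encoding: 'p-' plus the port as 4 hex digits (20 -> p-0014)."""
    if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 0xFFFF:
        raise ValueError(f"not a valid TCP/UDP port: {port!r}")
    return f"p-{port:04X}"


def key_to_port(key):
    """Decode one port key back to its decimal port number."""
    m = _KEY_RE.match(key.strip())
    if not m:
        raise ValueError(f"not a port key: {key!r}")
    return int(m.group(1), 16)


def build_filter(guid, ports):
    """Return '<counter guid>=key1,key2,...' for a de-duplicated, sorted port list."""
    if not ports:
        raise ValueError("at least one port is required")
    return guid + "=" + ",".join(port_to_key(p) for p in sorted(set(ports)))


def parse_filter(text):
    """Split a filter string into (guid, [ports]) so an existing rule can be audited."""
    m = _FILTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a '<guid>=keys' filter: {text!r}")
    return m.group(1), [key_to_port(k) for k in m.group(2).split(",")]


def build_rule(mode, guid, ports):
    """Wrap the filter in the Rule element exactly as it is written in the reply."""
    return f"<Rule Mode={mode}>{build_filter(guid, ports)}</Rule>"


if __name__ == "__main__":
    print(build_rule("FULL", PORT_COUNTER_GUID, [21, 20]))  # FTP control + data
    print(parse_filter(PORT_COUNTER_GUID + "=p-0014,p-0015"))
```

Decoding an existing rule with parse_filter before restarting Trisul is a quick check that the ports being kept are the ones intended.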

Packet Capture settings 10 years 11 months ago #1476

So what is the retention policy? (3 days?) Because when we pick "flow" that is even 1 hr old it gives us an error that it doesn't have it anymore? Is this because of disk space? How do we find out why we are getting this error?

Packet Capture settings 10 years 11 months ago #1479

Hi,

Can you go to Admin > Start/Stop Tasks > System Statistics ?
What is the size of the "Raw packet slices" ?

Can you also tell me the Trisul version you are running, it's on the login page.

The packets are capped at 10GB I believe. Let me get back to you if that is per-day or for all 3 days total.

Thanks,
Vivek R
Unleash Networks
Support : www.unleashnetworks.com/forums

Packet Capture settings 10 years 11 months ago #1480

Version 2.6.1012, 2.6.1210 »

trisul-badfellas-2.6.481
trisul-urlfilter-2.6.480


I have attached a screenshot ... ( I tried but it wouldn't attach :-/ )

Is there a way to expand it ... or does that require a license (which I am working on trying to get BTW :-) )



Disk usage statistics

Size of dat slices 2.57 GB

Size of raw packet slices 9.71 GB
Disk status output

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/sec--onion--ubuntu--10-root 1.1T 911G 104G 90% /
udev 16G 4.0K 16G 1% /dev
tmpfs 6.3G 300K 6.3G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 16G 0 16G 0% /run/shm
/dev/cciss/c0d0p1 228M 163M 54M 76% /boot

CPU Usage Status

cpu 105916043 161288 27603988 884413997 10721231 4493 1686755 0 0 0
cpu0 10051529 18812 5307123 109827807 2075275 2124 630365 0 0 0
cpu1 10823675 17400 8938209 104551690 2085572 2257 983355 0 0 0
cpu2 12755397 19258 737586 115346615 553716 7 8050 0 0 0
cpu3 13583945 25051 862263 113466419 1364783 5 23142 0 0 0
cpu4 14742081 17700 3929237 109096570 1159037 8 4656 0 0 0

Process information

PID %CPU ELAPSED TIME USER COMMAND %MEM
20829 23.8 4-19:57:14 1-03:37:30 trisul trisul 1.2
Last Edit: 10 years 11 months ago by mmuser.

Packet Capture settings 10 years 11 months ago #1483

  • admin [unleash]
Hi,

Can you type this command
sudo trisul --machineid 

and send the output to info at unleashnetworks dot com

We will send you a license upping the limit to 60G.

Thanks,
Moderators: vivek [unleash]