If we start the software, the Log view is the default window.
The log level can be set through a drop-down list; the default value is defined in the INI file.
If no INI file exists, the default value is "Normal".
To search in the log entries, there is a text-field next to the drop-down list.
The next button applies the text search and shows the next match.
Each entry has a category, which is represented by the following icons:
Information about the operation
Warning: a probably unplanned event occurred
Error: unplanned error during operation
The "INet view" window shows counters for the overall operations. There are four sections:
General
Result details
Runtime
Buffer
Counter in the "General" section
Current message time: The time stamp of the current message
Counters in the "Result details" section
Ethernet frames: Count of Ethernet frames
IPv4 messages: Count of IPv4 messages
IPv6 messages: Count of IPv6 messages
UDP messages: Count of UDP messages
TCP messages: Count of TCP messages
SCTP messages: Count of SCTP messages
Counters in the "Runtime" section
Input runtime: Percentage of IP processing runtime
Protocol selection runtime: Percentage of protocol selection runtime
Ethernet runtime: Percentage of Ethernet processing runtime
IP runtime: Percentage of IP processing runtime
UDP runtime: Percentage of UDP processing runtime
TCP messages: Percentage of TCP processing runtime
SCTP runtime: Percentage of SCTP processing runtime
Post-process/output runtime: Percentage of post-processing and outputting runtime
Counters in the "Buffer" section
Internal bufferload: Percentage of buffer load between IP and transport layer assemblers
The "IPv4 view" window shows counters about IPv4 message reassembly. There are three sections:
General
Traffic details
Result details
Counters in "General" section:
Current message time: Time stamp of the last processed message.
Effective traffic: Ratio of output messages and input IP packets data size
Fragmentation ratio: Ratio of assembled fragmented packets and all packets
Counters in "Traffic details" section:
Incoming bytes: Count of incoming IP layer bytes
Incoming messages: Count of incoming messages
Incoming payload: Count of incoming upper layer data bytes
Bytes under processing: Bytes of data under processing
Messages under processing: Count of messages under processing
Outgoing bytes: Count of outgoing bytes
Outgoing messages: Count of outgoing messages
Counters in "Result details" section:
Fragmented messages: Count of fragmented messages
Non-fragmented messages: Count of non-fragmented messages
Duplicated messages: Count of duplicated messages
Incomplete messages: Count of messages with fragments missing
Messages with checksum error: Count of messages for which header checksum validation failed
Non IP messages: Count of non IP messages
IP processing errors: Count of messages with invalid IP header
Lost messages: Count of messages lost due to insufficient memory
The "IPv6 view" window shows counters about IPv6 message reassembly. There are three sections:
General
Traffic details
Result details
Counters in "General" section:
Current message time: Time stamp of the last processed message.
Effective traffic: Ratio of output messages and input IP packets data size
Fragmentation ratio: Ratio of assembled fragmented packets and all packets
Counters in "Traffic details" section:
Incoming bytes: Count of incoming IP layer bytes
Incoming messages: Count of incoming messages
Incoming payload: Count of incoming upper layer data bytes
Bytes under processing: Bytes of data under processing
Messages under processing: Count of messages under processing
Outgoing bytes: Count of outgoing bytes
Outgoing messages: Count of outgoing messages
Counters in "Result details" section:
Fragmented messages: Count of fragmented messages
Non-fragmented messages: Count of non-fragmented messages
Duplicated messages: Count of duplicated messages
Incomplete messages: Count of messages with fragments missing
Messages with checksum error: Count of messages for which header checksum validation failed
Non IP messages: Count of non IP messages
IP processing errors: Count of messages with invalid IP header
Lost messages: Count of messages lost due to insufficient memory
The "UDP view" window shows counters about UDP message reassembly. There are three sections:
General
Traffic details
Result details
Counters in "General" section:
Current message time: Time stamp of the last processed message.
Effective traffic: Ratio of output messages and input UDP packets data size
Counters in "Traffic details" section:
Incoming bytes: Count of incoming transport layer bytes
Incoming messages: Count of incoming messages
Outgoing bytes: Count of outgoing bytes
Outgoing messages: Count of outgoing messages
Counters in "Result details" section:
Non UDP messages: Count of non UDP messages
UDP processing errors: Count of messages with invalid UDP header
Checksum errors: Count of messages with failed checksum
Lost messages: Count of messages lost due to insufficient memory
The "TCP view" window shows counters about TCP stream reassembly. There are three sections:
General
Traffic details
Result details
Counters in "General" section:
Current message time: Time stamp of the last processed message.
Effective traffic: Ratio of output stream and input packets data size
Active sessions: Count of sessions active
All sessions: Count of all sessions that have existed since start
Stream parts assembled: Count of separate stream parts assembled
Counters in "Traffic details" section:
Incoming bytes: Count of incoming bytes
Incoming messages: Count of incoming messages
Bytes under processing: Bytes of data under processing
Messages under processing: Count of messages under processing
Outgoing bytes: Count of outgoing bytes
Outgoing messages: Count of outgoing messages
Counters in "Result details" section:
Non TCP messages: Count of non TCP messages
TCP control messages: Count of TCP flow traffic messages
TCP processing errors: Count of messages with invalid TCP header
Checksum errors: Count of messages with failed checksum
Lost messages: Count of messages lost due to insufficient memory
Out of sync messages: Count of messages with out of sync sequence number
Retransmitted messages: Count of retransmitted messages
Timed out messages: Count of messages timed out without acknowledgement
Fragmented messages: Count of messages fragmented on lower layers
The "SCTP view" window shows counters about SCTP message reassembly. There are three sections:
General
Traffic details
Result details
Counters in "General" section:
Current message time: Time stamp of the last processed message.
Effective traffic: Ratio of output messages and input SCTP packets data size
Fragmentation ratio: Ratio of fragmented and non-fragmented messages.
Active associations: Count of active associations (data transfer between two end-points)
All associations: Count of all associations that have existed since start
Active logical streams: Count of active logical streams
All logical streams: Count of all logical streams that have existed since start
Counters in "Traffic details" section:
Incoming bytes: Count of incoming transport layer bytes
Incoming messages: Count of incoming messages
Incoming chunks: Count of incoming chunks
Incoming payload: Count of incoming upper layer data bytes
Bytes under processing: Bytes of data under processing
Messages under processing: Count of messages under processing
Outgoing bytes: Count of outgoing bytes
Outgoing messages: Count of outgoing messages
Counters in "Result details" section:
Control chunks: Count of control chunks
Fragmented data chunks: Count of fragmented data chunks
Non-fragmented data chunks: Count of non-fragmented data chunks
Duplicated data chunks: Count of duplicated data chunks
Out of order chunks: Count of chunks received after message delay time
Missing chunks: Count of chunks missing based on sequence number tracking
Incomplete messages: Count of messages with fragments missing
Non SCTP messages: Count of non SCTP messages
SCTP processing errors: Count of messages with invalid SCTP header
Checksum errors: Count of messages with failed checksum
Lost messages: Count of messages lost due to insufficient memory
This view shows the currently used inputs and outputs. Connections can be configured in the INI file, or in the "Connections" windows.
After closing the software, the opened connections are saved into the INI file.
Details of connections can be collapsed and expanded using the "expand" triangle button at the upper right corner of the connections.
Parts of "Connections" view
"New" button: opens the 'Create connection' dialogue window
"Recent" button: opens the list of the recently used connections
"Clear history" button: clears the recently used connections list
"Copy history" button: copies history to clipboard
Connection list: contains defined connections
Connection state indicator
"Remove connection" button: closes and drops the connection
(button is active when processing is disabled)
Details can be collapsed and expanded using the triangle button at the right of the connections.
Connection management
A new input or output connection can be added while processing state is inactive.
A connection:
can be a new one created by pressing the "New connection" button or
can be a previously used one added from the history list.
Connections can be removed using "Remove connection" button while processing is disabled.
To open an input connection, type one of the possible connection URI schemes in the text field, and left-click the "Open" button.
Each connection has a statistic counter set.
Counters in an incoming connection: (outgoing connection counters are same)
Channel name: Name of the opened connection.
Channel state: State of the connection.
Opening: Waiting for incoming connection, or waiting for the accept of the outgoing connection.
Opened: Input/output connection is accepted, or SGA file is opened successfully.
Reading: Input/output connection is being read/written continuously.
Failed: The connection failed due to some error. See log for details.
Channel resource: Path to the output module, or the incoming message path.
Incoming/Outgoing bytes: Summarized bytes, which are received/sent.
Incoming/Outgoing messages: Summarized number of received SGA items.
Lost bytes: Lost bytes during reception.
Lost messages: Lost messages during reception or processing.
Buffered messages: Count of messages in the sending buffer.
File position: Index position during SgaMUFI2 file processing.
Mufi file name: Name of the SgaMUFI2 file, in case of SgaMUFI2 file processing.
I/O CPU load: The CPU usage of the IO operations.
Formatter CPU load: The CPU usage of the input format processing phase.
The "Terminal" provides direct access to the core logic using commands. Available commands are listed on the right. Typically used for debug purposes.
The Ethernet protocol assembler can process input Ethernet frames. Frames with VLAN 802.1Q headers are supported. It does not collect any detailed statistics about the link layer.
The assembler will leave the 4 bytes CRC sequence at the end of the frame if present because it can be missing in some input and there is no way to recognize if it is present or not at this point of the processing.
IPv4/IPv6
The IP protocol assemblers have multiple functions: defragmentation, checksum validation, extension header processing, and payload extraction.
Duplicated IP fragments are filtered out during processing.
The UDP protocol assembler simply extracts the upper-layer payload and validates the checksum if present and validation is configured.
TCP
The TCP protocol assembler follows the TCP connections and reassembles the pair of streams associated with the connections. It stores a message queue by streams and reorders the TCP segments by their sequence numbers. Duplicated fragments and overlapping sequence numbers and payloads are handled; every byte of the stream will be present in the output only once.
The assembler follows TCP ACKs and indicates if the reassembled segment was acknowledged.
TCP checksums can be validated if the function is configured.
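The reordering and overlap handling described above, as an added example that is not the product's code: one direction of a TCP stream reassembled in Python, trimming bytes that were already output, surviving sequence-number wraparound and bounding the queue. The class, the counter names and the "earlier bytes win" overlap policy are assumptions made for this illustration.

```python
# Added example (constructed): one direction of a TCP stream reassembler.
MOD = 1 << 32

def seq_diff(a, b):
    """Signed distance a - b in 32-bit sequence space, correct across wraparound."""
    return ((a - b + (1 << 31)) % MOD) - (1 << 31)

class StreamReassembler:
    def __init__(self, max_pending=1024):
        self.next_seq = None            # next sequence number owed to the output
        self.pending = {}               # seq -> payload waiting for a gap to close
        self.max_pending = max_pending  # bound on stored segments (memory cap)
        self.stats = {"duplicate": 0, "out_of_sync": 0, "lost": 0}

    def on_syn(self, isn):
        # A SYN flushes stored segments and restarts sequence tracking.
        self.pending.clear()
        self.next_seq = (isn + 1) % MOD

    def on_segment(self, seq, payload):
        """Feed one segment, return the bytes that became contiguous."""
        if not payload:
            return b""
        if self.next_seq is None:       # capture started mid-stream
            self.next_seq = seq
        behind = seq_diff(self.next_seq, seq)
        if behind >= len(payload):      # every byte was already output
            self.stats["duplicate"] += 1
            return b""
        if behind < 0:                  # starts past a gap: queue it
            self.stats["out_of_sync"] += 1
            if seq not in self.pending and len(self.pending) >= self.max_pending:
                self.stats["lost"] += 1  # queue full: segment is not stored
                return b""
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload  # keep the longer copy of a repeat
        return self._drain()

    def _drain(self):
        out = bytearray()
        while self.pending:
            seq = min(self.pending, key=lambda k: seq_diff(k, self.next_seq))
            behind = seq_diff(self.next_seq, seq)
            if behind < 0:              # earliest stored segment is past a gap
                break
            data = self.pending.pop(seq)
            if behind < len(data):      # emit only the bytes not output before
                out += data[behind:]
                self.next_seq = (self.next_seq + len(data) - behind) % MOD
        return bytes(out)

def demo_tcp():
    data = b"GET /index.html HTTP/1.1\r\n"   # constructed payload
    isn = 0xFFFFFFF0                          # stream crosses the 2**32 wrap
    base = isn + 1
    r = StreamReassembler()
    r.on_syn(isn)
    # (start, end) offsets: in order, early, gap filler, repeat, overlap with more data
    order = [(0, 4), (10, 20), (4, 10), (0, 4), (8, 26)]
    out = b"".join(r.on_segment((base + a) % MOD, data[a:b]) for a, b in order)
    return out, r.stats

if __name__ == "__main__":
    print(demo_tcp())
```

The last segment in the sample overlaps twelve bytes that were already delivered and carries six new ones; only the new bytes reach the output.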
SCTP
The SCTP protocol assembler follows the SCTP associations, defragments and reorders the embedded application-layer payloads.
The assembler follows SCTP ACKs and indicates if the reassembled segment was acknowledged.
SCTP checksums can be validated if the function is configured.
The logic ignores the possibility of multihoming and presumes that every SCTP association is established between two end points, each defined by a single IP address and port.
The application expects captured Ethernet frames or IPv4/IPv6 packets on its input. Besides the normal input, transport layer packets with existing IP meta information (attached pseudo-header) can also be processed.
The application can process and assemble unordered input traffic if the time delay between messages is below the configured timeout interval of the affected protocol reassemblers.
Output
The application outputs reassembled packets or stream segments of the application layer. For stream-based protocols, the output order is based on the stream order instead of the captured timestamp; however, the output message timestamps will be rewritten to be monotonically increasing.
UDP and TCP payloads get an unknown payload protocol id; SCTP payloads can get the corresponding application protocol id if the SCTP packet contains the necessary meta-information.
The application appends meta-information about the IP address and port pair to every output message in the form of a pseudo IP header. Other TCP, SCTP transport-related meta info can also be added to the packet if configured.
If configured, the application can bypass and send out every input message without modification on its output and can track the position of the application layer packet in the original input messages. This information can be appended to output messages as additional meta-information if configured. In case of message duplication, the application is able to send duplicate message events on its output indicating which original messages are duplicates. These functions are useful if original messages need to be edited later in the processing chain based on the processed application layer protocol, for example, to redact sensitive information from application layer data in the original messages.
The output can be directed to different targets based on the resulting payload protocol using the output protocol filter (see protocol connection URI parameter).
Messages which cannot be processed successfully are dropped. These dropped messages can be directed to an output connection for debugging purposes (see dropped connection URI parameter). If configured, dropped packets are appended with debug information containing the reason why the processing failed.
Internet and transport layer protocols are processed in two separate threads. The software provides some non-essential functionality that can be switched off to increase processing speed.
Configurable non-essential functions
Checksum validation by protocols.
SCTP: collecting statistic information by streams.
SCTP: tracking missing chunks for precise duplicated message calculation.
Processing of transport layers (UDP, TCP, SCTP) can be switched off. In this case, the application will output the transport layer packets unprocessed. These messages can be processed further by other INet reassembler instance(s) with enabled transport layer processing.
Memory consumption
Messages for IP, TCP, SCTP are stored in the memory during processing. The available storage space can be controlled via config to prevent memory overuse by setting maximum stored message count and timeout.
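An added example, not the product's code, covering both the IP defragmentation with duplicate filtering described earlier and the count and timeout limits described here: a Python fragment table that evicts the oldest partial datagram when full and expires partial datagrams by age. The class, its parameter names and the mapping of events to counter names are assumptions made for this illustration; the addresses and payloads are constructed.

```python
# Added example (constructed): IPv4 fragment table bounded by count and age.
from collections import OrderedDict

class Defragmenter:
    def __init__(self, timeout=30.0, max_datagrams=1000):
        self.timeout = timeout              # seconds a partial datagram may wait
        self.max_datagrams = max_datagrams  # cap on partial datagrams in memory
        self.table = OrderedDict()          # key -> partial datagram, oldest first
        self.stats = dict.fromkeys(
            ("fragmented", "non_fragmented", "duplicated", "incomplete", "lost"), 0)

    def feed(self, ts, src, dst, proto, ident, offset, more, payload):
        """offset is in bytes, more is the MF flag; returns a full payload or None."""
        self._expire(ts)
        if offset == 0 and not more:
            self.stats["non_fragmented"] += 1
            return payload
        key = (src, dst, proto, ident)      # RFC 791 reassembly key
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= self.max_datagrams:
                self.table.popitem(last=False)   # evict the oldest partial
                self.stats["lost"] += 1
            entry = self.table[key] = {"first": ts, "frags": {}, "total": None}
        if offset in entry["frags"]:
            self.stats["duplicated"] += 1   # same offset seen before: filter out
            return None
        entry["frags"][offset] = payload
        if not more:
            entry["total"] = offset + len(payload)
        return self._complete(key, entry)

    def _complete(self, key, entry):
        if entry["total"] is None:
            return None                     # last fragment not seen yet
        buf = bytearray()
        for off in sorted(entry["frags"]):
            if off > len(buf):
                return None                 # hole: keep waiting
            buf += entry["frags"][off][len(buf) - off:]   # earlier bytes win
        if len(buf) < entry["total"]:
            return None
        del self.table[key]
        self.stats["fragmented"] += 1
        return bytes(buf[:entry["total"]])

    def _expire(self, now):
        while self.table:
            key, entry = next(iter(self.table.items()))
            if now - entry["first"] <= self.timeout:
                break
            del self.table[key]             # waited too long for missing fragments
            self.stats["incomplete"] += 1

def demo_defrag():
    p = bytes(range(24))                    # constructed 24-byte payload
    d = Defragmenter(timeout=5.0, max_datagrams=2)
    flow = ("192.0.2.1", "192.0.2.2", 17)   # constructed addresses, UDP
    out = [d.feed(0.0, *flow, 1, 8, True, p[8:16]),
           d.feed(0.1, *flow, 1, 0, True, p[0:8]),
           d.feed(0.2, *flow, 1, 8, True, p[8:16]),     # duplicate fragment
           d.feed(0.3, *flow, 1, 16, False, p[16:24]),
           d.feed(1.0, *flow, 2, 0, True, b"x" * 8),    # never completed
           d.feed(7.0, *flow, 3, 0, False, b"whole")]
    return out, d.stats
```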
The INet ReAssembler module collects and calculates SCTP statistics when this is enabled by the [SCTPReassembler] / CollectStreamStats INI entry (True|False), and writes them into Sga-7001.NNN files (path definition: INI / [SCTPReassembler] / StatsSuperMonPath entry) for the SuperMon module, which forwards them to the Sga-7N Poller. SCTP statistics are written out every 15 min and at exit, accumulated by linkID.
Statistics:
StatID: Description
7000: Number of incoming SCTP messages without IP header
7001: Number of incoming SCTP message bytes without IP header
(f) SIP response header recognition fixed in packetizer. Line should match SIP/2.0 SP 3*DIGIT SP.
v0.3.25
(f) Protocol detection/packetizing enabled even if only one of packetizer and protocol detector can handle the requested protocol
v0.3.24
(n) GTP detection added with port and content checking. Previous packetizer versions dropped GTP, now configurable with INI parameter: [INetReassembler]/PacketizerDropGTP
(n) S1AP detection added with SCTP/PPId
(n) Diameter detection added with port, SCTP/PPId and content checking (optional complete AVP checking with INI parameter: [INetReassembler]/PacketizerDecodeDiam)
v0.3.23
(f) Fixed: multi protocol setting broke packetizer counters
v0.3.22
(f) Multi protocol setting for packetizer fixed
(f) Packetizer fixed again to not consider leading CRLF as part of the SIP message
v0.3.21
(f) Falsely dropped messages on SN overflow fixed
v0.3.20
(c) UDP, SCTP filtering use ProtDet lib instead of Packetizer lib
v0.3.19
(f) SCTP memory usage optimization
v0.3.18
(f) Fixed TCP SN tracking fail on overlapping segments
v0.3.17
(n) [INetAssembler]/ProcessingState ini parameter added
(n) I/O statistics logged by channels beside summarized log
v0.3.16
(c) Log change written to log at any log level
v0.3.15
(f) Mufi start problem in case of no Mufi file on startup fixed
v0.3.14
(c) Boolean INI parameters made case insensitive
(f) Duplicated TCP segment with more payload handled correctly
v0.3.13
(f) Previous version fixed. TCP assembly works again
v0.3.12
(f) TCP: SYN packet flush any stored packet for actual stream and reinitialize sequence number tracking
(n) New INI parameters [SCTPReassembler]/StatsCsvPath and [SCTPReassembler]/StatsSuperMonPath
v0.3.11
(f) Packetizer interface: packet wo timestamp problem fixed
(f) Output sorter delay time overflown above 4.29 sec
v0.3.10
(f) Packetizer does not count leading CRLF to SIP message
(f) No error log message if packetizer not configured
v0.3.9
(f) Possible UI communication problem after state load prevented
v0.3.8
(f) Packetizer considers incomplete messages as unknown
(f) Input/Output sorter state save/load fixed
v0.3.7
(n) Packetizer timeout can be set using PacketizerTimeOutMSec INI parameter
(c) Packetizer outputs every byte even if not recognized. These can be filtered on output by protocol
v0.3.6
(f) Displaying actual message time fixed
(f) Packetizer does not process messages with GTP destination port
v0.3.5
(f) Sga format storage positions on output fixed
v0.3.4
(f) SEH exception on packetizers timeout fixed
v0.3.3
(f) Input/output sorter memory leak fixed
(f) Packetizer recognizing unknown data bytes as known after reset fixed
(f) Stream packetizers not used for more than 1 minute cleaned up from memory to prevent accumulation of them
v0.3.2
(f) Fixed socket reconnection failure
v0.3.1
(f) Parsing of faulty IP header fixed
(f) Sporadic crash at exit fixed
v0.3.0
(n) Multi protocol setting for packetizer fixed
(n) Packetizer fixed again to not consider leading CRLF as part of the SIP message
(n) Datagrams sorted on output by time with a configurable window: [Output]/SortingQueueDelay,[Output]/SortingQueueLength
(n) Null messages bypass the assembler logic and output filter, then are always sent out
(n) IP assemblers timestamp output datagrams with the highest capture time of the datagram fragments
(n) SCTP, TCP assembler and packetizer track time on output stream-wise and put monotonically increasing timestamps on output datagrams
(n) Dropped messages can be sent out on connection for debug purposes using uri parameter 'dropped=true'
(n) Write debug info on output for dropped messages if [INetReassembler]/DebugInfo INI parameter set
(n) Processed SCTP sequence numbers stored for 60 sec to provide precise duplicated message counting
(n) Detailed SCTP statistics collected by SCTP streams, can be dumped to JSON file with command: 'INet.dump'
(n) SCTP statistics written out every 15 min and at exit, accumulated by linkID in SuperMon format if './stats-mufi' output directory exists. Can be triggered at an arbitrary time with command: 'stat.write'.
(n) 'text' output formatter for debug purpose (with configurable indentation and supported formats: json, yaml, perldump)
(n) SCTP info output content extended with 'streamInit' flag and missing datachunk count before the message
(n) TCP info output content can be enabled/disabled via config parameter [TCPReassembler]/TcpInfoOnOutput added
(c) Ethernet parser does not cut checksum from end of packet, since it may not be there
(c) Does not drop disordered messages on input
(c) Only Sga input format supports 'storepos' parameter from now, storage positions handled as opaque UUIDs inside assembler logic