Packet Capture Software for NIC
("GyTapper")

• Features
• Connections of the GyTapper module
• User interface
• Logging
• The web-interface
• Distribution filtering rules
• Stats and events
• IP address names
• Capture filters
• Configuration
• Version history

• Captures IP packets (carried by Ethernet frames) from Network Interface Cards via PCAP driver
• Input can be PCAP file, as well
• Handles protocol filtering (using PCAP capture filters)
• Optionally connects to the Gy69 module providing NTP based time stamping
• Can connect to the Sga-7N Monitor Poller module
• Distributes captured packets amongst monitors based on IP address and port
• Provides a web-interface to access the log file, the INI file, the status window, IP address names, and collected IP address pairs remotely
• Requires modified WinPCAP drivers for Gy69-based timestamping

The main menu

Menu	Menuitem	Shortcut(s)	Meaning
[Log]
	Find line containing...	(Ctrl-F)	Finds text in log window
	Find next matching line	(F3)	Finds next occurrence of text in log window
	Details		Detail level of logging (Off, Normal, Detailed, or Debug)
	Flush status line counters now!		The status line counters can be flushed
	Flush and zero status line counters now!		The status line counters can be flushed and cleared
[Capture]
	Start/Stop capturing	(Ctrl-S or )	Capturing can be enabled or disabled
	Reload input device list	(Ctrl-I)	Input device list can be reloaded
[Monitors]
	Zero all Rx counters		Rx counters can be cleared
	Syntax-check list		Monitor list can be syntax-checked
	Reload list		Monitor list can be reloaded
	Allow auto-connect	(Ctrl-A or )	Enables automatic connection to the monitors
	Terminate all connections gracefully		Closes connections properly
	Abort all connections immediately(!!!BRUTAL!!!)		Tears down connections immediately by breaking low layer sockets
[Options]
	Auto scroll	( )	Allow automatic scrolling of the log screen
	Show log	(Ctrl-Tab)	Shows log screen
	Show monitors	(Ctrl-Tab)	Shows monitor screen
	Save settings		Saves actual settings into the configuration (INI) file

Buttons

Button	Action
	Disables/enables capturing ([Capture] / Start/Stop capturing menu item)
	Disables/enables automatic connection to the monitors ([Monitors] / Allow auto-connect menu item)
	Opens the status page of the web-interface in the deafult web browser
	Disables/enables automatic scrolling of the log screen ([Options] / Auto scroll menu item)

Hotkeys

The bottom status-line

• Sga-7N Poller: Status of the connection to the Poller module (its colour is red if not connected, grey if connected, purple if not defined)
• Poller connection counters:
  • Not yet connected: Indicates that the Poller connection is defined but not yet established.
  • Counters in case of established Poller connection:
    • Connected: Indicates the number of (re-)connections
    • Tx OK/fail: Number of messages transmitted correctly or with failure
    • Rx OK/fail: Number of messages received correctly or with failure
• Uptime: Time elapsed since module has been started up
• Monitors: Number of monitors currently connected
• #0..4, #5..9: Status of monitored interfaces (INI/[Capture]/sInputDevice#0..9)
  • green: If there is a configured interface and the capturing is working properly
  • red: If there is a configured interface but the state of the interface is down (e.g., the Ethernet cable is disconnected or the interface is disabled)
  • white: If there is no configured interface
• Rx: Number of bytes and packets received
• Overflown: Number of packets overflown due to network problem
• Mismatched: Number of packets that do not fit in any distribution rule

Details of "Monitors" window

• Con. Status: Identifier of the monitor and the status of the connection
• IPaddress : TCPport: IP adress and TCP port of the monitor
• Last rx'ed at (UTC): Timestamp of last received packet
• Rx [bytes]: Number of received bytes
• Rx [packets]: Number of received packets
• O.f. [packets]: Number of packets dropped due to network problem
• Buff'ed [bytes]: Status of the transmission buffer (max size: 1,000,000byte)
• Will terminate: Terminated monitor connection (value during normal operation: "no")

The popup menu of the "Monitors" window

Logging

The following parameters can be filtered:

Examples:
• sInputFilter=ip
• sInputFilter=vlan and ip
• sInputFilter=udp port 2123
• sInputFilter=ip and udp

Version history

v1.77
• (n) IP fragment handling introduced
• (n) New filter parameter: FRAGMENTS
• (c) Disconnection of any monitor is indicated by red background within the status bar
• (f) Calculation of counters for the previous 300 s period is fixed

v1.76
• (c) Can send ID not only to the Monitor machines, but also to the 7N-Poller (optionally)
• (n) INI/[Sga-7N Poller]/sSendThisTapperName

v1.75
• (n) At every single card initialization, the module reads the following again, and if the given configuration field is not set to default (0), it tries to set it in this order:
  • (n) INI / [Capture] / dwPCAPsettingKernelBufferSize; default value: 10000000 (10 MB) // Set the size of the kernel buffer associated with an adapter.
  • (n) INI / [Capture] / dwPCAPsettingMinToCopy; default value: 32000 (32 kB) // Set the minimum amount of data forwarded from the circular kernel buffer to the linear user buffer in a single call.
  • (n) INI / [Capture] / dwPCAPsettingUserBufferSize; default value: 1000000 (1 MB) // Set the size of the user buffer dispatching packets for the ULP.
• (n) Enable/disable of the processing steps of receiver loop: Menu / "&Capture" / "&Start/Stop capturing ^S"
• (n) Temporary: counts the time spent in the receiver loop and the event
• (n) Temporary: lists the accumulated time spent in the receiver loop/events.
• (n) Display the reason of the exit from the loop
• (n) In case of error indicates it textually, as well

v1.74
• (c) More effective timing strategy for data sending on monitor unit connections
• (c) Limit for the number of named machines (listed in INI/[Advanced]/sIPaddrNames2file) increased from 3200 to 5200
• (c) "?Gy" query on the WebInterface now works with IPv6 addresses, as well
• (c) The INI/[Monitor 'xxx']/sSendThisTapperName field ID is displayed on the WebInterface
• (c) Limit for the monitor units increased 50 from 25.
• (n) Dynamic buffer allocation for monitor connections: 50*10MB memory is allocated for buffers and this amount of memory is shared amongst the maximum count of monitors (INI/[Monitors]/dwMonitorMaxCount < 50) (the default buffer size is still 10MB for each monitor)
• (n) Buffer memory allocated for the monitor connections is logged
• (n) INI/[Monitors]/dwMonitorMaxCount; default: 50
• (n) Tricky cut of RTP media packets + header compression applied
• (n) Sharing of RTP traffic based on UDP ports (using XOR of lower second bits of source and destination UDP port numbers)
• (n) INI/[[Monitor 'xxx']/iTrickyTruncateRTP for RTP trancation and header compression
• (c) Size of status line counters increased to 8 byte from 4 byte to avoid overflow

v1.73 [TEST1]
• (n) Optionally sends a 3-character ID when connecting to a Monitor (or TapperPoller)
• (n) INI/[Monitor 'xxx']/sSendThisTapperName (default is empty, which means not to send an ID)

v1.72
• (c) Limit for the number of named machines increased to 3200 from the former 2000
• (c) Limit for the number of defined signaling links decreased to 1999 from the former 2999

v1.71
• (c) Limit for the number of defined signaling links increased to 2999 from the former 1999

v1.70
• (n) Capturing with packet truncation
• (n) INI/[Capture]/iTruncatePacketBytes (default is -1, which means "off")

v1.69
• (n) "Gy5.dll" is finally and completely removed; use the superior "Gy69.exe" and the new "NPF.sys" instead

v1.62
• (f) Some statistics were sent even if a signaling link had already been removed

v1.61
• (c) Limit for the length of [Capture]/sInputFilter increased to 255 characters from the former 127

v1.60
• (n) IPv6 handling within the signaling link definitions
• (n) Per Monitor packet overflow in the 15-minute log.
• (n) WebIF's "GET /?status" includes WinPcap statistics, both the actual readout values as well as the values from the start-up time
• (n) Slightly faster logging on the screen
• (c) IPnames.csv: name field (3rd column) increased to 20 characters from the former 10
• (f) IPnames.csv: optional port filtering didn't work properly
• (f) WebIF's "GET /IP" might occasionally be corrupted

v1.43
• (n) Unidirectional link definitions: "<--", "-->", "<+-", "-+>" besides the existing "---" and "-+-".

v1.42
• (n) Optionally get time info from the operating system ([Capture]/bRequireGy5TimeSync=False) instead of Gy5 (if the latter does not work properly, for any reason)

v1.41
• (n) Hotkey F12 for Log level = Off
• (c) Limit for the number of named machines increased to 2000 from the former 1000
• (c) WebIF's "GET /?IPAddrNames" can now answer a (maximum) of 2000 entries instead of the former 1000
• (c) The fact that a Monitor connection is encrypted is also logged

v1.40
• (n) Encryption (256-bit key AES in CBC mode) in the directions of the connected Monitors (optional)
• (n) INI/[Monitor 'xxx']/bEncryptAllTraffic (default is False)
• (n) TCP KeepAlive feature in the directions of the connected Monitors (optional)
• (n) INI/[Monitor 'xxx']/bTCPKeepAlive (default is True)
• (n) WebIF (WIF) button on the user interface
• (n) Signaling link traffic distribution based on the BVCI value
• (n) "-+-" (instead of "---") is also valid in the signaling link definitions
• (f) 300 sec counters might overflow in case of high traffic

v1.39
• (n) Displays time of reloading monitor config.

v1.38
• (n) Allows remarks after link definition.
• (c) Local IP address changing with reloading monitor list.

v1.37
• (n) The IP address and TCP port of the monitors are visible in the "Monitors" window.

v1.36
• (n) The filtering IP addresses and ports are replaceable with names in configuration (INI) file.
• (n) INI/[Advanced]/sIPAddrNames2file: The IPAddrNames2.csv file contains the IP adress names for the IP addresses and logical ports.

v1.35
• (c) Handling 1999 signalling link.

v1.34
• (n) Traffic division N parts instead of 2.

v1.33
• (n) More 'NUL' monitors.
• (n) The current version is sent to the Poller instead of "v62.20".
• (c) INI/[Monitor]: "sRemoteIPAddress" and "wRemoteTCPPort" instead of "sIPAddress" és "wTCPPort".
• (n) INI/[Monitor]/sLocalIPAddress: Local IP address assignment to the monitors. This feature is optional.

v1.31
• (n) Port handling: "*" feature in one direction.

v1.29
• (n) INI/[Advanced]/sCaption: Alternative caption text for easy distinguishing.

v1.27
• (c) 999 IP address pairs are visible via web-interface.
• (c) 16384 characters are visible from INI file via web-interface.

v1.26
• (c) 998 IP address pairs are visible via web-interface.

v1.25
• (f) The number of connected monitors was not decreased by a disconnected monitor.
• (n) 'NUL' monitor feature.
• (n) The burst interval is 100 ms instead of 500 ms at data sending to monitors.

v1.24
• (c) 16 kbytes of data are visible instead of 8 kbytes from INI file via web-interface.

v1.23
• (c) 999 IP address pairs are visible via web-interface.

v1.22
• (n) Handling 500 signalling link.

v1.21
• (n) INI/[Sga-7N Poller]/sLocalIPAddress: One CPU is able to be both Monitor and GyTapper.

v1.20e
• (f) At the expiry of delay SW don't start capturing with "Start capturing" function.
• (n) Statistics for each Monitor.
• (n) Duplex IP address definition.
• (n) UDP, TCP or SCTP port filtering.

v1.20c
• (n) Web-interface.
• (n) Handling of 10 Ethernet interfaces.
• (n) Dynamic collection of seen IP address pair.

v1.18
• (n) INI/[Capture]/dwAutoStartWithDelay: Start of capturing is delayed with this value

v1.17
• (f) Failed when stopped without being started.

v1.16
• (n) Handling VLAN packets over IP.

v1.15
• Initial release