Packet Capture Software for Sga-Gplanar and Sga-10GED cards
("GyTapperG")

• Features
• Connections of the GyTapperG module
• User interface
• Logging
• The web-interface
• Distribution filtering rules
• Stats and events
• IP address names
• Capture filters
• Configuration (INI)
• Version history

• Captures Ethernet frames from SGA interface cards (GPlanar, 10GED)
• Handles capture filters (done by cards' firmware)
• Uses ClockCard to provide NTP based time stamping or uses the cards internal clock
• Can connect to the Sga-7N Monitor Poller module
• Distributes captured packets amongst monitors based on distribution rules
• Provides a web-interface to access the log file, the INI file, the status window, IP address names, and collected IP address pairs remotely

The main menu

Menu	Menuitem	Shortcut(s)	Meaning
[Log]
	Find line containing...	(Ctrl-F)	Finds text in log window
	Find next matching line	(F3)	Finds next occurrence of text in log window
	Details		Detail level of logging (Off, Normal, Detailed, or Debug)
	Flush status line counters now!		The status line counters can be flushed
	Flush and zero status line counters now!		The status line counters can be flushed and cleared
[Capture]
	Start/Stop capturing	(Ctrl-S or )	Capturing can be enabled or disabled
	Zero counter of capture devices		Capture card counters can be cleared
	Reload input device list	(Ctrl-I)	Input device list can be reloaded
[Monitors]
	Zero all Rx counters		Rx counters can be cleared
	Syntax-check list		Monitor list can be syntax-checked
	Reload list		Monitor list can be reloaded
	Allow auto-connect	(Ctrl-A or )	Enables automatic connection to the monitors
	Terminate all connections gracefully		Closes connections properly
	Abort all connections immediately(!!!BRUTAL!!!)		Tears down connections immediately by breaking low layer sockets
[Options]
	Auto scroll	( )	Allow automatic scrolling of the log screen
	Show log	(Ctrl-Tab)	Shows log screen
	Show Monitors	(Ctrl-Tab)	Shows Monitors screen
	Save settings		Saves actual settings into the configuration (INI) file

Buttons

Button	Action
	Disables/enables capturing ([Capture] / Start/Stop capturing menu item)
	Disables/enables automatic connection to the monitors ([Monitors] / Allow auto-connect menu item)
	Opens the status page of the web-interface in the deafult web browser
	Disables/enables automatic scrolling of the log screen ([Options] / Auto scroll menu item)

The bottom status-line

• Sga-7N Poller: Status of the connection to the Poller module (its colour is red if not connected, grey if connected, purple if not defined)
• Poller connection counters:
  • Not yet connected: Indicates that the Poller connection is defined but not yet established.
  • Counters in case of established Poller connection:
    • Connected: Indicates the number of (re-)connections
    • Tx OK/fail: Number of messages transmitted correctly or with failure
    • Rx OK/fail: Number of messages received correctly or with failure
   
• Monitors:
  • M out of N connected: Number of monitors currently connected
  • List last loaded: Date and time when monitor list was loaded last
   
• Input devices:
  • Rx: Amount of bytes / number of packets received
  • Overflown/Mismatched: Number of packets overflown / mismatched
• #0..3: Status of monitored interfaces (INI/[Capture]/sInputDevice#0..4)
  • Status of input device:
    • green: If there is a configured interface and the capturing is working properly
    • red: If there is a configured interface but the state of the interface is down (e.g., the Ethernet cable is disconnected or the interface is disabled)
    • white: If there is no configured interface
     
  • X Mb/s|Y Mb/s|Z Mb/s|W Mb/s: Indicates the volume of the traffic.
    • X for the 0th interface
    • Y for the 1th interface
    • Z for the 2th interface
    • W for the 3th interface
     
  • Received frame counters (0thIF/1stIF):
    • #BadF: Number of frames with CheckSum error
    • #CapturedF: Number of frames with good CheckSum
    • #AcceptedF: Number of frames after filtering
    • #LostF: Number of frames lost between card and host application
    • #SignLost: Number of sign lost events
    • #ProcessedF: Number of frames which the application got
    • #DMAQueuE: Number of discontinuity of DMA packet orders
    • #MagicCodeE: Number of Magic Code errors
    • #DMAChksumE: Number of DMA CheckSum errors
    • #Signal[µW]: Signal level
   
• Uptime: Time elapsed since module has been started up

Details of "Monitors" window

• Con. Status: Identifier of the monitor and the status of the connection
• IPaddress : TCPport: IP adress and TCP port of the monitor
• Last rx'ed at (UTC): Timestamp of last received packet
• Rx [bytes]: Number of received bytes
• Rx [packets]: Number of received packets
• O.f. [packets]: Number of packets dropped due to network problem
• Buff'ed [bytes]: Status of the transmission buffer (max size: 1,000,000byte)
• Will terminate: Terminated monitor connection (value during normal operation: "no")

The popup menu of the "Monitors" window

Logging

The following parameters can be filtered:

• Source IP address (IPaddrSrc) – Defines the source IP address value for which filtering will be done. Exact vules or ranges can be specified.
  Examples:
  • 'IPaddrSrc=(10.123.133.143..10.123.133.143)' – Messages from the given IP address are allowed
  • 'IPaddrSrc=(10.123.133.100..10.123.133.120)' – Defines an IP address range
• Destination IP address (IPaddrDst) – Definition is similar to IPaddrSrc.
• IP address (IPaddr) – Definition is similar to IPaddrSrc.

• Source IPv6 address (IPv6addrSrc) – Defines the source IPv6 address value for which filtering will be done. Exact vules or ranges can be specified.
  Examples:
  • 'IPv6addrSrc=(2001.4c48.102.16f.0.7.bff2.bd01/128)' – Messages from the given IPv6 address are allowed
  • 'IPv6addrSrc=(ffa8..0/13)' – Defines an IPv6 address range
• Destination IPv6 address (IPv6addrDst) – Definition is similar to IPv6addrSrc.
• IPv6 address (IPv6addr) – Definition is similar to IPv6addrSrc.

• Source port (PortSrc) – Defines the source port value for which filtering will be done
  Examples:
  • 'PortSrc=2123' – Messages from port=2123 (typical setting for GTP-C messages) are allowed
  • 'PortSrc=2905' – Messages from port=2905 (typical setting for Sigtran messages) are allowed
• Destination port (PortDst) – Definition is similar to PortSrc
• Port (Port) – Defines a port value for both source and destination sources.
  Example:
  • 'Port=23' – Messages from port=23 are allowed

• Protocol (IPproto) – IP protocol to be filtered (numerical values are expected)
  Examples:
  • 'IPproto=6' – Only TCP packets will be forwarded
  • 'IPproto=132' – Only SCTP packets will be forwarded

• Truncation (Trunc) – Long packets can be truncated to a predefined value when the remaining part is not necessary for the further processing, this truncation is done by the NIC hardware on the whole layer2 packet, before the layer 2 headers are removed by the software. So the captured size is not equal to the truncate parameter, the captured size will be n bytes shorter, where n is the length of the MAC+VLAN headers. Due to technical constraints the minimum truncate length is 64 bytes, smaller than 64 values are accepted by the software, but the truncation will be done to a 64 byte size.
  Examples:
  • 'Trunc=248' – Messages longer than 248 bytes will be truncated to 248 byte
  • 'Trunc=30' – Messages longer than 64 bytes will be truncated to 64 byte

• VLAN ID (Vlan) – If the packet contains VLAN tag then it is possible to filter for its value
  Examples:
  • 'Vlan=(200..200)' – Packets with VLAN ID=200 will be forwarded
  • 'Vlan=(200..299)' – Packets whose VLAN ID is between 200 and 299 will be forwarded

Filter definition rules

• A filter must have PASS or DROP type at the beginning of the filter.
  • PASS – Packets match the filters will be passed for distribution.
  • DROP – Packets match the filters will be dropped.
• A filter can have any combination of the above mentioned parameters. They are applied with logical AND relation.
• When there is no any filter defined then all packets is treated according to the type (passed or dropped).
• PASS type filters can be named to be referred in the Distribution filtering rules under the Monitor sections. Filter names must be placed at the end of the filter with a beginning '#'. More filters can have the same name.

Filter groups

Syntax:

	[CaptureFilters Input#N/M]

• CaptureFilters – Defines a filter group section.
• Input#N – Specifies the card.
  • N – Value of N from [Capture]/Input#N above.
  • * – Specifies all defined cards.
• M – Specifies the interface of the card.
  • 0 – Specifies the 0th interface.
  • 1 – Specifies the 1st interface.
  • * – Specifies both interfaces. The same filters are applied for both ones.
  • x – Specifies both interfaces. The filters are applied for the 0th interface and applied for the 1st interface with a source–destionation swap.

Examples

Version history

v1.37
• (n) IP fragment handling introduced
• (n) New filter parameter: FRAGMENTS

v3.36
• (c) Can send ID not only to the Monitor machines, but also to the 7N-Poller (optionally)
• (n) INI/[Sga-7N Poller]/sSendThisTapperName

v3.35
• (c) More effective timing strategy for data sending on monitor unit connections
• (c) Limit for the number of named machines (listed in INI/[Advanced]/sIPaddrNames2file) increased from 3200 to 5200
• (c) "?Gy" query on the WebInterface now works with IPv6 addresses, as well
• (c) The INI/[Monitor 'xxx']/sSendThisTapperName field ID is displayed on the WebInterface
• (c) Limit for the monitor units increased 50 from 25.
• (n) Dynamic buffer allocation for monitor connections: 50*10MB memory is allocated for buffers and this amount of memory is shared amongst the maximum count of monitors (INI/[Monitors]/dwMonitorMaxCount < 50) (the default buffer size is still 10MB for each monitor)
• (n) Buffer memory allocated for the monitor connections is logged
• (n) INI/[Monitors]/dwMonitorMaxCount; default: 50
• (n) Tricky cut of RTP media packets + header compression applied
• (n) Sharing of RTP traffic based on UDP ports (using XOR of lower second bits of source and destination UDP port numbers)
• (n) INI/[[Monitor 'xxx']/iTrickyTruncateRTP for RTP trancation and header compression
• (c) Size of status line counters increased to 8 byte from 4 byte to avoid overflow
• (c) Modification of temperature display for 10GED cards
• (n) Checks whether log path exists (INI/[Advanced]/sLogFilesPath)

v3.30
• (n) IPv6addr, IPv6addrSrc and IPv6addrDst are introduced for capture filters
• (n) 10GEQ card support

v3.23
• (f) Fixes a bug with named capture filters.
• (n) Logs ClockCard settings.
• (f) Web interface used to list capture filters for not-used interfaces as well.

v3.22
• (n) Capture filters introduced.

v3.21
• (n) Number of IP address names was increased from the previous maximum of 2000 to a new maximum of 3200.
• (n) Web interface "GET /?IPAddrNames" displays the number of result rows (IP address names) as well.
• (f) Link statistics might have been sent about obsolete links, i.e., after the definition of the signaling link was removed.

v3.11
• First official release.