TSP Lab	GyTapper – Common features	GyTapper

GyTapper – Common features)

Logging
The web-interface - Common part
Distribution filtering rules
Stats and events
IP address names

Logging

The module creates daily logfiles about its operation. The name of the logfile is "modulename_YYYYMMDD.log", reflecting the day when it is created.
The module can write information into the logfile and onto the screen at various detail levels, set by the [Log]/Details menu item. The logging level can be:

Off (0) – warnings/errors are only reported (minimal logfile size and CPU usage)
Normal (1) – information about normal operation are also written into the logfile/screen
Detailed (2) – every received and sent signaling messages are logged
Debug (3) – hexadecimal information of messages is recorded (largest logfile and CPU usage)

Status line counters are logged in every fifteen minutes irrespectively of logging level actually set.

The color coding of the log lines have the following meaning:

Code Color Usage
0 Black Compact data record
1 Red Errors
2 Green Open/close output file/stream
3 Blue Open/close input file/stream
4 Yellow Warnings
5 Light Grey Detailed data (debug info)
6 Dark Grey Detailed data (user info)
7 Purple Operator intervention;
Errors with emphasis

Code	Color	Usage
0	Black	Compact data record
1	Red	Errors
2	Green	Open/close output file/stream
3	Blue	Open/close input file/stream
4	Yellow	Warnings
5	Light Grey	Detailed data (debug info)
6	Dark Grey	Detailed data (user info)
7	Purple	Operator intervention; Errors with emphasis

The web-interface

Common part

The GyTapper modules provide a useful web-interface to follow its operation remotely in an easy way. Views of the web-interface:

status window: it shows a summary about the current operational state of the GyTapper module
INI file: the current configuration can be accessed
IP address pairs: collected IP address pairs list can be seen here
IP address names: IP addresses and their names can be seen here
log files: log files can be downloaded (the link redirects the request to Windows' built-in FTP server; INI/[Web Interface]/sURLForLogs setting defines the TCP port of the FTP server and the folder of the log files)

Views can be accessed by typing the following addresses into the address bar of a web browser or directly from the GUI pressing the WIF button:

status window: http://ip_address:tcpport/?status

INI files:
- http://ip_address:tcpport/GyTapper.ini
  OR
- http://ip_address:tcpport/GyTapperC.ini
  OR
- http://ip_address:tcpport/GyTapperG.ini

IP address pairs: http://ip_address:tcpport/IP

IP-address names: http://ip_address:tcpport/?IPAddrNames
where:
- the ip_address is the address of the machine
- the tcpport is from INI/[Web Interface]/wLocalTCPPort

log files: http://ip_address:tcpport/log_file_folder
where:
- the ip_address is the address of the machine
- the tcpport and log_file_folder are from INI/[Web Interface]/sURLForLogs

Views can also be accessed from any of the other views by clicking on the proper link at the top of the view page.

The status of GyTapper modules

GyTapper module

User interface

Eth0 Eth1 Eth2 Eth3 Eth4 Eth5 Eth6 Eth7 Eth8 Eth9
Input signal: OK OK OK
Last 3 s interval: 75567 75567 75567 [kbps]
8033 8033 8033 [pps]
Previous 300 s period: 43016 43016 43016 [kbps]
5098 5098 5098 [pps]
WinPcap statistics first:
(i.f. drop / driver drop) 0
0 0
0 0
0 [frames]
WinPcap statistics actual:
(i.f. drop / driver drop) 0
0 0
0 0
0 [frames]

The lower table shows the status of monitors' conncetions. It also shows amount of bytes currently buffered and number of packets sent to the monitors or overflown. The traffic towards each monitor is also indicated in kilobit-per-second and packet-per-second for the last 3 and 300 seconds.

MN5
IPaddress|TCPport: 10.0.0.110|8030
Named Tapper: "TAP"
Connection: OK
TCP KeepAlive: YES
Traffic encryption: no
Tricky truncate RTP: no
Buffered: 0 [bytes]
Total sent: 20744025567 [packets]
... overflown: 0
Last 3 s interval: 11218 [kbps]
6773 [pps]
Previous 300 s period: 36114 [kbps]
10227 [pps]

	MN5
IPaddress\|TCPport:	10.0.0.110\|8030
Named Tapper:	"TAP"
Connection:	OK
TCP KeepAlive:	YES
Traffic encryption:	no
Tricky truncate RTP:	no
Buffered:	0	[bytes]
Total sent:	20744025567	[packets]
... overflown:	0
Last 3 s interval:	11218	[kbps]
6773	[pps]
Previous 300 s period:	36114	[kbps]
10227	[pps]

GyTapperC module

User interface

Input ports #0 #1 #2 #3 #4 #5 #6 #7 #8 #9
Local TCP port: 3000 3001 3002
Input signal: multiple OK OK
Last 3 s interval: 75567 75567 75567 [kbps]
8033 8033 8033 [pps]
Previous 300 s period: 43016 43016 43016 [kbps]
5098 5098 5098 [pps]

MNX
IPaddress|TCPport: 10.0.0.110|8030
Connection: OK
TCP KeepAlive: YES
Traffic encryption: no
Buffered: 0 [bytes]
Total sent: 20744025567 [packets]
... overflown: 0
Last 3 s interval: 11218 [kbps]
6773 [pps]
Previous 300 s period: 36114 [kbps]
10227 [pps]

	MNX
IPaddress\|TCPport:	10.0.0.110\|8030
Connection:	OK
TCP KeepAlive:	YES
Traffic encryption:	no
Buffered:	0	[bytes]
Total sent:	20744025567	[packets]
... overflown:	0
Last 3 s interval:	11218	[kbps]
6773	[pps]
Previous 300 s period:	36114	[kbps]
10227	[pps]

GyTapperG module

User interface

The first table indicates the status of each monitored interface card and provides the traffic in kilobit-per-second and packet-per-second for the last 3 and 300 seconds for each interface. Also provides hardware and firmware level statistics about captured and processed frames.

Input#0 Input#1 Input#2 Input#3
SGA-Card: sga10gd0 sga10gd1
Card FSN: #87 #86
Firmware: 2018.05.15.
0x106D0022 2018.05.15.
0x106D0022
Driver: 2016.12.01.
v0.38 2016.12.01.
v0.38
Time sync: ClockCard/Master ClockCard/Slave
Capture filters: 11 | 11 11 | 11 11 | 11 11 | 11
Link name in statistics: "x40" "x41"
Input signal: OK OK
155 | 88 114 | 101 [μW]
-8.097 | -10.56 -9.431 | -9.957 [dBm]
Last 3 s interval: 28012 3755 [kbps]
7895 1267 [pps]
Previous 300 s period: 22568 3146 [kbps]
6229 1006 [pps]
and some more statistics...
#BadFrames: 0 | 0 0 | 0 - | - - | - on MAC
#CapturedFrames: 86170632372 | 62037515662 20899810490 | 31897039149 - | - - | -
#AcceptedFrames: 7628529277 | 3646910872 585040697 | 5088105123 - | - - | - on HW
#LostFrames: 0 | 0 0 | 0 - | - - | -
#SignalLost: 0 | 0 0 | 0 - | - - | -
#ProcessedFrames: 7628471398 | 3646844765 585030225 | 5088095261 - | - - | - in driver
#DMAQueErrors: 259 | 426 13 | 13 - | - - | -
#MagicCodeErrors: 13 | 0 13 | 0 - | - - | -
#DMAChecksumErrors: 0 | 0 0 | 0 - | - - | -

	Input#0	Input#1	Input#2	Input#3
SGA-Card:	sga10gd0	sga10gd1
Card FSN:	#87	#86
Firmware:	2018.05.15. 0x106D0022	2018.05.15. 0x106D0022
Driver:	2016.12.01. v0.38	2016.12.01. v0.38
Time sync:	ClockCard/Master	ClockCard/Slave
Capture filters:	11 \| 11	11 \| 11	11 \| 11	11 \| 11
Link name in statistics:	"x40"	"x41"
Input signal:	OK	OK
155 \| 88	114 \| 101			[μW]
-8.097 \| -10.56	-9.431 \| -9.957			[dBm]
Last 3 s interval:	28012	3755			[kbps]
7895	1267			[pps]
Previous 300 s period:	22568	3146			[kbps]
6229	1006			[pps]
*and some more statistics...*
#BadFrames:	0 \| 0	0 \| 0	- \| -	- \| -	on MAC
#CapturedFrames:	86170632372 \| 62037515662	20899810490 \| 31897039149	- \| -	- \| -
#AcceptedFrames:	7628529277 \| 3646910872	585040697 \| 5088105123	- \| -	- \| -	on HW
#LostFrames:	0 \| 0	0 \| 0	- \| -	- \| -
#SignalLost:	0 \| 0	0 \| 0	- \| -	- \| -
#ProcessedFrames:	7628471398 \| 3646844765	585030225 \| 5088095261	- \| -	- \| -	in driver
#DMAQueErrors:	259 \| 426	13 \| 13	- \| -	- \| -
#MagicCodeErrors:	13 \| 0	13 \| 0	- \| -	- \| -
#DMAChecksumErrors:	0 \| 0	0 \| 0	- \| -	- \| -

The middle table shows the status of monitors' conncetions. It also shows amount of bytes currently buffered and number of packets sent to the monitors or overflown. The traffic towards each monitor is also indicated in kilobit-per-second and packet-per-second for the last 3 and 300 seconds.

NUL TPC wif lif Sh3 X25 X07
IPaddress|TCPport: 0.0.0.0|1 172.0.241.130|6000 172.0.241.16|1000 172.0.241.179|7900 172.0.241.103|1000 172.0.241.25|1000 172.0.241.7|1000
Named Tapper: "G01" "G02" "G03" "G04" "G05" "G06" "G07"
Connection: OK OK OK OK OK OK OK
TCP KeepAlive: no YES YES YES YES YES YES
Traffic encryption: no no no no no no no
Tricky truncate RTP: no no no no no no no
Buffered: 0 0 480 480 3780 42520 168 [bytes]
Total sent: 3794985001 1303678 13193768 13193768 468964721 775029378 1500742076 [packets]
... overflown: 0 0 0 0 0 0 0
Last 3 s interval: 25381 1 57 57 3076 3540 2 [kbps]
8063 2 28 28 855 1065 4 [pps]
Previous 300 s period: 19547 2 43 43 3357 3919 3 [kbps]
6070 2 21 21 899 1137 5 [pps]

	NUL	TPC	wif	lif	Sh3	X25	X07
IPaddress\|TCPport:	0.0.0.0\|1	172.0.241.130\|6000	172.0.241.16\|1000	172.0.241.179\|7900	172.0.241.103\|1000	172.0.241.25\|1000	172.0.241.7\|1000
Named Tapper:	"G01"	"G02"	"G03"	"G04"	"G05"	"G06"	"G07"
Connection:	OK	OK	OK	OK	OK	OK	OK
TCP KeepAlive:	no	YES	YES	YES	YES	YES	YES
Traffic encryption:	no	no	no	no	no	no	no
Tricky truncate RTP:	no	no	no	no	no	no	no
Buffered:	0	0	480	480	3780	42520	168	[bytes]
Total sent:	3794985001	1303678	13193768	13193768	468964721	775029378	1500742076	[packets]
... overflown:	0	0	0	0	0	0	0
Last 3 s interval:	25381	1	57	57	3076	3540	2	[kbps]
8063	2	28	28	855	1065	4	[pps]
Previous 300 s period:	19547	2	43	43	3357	3919	3	[kbps]
6070	2	21	21	899	1137	5	[pps]

The third table shows the configuration settings of the clock card.

SGA-ClockCard settings (read from INI)
RefreshIntervalSec: 16 [s]
ClockCardIPaddress: 172.31.241.17 (local)
NtpServerIPaddress: 172.28.18.2 (remote)
GatewayIPaddress: 172.31.83.254
SubnetMask: 255.255.255.0

SGA-ClockCard settings (read from INI)
RefreshIntervalSec:	16	[s]
ClockCardIPaddress:	172.31.241.17	(local)
NtpServerIPaddress:	172.28.18.2	(remote)
GatewayIPaddress:	172.31.83.254
SubnetMask:	255.255.255.0

GyTapperU module

The first table indicates the status of each monitored interface and provides the traffic in kilobit-per-second and packet-per-second for the last 3 and 300 seconds.

Eth0 Eth1 Eth2 Eth3 Eth4 Eth5 Eth6 Eth7 Eth8 Eth9
Input signal: OK OK OK
Last 3 s interval: 75567 75567 75567 [kbps]
8033 8033 8033 [pps]
Previous 300 s period: 43016 43016 43016 [kbps]
5098 5098 5098 [pps]
Pcap statistics first:
(i.f. drop / driver drop) 0
0 0
0 0
0 [frames]
Pcap statistics actual:
(i.f. drop / driver drop) 0
0 0
0 0
0 [frames]

TapperC
IPaddress|TCPport: 10.0.0.110|8030
Connection: OK
TCP KeepAlive: YES
Traffic encryption: no
Buffered: 0 [bytes]
Total sent: 20744025567 [packets]
... overflown: 0
Last 3 s interval: 11218 [kbps]
6773 [pps]
Previous 300 s period: 36114 [kbps]
10227 [pps]

	TapperC
IPaddress\|TCPport:	10.0.0.110\|8030
Connection:	OK
TCP KeepAlive:	YES
Traffic encryption:	no
Buffered:	0	[bytes]
Total sent:	20744025567	[packets]
... overflown:	0
Last 3 s interval:	11218	[kbps]
6773	[pps]
Previous 300 s period:	36114	[kbps]
10227	[pps]

Distribution filtering rules

The GyTapper modules receive the packets from capture cards or other capture modules and forwards them to the monitors with the proper three-character LinkID applying various distribution filtering rules.

The following rules can be specified:

"Source IP --- Destination IP" − Defines the source and destination IP address values for which filtering will be done

Filtering rule	Meaning
`L52 = * --- *`	Packets with any IP address are allowed
`L52 = * -+- *`	Packets with any IP address are allowed, signalling with duplex LinkID
`L52 = 10.123.133.143 --- *`	Packets with the given source IP address are allowed
`L52 = * --- 10.123.133.120`	Packets with the given destination IP address are allowed
`L52 = 10.123.133.143 --- 10.123.133.120`	Packets with the given source and destination IP addresses are allowed
`L52 = 10.123.133.143,10.123.133.144 - *`	Packets with the given two source IP addresses are allowed (Definition of the destination IP addresses is similar to source)

"Source IP --- Destination IP : Source Port --- Destination Port" − Defines not only the IP address values but also the port values (TCP or UDP or SCTP) as well for which filtering will be done

Filtering rule	Meaning
`L52 = 10.123.133.143 --- 10.123.133.120 : 9876 --- 1234`	Packets with source IP address "10.123.133.143" and source TCP or UDP or SCTP port "9876" and destination IP address "10.123.133.120" and destination TCP or UDP or SCTP port "1234" are forwarded to "L52" link
`L53 = 10.123.133.144 --- 10.123.133.120 : 9876 --- *`	Packets with source IP address "10.123.133.143" and source TCP or UDP or SCTP port "9876" and destination IP address "10.123.133.120" and any destination TCP or UDP or SCTP port are forwarded to "L53" link

"+L52" − Filtered packets fitting in this rule are check against further filter rules for other links (without this feature one packet is sent to only one link)

Filtering rule	Meaning
`L52 = 10.123.133.143 --- 10.123.133.120`	Packets going between IP addresses "10.123.133.143" and "10.123.133.120" are sent to link "L52".
`L53 = 10.123.133.143 --- *`	Packets from/to IP address "10.123.133.143" are sent to link "L53", excluding packets going between IP addresses "10.123.133.143" and "10.123.133.120", since they are already sent to "L52".

Filtering rule	Meaning
`+L52 = 10.123.133.143 --- 10.123.133.120`	Packets going between IP addresses "10.123.133.143" and "10.123.133.120" are sent to link "L52".
`L53 = 10.123.133.143 --- *`	Packets from/to IP address "10.123.133.143" are sent to link "L53", including packets going between IP addresses "10.123.133.143" and "10.123.133.120".

Source IP --- Destination IP / #sInputDeviceID − Packets through the given IP addresses are allowed only from the given InputDevice

Filtering rule	Meaning
`L52 = 10.123.133.143 --- 10.123.133.120 / #0, #6`	Packets going between IP addresses "10.123.133.143" and "10.123.133.120" captured from input device #0 or #6 are sent to link "L52".

Source IP --- Destination IP [N%0] − Packets are distributed based on modulo division of IP header checksum value.

Filtering rule	Meaning
`L52 = 10.123.133.143 --- 10.123.133.120 [3%0]`	One third of the traffic is allowed in this link based on the modulo 3 division with a remainder of 0.
`L53 = 10.123.133.143 --- 10.123.133.120`	The remaining traffic (two thirds of the original traffic) is sent to "L53".

Source IP Address Name --- Destination IP Address Name − Defines the source and destination IP address names for which filtering will be done. The IPAddrNames2.csv file contains the IP address names for the IP addresses and logical ports.

Filtering rule	Meaning
`L52 = @MSAN --- *`	Packets with the given source IP address name are allowed.
`L53 = @MSS1B --- @CSCF_F`	Packets with the given source and destination IP address name are allowed.

"Source IP --- Destination IP [2%0] $BVCI" − Packets are distributed based on NS/BVCI value they contain.

Filtering rule	Meaning
`L52 = 10.123.133.143 --- 10.123.133.120 [2%0] $BVCI`	Defines NS/BVCI based distribution.

"Source IP --> Destination IP" − Unidirectional link definition

Filtering rule	Meaning
`L52 = * <-- *`	One of the directions with any IP address are allowed.
`L52 = * -+-> *`	One of the directions with any IP address are allowed, signalling with duplex LinkID.
`L52 = 10.123.133.143 --> 10.123.133.120`	Packets from the given source and to the destination IP addresses are allowed, the opposite direction is dropped.

"IPv6 address : * --- *" − IPv6 filtering

Filtering rule	Meaning
`IP6 = IPv6 2001.4c48.400.100..30 : * --> *`	Packets from an IPv6 address are allowed.

"Source IP --- Destination IP : FRAGMENTS" − IP fragment filtering (applicable for Tapper and TapperG modules!)

Filtering rule	Meaning
`L21 = 212.51.95.69 --- 212.51.95.4 : FRAGMENTS`	Fragmented IP packets (except first fagments) between defined IP addresses are sent to the link L21.
`L22 = 212.51.95.69 --- 212.51.95.4`	Every IP packets between the defined IP addresses are sent to the link L22 (even fragmented or not).
`L23 = 212.51.95.69 --- 212.51.95.4 : 2905 --- 2905`	IP packets between defined IP addresses and are not fragmented or first fragments and the transport protocol is UDP or TCP or SCTP and port numbers are match are sent to the link L23.

The evaluation of the rules follows the "top-to-bottom" and "first-match" principles. The packet evaluation process is the following:

If "FRAGMENTS" keyword is given then the following packets will be sent to the link:
- IP addresses are matching
- AND fragmented
- AND not the first fragments.

If "FRAGMENTS" keyword and port numbers are not defined then the following packets will be sent to the link:
- IP addresses are matching (whether it's Fragmented or not)

If "FRAGMENTS" keyword is not given and there is defined some port number then the following packets will be sent to the link:
- IP addresses are matching
- AND not fragmented OR first fragment
- AND the carried protocol is UDP or SCTP or TCP
- AND the port number is matching

The packet evaluation process described above is the same if IP address names are given instead of IP addresses, and if the IP address name definition (e.g.: "IPAddrNames2.csv") contains port definition, as well.

Statistics and events sent by the GyTapper modules to the Poller

Statistics:

StatID	Description
9000	Number of bytes received on a PCAP interface identified with the LinkID.
9001	Number of packets received on a PCAP interface identified with the LinkID.

Events:

EventID	Description	Type of event	Meaning
9000	Event queue is full.	ERROR	This event is generated when the number of events waiting in the sending queue is 99.
9001	Connection is up.	MESSAGE	Status of the interface has changed to 'up'. The interface is identified by the LinkID.
9002	Connection is down.	ERROR	Status of the interface has changed to 'down'. The interface is identified by the LinkID.
9003	300s-statistics is up.	MESSAGE	Sent when there was any traffic on the interface identified by the LinkID after a period without traffic. (Ceases a preceding '9004' event.)
9004	300s-statistics is down.	ERROR	Sent when there was no traffic in the last 300s period on the interface identified by the LinkID.

IP address names

The IPAddrNames2.csv file contains the IP address names for the IP addresses and logical ports.

Each row contains the IP address or range, LogicalPort, EP/Node and DisplayName. This file can be seen in the web-interface, too.

Some example for IP address name list:

		10.133.128.2,	*,	MSS0A,	MSS0A_a
		10.133.192.2,	1092,	MSS0A,	MSS0A_b
		145.236.52.1-145.236.52.3, 	*,	MSAN,	MSAN 
		145.236.55.0/26, 	*,	MSAN,	MSAN

Checking IP address names list

The Check_IPAddrNames2 can check the integrity and consistency of the IP address names list. This is a command line utility with the list file to be checked as the input argument.

Usage of the utility:

		Check_IPAddrNames2.exe IPAddrNames2.csv

It checks the input file whether it contains valid entries (follows the structure) and whether the IP addresses contains duplications or colliding ranges.
Warnings generated during the file checking can be suppressed for one or more ranges of the list by putting a comment line before the first entry of the range with a leading "-W". Warning suppression is switched off by putting a comment line after the last entry of the range with a leading "+W".

Example for warning suppression:

		;-W Warnings possibly generated by entries below would be suppressed.
		10.133.128.2,	*,	MSS0A,	MSS0A_a
		10.133.192.2,	1092,	MSS0A,	MSS0A_b
		145.236.52.1-145.236.52.3, 	*,	MSAN,	MSAN 
		145.236.55.0/26, 	*,	MSAN,	MSAN 
		;+W Warning suppression is off.

	Eth0	Eth1	Eth2
Input signal:	OK	OK	OK
Last 3 s interval:	75567	75567	75567	[kbps]
Last 3 s interval:	8033	8033	8033	[pps]
Previous 300 s period:	43016	43016	43016	[kbps]
Previous 300 s period:	5098	5098	5098	[pps]
WinPcap statistics first: (i.f. drop / driver drop)	0 0	0 0	0 0	[frames]
WinPcap statistics actual: (i.f. drop / driver drop)	0 0	0 0	0 0	[frames]

Input ports	#0	#1	#2
Local TCP port:	3000	3001	3002
Input signal:	multiple	OK	OK
Last 3 s interval:	75567	75567	75567	[kbps]
Last 3 s interval:	8033	8033	8033	[pps]
Previous 300 s period:	43016	43016	43016	[kbps]
Previous 300 s period:	5098	5098	5098	[pps]

GyTapper – Common features)

Table of Contents

Logging

The web-interface

Common part

The status of GyTapper modules

GyTapper module

GyTapperC module

GyTapperG module

GyTapperU module

Distribution filtering rules

Statistics and events sent by the GyTapper modules to the Poller

Statistics:

Events:

IP address names

Checking IP address names list