[. . . ] User Manual

THE SHARK DISTRIBUTED MONITORING SYSTEM

PUBLISHED BY CACE Technologies, Inc. 1949 5th Street, Suite 103 Davis, CA 95616

Copyright © 2010 CACE Technologies, Inc. No part of the contents of this manuscript may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Wireshark and the Wireshark icon are registered trademarks of Wireshark Foundation, Inc.

[. . . ] This storage system is optimized to provide high-speed writing to disk and fast read access to arbitrary time intervals within a Job Trace.

Shark Appliance User Manual Page 12

Capture Jobs (Shark Appliance Packet Recorder)

Figure 10: Shark Appliance Packet Recorder - No Capture Jobs

The Capture Jobs menu item takes you to the screen shown above. The sections on Packet Storage Info and OS File System Info are displayed before the section of this page that describes the currently running capture jobs.

The Packet Storage Info section provides total space and available space on the Packet Storage system used by the Shark Packet Recorder. This panel shows the block size used by the Shark Packet Recorder and offers the Format Storage button which can be used to reformat the Packet Storage System. Needless to say, you should be very careful if you choose to exercise this option.

Figure 11: Storage Format Options

The Reserved space field makes it possible to prevent access to the sectors at the very end of each of the disk drives in the packet storage system. The inner tracks of hard drives (at the "end" of the hard drive) have slower data transfer rates than the outermost tracks. This field can be used to get a more uniform write-to-disk speed by restricting access to some percentage of the disk drives.

Add/Edit Capture Jobs

In this section we show how to create a Capture Job and subsequently manage it. Clicking on "Add New Job" brings up a new Capture Job form on the Capture Job page.
The form has two tabs: Packet Recording Parameters and Trending/Indexing Parameters. We will consider the Packet Recording Parameters in this section and the Trending/Indexing Parameters in the following section.

Figure 12: Adding a Capture Job

There are a number of configuration parameters that need to be set when creating a Capture Job:

Job Description. This will help in identifying the Capture Job since this name will appear in both the Pilot Console's Devices and Files source panels.

The Capture Job takes traffic from a live interface and records it to disk. Start Blink is used to quickly identify the hardware capture port on the Shark Appliance.

BPF Filter. A BPF filter can be provided to select a subset of the traffic for capturing. For example, the BPF filter "src host 172.18.5.4" will only capture the packets with source IP address 172.18.5.4.

Packet Portion to Capture (snaplen) is used to put an upper bound on the number of bytes saved for each packet - at most the first (snaplen) bytes from each packet are saved.

The first check box can be used to specify an absolute start time for the Capture Job and the second check box can be used to specify an absolute stopping time for the Capture Job.

Stop Capturing after. These check boxes can be used to specify stopping conditions based on size of the Capture Job in terms of megabytes or number of packets. These parameters are used to limit the maximum amount of storage used by the Capture Job. Once a limit is reached, then the oldest packets are discarded so as to not exceed the limit. If more than one condition is chosen, then the most stringent condition is applied.

Note: When multiple conditions have been selected the most stringent condition is the controlling condition. For example, if an absolute time stopping condition and a stopping condition based on the number of captured packets are selected, then the first condition to be satisfied will stop the capture job.
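The combined effect of the BPF Filter and Packet Portion to Capture (snaplen) parameters described above can be checked offline before a job is created. The following Python sketch is an added example, not code from the Shark Appliance or CACE Technologies; the frames are constructed sample data, the function names are hypothetical, and the filter is reimplemented by hand for the IPv4-over-Ethernet case only.

```python
import ipaddress
import struct

ETH_IPV4 = 0x0800  # EtherType for IPv4

def build_frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 + UDP frame (sample data, checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", ETH_IPV4)
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + udp

def matches_src_host(frame, host):
    """Hand-written equivalent of 'src host <host>' for IPv4 over Ethernet.
    Assumption: a real BPF engine also matches ARP/RARP sender addresses,
    which this sketch does not model."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte IPv4 header
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_IPV4:
        return False
    # The IPv4 source address sits at bytes 26..29 of the frame.
    return frame[26:30] == ipaddress.IPv4Address(host).packed

def record(frames, host, snaplen):
    """Return (original_length, stored_bytes) for every frame the filter accepts;
    at most the first snaplen bytes of each accepted frame are kept."""
    return [(len(f), f[:snaplen]) for f in frames if matches_src_host(f, host)]

# Constructed traffic: a request from the monitored host, the reply to it,
# and a short frame from the monitored host.
FRAMES = [
    build_frame("172.18.5.4", "10.0.0.1", 100),
    build_frame("10.0.0.1", "172.18.5.4", 100),
    build_frame("172.18.5.4", "10.0.0.2", 10),
]

if __name__ == "__main__":
    for original_len, stored in record(FRAMES, "172.18.5.4", 64):
        print(f"on the wire: {original_len} bytes, stored: {len(stored)} bytes")
```

The frame sent to 172.18.5.4 is never recorded because the filter only matches the source address, and the 142-byte frame is stored as 64 bytes (headers plus 22 bytes of payload), so the snaplen decides how much payload is available for later analysis.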
Trending/Indexing Parameters

In this section we describe the use of Trending/Indexing Parameters.

Figure 13: Trending/Indexing Parameters

Before we describe the Trending/Indexing Parameters, we present a simplified version of the underlying computation performed by the Pilot Probe when the Trending/Indexing is enabled. For each packet, the Conversation Identifier consists of the 5-tuple: 1. [. . . ]

Administrators see all the resources in the system, including views, files and folders that have been created by other users.

CanApplyViewsOnFiles: if set to true, allows the user or the group to apply views to files residing on the Shark Appliance.

CanApplyViewsOnInterfaces: if set to true, allows the user or the group to apply views to the network interfaces on the Shark Appliance.

CanCreateFiles: if set to true, the user or the group can create files on the Shark Appliance, by selecting the "send to file" buttons in the Pilot Console.

[. . . ]