Typically, the configuration of a capture probe is much simpler than the configuration of a stack probe. This is reflected in the configuration file formats as well. A stack probe is typically configured with a JSON-formatted configuration file, which allows a complex object structure and nested options.

By contrast, a capture probe is typically configured with a configuration file that simply lists the command-line parameters that are used when the probe is started. Capture probe configuration files have the .capture.config filename suffix.

Note that, despite these different configuration file formats, the PMUX wrapper itself is generic; configuring the two probe types with different file formats is a convention. A capture probe can in fact be installed as a module within a stack probe. We do not do this because, if something goes wrong in a stack probe’s processing, a separately running capture probe still records the details of the packet that caused the problem.

You can run as many capture probes as you wish. Some example strategies are:

  • A separate capture probe per Napatech stream - see VMX-Capture Capture Card Configuration.

  • One capture probe for TCP traffic, and one capture probe for UDP traffic (per Visibility Point).

  • A separate capture probe for each different market.

  • A separate capture probe for each different visibility point.

Running multiple capture probes supports, for example, different retention periods or snaplengths for different types of traffic.

Example Capture Probe Configuration File

Here’s a sample packet capture probe configuration file called capVP.capture.config:

name=capVP
compression=noloadgz
capture_file_type=pcapns
output_dir=/data/capture
file_prefix=capVP
filter=vlan%2010
rotate_period_seconds=10
influxdb_dsn=influxdb://vmxadmin:grafstats@localhost:8086/capture
influxdb_measurement=pcap

For readability, this example lists each parameter on a new line. Usually they are simply space-delimited on a single line of the capture.config file. Because a space separates parameters, a space inside a value is written as %20: filter=vlan%2010 is the BPF filter vlan 10.
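As an added example (not code from Beeks Analytics), the following Python utility parses a .capture.config file in either layout, decodes %20-escaped values, checks the mandatory parameters against the table below, flags a snaplen and a DSN that embeds a password, and emits per-traffic-type probe files such as the TCP/UDP split listed above. The encoding rule (a space written as %20) and the mandatory/optional status of each parameter come from this page; the function names, check messages and the constructed sample input are this example's own.

```python
"""Parse, sanity-check and emit Beeks Analytics .capture.config files.

Added example; this is not code from Beeks Analytics. It assumes only what
the page states: the file is a list of key=value parameters, normally
space-delimited on one line, with a space inside a value written as %20
(filter=vlan%2010 is the BPF filter "vlan 10").
"""
from urllib.parse import quote, unquote, urlsplit

# Parameter names and their "Mandatory?" status, taken from the page's table.
MANDATORY = ("output_dir", "file_prefix")
KNOWN = {
    "name", "compression", "capture_file_type", "output_dir", "file_prefix",
    "filter", "rotate_period_seconds", "rotate_period_bytes",
    "retention_policy", "snaplen", "influxdb_dsn", "influxdb_measurement",
}
NUMERIC = ("rotate_period_seconds", "rotate_period_bytes", "snaplen")


def parse_capture_config(text):
    """Return {key: value} from capture.config text (one line, or one parameter per line)."""
    params = {}
    for token in text.split():            # any whitespace separates parameters
        key, sep, raw = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value parameter: {token!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = unquote(raw)        # %20 -> ' ', and any other %xx escape
    return params


def format_capture_config(params):
    """Emit the usual single-line form, percent-encoding spaces inside values."""
    return " ".join(f"{k}={quote(v, safe='/:@')}" for k, v in params.items())


def check_capture_config(params):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    for key in MANDATORY:
        if key not in params:
            findings.append(f"missing mandatory parameter: {key}")
    for key in sorted(set(params) - KNOWN):
        findings.append(f"unknown parameter: {key}")
    for key in NUMERIC:
        if key in params and not params[key].isdigit():
            findings.append(f"{key} must be an integer, got {params[key]!r}")
    if "snaplen" in params:
        findings.append("snaplen set: truncated captures must not be fed to decoders")
    dsn = params.get("influxdb_dsn")
    if dsn and urlsplit(dsn).password:
        findings.append("influxdb_dsn embeds a password: restrict read access to this config file")
    if params.get("influxdb_measurement", "pcap").lower() != "pcap":
        findings.append("influxdb_measurement should be pcap")
    return findings


def make_probe_config(name, bpf_filter, output_dir="/data/capture", **extra):
    """Build one probe's parameters, e.g. a TCP probe and a UDP probe per visibility point."""
    params = {"name": name, "output_dir": output_dir, "file_prefix": name, "filter": bpf_filter}
    params.update(extra)
    return params


# Constructed input: the page's capVP example as it would usually be written, on one line.
CAPVP_CONFIG = (
    "name=capVP compression=noloadgz capture_file_type=pcapns output_dir=/data/capture "
    "file_prefix=capVP filter=vlan%2010 rotate_period_seconds=10 "
    "influxdb_dsn=influxdb://vmxadmin:grafstats@localhost:8086/capture influxdb_measurement=pcap"
)

if __name__ == "__main__":
    cfg = parse_capture_config(CAPVP_CONFIG)
    print("decoded filter:", cfg["filter"])
    for finding in check_capture_config(cfg):
        print("finding:", finding)
    # Two probes per visibility point, one for TCP and one for UDP, sharing the VLAN filter.
    for proto in ("tcp", "udp"):
        probe = make_probe_config(f"capVP-{proto}", f"vlan 10 and {proto}", rotate_period_seconds="10")
        print(format_capture_config(probe))
```

Run it as a script to see the decoded filter, the one finding the capVP example produces (the plain-text credentials in influxdb_dsn), and the single-line TCP and UDP probe files; feed an existing .capture.config through parse_capture_config and check_capture_config before deploying it.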

The configuration parameters that can be used in a capture.config file are as follows. Each entry gives the parameter name, whether it is mandatory, and its description:

  • name (optional): Name of the capture probe.

  • compression (optional): Compression method applied to the resulting PCAP files. The standard method is gzip. See VMX-Capture Compression Card Configuration.

  • capture_file_type (optional): File format of the capture file. The standard is pcapns, as in the example above.

  • output_dir (mandatory): Location of PCAP storage. Default is /data/capture.

  • file_prefix (mandatory): Prefix used for the capture file names.

  • filter (optional): BPF filter applied by the capture probe. The example above filters on vlan 10, i.e. only traffic tagged with VLAN 10 is captured; in the file the space in the filter is written as %20.

  • rotate_period_seconds (optional): Time, in seconds, after which the capture rolls over to a new PCAP file.

  • rotate_period_bytes (optional): Maximum size of each capture file in bytes before a new file is started.

  • retention_policy (optional): How long PCAPs are retained. The capture probe itself does not use this setting; it is read by an Appliance cron job (capture_purge.py) that tidies up old capture files.

  • snaplen (optional): Snaplength, in bytes, of each packet written to the capture file. Do not set a snaplength on captures that decoders will read, since the truncated packets cannot be fully decoded.

  • influxdb_dsn (optional): DSN of the InfluxDB to which more granular statistics about capture probe performance are written. The DSN carries a username and password in plain text (vmxadmin:grafstats in the example), so restrict who can read the configuration file.

  • influxdb_measurement (optional): Should be set to pcap, as in the example.

Configuring the Capture Probe for different Packet Brokers

Packet brokers (also known as packet aggregators) are often used to ‘fan in’ network information to Beeks Analytics. They often add a layer of packet metadata to provide extra information about each packet, for example, the timestamp that they received the packet or the port that they received the packet on.

Beeks Analytics has the advantage over other tools in that the capture probes and stack probes can be configured to read this packet metadata even if it is stacked within the packet, or if Beeks Analytics is receiving packets from multiple different packet brokers on the same physical appliance port.