Typically, the configuration of a capture probe is much simpler than the configuration of a stack probe. This is reflected in the configuration file formats as well. A stack probe is typically configured with a JSON-formatted configuration file, which allows a complex object structure and nested options.
Stack probe configuration is covered in VMX-Capture: Stack Probes, Aggregations, Statistics and Agent Events.
By contrast, a capture probe is typically configured with a configuration file that simply lists the command-line parameters that are used when the probe is started. Capture probe configuration files have the .capture.config filename suffix.
Note that, despite these different configuration file formats, the PMUX wrapper is actually generic. It is only by convention that we configure the two probe types using these different file formats. You can, however, install capture probes as a module within a stack probe. We do not do this because, if something goes wrong with a stack probe’s processing, it is useful to have a separate capture probe running to capture the details of the packet that caused the issue.
It is important to note that you can run as many capture probes as you wish. Some example strategies might be:
A separate capture probe per Napatech stream - see VMX-Capture Capture Card Configuration.
One capture probe for TCP traffic, and one capture probe for UDP traffic (per Visibility Point).
A separate capture probe for each different market.
A separate capture probe for each different visibility point.
Running multiple capture probes supports, for example, different retention periods or snaplengths for different types of traffic.
Example Capture Probe Configuration File
Here’s a sample packet capture probe configuration file called capVP.capture.config:
name=capVP
compression=noloadgz
capture_file_type=pcapns
output_dir=/data/capture
file_prefix=capVP
filter=vlan%2010
rotate_period_seconds=10
influxdb_dsn=influxdb://vmxadmin:grafstats@localhost:8086/capture
influxdb_measurement=pcap
For readability, this example lists each parameter on a new line. Usually they are just space-delimited on the same line of the capture.config file.
The configuration parameters that can be used in a capture.config file are as follows:
Parameter Name | Description | Mandatory? |
---|---|---|
name | Name of the capture probe. | No |
compression | Compression method that will be used on resulting PCAPs. | No |
capture_file_type | The file format for the capture file. | No |
output_dir | Location of PCAP storage. | Yes |
file_prefix | The prefix used for the capture files. | Yes |
filter | BPF filter to be used by the capture probe. The example above filters on vlan 10, i.e. it captures only traffic tagged with VLAN 10. | No |
rotate_period_seconds | Time elapsed before capture rolls over onto new PCAP file. | No |
rotate_period_bytes | The maximum size of each capture file in bytes before a new file is written. | No |
retention_policy | How long PCAPs should be retained for. This setting isn’t actually used by the capture probe, but is used by an Appliance cronjob ( | No |
snaplen | The snaplength (in bytes) for each packet written to the capture file. Snaplength should not be used with capture files which will be read by decoders. | No |
influxdb_dsn | The InfluxDB to which more granular statistics about the capture probe performance are written. | No |
influxdb_measurement | Should be set to PCAP. | No |
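
The following Python is an added example, not Beeks code: it parses a space-delimited capture.config, checks it against the parameter table above, and flags a password embedded in influxdb_dsn, as the sample file has. Treating %20 in filter as a percent-encoded space, rejecting duplicate parameters and requiring positive integers are assumptions of this example, not documented probe behaviour.

```python
from urllib.parse import unquote, urlsplit

# Parameter names come from the table above; the checks are this example's own.
KNOWN = {"name", "compression", "capture_file_type", "output_dir", "file_prefix",
         "filter", "rotate_period_seconds", "rotate_period_bytes",
         "retention_policy", "snaplen", "influxdb_dsn", "influxdb_measurement"}
MANDATORY = {"output_dir", "file_prefix"}
NUMERIC = {"rotate_period_seconds", "rotate_period_bytes", "snaplen"}

# The page's sample file, written space-delimited on one line.
SAMPLE = ("name=capVP compression=noloadgz capture_file_type=pcapns "
          "output_dir=/data/capture file_prefix=capVP filter=vlan%2010 "
          "rotate_period_seconds=10 "
          "influxdb_dsn=influxdb://vmxadmin:grafstats@localhost:8086/capture "
          "influxdb_measurement=pcap")


def parse_capture_config(text):
    """Split whitespace-delimited key=value tokens into a dict."""
    params = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value token: {token!r}")
        if key in params:
            raise ValueError(f"duplicate parameter: {key}")
        params[key] = value
    return params


def decoded_filter(params):
    """Assumption: %XX escapes in filter are percent-encoding (%20 = space)."""
    return unquote(params.get("filter", ""))


def lint_capture_config(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing mandatory parameter: {k}"
                for k in sorted(MANDATORY - params.keys())]
    findings += [f"unknown parameter: {k}" for k in sorted(params.keys() - KNOWN)]
    for k in sorted(NUMERIC & params.keys()):
        if not params[k].isdecimal() or int(params[k]) == 0:
            findings.append(f"{k} must be a positive integer")
    if urlsplit(params.get("influxdb_dsn", "")).password:
        findings.append("influxdb_dsn contains an inline password")
    if "snaplen" in params:
        findings.append("snaplen set: output should not be read by decoders")
    return findings


if __name__ == "__main__":
    cfg = parse_capture_config(SAMPLE)
    print(decoded_filter(cfg), lint_capture_config(cfg))
```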
Configuring the Capture Probe for different Packet Brokers
Packet brokers (also known as packet aggregators) are often used to ‘fan in’ network information to Beeks Analytics. They often add a layer of packet metadata to provide extra information about each packet, for example, the timestamp that they received the packet or the port that they received the packet on.
Beeks Analytics has the advantage over other tools in that the capture probes and stack probes can be configured to read this packet metadata even if it is stacked within the packet, or if Beeks Analytics is receiving packets from multiple different packet brokers on the same physical appliance port.