I have discovered a new way to load trace files so that they are filtered as they are loaded. This is really useful when the filter is an advanced plug-in filter, especially if the plug-in filters out packets from the file and generates its own packets that are inserted instead. In my case, I was looking for a way to load a NetFlow file and have the NetFlow plug-in generate fake packets instead of loading the NetFlow packets themselves. However, this technique will work for any filter or filter plug-in.
The key to this technique is the SQLFilter plug-in, which can be downloaded from the MyPeek Community Portal (current maintenance required). It loads packets from a file into a real-time capture window through the SQLFilter plug-in, instead of directly into a file window. Because a real-time capture window uses a user-defined ring buffer instead of a static file buffer, the NetFlow Analyzer adapter (current maintenance required) can process and filter out the NetFlow packets and create and insert fake packets into the capture instead.

Here are the steps necessary to use this technique:
First, create a real-time capture using an adapter that won't actually provide packets when the capture is started. The Microsoft Loopback Adapter is a good example, but there are others. This is important because certain features, like the PeerMap, won't do anything unless the capture has been started. Choosing a "NULL" type adapter allows the capture to be started without actually capturing any packets.

It is also important to create a capture buffer large enough to hold the generated packets. Typically, the NetFlow Analyzer adapter will generate many more packets than there are in the NetFlow trace file. The alternative is to enable capture to disk, so that the generated packets are saved to a file.
Once the capture window opens, create a new advanced filter on the filter or filter plug-in of your choice. In the example below, the NetFlow Analyzer is selected.

Next, create a new SQLFilter database and add one or more files to it. The database file is a single SQLite database that will now contain all the packets from all the files you load into it. This has many advantages, but in this case we are only doing it in order to load the trace file into the real-time capture window. In the example below, a NetFlow file is loaded into the database.

Now start the capture.
VRoom! Do you hear the roar of the engine? If so, you may have a problem. You should probably clean out the fan on your computer, or call support. ;-)
Finally, double click on the packet file. As the packets are being loaded from the database, a progress dialog will appear. This dialog has a Cancel button, so you can cancel the load at any time. On large files, this is a very nice feature.
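As an added illustration (not code from this post, the SQLFilter plug-in, or the NetFlow Analyzer adapter), the following Python models the mechanism the steps above rely on: packets are pulled row by row out of a SQLite database, handed to a filter plug-in that may drop a packet and emit replacement packets in its place, and the survivors land in a bounded ring buffer rather than a static file buffer, with a cancel callback standing in for the progress dialog's Cancel button. The table schema, the export payload layout, the port number and every sample packet are assumptions constructed for this example; the real SQLFilter database layout and the real NetFlow record formats are not shown on the page.

```python
import socket
import sqlite3
import struct
from collections import deque

# Conventional NetFlow export port; an assumption, the post names no port.
NETFLOW_PORT = 2055
# Constructed flow-record layout (src IP, dst IP, dst port, packet count).
# This is NOT the real NetFlow v5/v9 record format.
RECORD = struct.Struct("!4s4sHI")


def pack_export(records):
    """Build a constructed export payload: 2-byte record count, then records."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), dport, count)
        for src, dst, dport, count in records
    )
    return struct.pack("!H", len(records)) + body


def build_sample_db():
    """Constructed stand-in for a SQLFilter database; the schema is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE packets (id INTEGER PRIMARY KEY, ts REAL, src TEXT, "
        "dst TEXT, proto TEXT, dport INTEGER, payload BLOB)"
    )
    rows = [
        (0.0, "10.0.0.5", "10.0.0.9", "TCP", 22, b"ssh"),
        # One export datagram describing five packets across two flows.
        (1.0, "10.0.1.1", "10.0.0.50", "UDP", NETFLOW_PORT,
         pack_export([("10.0.0.5", "10.0.0.9", 22, 3),
                      ("10.0.0.7", "93.184.216.34", 443, 2)])),
        (2.0, "10.0.0.7", "93.184.216.34", "TCP", 443, b"tls"),
    ]
    conn.executemany(
        "INSERT INTO packets (ts, src, dst, proto, dport, payload) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def iter_packets(conn):
    """Stream packets out of the database in timestamp order."""
    query = "SELECT ts, src, dst, proto, dport, payload FROM packets ORDER BY ts, id"
    for ts, src, dst, proto, dport, payload in conn.execute(query):
        yield {"ts": ts, "src": src, "dst": dst, "proto": proto,
               "dport": dport, "payload": payload, "synthetic": False}


def netflow_expander(pkt):
    """Filter plug-in stand-in: drop export datagrams and emit one fake packet
    per counted packet in each flow record; pass every other packet through."""
    if not (pkt["proto"] == "UDP" and pkt["dport"] == NETFLOW_PORT):
        return [pkt]
    (count,) = struct.unpack_from("!H", pkt["payload"], 0)
    out = []
    for i in range(count):
        src, dst, dport, n = RECORD.unpack_from(pkt["payload"], 2 + i * RECORD.size)
        for _ in range(n):
            out.append({"ts": pkt["ts"], "src": socket.inet_ntoa(src),
                        "dst": socket.inet_ntoa(dst), "proto": "FLOW",
                        "dport": dport, "payload": b"", "synthetic": True})
    return out


def load_through_filter(conn, plugin, ring_size, cancel=lambda done, total: False):
    """Load packets through `plugin` into a ring buffer of `ring_size` slots.

    `cancel(done, total)` is polled before each packet, like the progress
    dialog's Cancel button; returning True aborts the load.
    """
    ring = deque(maxlen=ring_size)
    total = conn.execute("SELECT COUNT(*) FROM packets").fetchone()[0]
    stats = {"total": total, "read": 0, "dropped": 0, "generated": 0,
             "evicted": 0, "cancelled": False}
    for pkt in iter_packets(conn):
        if cancel(stats["read"], total):
            stats["cancelled"] = True
            break
        stats["read"] += 1
        out = plugin(pkt)
        if not any(p is pkt for p in out):
            stats["dropped"] += 1          # plug-in filtered the original out
        for p in out:
            stats["generated"] += int(p["synthetic"])
            if len(ring) == ring.maxlen:
                stats["evicted"] += 1      # ring buffer wrapped: oldest packet lost
            ring.append(p)
    return list(ring), stats


if __name__ == "__main__":
    packets, stats = load_through_filter(build_sample_db(), netflow_expander, ring_size=5)
    print(stats)
    for p in packets:
        print(p["ts"], p["src"], "->", p["dst"], p["proto"], p["dport"],
              "synthetic" if p["synthetic"] else "")
```

Running it with a five-slot ring shows the point behind the buffer-sizing advice above: the one export datagram expands into five generated packets, so the buffer wraps and the earliest packets are silently evicted; a larger ring (or capture to disk) keeps them all.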

And that's it. I found this to be very useful, and thought I would share.
