(GbE Packet Capture, Filter & Aggregation Tap)
GL's PacketShark™ is a portable product that can tap packet networks, capture Ethernet packets at wire speed on optical or electrical interfaces up to 1 Gb/s, and selectively filter the captured traffic based on specified criteria. Packets are transmitted through two ports, and the packets that comply with one of the filters are sent to a packet analyzer, such as Wireshark® or GL's PacketScan™, for detailed packet analysis. Alternatively, the traffic can be sent to a memory card (SD) and analyzed offline later.
PacketShark™ is an invaluable tool for simultaneous on-field capture from two interfaces, analyzing 100% of the streams without any delays, and filtering/aggregating required packet streams at wire speed. PacketShark™ overcomes most of the limitations of protocol analyzers running on laptops or PCs, which are too slow to capture live Full Duplex traffic at wire speed. It is generally preferred over "mirror" ports and traditional taps because it provides aggregated traffic output and mobility.
It supports all the features of high-end taps in a small, battery operated instrument, weighing less than 1.2kg, and providing mobility and storage capacity to reach any point in the network. It provides INSTANT ON features - no PC required.
- Ability to capture packets at any point of the Network
- Wirespeed filtering with zero loss and zero delay - Equipped with a unique Zero Delay technology that ensures every packet goes through without delay (even if power is lost)
- Capture in the field and analyze in the office - Field storage of captured data using an external storage device (SD memory card) in PCAP format.
- Copy and forward matching packets to the drop LAN.
- Traffic and Signal Regeneration
- Sixteen (16) simultaneous filters can be applied to the traffic.
- Firmware filters to identify traffic MAC, IP, UDP or TCP flow.
- Centralized or distributed deployment
- Jitter-less time stamps
- Invisible when connected (Undetectable): no IP no MAC
- Improves efficiency and the performance of the protocol analyzer by adding mobility, capture filters and local storage
- Errored frames, a fundamental feature for troubleshooting: FCS, runts, fragments, etc.
- Remote access via VNC
- Proactive monitor of IP services
- Monitor complex, distributed networks supporting the voice and data services
- Useful for Lawful Interception by Government Agencies or Intelligence Agencies as PacketShark™ does not have a physical or logical address
- Intrusion Detection System (IDS) - Monitor network and/or system activities for malicious activities
- Ideal for experts working in ISP, VoIP, IPTV, IDS, Sniff, R&D, Lawful, Security Services
Front Panel and Back Panel - PacketShark™
- SPAN Ports (2): Dual SFPs based 1 Gb/s ports, or span interfaces A and B, are generally connected in pass through mode to the link or network to be analyzed.
- DROP Ports (2): Dual RJ-45 port for electrical connection 10/100/1000BASE-T. DROP Ports interfaces are used to forward captured packets to an external storage device or protocol analyzer.
PacketShark™ works as an Ethernet tap or it simply selects some traffic with specific properties. The tap and the filter modes constitute two separate configuration modes in the equipment.
- Tap & Filter: Traffic is forwarded between the span ports A and B without any modification or delay. Filtered traffic is forwarded towards the drop ports or a storage device.
- Filter: Traffic from the span ports is filtered and forwarded towards the drop ports or a storage device. No traffic is forwarded between span port A and span port B.
- All frames coming to PacketShark™ are forwarded to their destination without delay or loss
- Frames compliant with the filtering conditions are copied to the packet analyzer device
- Alternatively captured frames are saved in SD card
- Operation is based on 16 filters per SFP port
Capture Mode and Drop Mode
Selective Capturing using Filters
PacketShark™ is capable of processing and computing statistics over fractions of the Ethernet traffic meeting specific conditions. The process of selecting a fraction of traffic is called filtering. PacketShark™ is equipped with 16 filter types to capture traffic in real-time.
- The filters are executed sequentially and are customizable by Ethernet, IP, UDP, and TCP
- When a packet satisfies a filter, it is sent to the Drop Port and immediately forwarded to the output. No more filters are processed
- Each packet may modify only the statistics of one filter
- The result of the filtering process is one or several traffic streams
- Filtered frames can be aggregated in one drop port
- Agnostic filters defined by 16-bit masks and a user-defined offset
- Lawful filter: 64 byte pattern match at any place in the frame payload
- Each filter has a priority number - If a frame is selected by a specific filter, it will not be processed by any lower-priority filters
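The first-match behaviour described in the list above can be modelled in a few lines. This is an added example, not GL's firmware or code from the product: the class and function names are hypothetical, and it assumes that a lower priority number is evaluated first and that the 16-bit word at the offset is read in network byte order. All frames are constructed samples.

```python
import struct
from dataclasses import dataclass

@dataclass
class MaskFilter:
    name: str
    priority: int   # assumption: lower number is evaluated first
    offset: int     # user-defined byte offset into the frame
    mask: int       # 16-bit mask
    value: int      # expected 16-bit value after masking
    hits: int = 0   # per-filter statistics counter

    def matches(self, frame: bytes) -> bool:
        if self.offset + 2 > len(frame):   # short frame: field not present
            return False
        (word,) = struct.unpack_from("!H", frame, self.offset)
        return (word & self.mask) == (self.value & self.mask)

def classify(frame: bytes, filters: list) -> "str | None":
    """Return the first matching filter's name; lower-priority filters never run."""
    for f in sorted(filters, key=lambda f: f.priority):
        if f.matches(frame):
            f.hits += 1      # a frame updates one filter's statistics only
            return f.name
    return None              # no match: frame is not copied to the drop port

def ipv4_frame(proto: int) -> bytes:
    """Constructed sample: zeroed MACs, EtherType 0x0800, minimal IPv4 header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + struct.pack("!H", 0x0800) + header

def run_demo():
    filters = [
        MaskFilter("ipv4", 2, 12, 0xFFFF, 0x0800),  # EtherType at bytes 12-13
        MaskFilter("udp", 1, 22, 0x00FF, 0x0011),   # TTL|protocol word, protocol byte only
        MaskFilter("arp", 3, 12, 0xFFFF, 0x0806),
    ]
    frames = [
        ipv4_frame(17),                                      # UDP
        ipv4_frame(6),                                       # TCP
        ipv4_frame(17),                                      # UDP
        bytes(12) + struct.pack("!H", 0x0806) + bytes(28),   # ARP, zeroed body
        bytes(10),                                           # runt, no EtherType
    ]
    verdicts = [classify(fr, filters) for fr in frames]
    return verdicts, {f.name: f.hits for f in filters}

if __name__ == "__main__":
    print(run_demo())
```

The two UDP frames also satisfy the `ipv4` filter, but its counter only records the TCP frame because evaluation stops at the first match. An offset/mask filter does not check the protocol layers above it, so a broad filter placed at a higher priority hides traffic from the more specific ones below.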
Traffic Aggregation and Storage
The PacketShark™ can break out Full-Duplex (FDX) traffic into separate streams to be dropped or can also aggregate different filtered traffic to one DROP port into a single output stream.
PacketShark™ can be configured to aggregate traffic from the forward and backward transmission directions and present them as a single stream. This kind of stream aggregation is useful to check interactions between the communication ends like for example requests and replies in a web application.
Extensive Analysis and Statistics
The hardware provides basic traffic statistics about Ethernet networks such as frame counts (IEEE 802.3, IEEE 802.1Q, unicast, multicast, and broadcast) and error counts (FCS errors, undersized frames, oversized frames, fragments, jabbers, collisions). The counters and statistics are updated per filter (up to 16) and all traffic counters follow RFC 2819.
Formats and Protocols
- 10, 100, 1000 Mbit/s Ethernet
- Ethernet frame: IEEE 802.3, IEEE 802.1Q
- IP, TCP, UDP support
- IP packet: IPv4 (IETF RFC 791)
- Jumbo frames: up to 10 kB MTU (Maximum Transmission Unit)
- Configurable MTU size
- Throughput between measurement SPAN ports: 2x1 Gbit/s or 2x1,500,000 frames/s
- Autonegotiation parameters including bit rate (10, 100, and 1000 Mbit/s) and duplex mode
- Autonegotiation Full Setup by user
- Autonegotiation Disabled by user
Ports and Interfaces
- SPAN Ports: Dual SFPs based 1 Gb/s
- DROP Ports: Dual RJ-45 ports for electrical connection
- RJ-45 ports support 10/100/1000BASE-T, 100BASE-TX
- SFP interfaces support 10BASE-T, 100BASE-TX, 100BASE-FX, 1000BASE-T, 1000BASE-SX, 1000BASE-LX
- Local Storage: SD storage in PCAP format
- Ethernet Selection
- By source and destination MAC addresses. Selection of MAC address sets with masks
- By Ethertype value with selection mask.
- By VLAN-VID with selection mask
- By VLAN-CoS value with selection mask
- IPv4 address: source, destination, and source-and-destination
- IP address group: subset of addresses filtered by masks
- Protocol encapsulated in the IP packet (TCP, UDP, Telnet, FTP, etc.)
- DSCP field, single value and range
- TCP/UDP port, single value and range
- Autonegotiation results including current bit rate, duplex mode, Ethernet interface
- SFP presence, vendor, and part number
- Traffic statistics per each of the four ports
- Statistics for both transmit and receive directions
- Frame counts: Ethernet, and IEEE 802.1Q
- Frame counts: unicast, multicast and broadcast
- Basic error analysis: FCS errors, undersized frames, oversized frames, fragments, jabbers, collisions
- Frame size counts: 64, 65-127, 128-255, 256-511, 512-1023, and 1024-1518 bytes
- Four byte counts: Port A (Tx / Rx) and Port B (Tx / Rx)
- All traffic counters follow RFC 2819
- Counters and statistics per filter (up to 16)
- Full Duplex operation at 1 Gbit/s or 1.5 Mframes/s
- Accuracy better than 10⁻⁶ seconds at 1 Gbit/s
- Performance and accuracy 100% independent of the line bit rate
- Jitter-less captures in SD card
- Up to 1 Mbit/s
- Direct configuration and management in graphical mode using the keyboard and display of the instrument
- Configuration and management on web browser
- Remote access with command line (CLI) using either Telnet or SSH for configuration, management and task automation
- Remote access for configuration and management in graphical mode from a remote IP site through the Ethernet interface of the control panel
- Remote access via SNMP for configuration, management and integration
- VNC based remote control for any client supporting standard versions such as PC, iPad, iPhone, etc
- Remote connection with Password using public / private Ethernet, IP network including Internet
- Display 480 x 272 TFT full color screen
- Dimensions: 223 mm x 144 mm x 65 mm
- Weight: 1.2 kg (with rubber boot, one battery pack)
- USB and Ethernet ports
- Serial Port RS-232C
- Rechargeable Batteries continuous working for 5 hours. Fast recharging time
- AC Power Adapter Input: 100 ~ 240 V AC, 50/60 Hz
- Operating Temperature: 0 °C ~ 50 °C; Storage Temperature: -20 °C ~ 70 °C; Humidity: 5% ~ 95%
- Soft LEDs: all events at a glance