Example 8

Goal
You are an administrator of a large Internet Service Provider (ISP). Your ISP has a 10 Mbit Internet connection, about 200 users (say, they have IP addresses in 192.168.0.0/24) and 5000-10000 active sessions. You want to record all packets transmitted between the Internet and the users. What is the best solution?

Solution
For this scenario, the strategy "one filter per user" is not effective, because a filter set of 200 filters is hard to manage. The simplest way is to create a single filter "Your users - WAN" and enable Packet Logging:

Filter 1. The total Internet traffic of the users

| N | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---------------------|----------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 1 | Any                 | 192.168.0.0/24 |             | IP addresses of WAN |                  | Yes             | Count             |                      |

Note

Because Packet Collector has a size of 2000 positions, there is a probability that such a filter will overflow Packet Collector. This means that not all of the captured packets will be recorded. To avoid this problem, you can shorten the Packet Collector flush interval to 10 seconds, or apply load balancing to Packet Collector. The idea of load balancing is a logical (not physical) division of your network into several subnets, with the captured packets recorded separately for every subnet:

Filter 1. The total Internet traffic of the users 192.168.0.0/26

| N | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---------------------|----------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 1 | Any                 | 192.168.0.0/26 |             | IP addresses of WAN |                  | Yes             | Count             |                      |

Filter 2. The total Internet traffic of the users 192.168.0.64/26

| N | Type of IP protocol | Source address  | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---------------------|-----------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 2 | Any                 | 192.168.0.64/26 |             | IP addresses of WAN |                  | Yes             | Count             |                      |

Filter 3. The total Internet traffic of the users 192.168.0.128/26

| N | Type of IP protocol | Source address   | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---------------------|------------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 3 | Any                 | 192.168.0.128/26 |             | IP addresses of WAN |                  | Yes             | Count             |                      |

Filter 4. The total Internet traffic of the users 192.168.0.192/26

| N | Type of IP protocol | Source address   | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---------------------|------------------|-------------|---------------------|------------------|-----------------|-------------------|----------------------|
| 4 | Any                 | 192.168.0.192/26 |             | IP addresses of WAN |                  | Yes             | Count             |                      |

If you get the message "Packet Collector is full" for any filter with a /26 network mask, you should consider dividing your network into smaller subnets (for example, use a /28 network mask).
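The load-balancing procedure above is mechanical: split the user network into equal subnets, emit one "Count" filter per subnet, and keep splitting until the packets that arrive between two flushes fit into the 2000 Packet Collector positions. The following Python script is an added example that automates that sizing decision; it is not part of the product documentation. The 2000-position capacity and the 192.168.0.0/24 user network come from this page; the packet rate, the flush interval and the assumption that traffic spreads evenly across the subnets are constructed for illustration, and the rule-table field names are this script's own.

```python
import ipaddress
import math

# Values taken from the example on this page.
USERS = ipaddress.ip_network("192.168.0.0/24")
COLLECTOR_POSITIONS = 2000


def split_network(network, new_prefix):
    """Logically divide the user network into equal subnets (the load-balancing idea)."""
    return list(ipaddress.ip_network(network).subnets(new_prefix=new_prefix))


def build_filters(subnets, wan="IP addresses of WAN"):
    """One 'Count' filter per subnet, mirroring the rule tables on this page.

    Field names are this example's own, not the product's configuration keys.
    """
    rows = []
    for n, subnet in enumerate(subnets, start=1):
        rows.append({
            "N": n,
            "protocol": "Any",
            "src": str(subnet),
            "src_port": "",
            "dst": wan,
            "dst_port": "",
            "both_directions": True,
            "action": "Count",
            "condition": "",
        })
    return rows


def min_prefix_for_rate(packets_per_second, flush_interval_s,
                        base_prefix=24, positions=COLLECTOR_POSITIONS):
    """Smallest prefix length (i.e. largest subnets, fewest filters) such that the
    packets captured by one filter between two flushes fit into the collector.

    Assumption: traffic is spread evenly over the subnets. Returns None if even
    /32 subnets would still overflow the collector.
    """
    per_interval = packets_per_second * flush_interval_s
    for prefix in range(base_prefix, 33):
        subnets = 2 ** (prefix - base_prefix)
        if math.ceil(per_interval / subnets) <= positions:
            return prefix
    return None


def format_table(rows):
    """Render the filter rows as a plain-text table like the ones on this page."""
    header = ["N", "Protocol", "Source", "Destination", "Both dirs", "Action"]
    lines = [" | ".join(header)]
    for r in rows:
        lines.append(" | ".join([str(r["N"]), r["protocol"], r["src"], r["dst"],
                                 "Yes" if r["both_directions"] else "No", r["action"]]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed load: 1000 packets/s on the WAN link, collector flushed every 10 s.
    prefix = min_prefix_for_rate(packets_per_second=1000, flush_interval_s=10)
    print(f"Needed subnet mask: /{prefix}")
    print(format_table(build_filters(split_network(USERS, prefix))))
```

With the constructed 1000 packets/s and a 10 s flush interval, a single /24 filter would see 10000 packets per interval, five times the collector size, and the script settles on /27 (eight filters of at most 1250 packets each). Lowering the rate or shortening the flush interval, as the note above suggests, pushes the answer back toward a single /24 filter.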

Is it possible to create Packet Collector with an unlimited size?

Yes, but it would not be efficient. To put a captured packet into Packet Collector, the proper position for the new packet must first be found in Packet Collector. If Packet Collector has unlimited size, that search will take many CPU cycles.