Use the Capture Trace

Packet capture is a utility that provides a live snapshot of network traffic passing the specified interface of a device based on a defined criteria. This process continues to capture the packets as long as it has not paused, or the allocated memory has not exhausted.

Packet capture data includes information from Snort and preprocessors about verdicts and actions the system takes while processing a packet. Multiple packet captures are possible at a time. You can configure the system to modify, delete, clear, and save captures.

Note

Capturing packet data requires packet copy. This operation may cause delays while processing packets and may also degrade the packet throughput. We recommend that you use packet filters to capture specific traffic data.

Before you begin

To use the packet capture tool on Secure Firewall Threat Defense devices, you must be an Admin or Maintenance user.

Procedure

Step 1

On the management center, choose Devices > Packet Capture.

Step 2

Select a device.

Step 3

Click Add Capture.

Step 4

Enter the Name for capturing the trace.

Step 5

Select the Interface for the capturing the trace.

Step 6

Specify Match Criteria details:

  1. Select the Protocol.

  2. Enter the IP address for the Source Host.

  3. Enter the IP address for the Destination Host.

  4. (Optional) Check SGT number check box, and enter a Security Group Tag (SGT).

Step 7

Specify Buffer details:

  1. (Optional) Enter a maximum Packet Size.

  2. (Optional) Enter a minimum Buffer Size.

  3. Select either Continuous Capture if you want the traffic captured without interruption, or Stop when full if you want the capture to stop when the maximum buffer size is reached.

    Note

    If Continues Capture is enabled, and when the allocated memory is full, the oldest captured packets in the memory is overwritten by the new captured packets.

  4. Check the check box of Trace, if you want to capture the details for each packet.

  5. Enter the value in Trace Count field. Default value is 128. You can enter values in the range of 1-1000.

Step 8

Click Save.

The packet capture screen displays the packet capture details and its status. To have the packet capture page auto refreshed, check the Enable Auto Refresh check box and enter the auto refresh interval in seconds.

You can do the following on the packet capture:

  • Edit (edit icon) to modify the capture criteria.

  • Delete (delete icon) to delete the packet capture and the captured packets.

  • Clear (clear packet capture) to erase all the captured packets from a Packet Capture. To erase the captured packets from all of the existing packet captures, click Clear All Packets.

  • Pause (pause icon) to temporarily halt capturing packets.

  • Save (download saved packet capture) to save a copy of captured packets on a local machine in ASCII or PCAP format. Choose the required format option, and click Save. The saved packet capture is downloaded to your local machine.

  • To view the details of the packets being captured, click the required capture row.