Capture packets dialog box

Use the Capture Packets dialog box to configure a traffic capture on the NAM Server. It is available to users to whom the Packet Capture User role is assigned.

Tip

Use this capture method (Smart Packet Capture) to diagnose user-specific issues: you conduct some fault domain isolation (FDI) to focus on a specific user, locate that user on a NAM Server report, and start a capture from that NAM Server report.

You can access this screen only if you have been assigned the Packet Capture User role.

  • Task name
    The name of the task as it will appear in the list of tasks. Set this to a name that is useful for searching and sorting.
  • Description
    The description of the task as it will appear in the list of tasks.
  • Estimated task size
    The estimated total size of the capture, combining all data sources.
  • Free space
    The storage space available for the capture. If this is not larger than the estimated task size, there will not be enough space available to save the capture.
  • OK
    Click OK to schedule the task and display a list of tasks with the filter set to your user name.
  • Cancel
    Click Cancel to discard task submission.

Traffic filters tab

Use the Traffic Filters tab to narrow the range of your capture to traffic between two dates and times, limit the duration of the capture, and review the filter settings.

Time range

  • To capture traffic during a specific time range, select Fixed date and time and set the Start time and Stop time.

  • To capture traffic for a certain amount of time starting from when you click OK, select Period relative to the current date and set Duration to the number of seconds, minutes, or hours you want to capture data.

The date range is initially populated from the NAM Server report, but you can adjust it in the Capture Packets dialog box.

Related messages:

  • “The selected time range extends into the past. The NAM Probe does not support back-in-time captures, so all NAM Probe data sources will be ignored.”

To fix this, add data sources that do support back-in-time captures.

  • “The selected data sources do not support back-in-time captures. Change the time range or add data sources that support back-in-time captures.”

To fix this, either change the time range so that the capture does not require back-in-time data sources or add data sources that support back-in-time captures.

  • “Too many concurrent recordings for this time range.”

This occurs when the number of concurrent connections to one NAM Probe exceeds the maximum, which is 10 by default. This value is defined in userprop-nf.properties (SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS). You cannot schedule a new task when this maximum is exceeded.

Assuming the default value (10), change the schedule so that you do not have more than 10 tasks scheduled to run at the same time. You can schedule the new task to run after one or more of the already scheduled tasks have finished, or you can reschedule or cancel one of the previously scheduled tasks so that there are no more than 10 scheduled to run after you create this task.
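
The rescheduling advice above can be checked offline before you submit a task. The following Python sketch is an added example, not part of the product: it computes the peak number of overlapping tasks on one NAM Probe and the earliest start time at which a new task fits under the limit. Assumptions: tasks are modeled as half-open [start, stop) intervals, the task list is constructed sample data, and all function names are hypothetical.

```python
from datetime import datetime, timedelta

LIMIT = 10  # default of SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS per the page

def at(hh, mm):
    """Constructed sample timestamps all fall on one arbitrary day."""
    return datetime(2024, 1, 1, hh, mm)

# Constructed sample schedule for one probe: nine tasks 10:00-11:00, one 10:30-11:30.
SAMPLE = [(at(10, 0), at(11, 0))] * 9 + [(at(10, 30), at(11, 30))]

def peak_overlap(tasks, start, stop):
    """Maximum number of tasks running at any instant within [start, stop)."""
    events = []
    for s, e in tasks:
        s, e = max(s, start), min(e, stop)   # clip the task to the window
        if s < e:
            events += [(s, 1), (e, -1)]
    # At equal timestamps process stops (-1) before starts (+1):
    # back-to-back tasks are assumed not to count as concurrent.
    events.sort(key=lambda ev: (ev[0], ev[1]))
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak

def fits(tasks, start, stop, limit=LIMIT):
    """True if one more task in [start, stop) keeps the probe within the limit."""
    return peak_overlap(tasks, start, stop) + 1 <= limit

def earliest_start(tasks, not_before, duration, limit=LIMIT):
    """Earliest start >= not_before at which a task of `duration` fits."""
    # A blocked window only becomes free when an existing task stops, so the
    # answer is either not_before itself or the stop time of an existing task.
    candidates = sorted({not_before} | {e for _, e in tasks if e > not_before})
    for start in candidates:
        if fits(tasks, start, start + duration, limit):
            return start
    return None  # not reached: nothing is running after the last stop time

if __name__ == "__main__":
    print(peak_overlap(SAMPLE, at(10, 0), at(12, 0)))
    print(earliest_start(SAMPLE, at(10, 0), timedelta(minutes=45)))
```
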

Note

In the case of a “Client from” dimension, the filter is generated for the most active client IP address (most total bytes), not for all client IP addresses.

TCPDUMP filter

The filters are initially populated from the NAM Server report filters (converted to tcpdump filter format), but you can adjust them in the Capture Packets dialog box. If you edit this field, be sure to conform to the tcpdump filter format. If a filter setting is invalid, an error message is displayed and it is not possible to submit the task.

You can copy these filters into DNA and edit them to filter your trace during import.

Click Syntax warnings under the filter box to list all syntax warnings.

Note

If both the server and the client are aggregated, the real client IP address is present in the filter expression but the real server IP address is not. In such cases, you probably need to change the filter expression manually to use the real server IP address.

For servers that are not aggregated, the server IP address is present in the filter expression.

Data sources tab

Use the Data Sources tab to select the devices that will be used to gather data for this task. By default, network packets are gathered from all available data sources.

Note

In a farm deployment, you can have multiple slaves and NAM Probes connected to them in various configurations (for example, probe1 connected to slave 1, and probe2 connected to slave 2). If you are browsing DMI reports (on a master NAM Server), data is downloaded from slave servers and aggregated on the master. For packet capture, this screen displays all probes (NAM Probes and EndaceProbes) from the master and all slaves. It is not known which server in the farm holds a given portion of data. If data for a given tcpdump filter is not visible to a given probe, no data is captured on that probe.

  • Type
    Device type (such as NAM Probe or Endace)
  • IP
    Device address.
  • Port
    Port number.
  • File size
    Size of the trace.

Advanced options tab

Use the Advanced Options tab to set file-related parameters.

  • File Settings
    (NAM Probe only) Change Maximum file size (NAM Probe) to adjust the maximum file size for the capture. Default: 500 MB.
  • Secure file with password
    Select Secure file with password (and provide the password twice) to password-protect the file stored on the NAM Server. If you select this option, you will need to provide this password to open the trace in DNA or another application.