Managing Smart Packet Captures

NAM Server ► Tools ► Packet data mining tasks

Tip

Use this capture method (Smart Packet Capture) to diagnose user-specific issues: you conduct some fault domain isolation (FDI) to focus on a specific user, locate that user on a NAM Server report, and start a capture from that NAM Server report.

Listing captures

Use the Smart packet capture screen to list the captures previously made, captures still in progress, and captures scheduled to run in the future. This list displays tasks from all users, not only the current user.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. Review the list of tasks.
  3. Use the action buttons to manage tasks.

Stopping a capture

You can stop a traffic capture before it finishes running.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. Find the row corresponding to the task or device whose data you want to stop.
  3. Click stop in that row.

The capture is stopped and any captured data up to this point is discarded.

The task is not discarded unless you delete it. You can restart (re-record) a stopped capture task from the beginning.

Editing and re-recording a capture

You can edit and rerun (overwrite) a previous capture by opening the configuration screen for it, adjusting the capture parameters as needed, and restarting it.

Caution:

This procedure overwrites any data you captured previously with the selected task, even if you change the task name before restarting the capture. If you need to preserve data captured during a previous run of this task, download the data to a safe location before continuing with this procedure.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. Find the row corresponding to the task or device whose data you want to re-record.
  3. Click edit in the corresponding row.
  4. Edit the capture configuration.
    All settings you used previously are preserved unless you change them now.
  5. Click OK.

Any previously captured data for this task is overwritten with the new capture.

Deleting a capture task

You can remove a task (and all related captured data) from the list.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. Find the row corresponding to the task or device whose data you want to delete.
  3. In that row, click delete.
    • If you delete a task, all associated trace files are deleted with it.
    • If you delete the last trace file associated with a task, the task is also deleted.
    • If this button is not available, that task is still running. You cannot delete an active task.

Downloading a capture

You can download a captured trace from the NAM Server to your local disk or open it directly in an application such as DNA.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. In the list of tasks, find the task that generated the trace file you want to download and click expand to expand the task.
  3. Click download in that row.
  4. In the Download file window, select the file format you want and then click OK.
    You can select one of the following formats:
    • opcx
    • zip
    • pcap
    The file is downloaded in the selected format, at which point you can open it in another application.
    • If you select file format opcx and you have installed DNA on this machine, you can open the file to import it directly into DNA. If the file is large, you may need to filter it with Trace Trimmer or a BPF filter during import to reduce it to a manageable size for DNA.
    • If you select pcap and you have installed a protocol analyzer such as Wireshark, you can open it in that analyzer.

Opening a capture in Trace Trimmer

  1. On the NAM Server, select Tools ► Packet data mining tasks to list all capture tasks.
    If the list is empty, you need to capture a trace. For more information, see Starting a Packet Capture.
  2. Click expand in the task row.
  3. Click Trace Trimmer in the row corresponding to the trace file you want to open in Trace Trimmer.
  4. On the Trace Trimmer page, browse the tabs and click to select what you want to see on the report.

Each tab is a different view of the same data.

  • Click a column heading to sort the current tab by that column.
  • Click active data displayed in any row of any tab and select it to show only data that matches your selection.
  • Use the Find function to search the data of any column on the current tab.
  • Click the Time range icon to narrow your view to a certain time range.

The best way to understand this screen is by example:

  1. Choose a tab.
    The default Connections tab may be the most commonly used, so we will start there, but you could use any of the other tabs to set filter conditions.

  2. On the Connections tab, select something you want to see in your output.
    For example, if you want to see all traffic where one end of every connection is a certain node, click that node in either the Node A graph or the Node A column of the table under the graphs, and select it. The view will immediately be narrowed to only those connections that involve the selected node.

  3. To further narrow your view of the traffic, click any other graph or corresponding table column.
    For example, you might want to see only connections between two specific nodes. You have already selected one end of the connection (Node A) and the graphs and the table currently show only the connections with one end at Node A. Now click a node in the Node B graph or Node B table column to specify the other end of the connection.

    Alternatively, you could have selected a certain port or a VLAN identifier or any of the other selectable parameters shown in the graphs and table columns.

  4. After you have edited the report down to the view you want, use the Actions menu to save or send your report.
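
The same Node A / Node B narrowing can also be applied offline to a trace downloaded in pcap format, for example to cut a capture down to one user's conversation before passing it to another analyst. The script below is an added example, not part of the product or its documentation. It assumes a classic (non-pcapng) pcap file with Ethernet/IPv4 frames; the function names and the sample addresses are constructed for illustration.

```python
import io
import socket
import struct

def trim_pcap(src, dst, node_a, node_b=None):
    """Copy frames with node_a (and node_b, if given) as an endpoint; return (read, kept)."""
    header = src.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    dst.write(header)
    a = socket.inet_aton(node_a)
    b = socket.inet_aton(node_b) if node_b else None
    read = kept = 0
    while True:
        rec = src.read(16)  # per-packet record header
        if len(rec) < 16:
            break
        incl_len = struct.unpack(endian + "I", rec[8:12])[0]
        frame = src.read(incl_len)
        if len(frame) < incl_len:
            break  # truncated final record: drop it
        read += 1
        off, ethertype = 14, frame[12:14]
        if ethertype == b"\x81\x00":  # one 802.1Q VLAN tag
            off, ethertype = 18, frame[16:18]
        if ethertype != b"\x08\x00" or len(frame) < off + 20:
            continue  # not IPv4, or too short to hold an IPv4 header
        ends = {frame[off + 12:off + 16], frame[off + 16:off + 20]}
        if a in ends and (b is None or b in ends):
            dst.write(rec + frame)
            kept += 1
    return read, kept

def sample_pcap():
    """Constructed three-packet capture (Ethernet + bare IPv4 headers) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for s, d in [("10.0.0.5", "10.0.0.9"), ("10.0.0.7", "10.0.0.9"), ("10.0.0.9", "10.0.0.5")]:
        ip = b"\x45\x00\x00\x14" + bytes(8) + socket.inet_aton(s) + socket.inet_aton(d)
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    trimmed = io.BytesIO()
    print(trim_pcap(io.BytesIO(sample_pcap()), trimmed, "10.0.0.5", "10.0.0.9"))
```

For a real download, pass file objects opened in binary mode in place of the in-memory buffers.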

Reloading a capture

You can reload a traffic capture by returning to the originating report.

  1. On the NAM Server, select Tools ► Packet data mining tasks.
  2. Find the row corresponding to the task or device whose data you want to reload.
  3. Click reload to reload the report.
  4. Start another report.

You are returned to the originating report, where you can go back to the Capture Packets screen to configure a capture with the latest data.