Starting a Smart Packet Capture

Use the Capture packets dialog box to configure a Smart Packet Capture on a NAM Server. Smart Packet Capture can help you diagnose user-specific issues: you conduct some fault domain isolation (FDI) to focus on a specific user, locate that user on a NAM Server report, and start a capture from that NAM Server report.

Selecting a starting point

On the NAM Server, open a standard report that displays the user data.
For example, choose Reports ► Explore ► Users to open the User details report.

In that report, in the User name column, click in a user row and select Capture packets from the pop-up menu.

Tip

If the default capture settings (60 seconds on all attached NAM Probes) are sufficient, you can take a shortcut here with the Capture packets / View in Trace Trimmer option on the same pop-up menu. The capture starts automatically and is then displayed in Trace Trimmer. You can then skip the rest of this procedure, though you might want to review Managing Smart Packet Captures after you finish examining your capture.

The Capture packets screen is displayed.

If you get an error message at this point, ensure that you have configured all of the components needed for packet capture.

  • In the NAM Console, you have added an EndaceProbe and a NAM Server.
  • You have assigned the EndaceProbe to the NAM Server.
  • The devices are active. Check device status.

Setting traffic filters

Use the Traffic Filters tab to narrow the range of your capture to traffic between two dates and times, limit the duration of the capture, and review the filter settings.
Figure: Capture packets, traffic filters tab

Adjust the Time range to focus the capture on the traffic you want to see and to reduce the potential size of the capture.

Time range

  • To capture traffic during a specific time range, select Fixed date and time and set the Start time and Stop time.
  • To capture traffic for a certain amount of time starting from when you click OK, select Period relative to the current date and set Duration to the number of seconds, minutes, or hours you want to capture data.

The date range is initially populated from the NAM Server report, but you can adjust it in the Capture packets dialog box.

Related messages:

  • “The selected time range extends into the past. The NAM Probe does not support back-in-time captures, so all NAM Probe data sources will be ignored.”
    To fix this, add data sources that do support back-in-time captures.

  • “The selected data sources do not support back-in-time captures. Change the time range or add data sources that support back-in-time captures.”
    To fix this, either change the time range so that the capture does not require back-in-time data sources or add data sources that support back-in-time captures.

  • “Too many concurrent recordings for this time range.”
    This occurs when the number of concurrent connections to one NAM Probe exceeds the maximum, which by default is 10. This value is defined in userprop-nf.properties (SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS). You cannot schedule a new task when this maximum is exceeded.

    Assuming the default value (10), change the schedule so that you do not have more than 10 tasks scheduled to run at the same time. You can schedule the new task to run after one or more of the already scheduled tasks have finished, or you can reschedule or cancel one of the previously scheduled tasks so that there are no more than 10 scheduled to run after you create this task.
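The overlap check behind the "Too many concurrent recordings" message can be reproduced offline when planning a schedule. The following is an added example, not code from the product or its documentation: the function names, the constructed task list, and the half-open interval handling are assumptions, and only the default limit of 10 comes from this page.

```python
from datetime import datetime, timedelta

MAX_CONCURRENT = 10  # page default for SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS

def peak_overlap(tasks, start, stop):
    """Highest number of existing tasks running at once inside [start, stop)."""
    events = []
    for t_start, t_stop in tasks:
        lo, hi = max(t_start, start), min(t_stop, stop)
        if lo < hi:  # task intersects the proposed window
            events += [(lo, 1), (hi, -1)]
    events.sort()  # at equal times -1 sorts before +1: back-to-back tasks do not overlap
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak

def fits(tasks, start, duration, limit=MAX_CONCURRENT):
    """True if one more task in [start, start + duration) stays within the limit."""
    return peak_overlap(tasks, start, start + duration) + 1 <= limit

def earliest_start(tasks, not_before, duration, limit=MAX_CONCURRENT):
    """Earliest start >= not_before at which the new task fits.

    The running count only drops when a task stops, so not_before and the
    later stop times are the only candidates worth testing.
    """
    candidates = sorted({not_before} | {stop for _, stop in tasks if stop > not_before})
    for candidate in candidates:
        if fits(tasks, candidate, duration, limit):
            return candidate
    return None  # only reached when limit < 1

# Constructed schedule for one probe: nine 10-minute tasks and one 5-minute task.
BASE = datetime(2024, 1, 1, 12, 0, 0)
TASKS = [(BASE, BASE + timedelta(minutes=10))] * 9 + [(BASE, BASE + timedelta(minutes=5))]

if __name__ == "__main__":
    wanted = BASE + timedelta(minutes=2)
    one_minute = timedelta(seconds=60)
    print("fits at 12:02:", fits(TASKS, wanted, one_minute))
    print("earliest start:", earliest_start(TASKS, wanted, one_minute))
```

With the constructed schedule, a 60-second capture requested at 12:02 would be the eleventh concurrent task, so the helper proposes the moment the 5-minute task stops.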

Note

In the case of a “Client from” dimension, the filter is generated for the most active client IP address (most total bytes), not for all client IP addresses.

Review the TCP filter settings and adjust the filters as needed.

The filters are initially populated from the NAM Server report filters (converted to tcpdump filter format), but you can adjust them in the Capture packets dialog box. If you edit this field, be sure to conform to the tcpdump filter format. If a filter setting is invalid, an error message is displayed and the task cannot be submitted.

Setting data sources

Use the Data Sources tab to select the devices that will be used to gather data for this task. By default, network packets are gathered from all available data sources.
Figure: Capture packets, data sources tab

  1. Click the Data Sources tab.

  2. Select or clear the check box for each source in the list of potential data sources.

    By default, all EndaceProbes available on the selected NAM Server are used, but you can clear the check boxes of probes you don't want to query for this task.

    If your probe is not listed here, ensure that it has been configured and has been added to the NAM Console's list of devices.

Setting advanced options

Use the Advanced Options tab to set file-related parameters.
Figure: Capture packets, advanced options tab

  1. Click the Advanced Options tab.
  2. (NAM Probe only) Change Maximum file size (NAM Probe) to adjust the maximum file size for the capture. Default: 500 MB.
  3. Select Secure file with password (and provide the password twice) to password-protect the file stored on the NAM Server. If you select this option, you will need to provide this password to open the trace in DNA or another application.
  4. Click OK to submit the task to the scheduler and display the list of scheduled tasks.

Reviewing the scheduled tasks

Use the Smart packet capture dialog box to list the captures previously made, captures still in progress, and captures scheduled to run in the future. This list displays tasks from all users, not only the current user.

Figure: Smart Packet Capture, task schedule

  1. Verify that your task is listed and that the status is appropriate.
    • Scheduled. Task will start: {time}
      The task has been created but not yet submitted to a device. Hover your mouse pointer over the information icon to see when the task is scheduled to start.
    • Capturing traffic
      The task has been submitted to a device and traffic is being captured.
    • Downloading
      Trace files are being downloaded to a NAM Server. Current task progress is shown (overall and per device).
    • Completed
      The task is complete and the trace archive is available for analysis.
  2. Verify that Disk usage is within safe bounds.

Next: Managing Smart Packet Captures