Starting a Smart Packet Capture

Use the Capture packets dialog box to configure a Smart Packet Capture on a NAM Server.

Tip

Use Smart Packet Capture to diagnose user-specific issues:

  1. Conduct fault domain isolation (FDI) to focus on a specific user.
  2. Locate that user on a NAM Server report.
  3. Start a capture from that NAM Server report.

You can access Smart Packet Capture only if you have been assigned the Packet capture user role. See User roles and groups for help on assigning user roles.

Selecting a starting point

On the NAM Server, open a standard report that displays the user data. For example, open Reports > Explore > Users from the NAM Server navigation menu to open the User details report.

In that report, in the User name column, click in a user row and select Capture packets from the pop-up menu.

Tip

If the default capture settings (60 seconds on all attached NAM Probes) are sufficient, you can take a shortcut here with the Capture packets / View in Trace Trimmer option on the same pop-up menu. A capture starts automatically and, when it finishes, is displayed automatically in Trace Trimmer. You can then skip the rest of this procedure, though you might want to review Managing Smart Packet Captures after you finish examining your capture.

The Capture packets screen is displayed.

If you get an error message at this point, in the NAM Console open Deployment > Manage devices and verify the following:

  • You have added a NAM Server and a NAM Probe.
  • You have assigned the NAM Probe to the NAM Server.
  • The NAM Probe is active. Check device status.

Setting traffic filters

Use the Traffic Filters tab to narrow the range of your capture to traffic between two dates and times, limit the duration of the capture, and review the filter settings.

Review the Task name and Description, and edit them to suit your needs.

  • Task name is automatically derived from the date and time of the capture (Task yyyy_mm_dd__hh_mm_ss).
  • Description is automatically derived from the point at which you initiated the capture (such as Created from "report_name" for "user").

Adjust the Time range to focus the capture on the traffic you want to see and to reduce the potential size of the capture.

Time range

  • To capture traffic during a specific time range, select Fixed date and time and set the Start time and Stop time.
  • To capture traffic for a certain amount of time starting from when you click OK, select Period relative to the current date and set Duration to the number of seconds, minutes, or hours you want to capture data.

The date range is initially populated from the NAM Server report, but you can adjust it in the Capture packets dialog box.

Review the TCP filter settings and adjust the filters as needed.

The filters are initially populated from the NAM Server report's filters (converted to tcpdump filter format), but you can adjust them in the Capture packets dialog box. If you edit this field, be sure to conform to the tcpdump filter format. If a filter setting is invalid, an error message is displayed and it is not possible to submit the task.

Setting data sources

Use the Data Sources tab to select the devices that will be used to gather data for this task. By default, network packets are gathered from all available data sources.

  1. Click the Data Sources tab.
  2. Select or clear the check box for each source in the list of potential data sources.
    • By default, all NAM Probes available on the selected NAM Server are used, but you can clear the check boxes of probes you don't want to query for this task.
    • If your probe is not listed here, ensure that it has been configured and has been added to the NAM Console's list of devices.
    • Applies to NAM 2019 Service Pack 2+
      If you need to fine-tune your capture down to NAM Probe interfaces (not just NAM Probes), set interface filters on the Advanced options tab.

Setting advanced options

Use the Advanced Options tab to specify various advanced capture settings.

Note: all Advanced Options settings are independent of one another.

TCPDUMP filter settings

  • Remove encapsulation
    By default, Smart Packet Capture removes encapsulation from the trace. Clear this setting if you do not want to remove encapsulation from the trace.

  • Define filter for NAM Probe interfaces (optional)
    Applies to NAM 2019 Service Pack 2+
    By default, Smart Packet Capture captures traffic on all sniffing interfaces of all selected data sources. Starting with NAM 2019 Service Pack 2, you can set a filter on the Advanced Options tab if you want to capture packets only on selected interfaces of your data sources.

    Example interface filters:

    • ifc1 will capture traffic on any sniffing interface named ifc1 on all NAM Probes on which you are capturing traffic. If you are capturing on two NAM Probes, each of which has an interface named ifc1, you will capture traffic only on those two interfaces.
    • ifc1, ifc2 will capture traffic only on sniffing interfaces named ifc1 or ifc2 on any NAM Probe on which you are capturing traffic.
    • 1.2.3.4:ifc1 will capture traffic only on the sniffing interface named ifc1 on the NAM Probe with IP address 1.2.3.4.
    • 1.2.3.4:ifc1, ifc2 will capture traffic only on 1.2.3.4:ifc1 (a certain interface on a certain NAM Probe) and on interface ifc2 on all selected NAM Probes.
    Important

    The Define filter for NAM Probe interfaces setting is not validated. If your filter definition is incorrect, it is ignored (with no notification in the interface) and traffic is captured on all sniffing interfaces on all selected NAM Probes (the equivalent of not defining this filter at all).
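Because an incorrect interface filter is silently ignored and the capture widens to every sniffing interface, it is worth checking the filter text before you submit the task. The following is an added example, not part of NAM or of the original page: the grammar is an assumption inferred only from the four example filters above, and the function name `check_interface_filter` and the probe inventory are constructed for illustration.

```python
import ipaddress
import re

# Assumed grammar, inferred only from the four example filters on this page:
# comma-separated entries, each "<interface>" or "<probe IPv4>:<interface>".
IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # assumption: allowed name characters


def check_interface_filter(filter_text, inventory):
    """Return (targets, problems) for a filter against the selected probes.

    inventory maps probe IP -> set of sniffing interface names.
    """
    targets, problems = set(), []
    for raw in filter_text.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma?)")
            continue
        probe, sep, iface = entry.rpartition(":")
        if sep:
            try:
                ipaddress.IPv4Address(probe)
            except ValueError:
                problems.append(f"{entry!r}: {probe!r} is not an IPv4 address")
                continue
            if probe not in inventory:
                problems.append(f"{entry!r}: probe {probe} is not a selected data source")
                continue
        if not IFACE_RE.match(iface):
            problems.append(f"{entry!r}: bad interface name {iface!r}")
            continue
        probes = [probe] if sep else list(inventory)
        hits = {(p, iface) for p in probes if iface in inventory[p]}
        if not hits:
            problems.append(f"{entry!r}: no selected probe has interface {iface!r}")
        targets |= hits
    return targets, problems


# Constructed inventory: two probes and their sniffing interfaces (not real devices).
INVENTORY = {"1.2.3.4": {"ifc1", "ifc2"}, "5.6.7.8": {"ifc1", "ifc3"}}

if __name__ == "__main__":
    for text in ("ifc1", "1.2.3.4:ifc1, ifc2", "1.2.3.4;ifc1", "ifc1,, 9.9.9.9:ifc1"):
        print(repr(text), *check_interface_filter(text, INVENTORY), sep="\n  ")
```

Submit the filter only when the problems list is empty and the targets set matches the interfaces you intend to capture on.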

File settings

  • Maximum file size (NAM Probe)
    By default, the maximum Smart Packet Capture trace file size is 500 MB. Change the number and select MB or GB to set a different maximum capture file size.

  • Secure file with password
    By default, Smart Packet Capture does not password-protect your trace file. Select this (and provide the password twice) if you want to password-protect the trace file stored on the NAM Server. You will then need to provide this password to open the trace in DNA or another application.

Select View in trace trimmer to automatically display the completed capture in Trace Trimmer.

Reviewing the scheduled tasks

Use the Smart packet capture window to list previous captures, captures still in progress, and captures still waiting to run. This list displays tasks from all users, not only the current user.

Smart Packet Capture

  1. Verify that your task is listed and that the status is appropriate.
    • Scheduled. Task will start: {time}
      The task has been created but not yet submitted to a device. Hover your mouse pointer over the information icon to see when the task is scheduled to start.
    • Capturing traffic
      The task has been submitted to a device and traffic is being captured.
    • Downloading
      Trace files are being downloaded to a NAM Server. Current task progress is shown (overall and per device).
    • Completed
      The task is complete and the trace archive is available for analysis.
  2. Verify that Disk usage is within safe bounds.

Next: Managing Smart Packet Captures