topic Re: Packet capture filters in General Topics

Packet capture filters

santonic — Fri, 25 Jul 2014 08:07:14 GMT

Hello.

Does anyone else have problems with defining filters for packet capture in WebUI?

If I understand correctly (there is no info about this in official documentation) all values in the same filter are logically connected with 'AND' operator. And logical operation between different filters is 'OR'.

So if I want to monitor all traffic between 2 hosts i need something like this:

1st filter ID 1: source IP1, destination IP2

2nd filter ID 2: source IP2, destination IP1.

I define files for all 4 stages of capture.

To avoid problems I then use "debug dataplane packet-diag clear filter-marked-session all"

And start capture.

However I don't get any PCAP files at all. And I know traffic is going through FW between these 2 hosts as I have an active session between those 2 IPs with increasing amount of bytes.

Any ideas if this is a bug or are my filters wrong?

how do you set filters for monitoring traffic between 2 IPs in both directions in all stages?

Best regards,

Simon

Re: Packet capture filters

ajbool — Fri, 25 Jul 2014 13:11:05 GMT

All sounds reasonable, except I've never used the command "debug dataplane packet-diag clear filter-marked-session all".

Can you dump out and share the output of "debug dataplane packet-diag show setting" ?

Re: Packet capture filters

ajbool — Fri, 25 Jul 2014 13:16:45 GMT

Oh, there is one issue I tend to find...

If you have one filter, and then just go and change the IP addresses I tend to find that doesn't take effect. So when chaining the filter in the WebUI I laboriously delete all filter enteris, disable filter and then create new filter entries and re-enable filtering... A bit of a pain in the ass 😕 I'm starting to use the CLI for this now to make this a little more efficient...

Re: Packet capture filters

hshah — Fri, 25 Jul 2014 14:39:10 GMT

Hi Santonic,

Try command "debug software restart vardata." let me know if that fix the issue.

You will have to reconfigure capture/filter after that.

Regards,

Hardik Shah

Re: Packet capture filters

HULK — Fri, 25 Jul 2014 15:10:45 GMT

Hello Santonic,

As Ajbool said before, could you please run the CLI command multiple times ( with 5 seconds interval): > debug data-plane packet-diag show setting ---- and compare "captured byte" counts. If the byte count is increasing, it means the traffic is getting matched with the filter. In that situation, you need to restart the vardata-receiver process ( responsible to capture packet). CLI command: > debug software restart vardata-receiver.

For example:

Hope this helps.

Thanks

Re: Packet capture filters

santonic — Mon, 28 Jul 2014 08:16:23 GMT

@ajbool

Yes, i've encountered same problem about captures containing unwanted traffic after changing filter settings. That's where the command I mentioned comes in handy: it unmarks all sessions which were marked by previous packet capture filter. So I use it between changing filters.

I found it here: Packet Capture Contains Traffic not Defined in Filter

Thank you about other tips too. I'll try that when I'm having issues again.

Re: Packet capture filters

ajbool — Mon, 28 Jul 2014 10:19:01 GMT

Ar, OK, it seems that command will help me out. Thanks!