Packet capture filters

L5 Sessionator

Hello.

Does anyone else have problems with defining filters for packet capture in WebUI?

If I understand correctly (there is no info about this in the official documentation), all values in the same filter are logically connected with the 'AND' operator, and the logical operation between different filters is 'OR'.

So if I want to monitor all traffic between 2 hosts I need something like this:

1st filter ID 1: source IP1, destination IP2

2nd filter ID 2: source IP2, destination IP1.

I define files for all 4 stages of capture.

To avoid problems I then use "debug dataplane packet-diag clear filter-marked-session all"

And start capture.

However, I don't get any PCAP files at all. And I know traffic is going through the FW between these 2 hosts, as I have an active session between those 2 IPs with an increasing amount of bytes.

Any ideas if this is a bug or are my filters wrong?

How do you set filters for monitoring traffic between 2 IPs in both directions in all stages?

Best regards,

Simon

L3 Networker

Re: Packet capture filters

All sounds reasonable, except I've never used the command "debug dataplane packet-diag clear filter-marked-session all".

Can you dump out and share the output of "debug dataplane packet-diag show setting" ?

L3 Networker

Re: Packet capture filters

Oh, there is one issue I tend to find...

If you have one filter and then just go and change the IP addresses, I tend to find that doesn't take effect. So when changing the filter in the WebUI I laboriously delete all filter entries, disable the filter and then create new filter entries and re-enable filtering... A bit of a pain in the ass :-/ I'm starting to use the CLI for this now to make this a little more efficient...

L6 Presenter

Re: Packet capture filters

Hi Santonic,

Try the command "debug software restart vardata" and let me know if that fixes the issue.

You will have to reconfigure the capture/filter after that.

Regards,

Hardik Shah

L7 Applicator

Re: Packet capture filters

Hello Santonic,

As Ajbool said before, could you please run the CLI command multiple times (with a 5 second interval): > debug dataplane packet-diag show setting, and compare the "captured byte" counts. If the byte count is increasing, it means the traffic is getting matched with the filter. In that situation, you need to restart the vardata-receiver process (responsible for capturing packets). CLI command: > debug software restart vardata-receiver.

For example: [screenshot: packet-filter.jpg]

Hope this helps.

Thanks
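The same two-filter, four-stage setup from the first post, plus the byte-count check and process restart suggested in the replies, expressed on the PAN-OS CLI instead of the WebUI. This is an added example, not something posted in the thread; the two addresses (10.1.1.10 as IP1, 10.2.2.20 as IP2) and the pcap file names are constructed placeholders.

```text
# Clean slate: remove old filters/captures and unmark sessions left over from
# a previous filter (the clear filter-marked-session command from the thread).
> debug dataplane packet-diag clear all
> debug dataplane packet-diag clear filter-marked-session all

# Two filters, one per direction. Fields inside one filter are ANDed and
# separate filter indexes are ORed, so both are needed to see both directions.
# Addresses are constructed examples.
> debug dataplane packet-diag set filter index 1 match source 10.1.1.10 destination 10.2.2.20
> debug dataplane packet-diag set filter index 2 match source 10.2.2.20 destination 10.1.1.10
> debug dataplane packet-diag set filter on

# One output file per stage (file names are arbitrary).
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage drop file drop.pcap
> debug dataplane packet-diag set capture on

# Caveat worth checking: filters mark sessions as they are created, so a
# session that was already open when the filter was enabled may not be
# captured. Re-establish the client connection after turning the filter on.

# Verify the filter actually matches: run this a few times about 5 s apart and
# compare the captured byte counts. Rising counts but no pcap files point at
# the capture process, not at the filter definition.
> debug dataplane packet-diag show setting

# Only if the counts rise and still no files appear (the fix from the replies);
# filters and capture stages must be recreated afterwards.
> debug software restart vardata-receiver

# Stop and inspect the result.
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off
> view-pcap filter-pcap rx.pcap
```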

L5 Sessionator

Re: Packet capture filters

@ajbool

Yes, I've encountered the same problem with captures containing unwanted traffic after changing filter settings. That's where the command I mentioned comes in handy: it unmarks all sessions which were marked by the previous packet capture filter. So I use it between changing filters.

I found it here: Packet Capture Contains Traffic not Defined in Filter

Thank you for the other tips too. I'll try them when I'm having issues again.

L3 Networker

Re: Packet capture filters

Ah, OK, it seems that command will help me out. Thanks!
