Packet capture filters

L6 Presenter

Hello.

Does anyone else have problems with defining filters for packet capture in WebUI?

If I understand correctly (there is no info about this in official documentation) all values in the same filter are logically connected with 'AND' operator. And logical operation between different filters is 'OR'.

So if I want to monitor all traffic between 2 hosts I need something like this:

1st filter ID 1: source IP1, destination IP2

2nd filter ID 2: source IP2, destination IP1.

I define files for all 4 stages of capture.

To avoid problems I then use "debug dataplane packet-diag clear filter-marked-session all"

And start capture.

However I don't get any PCAP files at all. And I know traffic is going through FW between these 2 hosts as I have an active session between those 2 IPs with increasing amount of bytes.

Any ideas if this is a bug or are my filters wrong?

How do you set filters for monitoring traffic between 2 IPs in both directions in all stages?

Best regards,

Simon
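One way to set up the capture Simon asks about, written out as an added example rather than taken from any post in this thread. It assumes the PAN-OS CLI packet-diag commands; the two host addresses and the four PCAP file names are constructed. The AND-within-a-filter / OR-between-filters behaviour is Simon's reading of the WebUI, so the two-entry approach here is built on that assumption, not on documented semantics.

```console
# Added example (not from the thread): PAN-OS CLI sequence for a bidirectional,
# four-stage capture between two hosts. 10.0.1.10 / 10.0.2.20 and the .pcap names
# are constructed values. Assumed semantics: all values in one "match" entry must
# hold (AND); any entry matching is enough (OR), hence one entry per direction.

# Start from a clean state: drop old filter entries, old capture settings, and
# the session marks left behind by a previous filter (the command from the post).
> debug dataplane packet-diag clear filter all
> debug dataplane packet-diag clear capture all
> debug dataplane packet-diag clear filter-marked-session all

# Filter entry 1: host A -> host B; entry 2: host B -> host A.
> debug dataplane packet-diag set filter match source 10.0.1.10 destination 10.0.2.20
> debug dataplane packet-diag set filter match source 10.0.2.20 destination 10.0.1.10
> debug dataplane packet-diag set filter on

# One file per capture stage.
> debug dataplane packet-diag set capture stage receive  file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture stage drop     file dp.pcap
> debug dataplane packet-diag set capture on

# Verify filter and capture state; run this a few times while traffic flows and
# watch whether the captured byte counters move (the check the replies suggest).
> debug dataplane packet-diag show setting

# Stop, then inspect one of the files on the box or export it.
> debug dataplane packet-diag set capture off
> debug dataplane packet-diag set filter off
> view-pcap filter-pcap rx.pcap
```

Two points worth checking if the files still come back empty. First, compare the byte counters from `show setting` between runs, as the replies below suggest: counters that grow without any PCAP being written point at the capture process rather than at the filter. Second, packet-diag filtering marks sessions as they are created, so a session that was already established before `set filter on` may never be marked; clearing that one session and letting it re-establish is the usual way to bring it under the filter.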

6 REPLIES

L3 Networker

All sounds reasonable, except I've never used the command "debug dataplane packet-diag clear filter-marked-session all".

Can you dump out and share the output of "debug dataplane packet-diag show setting" ?

L3 Networker

Oh, there is one issue I tend to find...

If you have one filter, and then just go and change the IP addresses, I tend to find that doesn't take effect. So when changing the filter in the WebUI I laboriously delete all filter entries, disable filter and then create new filter entries and re-enable filtering... A bit of a pain in the ass 😕 I'm starting to use the CLI for this now to make this a little more efficient...

L6 Presenter

Hi Santonic,

Try the command "debug software restart vardata". Let me know if that fixes the issue.


You will have to reconfigure capture/filter after that.

Regards,

Hardik Shah

L7 Applicator

Hello Santonic,

As Ajbool said before, could you please run the CLI command multiple times (with a 5 second interval): > debug data-plane packet-diag show setting ---- and compare the "captured byte" counts. If the byte count is increasing, it means the traffic is getting matched by the filter. In that situation, you need to restart the vardata-receiver process (responsible for capturing packets). CLI command: > debug software restart vardata-receiver.

For example:

[image: packet-filter.jpg]

Hope this helps.

Thanks

@ajbool

Yes, I've encountered the same problem with captures containing unwanted traffic after changing filter settings. That's where the command I mentioned comes in handy: it unmarks all sessions which were marked by the previous packet capture filter. So I use it between changing filters.

I found it here: Packet Capture Contains Traffic not Defined in Filter

Thank you for the other tips too. I'll try that when I'm having issues again.

Ah, OK, it seems that command will help me out. Thanks!

  • 5327 Views
  • 6 replies
  • 0 Likes