07-25-2014 01:07 AM
Does anyone else have problems with defining filters for packet capture in WebUI?
If I understand correctly (there is no info about this in the official documentation), all values in the same filter are logically connected with the 'AND' operator, and the logical operation between different filters is 'OR'.
So if I want to monitor all traffic between 2 hosts I need something like this:
1st filter ID 1: source IP1, destination IP2
2nd filter ID 2: source IP2, destination IP1.
I define files for all 4 stages of capture.
To avoid problems I then use "debug dataplane packet-diag clear filter-marked-session all"
And start the capture.
However I don't get any PCAP files at all. And I know traffic is going through the FW between these 2 hosts, as I have an active session between those 2 IPs with an increasing amount of bytes.
Any ideas if this is a bug or are my filters wrong?
How do you set filters for monitoring traffic between 2 IPs in both directions in all stages?
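The filter semantics the question assumes (fields inside one filter ANDed, separate filters ORed) can be modelled to show why a single one-way filter never marks the reply direction, and why the second filter with source and destination swapped is needed. This is an added example, not the firewall's own code: the addresses and packets are constructed, and the filter field names are hypothetical stand-ins for the WebUI columns.

```python
from typing import Dict, List, Optional

# Filter semantics as the question describes them: every field set inside one
# filter must match (AND), and a packet is captured when any filter matches (OR).
# Field names are hypothetical; they stand in for the WebUI filter columns.
class CaptureFilter:
    def __init__(self, filter_id: int, source: Optional[str] = None,
                 destination: Optional[str] = None, dport: Optional[int] = None):
        self.filter_id = filter_id
        self.source = source
        self.destination = destination
        self.dport = dport

    def matches(self, pkt: Dict) -> bool:
        wanted = [(self.source, pkt.get("src")),
                  (self.destination, pkt.get("dst")),
                  (self.dport, pkt.get("dport"))]
        # An unset field is a wildcard; every set field must agree (AND).
        return all(want is None or want == got for want, got in wanted)


def matching_filter_ids(filters: List[CaptureFilter], pkt: Dict) -> List[int]:
    """IDs of every filter that would mark this packet (OR across filters)."""
    return [f.filter_id for f in filters if f.matches(pkt)]


def uncaptured(filters: List[CaptureFilter], flow: List[Dict]) -> List[Dict]:
    """Packets of a flow that no filter matches, i.e. what the pcap would miss."""
    return [p for p in flow if not matching_filter_ids(filters, p)]


# Constructed sample: two hosts and one TCP exchange in both directions.
HOST_A, HOST_B = "10.0.0.10", "192.168.1.20"
FLOW = [
    {"src": HOST_A, "dst": HOST_B, "dport": 443},    # client request A -> B
    {"src": HOST_B, "dst": HOST_A, "dport": 51000},  # server reply   B -> A
]

# Filter ID 1 alone covers one direction; adding ID 2 covers the reply.
ONE_WAY = [CaptureFilter(1, source=HOST_A, destination=HOST_B)]
BOTH_WAYS = ONE_WAY + [CaptureFilter(2, source=HOST_B, destination=HOST_A)]

if __name__ == "__main__":
    print("one filter misses:", uncaptured(ONE_WAY, FLOW))    # the reply packet
    print("two filters miss:", uncaptured(BOTH_WAYS, FLOW))   # nothing
```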
07-25-2014 06:11 AM
All sounds reasonable, except I've never used the command "debug dataplane packet-diag clear filter-marked-session all".
Can you dump out and share the output of "debug dataplane packet-diag show setting" ?
07-25-2014 06:16 AM
Oh, there is one issue I tend to find...
If you have one filter, and then just go and change the IP addresses, I tend to find that doesn't take effect. So when changing the filter in the WebUI I laboriously delete all filter entries, disable the filter and then create new filter entries and re-enable filtering... A bit of a pain in the ass 😕 I'm starting to use the CLI for this now to make this a little more efficient...
07-25-2014 07:39 AM
Try the command "debug software restart vardata" and let me know if that fixes the issue.
You will have to reconfigure capture/filter after that.
07-25-2014 08:10 AM
As Ajbool said before, could you please run the CLI command multiple times (with a 5 second interval): > debug data-plane packet-diag show setting -- and compare the "captured byte" counts. If the byte count is increasing, it means the traffic is getting matched by the filter. In that situation, you need to restart the vardata-receiver process (responsible for capturing packets). CLI command: > debug software restart vardata-receiver.
Hope this helps.
07-28-2014 01:16 AM
Yes, I've encountered the same problem of captures containing unwanted traffic after changing filter settings. That's where the command I mentioned comes in handy: it unmarks all sessions which were marked by the previous packet capture filter. So I use it between changing filters.
I found it here: Packet Capture Contains Traffic not Defined in Filter
Thank you for the other tips too. I'll try those when I'm having issues again.
07-28-2014 03:19 AM
Ar, OK, it seems that command will help me out. Thanks!