Packet Capture (PCAP)

Starting from software version 5.16.00, you can configure Packet Capture (PCAP) from GigaVUE-FM. Both GigaVUE-FM and the devices must be running software version 5.16.00 and greater. Use the PCAP feature to analyze the network traffic and to troubleshoot any performance issues.

GigaVUE-FM allows you to configure packet capture at the ingress port or egress port or both. The port must be a physical port. The port type used for packet capture can be network, tool, hybrid, inline tool, or inline network port. Packet capture is not supported on GigaSMART ports or back plane ports.

Note:  PCAP feature is enabled by default. To disable/re-enable PCAP, contact Gigamon customer support. Once disabled, the corresponding PCAP configurations will not work.

Supported Devices

Packet capture functionality is supported on the following devices:

  • GigaVUE‑HC1
  • GigaVUE‑HC1-Plus
  • GigaVUE‑HC2
  • GigaVUE‑HC3
  • GigaVUE-TA10
  • GigaVUE‑TA25
  • GigaVUE‑TA25E
  • GigaVUE-TA40
  • GigaVUE-TA100
  • GigaVUE‑TA200
  • GigaVUE‑TA200E
  • GigaVUE‑TA400

You can configure PCAP on both standalone nodes as well as on nodes that belong to a cluster. For non-leader ports, PCAP can be configured only from the leader node.

To configure packet capture, you must define filters to capture specific traffic based on rules. You can specify the following criteria in the rules:

Criteria Description

Source IPv4 address

The source and destination IPv4 address. You can also specify a wild card with an IP mask.

Destination IPv4 address

Internet protocol

Valid Internet protocol

Layer 4 destination port number

Layer 4 destination port number

Layer 4 source port number

Layer 4 source port number

TCP flags

TCP flags to indicate the state of connection

You can specify the criteria in any combination. Packets matching the defined criteria are captured and saved as pcap files.

Refer to the following sections for details:

Rules, Notes, and Limitations

Refer to the following rules and notes:

  • You can configure a maximum of 64 filters on a node.
  • The number of ports on which packets can be simultaneously captured is 4.
  • You can configure the same filter on multiple ports.
  • You can configure multiple filters on the same port.
  • When you configure multiple filters, the traffic matching each filter is stored in a separate PCAP file.
  • It is recommended that you configure a maximum of four PCAP sessions at a time. If you configure more than four PCAP sessions, the time taken to capture the packets in the PCAP file increases. For GigaVUE-TA400 devices, you can only configure one PCAP session at a time.
  • IPv6 addresses are not supported.
  • The Layer 4 source and destination ports can be specified as a port number only. A range of ports is not supported.
  • PCAP Alias must not exceed ten characters.
  • The port type of stack is not supported on the capture port or the channel port.
  • GigaSMART engine ports are not supported.
  • Inline network groups are not supported. Specify up to 4 individual ports for packet capturing.
  • Q-in-Q packets cannot be captured in the egress port.
  • Bursty traffic1 (size > 6 MB per second)2 cannot be captured in the PCAP file.

  • In GigaVUE-HC2 GigaSMART module , the pcap files will be captured as per the configuration, but the packet hit count cannot be retrieved.

Configure PCAP Profile

To configure PCAP through GigaVUE-FM:

  1. From the device view, go to Ports > Ports > All Ports.
  2. Select the required port/ports for which you need to configure PCAP.

    3. Note:  You can configure PCAP only for a maximum of four ports at a time.

  3. Click Action and select Configure PCAP.

    4. The Action button is disabled:

    • If you select more than four ports.
    • If you do not select any port.
    • If you select GigaSMART Engine ports or other unsupported port types.

    If the PCAP feature is disabled by the customer support team, a banner notification is displayed.

    The Action button is hidden:

    • For G-TAP devices.
    • For devices running software version less than 5.16.00 and managed by GigaVUE-FM.
  4. Select or enter the following details:

    5. Field

    Description
    Alias Name of the packet capture filter
    Direction

    The direction of traffic. Can be:

    • Rx
    • Tx
    • Both
    Channel Port

    The channel port identifier for the packet capture filter.

    The channel port is any unused port that does not have any map configuration. In addition, the channel port must be on the same node as the capture port. Finally, the channel port must be administratively enabled and must remain enabled while a packet capture filter is configured. You must specify one channel port for each transmitted or both direction. A channel port is not needed for received direction.
    Packet Limit

    The number of packets to capture. The valid range is from 1 to 20000. . Use the packet limit to stop packet capture after a specified number of packets have been captured.

    Default value is 20000.

    PCAP Rules

    The rules are based on which the traffic will be filtered. Select the required rule:

    • Source IPv4: The source IPv4 address and IP mask or a wildcard with an IP mask.
    • Destination IPv4: The destination IPv4 address and IP mask or a wildcard with an IP mask.
    • Protocol: The valid protocols and their hex values are as follows:
      • ipv6-hop (0x0
      • icmp-ipv4 (0x1)
      • igmp (0x2)
      • ipv4ov4 (0x4)
      • tcp (0x6)
      • udp (0x11)
      • ipv6 (0x29)
      • rsvp (0x2E)
      • gre (0x2F)
      • icmp-ipv6 (0x3A)
      • A custom-defined value can also be defined in 1 byte hex.
    • Port Source: The Layer 4 source port number, from 0 to 65535. A range of ports is not supported.
    • Port Destination: The Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.
    • TCP Control: TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values.
  5. Click Save to save the configuration.

The captured packets are stored as pcap files. When multiple filters are configured, the traffic matching each filter is stored in separate pcap files under /var/log/tmp directory in device. Refer to View PCAP Files for details on viewing the PCAP files.

To configure PCAP from device CLI, refer to the GigaVUE-OS CLI Reference Guide.

View PCAP

To view the configured PCAPs:

  1. Click Action and select View PCAP.
  2. The configured PCAPs can be viewed.

Delete PCAP

To delete the configured PCAPs:

  1. Click Action and select Delete PCAP.
  2. Select the required PCAP configurations that you want to delete.

Refer to the GigaVUE-OS CLI Reference Guide for details on configuring PCAP from CLI.

View PCAP Files

You can view and download the PCAP files from GigaVUE-FM. To view the PCAP files:

  1. On the left navigation pane, click , and then select Physical > Nodes

  2. Select a cluster ID, and then from the left navigation pane, go to Support > Debug > PCAP.
  3. Select the required PCAP file(s):
    • Click Download to download the file. You can download only one file at a time.
    • Click Delete to delete the PCAP files.