Packet Capture (PCAP)

GigaVUE-FM allows you to configure packet capture at the ingress port or egress port or both. The port type used for packet capture can be a network, tool, hybrid, inline tool, or inline network port. The port must be physical ports. Packet capture is not supported on GigaSMART ports or back plane ports.

Use the PCAP feature to analyze the network traffic and to troubleshoot any performance issues.

Note:  PCAP feature is enabled by default. To disable/re-enable PCAP, contact Gigamon customer support. Once disabled, the corresponding PCAP configurations will not work.

Supported Devices

Packet capture functionality is supported on the following devices:

  • GigaVUE-HC1
  • GigaVUE-HC2
  • GigaVUE-HC3
  • GigaVUE-TA10
  • GigaVUE-TA25
  • GigaVUE-TA40
  • GigaVUE-TA100
  • GigaVUE-TA200
  • GigaVUE-TA400

You can configure PCAP on both standalone nodes as well as on nodes that belong to a cluster. For non-leader ports PCAP can be configured only from the leader node.

To configure packet capture, you must define filters to capture specific traffic based on rules. You can specify the following criteria in the rules:

Criteria Description
Source IPv4 address The source and destination IPv4 address. You can also specify a wild card with an IP mask.
Destination IPv4 address
Layer 4 destination port number Layer 4 destination port number
Layer 4 source port number Layer 4 source port number
Internet protocol Valid Internet protocol
TCP flags TCP flags to indicate the state of connection

You can specify the criteria in any combination. Packets matching the defined criteria are captured and saved as pcap files.

Refer to the following sections for details:

Rules, Notes, and Limitations

Refer to the following rules and notes:

  • You can configure a maximum of 64 filters on a node.
  • The number of ports on which packets can be simultaneously captured is 4.
  • You can configure the same filter on multiple ports.
  • You can configure multiple filters on the same port.
  • When you configure multiple filters, the traffic matching each filter is stored in a separate PCAP file.
  • It is recommended that you configure a maximum of four PCAP sessions at a time. If you configure more than four PCAP sessions, the time taken to capture the packets in the PCAP file increases. For GigaVUE-TA400 devices, you can only configure one PCAP session at a time.

Configure PCAP Profile

To configure PCAP through GigaVUE-FM:

  1. From the device view, go to Ports > Ports > All Ports.
  2. Select the required port/ports for which you need to configure PCAP.

    3. Note:  You can configure PCAP only for a maximum of four ports at a time. If you select more than four ports, the Action button will be disabled.

  3. Click Action and select Configure PCAP.
  4. Select or enter the following details:

    5. Field

    Description
    Alias Name of the packet capture filter
    Direction

    The direction of traffic. Can be:

    • Rx
    • Tx
    • Both
    Channel Port

    The channel port identifier for the packet capture filter.

    The channel port is any unused port that does not have any map configuration. In addition, the channel port must be on the same node as the capture port. Finally, the channel port must be administratively enabled and must remain enabled while a packet capture filter is configured. You must specify one channel port for each transmitted or both direction. A channel port is not needed for received direction.
    Packet Limit

    The number of packets to capture. The valid range is from 1 to 20000. Use the packet limit to stop packet capture after a specified number of packets have been captured.

    Default value is 20000.
    PCAP Rules

    The rules based on which the traffic will be filtered. Select the required rule:

    • Source IPv4: The source IPv4 address and IP mask or a wildcard with an IP mask.
    • Destination IPv4: The destination IPv4 address and IP mask or a wildcard with an IP mask.
    • Port Source: The Layer 4 source port number, from 0 to 65535. A range of ports is not supported.
    • Port Destination: The Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.
    • Protocol: The valid protocols and their hex values are as follows:
      • ipv6-hop (0x0
      • icmp-ipv4 (0x1)
      • igmp (0x2)
      • ipv4ov4 (0x4)
      • tcp (0x6)
      • udp (0x11)
      • ipv6 (0x29)
      • rsvp (0x2E)
      • gre (0x2F)
      • icmp-ipv6 (0x3A)
      • A custom-defined value can also be defined in 1 byte hex.
    • TCP Control: TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values.
  5. Click Save to save the configuration.

The captured packets are stored as pcap files. When multiple filters are configured, the traffic matching each filter is stored in separate pcap files under /var/log/tmp directory in device. Refer to View PCAP Files for details on viewing the PCAP files.

To configure PCAP from device CLI, refer to the GigaVUE-OS CLI Reference Guide.

View PCAP

To view the configured PCAPs:

  1. Click Action and select View PCAP.
  2. The configured PCAPs can be viewed.

Delete PCAP

To delete the configured PCAPs:

  1. Click Action and select Delete PCAP.
  2. Select the required PCAP configurations that you want to delete.

Refer to the GigaVUE-OS CLI Reference Guide for details on configuring PCAP from CLI.

View PCAP Files

You can view and download the PCAP files from GigaVUE-FM. To view the PCAP files:

  1. On the left navigation pane, click , and then select Physical > Nodes

  2. Select a cluster ID, and then from the left navigation pane, go to Support > Debug > PCAP.
  3. Select the required PCAP file(s):
    • Click Download to download the file. You can only download one file at a time.
    • Click Delete to delete the PCAP files.