Packet Capture (PCAP)

Starting from software version 5.16.00, you can configure Packet Capture (PCAP) from GigaVUE-FM. Both GigaVUE-FM and the devices must be running software version 5.16.00 and greater. Use the PCAP feature to analyze the network traffic and to troubleshoot any performance issues.

GigaVUE-FM allows you to configure packet capture at the ingress port or egress port or both. The port must be a physical port. The port type used for packet capture can be network, tool, hybrid, inline tool, or inline network port. Packet capture is not supported on GigaSMART ports or back plane ports.

Note:  PCAP feature is enabled by default. To disable or re-enable PCAP, contact Gigamon customer support. Once disabled, the corresponding PCAP configurations will not work.

Supported Devices

Packet capture functionality is supported on the following devices:

  • GigaVUE‑HC1
  • GigaVUE‑HC1-Plus
  • GigaVUE-HCT
  • GigaVUE‑HC3
  • GigaVUE‑TA25
  • GigaVUE‑TA25E
  • GigaVUE-TA100
  • GigaVUE‑TA200
  • GigaVUE‑TA200E
  • GigaVUE‑TA400

You can configure PCAP on both standalone nodes as well as on nodes that belong to a cluster. For non-leader ports, PCAP can be configured only from the leader node.

To configure packet capture, you must define filters to capture specific traffic based on rules. You can specify the following criteria in the rules:

Criteria Description

Source MAC address

The source and destination MAC address.

Destination MAC address

VLAN ID

VLAN ID value

Inner-VLAN

Inner VLAN ID value

Layer 2 ethernet type

Layer 2 Ethernet type value

Source IPv4 address

The source and destination IPv4 address. You can also specify a wild card with an IP mask.

Destination IPv4 address

Internet protocol

Valid Internet protocol

IP version number

IP version for traffic, either IPv4 or IPv6

IP fragmentation bits

Match IP fragments

Time to Live (TTL) value

Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet.

DiffServ Code Point (DSCP) bits

Decimal DSCP value

Layer 4 destination port number

Layer 4 destination port number

Layer 4 source port number

Layer 4 source port number

TCP flags

TCP flags to indicate the state of connection

You can specify the criteria in any combination. Packets matching the defined criteria are captured and saved as pcap files.

Refer to the following sections for details:

Rules, Notes, and Limitations

Refer to the following rules and notes:

  • You can configure a maximum of 64 filters on a node.
  • The number of ports on which packets can be simultaneously captured is 4.
  • You can configure the same filter on multiple ports.
  • You can configure multiple filters on the same port.
  • When you configure multiple filters, the traffic matching each filter is stored in a separate PCAP file.
  • It is recommended that you configure a maximum of four PCAP sessions at a time. If you configure more than four PCAP sessions, the time taken to capture the packets in the PCAP file increases. For GigaVUE-TA400 devices, you can only configure one PCAP session at a time.
  • An additional VLAN tag added using the ingress-VLAN tag is not captured in the tool ports using the PCAP feature. To overcome this, redirect the traffic to another hybrid port along with other tool ports and capture the packets on the hybrid port ingress.
  • The PCAP feature will not function for GigaVUE-TA400 nodes configured with multiple pcap filters in the same port. However, it will work when a single pcap filter is configured in the port.
  • IPv6 addresses are not supported.
  • The Layer 4 source and destination ports can be specified as a port number only. A range of ports is not supported.
  • PCAP Alias must not exceed ten characters.
  • The port type of stack is not supported on the capture port or the channel port.
  • GigaSMART engine ports are not supported.
  • Inline network groups are not supported. Specify up to 4 individual ports for packet capturing.
  • Q-in-Q packets cannot be captured in the egress port.
  • Bursty traffic1 (size > 6 MB per second)2 cannot be captured in the PCAP file.
  • For the receive (Rx) or transmit (Tx) direction of traffic, a maximum of 64 filter rules can be configured. However, if you want to configure filter rules for both directions of traffic, a maximum of 32 filter rules can be configured.
  • The qualifiers 'vlan' and 'inner-vlan' are not supported when the pcap is configured on the tool or hybrid port in the 'tx' direction.
  • If the packet size is more than 1000 bytes, then all the incoming packets on the port might not be captured.
  • For the GigaVUE-HC1P, GigaVUE-HCT, GigaVUE-TA25, and GigaVUE-TA25E devices, captured packets contain a duplicate VLAN header.
  • You can delete the PCAP configurations after the packet capture is done.
  • The PCAP configuration profile in the device is deleted:
    • after device backup and restore
    • after device reboot and upgrade

Configure PCAP Profile

To configure PCAP through GigaVUE-FM:

  1. From the device view, go to Ports > Ports > All Ports.
  2. Select the required port/ports for which you need to configure PCAP.
  3. Note:  You can configure PCAP only for a maximum of four ports at a time.

  4. Click Action and select Configure PCAP.
  5. The Action button is disabled:

    • If you select more than four ports.
    • If you do not select any port.
    • If you select GigaSMART Engine ports or other unsupported port types.

    If the PCAP feature is disabled by the customer support team, a banner notification is displayed.

    The Action button is hidden:

    • For G-TAP devices.
    • For devices running software version less than 5.16.00 and managed by GigaVUE-FM.
  6. Select or enter the following details:
  7. Field

    Description

    Alias Name of the packet capture filter
    Direction

    The direction of traffic. Can be:

    • Rx
    • Tx
    • Both
    Channel Port

    The channel port identifier for the packet capture filter.

    The channel port is any unused port that does not have any map configuration. The channel port must be on the same node as the capture port. The channel port must be administratively enabled and must remain enabled while a packet capture filter is configured. You must specify one channel port for each transmitted or both direction. channel port is not needed for received direction.

    Note:  If a PCAP configuration is deleted, the channel ports configured in the PCAP will go down.

    Packet Limit

    The number of packets to capture. The valid range is 1 to 40000 for all the platforms. Use the packet limit to stop packet capture after a specified number of packets have been captured.

    The default value is 40000 for all the platforms.

    PCAP Rules

    The rules are based on which the traffic will be filtered. You can add multiple filters to the same PCAP. Select the required rule:

    • Source MAC: The source MAC address and MAC netmask.
    • Destination MAC: The destination MAC address and MAC netmask.
    • VLAN: The VLAN ID value as a number between 1 and 16777215.
    • Inner VLAN: The inner VLAN ID value as a number between 1 and 4094.
    • Ether type: The layer 2 ethernet type value.
    • Source IPv4: The source IPv4 address and IP mask or a wildcard with an IP mask.
    • Destination IPv4: The destination IPv4 address and IP mask or a wildcard with an IP mask.
    • Protocol: The valid protocols and their hex values are as follows:
      • ipv6-hop (0x0
      • icmp-ipv4 (0x1)
      • igmp (0x2)
      • ipv4ov4 (0x4)
      • tcp (0x6)
      • udp (0x11)
      • ipv6 (0x29)
      • rsvp (0x2E)
      • gre (0x2F)
      • icmp-ipv6 (0x3A)
      • A custom-defined value can also be defined in 1 byte hex.
    • IP version: The IP version for traffic, either IPv4 or IPv6.
    • IP4 Fragment: IP fragments, such as no-frag, all-frag, all-frag-no-first, first-frag, and first-or-no-frag.
    • TTL: The Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255.
    • DSCP: The decimal DSCP value. Any value within the four Assured Forwarding (af) class ranges or (ef) for Expedited Forwarding. The valid DSCP values by Assured Forwarding Class are as follows:
      • Class 1—11, 12, 13
      • Class 2—21, 22, 23
      • Class 3—31, 32, 33
      • Class 4—41, 42, 43
      • Expedited Forwarding—ef
    • Port Source: The Layer 4 source port number, from 0 to 65535. A range of ports is not supported.
    • Port Destination: The Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.
    • TCP Control: TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values.
  8. Click Save to save the configuration.

The captured packets are stored as pcap files. When multiple filters are configured, the traffic matching each filter is stored in a separate pcap file under /var/log/tmp directory in the device. Refer to View PCAP Files for details on viewing the PCAP files.

To configure PCAP from device CLI, refer to the GigaVUE-OS CLI Reference Guide.

View PCAP

To view the configured PCAPs:

  1. Click Action and select View PCAP.
  2. The configured PCAPs can be viewed.

Delete PCAP

To delete the configured PCAPs:

  1. Click Action and select Delete PCAP.
  2. Select the required PCAP configurations that you want to delete.

Refer to the GigaVUE-OS CLI Reference Guide for details on configuring PCAP from CLI.

View PCAP Files

You can view and download the PCAP files from GigaVUE-FM. To view the PCAP files:

  1. On the left navigation pane, click , and then select Physical > Nodes.

  2. Select a cluster ID, and then from the left navigation pane, go to Support > Debug > PCAP.
  3. Select the required PCAP file(s):
    • Click Download to download the file. You can download only one file at a time.
    • Click Delete to delete the PCAP files.