Packet Capture (PCAP)
Starting from software version 5.16.00, you can configure Packet Capture (PCAP) from GigaVUE-FM. Both GigaVUE-FM and the devices must be running software version 5.16.00 and greater. Use the PCAP feature to analyze the network traffic and to troubleshoot any performance issues.
GigaVUE-FM allows you to configure packet capture at the ingress port or egress port or both. The port must be a physical port. The port type used for packet capture can be network, tool, hybrid, inline tool, or inline network port. Packet capture is not supported on GigaSMART ports or back plane ports.
Note: PCAP feature is enabled by default. To disable or re-enable PCAP, contact Gigamon customer support. Once disabled, the corresponding PCAP configurations will not work.
Supported Devices
Packet capture functionality is supported on the following devices:
- GigaVUE‑HC1
- GigaVUE‑HC1-Plus
- GigaVUE-HCT
- GigaVUE‑HC3
- GigaVUE‑TA25
- GigaVUE‑TA25E
- GigaVUE-TA100
- GigaVUE‑TA200
- GigaVUE‑TA200E
- GigaVUE‑TA400
You can configure PCAP on both standalone nodes as well as on nodes that belong to a cluster. For non-leader ports, PCAP can be configured only from the leader node.
To configure packet capture, you must define filters to capture specific traffic based on rules. You can specify the following criteria in the rules:
Criteria | Description |
---|---|
Source MAC address |
The source and destination MAC address. |
Destination MAC address |
|
VLAN ID |
VLAN ID value |
Inner-VLAN |
Inner VLAN ID value |
Layer 2 ethernet type |
Layer 2 Ethernet type value |
Source IPv4 address |
The source and destination IPv4 address. You can also specify a wild card with an IP mask. |
Destination IPv4 address |
|
Internet protocol |
Valid Internet protocol |
IP version number |
IP version for traffic, either IPv4 or IPv6 |
IP fragmentation bits |
Match IP fragments |
Time to Live (TTL) value |
Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet. |
DiffServ Code Point (DSCP) bits |
Decimal DSCP value |
Layer 4 destination port number |
Layer 4 destination port number |
Layer 4 source port number |
Layer 4 source port number |
TCP flags |
TCP flags to indicate the state of connection |
You can specify the criteria in any combination. Packets matching the defined criteria are captured and saved as pcap files.
Refer to the following sections for details:
Rules, Notes, and Limitations
Refer to the following rules and notes:
- You can configure a maximum of 64 filters on a node.
- The number of ports on which packets can be simultaneously captured is 4.
- You can configure the same filter on multiple ports.
- You can configure multiple filters on the same port.
- When you configure multiple filters, the traffic matching each filter is stored in a separate PCAP file.
- It is recommended that you configure a maximum of four PCAP sessions at a time. If you configure more than four PCAP sessions, the time taken to capture the packets in the PCAP file increases. For GigaVUE-TA400 devices, you can only configure one PCAP session at a time.
- An additional VLAN tag added using the ingress-VLAN tag is not captured in the tool ports using the PCAP feature. To overcome this, redirect the traffic to another hybrid port along with other tool ports and capture the packets on the hybrid port ingress.
- The PCAP feature will not function for GigaVUE-TA400 nodes configured with multiple pcap filters in the same port. However, it will work when a single pcap filter is configured in the port.
- IPv6 addresses are not supported.
- The Layer 4 source and destination ports can be specified as a port number only. A range of ports is not supported.
- PCAP Alias must not exceed ten characters.
- The port type of stack is not supported on the capture port or the channel port.
- GigaSMART engine ports are not supported.
- Inline network groups are not supported. Specify up to 4 individual ports for packet capturing.
- Q-in-Q packets cannot be captured in the egress port.
- Bursty traffic1 (size > 6 MB per second)2 cannot be captured in the PCAP file.
- For the receive (Rx) or transmit (Tx) direction of traffic, a maximum of 64 filter rules can be configured. However, if you want to configure filter rules for both directions of traffic, a maximum of 32 filter rules can be configured.
- The qualifiers 'vlan' and 'inner-vlan' are not supported when the pcap is configured on the tool or hybrid port in the 'tx' direction.
- If the packet size is more than 1000 bytes, then all the incoming packets on the port might not be captured.
- For the GigaVUE-HC1P, GigaVUE-HCT, GigaVUE-TA25, and GigaVUE-TA25E devices, captured packets contain a duplicate VLAN header.
- You can delete the PCAP configurations after the packet capture is done.
- The PCAP configuration profile in the device is deleted:
- after device backup and restore
- after device reboot and upgrade
Configure PCAP Profile
To configure PCAP through GigaVUE-FM:
- From the device view, go to Ports > Ports > All Ports.
- Select the required port/ports for which you need to configure PCAP.
- Click Action and select Configure PCAP.
- If you select more than four ports.
- If you do not select any port.
- If you select GigaSMART Engine ports or other unsupported port types.
- For G-TAP devices.
- For devices running software version less than 5.16.00 and managed by GigaVUE-FM.
- Select or enter the following details:
- Rx
- Tx
- Both
- Source MAC: The source MAC address and MAC netmask.
- Destination MAC: The destination MAC address and MAC netmask.
- VLAN: The VLAN ID value as a number between 1 and 16777215.
- Inner VLAN: The inner VLAN ID value as a number between 1 and 4094.
- Ether type: The layer 2 ethernet type value.
- Source IPv4: The source IPv4 address and IP mask or a wildcard with an IP mask.
- Destination IPv4: The destination IPv4 address and IP mask or a wildcard with an IP mask.
- Protocol: The valid protocols and their hex values are as follows:
- ipv6-hop (0x0
- icmp-ipv4 (0x1)
- igmp (0x2)
- ipv4ov4 (0x4)
- tcp (0x6)
- udp (0x11)
- ipv6 (0x29)
- rsvp (0x2E)
- gre (0x2F)
- icmp-ipv6 (0x3A)
- A custom-defined value can also be defined in 1 byte hex.
- IP version: The IP version for traffic, either IPv4 or IPv6.
- IP4 Fragment: IP fragments, such as no-frag, all-frag, all-frag-no-first, first-frag, and first-or-no-frag.
- TTL: The Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255.
- DSCP: The decimal DSCP value. Any value within the four Assured Forwarding (af) class ranges or (ef) for Expedited Forwarding. The valid DSCP values by Assured Forwarding Class are as follows:
- Class 1—11, 12, 13
- Class 2—21, 22, 23
- Class 3—31, 32, 33
- Class 4—41, 42, 43
- Expedited Forwarding—ef
- Port Source: The Layer 4 source port number, from 0 to 65535. A range of ports is not supported.
- Port Destination: The Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.
- TCP Control: TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values.
- Click Save to save the configuration.
Note: You can configure PCAP only for a maximum of four ports at a time.
The Action button is disabled:
If the PCAP feature is disabled by the customer support team, a banner notification is displayed.
The Action button is hidden:
Field |
Description |
Alias | Name of the packet capture filter |
Direction |
The direction of traffic. Can be: |
Channel Port |
The channel port identifier for the packet capture filter. The channel port is any unused port that does not have any map configuration. The channel port must be on the same node as the capture port. The channel port must be administratively enabled and must remain enabled while a packet capture filter is configured. You must specify one channel port for each transmitted or both direction. channel port is not needed for received direction. Note: If a PCAP configuration is deleted, the channel ports configured in the PCAP will go down. |
Packet Limit |
The number of packets to capture. The valid range is 1 to 40000 for all the platforms. Use the packet limit to stop packet capture after a specified number of packets have been captured. The default value is 40000 for all the platforms. |
PCAP Rules |
The rules are based on which the traffic will be filtered. You can add multiple filters to the same PCAP. Select the required rule: |
The captured packets are stored as pcap files. When multiple filters are configured, the traffic matching each filter is stored in a separate pcap file under /var/log/tmp directory in the device. Refer to View PCAP Files for details on viewing the PCAP files.
To configure PCAP from device CLI, refer to the GigaVUE-OS CLI Reference Guide.
View PCAP
To view the configured PCAPs:
- Click Action and select View PCAP.
- The configured PCAPs can be viewed.
Delete PCAP
To delete the configured PCAPs:
- Click Action and select Delete PCAP.
- Select the required PCAP configurations that you want to delete.
Refer to the GigaVUE-OS CLI Reference Guide for details on configuring PCAP from CLI.
View PCAP Files
You can view and download the PCAP files from GigaVUE-FM. To view the PCAP files:
-
On the left navigation pane, click , and then select Physical > Nodes.
- Select a cluster ID, and then from the left navigation pane, go to Support > Debug > PCAP.
- Select the required PCAP file(s):
- Click Download to download the file. You can download only one file at a time.
- Click Delete to delete the PCAP files.