Packet Capture (PCAP)
Starting from software version 5.16.00, you can configure Packet Capture (PCAP) from GigaVUE-FM. Both GigaVUE-FM and the devices must be running software version 5.16.00 and greater. Use the PCAP feature to analyze the network traffic and to troubleshoot any performance issues.
GigaVUE-FM allows you to configure packet capture at the ingress port or egress port or both. The port must be a physical port. The port type used for packet capture can be network, tool, hybrid, inline tool, or inline network port. Packet capture is not supported on GigaSMART ports or back plane ports.
Note: PCAP feature is enabled by default. To disable or re-enable PCAP, contact Gigamon customer support. Once disabled, the corresponding PCAP configurations will not work.
Supported Devices
Packet capture functionality is supported on the following devices:
- GigaVUE‑HC1
- GigaVUE‑HC1-Plus
- GigaVUE-HCT
- GigaVUE‑HC3
- GigaVUE‑TA25
- GigaVUE‑TA25E
- GigaVUE-TA100
- GigaVUE‑TA200
- GigaVUE‑TA200E
- GigaVUE‑TA400
You can configure PCAP on both standalone nodes as well as on nodes that belong to a cluster. For non-leader ports, PCAP can be configured only from the leader node.
To configure packet capture, you must define filters to capture specific traffic based on rules. You can specify the following criteria in the rules:
Criteria | Description |
---|---|
Source MAC address |
The source and destination MAC address. |
Destination MAC address |
|
VLAN ID |
VLAN ID value |
Inner-VLAN |
Inner VLAN ID value |
Layer 2 ethernet type |
Layer 2 Ethernet type value |
Source IPv4 address |
The source and destination IPv4 address. You can also specify a wild card with an IP mask. |
Destination IPv4 address |
|
Internet protocol |
Valid Internet protocol |
IP version number |
IP version for traffic, either IPv4 or IPv6 |
IP fragmentation bits |
Match IP fragments |
Time to Live (TTL) value |
Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet. |
DiffServ Code Point (DSCP) bits |
Decimal DSCP value |
Layer 4 destination port number |
Layer 4 destination port number |
Layer 4 source port number |
Layer 4 source port number |
TCP flags |
TCP flags to indicate the state of connection |
You can specify the criteria in any combination. Packets matching the defined criteria are captured and saved as pcap files.
Refer to the following sections for details:
Rules, Notes, and Limitations
Refer to the following rules and notes:
-
The PCAP feature supports up to 16 capture files per device. Each capture file can have up to 40000 packets. A capture file is maintained per PCAP session. Each session can have up to 64 filter rules per direction. Each capture file can be viewed, deleted, or uploaded out of the device for offline use.
-
The PCAP feature supports up to 16 active capture sessions at a time per port on all GigaVUE platforms except GigaVUE‑TA400. The GigaVUE‑TA400 platform currently supports one active PCAP session per port at a time.
-
The PCAP configuration doesn’t persist across node reboots or upgrades.
-
The PCAP feature is not supported on stack ports in legacy stacking mode.
-
The PCAP feature is not supported on ports associated with the IP interface.
-
The PCAP feature does not support 'vlan' and 'inner-vlan' filter rules on a tool or hybrid port in the 'tx' direction.
-
The PCAP feature on tool ports does not capture the vlan tag specified with the ingress-vlan-tag feature. To overcome this, redirect the traffic to another hybrid port along with other tool ports and capture the packets on the hybrid port ingress.
-
The PCAP feature on GigaVUE‑HC1-Plus, GigaVUE‑HC1, GigaVUE‑TA25, GigaVUE‑TA25E, and GigaVUE‑TA400 platforms contain extra VLAN header added in capture files. Untagged packet captures contain vlan-tag 1 header added and tagged packet captures contain an outer tag duplicated.
-
The PCAP feature on port discovery protocols (LLDP/CDP/GDP) enabled ports will not capture the discovery protocol control packet in the PCAP file.
-
The PCAP feature may miss some packets in the capture file depending on the rate of traffic being captured.
Configure PCAP Profile
To configure PCAP through GigaVUE-FM:
- From the device view, go to Ports > Ports > All Ports.
- Select the required port/ports for which you need to configure PCAP.
- Click Action and select Configure PCAP.
- If you select more than four ports.
- If you do not select any port.
- If you select GigaSMART Engine ports or other unsupported port types.
- For G-TAP devices.
- For devices running software version less than 5.16.00 and managed by GigaVUE-FM.
- Select or enter the following details:
- Rx
- Tx
- Both
- Source MAC: The source MAC address and MAC netmask.
- Destination MAC: The destination MAC address and MAC netmask.
- VLAN: The VLAN ID value as a number between 1 and 4094.
- Inner VLAN: The inner VLAN ID value as a number between 1 and 4094.
- Ether type: The layer 2 ethernet type value.
- Source IPv4: The source IPv4 address and IP mask or a wildcard with an IP mask.
- Destination IPv4: The destination IPv4 address and IP mask or a wildcard with an IP mask.
- Protocol: The valid protocols and their hex values are as follows:
- ipv6-hop (0x0
- icmp-ipv4 (0x1)
- igmp (0x2)
- ipv4ov4 (0x4)
- tcp (0x6)
- udp (0x11)
- ipv6 (0x29)
- rsvp (0x2E)
- gre (0x2F)
- icmp-ipv6 (0x3A)
- A custom-defined value can also be defined in 1 byte hex.
- IP version: The IP version for traffic, either IPv4 or IPv6.
- IP4 Fragment: IP fragments, such as no-frag, all-frag, all-frag-no-first, first-frag, and first-or-no-frag.
- TTL: The Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255.
- DSCP: The decimal DSCP value. Any value within the four Assured Forwarding (af) class ranges or (ef) for Expedited Forwarding. The valid DSCP values by Assured Forwarding Class are as follows:
- Class 1—11, 12, 13
- Class 2—21, 22, 23
- Class 3—31, 32, 33
- Class 4—41, 42, 43
- Expedited Forwarding—ef
- Port Source: The Layer 4 source port number, from 0 to 65535. A range of ports is not supported.
- Port Destination: The Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.
- TCP Control: TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values.
- Click Save to save the configuration.
Note: You can configure PCAP only for a maximum of four ports at a time.
The Action button is disabled:
If the PCAP feature is disabled by the customer support team, a banner notification is displayed.
The Action button is hidden:
Field |
Description |
Alias | Name of the packet capture filter |
Direction |
The direction of traffic. Can be: |
Channel Port |
The channel port identifier for the packet capture filter. The channel port is any unused port that does not have any map configuration. The channel port must be on the same node as the capture port. The channel port must be administratively enabled and must remain enabled while a packet capture filter is configured. You must specify one channel port for each transmitted or both direction. channel port is not needed for received direction. Note: If a PCAP configuration is deleted, the channel ports configured in the PCAP will go down. |
Packet Limit |
The number of packets to capture. The valid range is 1 to 40000 for all the platforms. Use the packet limit to stop packet capture after a specified number of packets have been captured. The default value is 40000 for all the platforms. |
PCAP Rules |
The rules are based on which the traffic will be filtered. You can add multiple filters to the same PCAP. Select the required rule: |
The captured packets are stored as pcap files. When multiple filters are configured, the traffic matching each filter is stored in a pcap file for each session under /var/log/tmp directory in the device. Refer to View PCAP Files for details on viewing the PCAP files.
To configure PCAP from device CLI, refer to the GigaVUE-OS CLI Reference Guide.
View PCAP
To view the configured PCAPs:
- Click Action and select View PCAP.
- The configured PCAPs can be viewed.
Delete PCAP
To delete the configured PCAPs:
- Click Action and select Delete PCAP.
- Select the required PCAP configurations that you want to delete.
Refer to the GigaVUE-OS CLI Reference Guide for details on configuring PCAP from CLI.
View PCAP Files
You can view and download the PCAP files from GigaVUE-FM. To view the PCAP files:
-
On the left navigation pane, click , and then select Physical > Nodes.
- Select a cluster ID, and then from the left navigation pane, go to Support > Debug > PCAP.
- Select the required PCAP file(s):
- Click Download to download the file. You can download only one file at a time.
- Click Delete to delete the PCAP files.