/maint/pktcap/data
Data Packet Capture Menu
The Data Packet Capture menu contains commands for capturing data packet flows.
This menu only appears in vADC, Standalone, and Alteon VA modes.
 
[Data Packet Capture Menu]
capture - Capture packets
stop - Stop capturing packets
dumpcap - Display captured packets
snaplen - Set the packet snap length
count - Set the max number of captured packets
putcap - Upload capture buffer via FTP/TFTP/SCP
clearcap - Clear capture buffer
cur - Display current packet capture options
 
Data Packet Capture Menu Options (/maint/pktcap/data) 
Command Syntax and Usage
capture cap [-l/-live] [-p/-i <port range>]* [-sp <number | empty for all sps>] [-t <from port>:<to port>]* [-v/vlan <vlan number>] [-s <len>] [-c <count>] [-inj (injected frames)] [-E (Extra Info)] [-e] [-d][-n] [-x] [-A] [-O] [-a] [-m] <pcap filter string> [dst/src host <host ip>] [dst/src port <port no.>] [port <port no.>] [tcp/udp/icmp/ip multicast/ip broadcast] [-M]
 
Starts the packet capture operation and sets the packet capture options parameters.
Note: The parameters are case sensitive.
*-l or -live — Sends the packet live to Telnet or SSH.
*-p or -I — Port or interface (enter port range). Range: 1-2
*-sp — SP processor number. Leave empty for all SPs. This allows minimal impact on management performance.
Note: The following flags are not supported when using the -sp flag: -l, -e, -n, -x, and -A.
*-t — Sets ports (from-to range) on which traffic is captured.
*-v or -vlan — Captures traffic on all ingress ports for a specific VLAN.
Range: 1-4090
*-s — Sets the length of the packets to capture (snap length) in bytes.
Range: 0-9100
Note: Defines the snap length for the current capture only and overrides the globally-defined snap length value defined using the snaplen parameter.
*-c — Sets the maximum number of captured packets (packet count).
Range: 0-1000000000
Note: Defines the packet count for the current capture only and overrides the globally-defined packet count value defined using the count parameter.
*-e — For live capture, prints link level header.
*-d — Debug
*-n — For live capture, no DNS lookups to translate IP addresses to names.
*-x — For live capture, prints a full hex dump, as well as packet header decode.
*-A — For live capture, prints a full ASCII dump.
*-O — Optimizes the filter.
*-a — Captures and processes SP<->AX packets (alters IP address and port).
*-m — Discards packets sent and received by the MP from the capture file.
Note: This is useful when there is a tunnel with an SSL (port 443) but the back-end flow is clear (port 80).
*-E — Shows extra information (to be seen in Wireshark), including the following:
Physical Port number - where the packet came from or is going to.
Direction - in or out.
Source - whether this packet was:
*Initiated by MP (like health checks). Display: Source: MP --> SP OUT (2053)
*Going to MP (like health checks reply). Display: Source: IN SP --> MP (2052)
*Coming from AX. Display: Source: AX OUT (2055)
*Going to AX. Display: Source: AX IN (2054)
*Coming from SP (regular packet). Display: Source: SP EGRESS (2050)
*Going to SP (regular packet). Display: Source: SP INGRESS (2049)
SP Number - where this packet was processed.
Session ID - the session ID throughout the session's life, FE and BE.
*-M — Includes a pre-master secret log file together with the capture file.
Import the pre-master secret file to Wireshark in order to decrypt the SSL session.
Note: Decryption of the SSL application data may expose sensitive information. Make sure to keep this data secure.
*pcap filter string — Sets the capture filter parameters using the same filter criteria (syntax) as the tcpdump format.
The following filter parameters can be set with an "and/or" operator between them:
dst host <host> — Filters output on the specified destination host IP address.
src host <host> — Filters output on the specified source host IP address.
dst port <port> — Filters output on the specified destination port.
src port <port> — Filters output on the specified source port.
port — Filters output on the specified port.
tcp — Filters output for TCP traffic only.
udp — Filters output for UDP traffic only.
icmp — Filters output for ICMP traffic only.
ip multicast — Filters output for multicast traffic only.
ip broadcast — Filters output for broadcast traffic only.
Note: The packet capture can include up to 21 filters.
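
The ranges, the -sp exclusions, the 21-filter limit and the -M warning listed above can be checked before a capture is started on the device. The following Python check is an added example, not vendor code: `lint_capture` is a hypothetical helper that takes the options typed after `capture cap`, and the value syntax (N, N-M or N:M) and the way filters are counted (one primitive between and/or operators) are assumptions.

```python
import re

# Flags, ranges and exclusions as documented for the capture command on this page.
ALIASES = {"-live": "-l", "-i": "-p", "-I": "-p", "-vlan": "-v"}  # page shows -i and -I
RANGES = {"-p": (1, 2), "-v": (1, 4090), "-s": (0, 9100), "-c": (0, 1000000000)}
BARE = {"-l", "-inj", "-E", "-e", "-d", "-n", "-x", "-A", "-O", "-a", "-m", "-M"}
SP_UNSUPPORTED = {"-l", "-e", "-n", "-x", "-A"}  # not supported together with -sp
MAX_FILTERS = 21


def lint_capture(options):
    """Return a list of findings for a planned capture option string."""
    tokens, findings, seen, i = options.split(), [], set(), 0
    while i < len(tokens) and tokens[i].startswith("-"):
        flag = ALIASES.get(tokens[i], tokens[i])  # exact match: -a and -A differ
        i += 1
        if flag not in BARE and flag not in RANGES and flag not in ("-sp", "-t"):
            findings.append(f"unknown flag {flag} (flags are case sensitive)")
            continue
        seen.add(flag)
        if flag in BARE:
            continue
        # Assumed value syntax: N, N-M or N:M. -sp may be left empty (all SPs).
        value = None
        if i < len(tokens) and re.fullmatch(r"\d+([-:]\d+)?", tokens[i]):
            value, i = tokens[i], i + 1
        if value is None and flag != "-sp":
            findings.append(f"{flag} needs a value")
        elif value is not None and flag in RANGES:
            lo, hi = RANGES[flag]
            if any(not lo <= int(n) <= hi for n in re.split(r"[-:]", value)):
                findings.append(f"{flag} {value} outside {lo}-{hi}")
    rest = [t for t in tokens[i:] if t != "-M"]  # the syntax line lists -M last
    if len(rest) != len(tokens[i:]):
        seen.add("-M")
    # Assumption: one "filter" is one primitive between and/or operators.
    filters = [f for f in re.split(r"\b(?:and|or)\b", " ".join(rest)) if f.strip()]
    if len(filters) > MAX_FILTERS:
        findings.append(f"{len(filters)} filters exceeds the limit of {MAX_FILTERS}")
    clash = sorted(seen & SP_UNSUPPORTED)
    if "-sp" in seen and clash:
        findings.append(f"-sp cannot be combined with {', '.join(clash)}")
    if "-M" in seen:
        findings.append("-M adds the pre-master secret log: handle the files as sensitive")
    return findings


if __name__ == "__main__":  # constructed option strings, not from a real device
    for sample in ("-sp 1 -A -s 128 tcp and dst port 443",
                   "-sp 1 -a -v 4095 src host 192.0.2.10 and port 80 -M"):
        print(sample, "->", lint_capture(sample))
```
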
stop
 
Stops the current packet capture process.
dumpcap {-s <number_of_packets from_start> | -c <number_of_packets> [decrypt]}
 
Displays the original or decrypted captured packets in the CLI.
snaplen <length_of_packets>
 
Sets the length of packets to capture (snap length).
Note: This snap length command is a globally-defined parameter, and is overridden by the -s parameter in the capture command that defines the snap length for the current capture only.
count <number_of_packets>
 
Sets the maximum number of captured packets.
Note: This packet count command is a globally-defined parameter, and is overridden by the -c parameter in the capture command that defines the packet count for the current capture only.
putcap <hostname [-v4|-v6]|v4 or v6 IP address> <filename> <-tftp|username password> [-mgmt|-data] [-scp]
 
Uploads captured packets to an FTP/TFTP/SCP server.
If decrypted captures exist, both the original and decrypted capture files are uploaded. To distinguish between the exported original and decrypted files, the following extensions are added to the user-specified file name: .orig and .dcrypt.
clearcap
 
Clears the packet capture buffer.
cur
 
Displays the current packet capture status.