Capturing and Uploading TCP Dumps
You can capture, download, and upload TCP dumps in the Reports > Dumps: TCP Dumps page. TCP trace dump files contain summary information for every Internet packet received or transmitted on the interface. TCP trace dump files can help diagnose problems in the system.
You can easily capture and retrieve multiple TCP trace dumps from the Management Console. You can generate trace dumps from multiple interfaces at the same time, limit the size of the trace dump, and schedule a specific date and time to generate a trace dump. Scheduling and limiting a trace dump by time or size allows unattended captures.
The top of the TCP Dumps page displays a list of existing TCP trace dumps, and the bottom of the page displays controls to create a new trace dump. The bottom of the page also lists the trace dumps that are currently running: the Running Capture Name list shows every capture in progress, whether it was started manually or was scheduled earlier and is now running.
To capture TCP trace dumps
1. Choose Reports > Dumps: TCP Dumps to display the TCP Dumps page.
2. Configure the dump using the controls described in this table.
Control
Description
Add a New TCP Dump
Displays the controls for creating a TCP trace dump.
Name
Specify the name of the capture file in the Capture Name field. The default filename uses the following format:
<hostname>_<interface>_<timestamp>.cap
where <hostname> is the hostname of the Core, <interface> is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and <timestamp> is in the yyyy/mm/dd hh:mm:ss format.
If this trace dump relates to an open Riverbed Support case, specify the capture filename case_<number>, where <number> is your Riverbed Support case number: for example, case_12345.
The .cap file extension is not included with the filename when it appears in the capture queue.
Endpoints
Specify the source and destination endpoints for the dump:
•  IPs - Specify the source IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
•  Ports - Specify the source ports. Separate multiple ports with a comma. The default setting is all ports.
•  IPs - Specify the destination IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
•  Ports - Specify the destination ports. Separate multiple ports with a comma. The default setting is all ports.
Capture Interfaces
Captures the TCP trace dump on the selected interface. You can select a physical, MIP, or RSP interface. Click only one interface per trace dump. The default setting is none. You must specify a capture interface.
Capture Parameters
These parameters let you capture information about dot1q VLAN traffic. You can match traffic based on VLAN-tagged or untagged packets, or both. You can also filter by port number or host IP address and include or exclude ARP packets. Select one of these parameters for capturing VLAN packets:
•  Capture Untagged Traffic Only - Select this option for the following captures:
–  All untagged VLAN traffic.
–  Untagged port 7850 traffic and ARP packets. You must also specify “or arp” in the custom flags field on this page.
–  Only untagged ARP packets. You must also specify “and arp” in the custom flags field on this page.
•  Capture VLAN-Tagged Traffic Only - Select this option for the following captures:
–  Only VLAN-tagged traffic.
–  VLAN-tagged packets for host 10.11.0.6 and ARP packets. You must also specify 10.11.0.6 in the IPs field and “or arp” in the custom flags field on this page.
–  VLAN-tagged ARP packets only. You must also specify “and arp” in the custom flags field on this page.
•  Capture both VLAN and Untagged Traffic - Select this option for the following captures:
–  All VLAN traffic.
–  Both tagged and untagged port 7850 traffic and ARP packets. You must also specify the following expression in the custom flags field on this page:
(port 7850 or arp) or (vlan and (port 7850 or arp))
–  Both tagged and untagged port 7850 traffic only. You must also specify 7850 in one of the Ports fields on this page. No custom flags are required.
–  Both tagged and untagged ARP packets. You must also specify the following expression in the custom flags field on this page:
(arp) or (vlan and arp)
Capture Parameters
Complete the following settings:
•  Capture Duration (Seconds) - Specify how long the capture runs, in seconds. The default value is 30. Leave this value blank to initiate a continuous trace. When a continuous trace reaches the maximum space allocation of 100 MB, the oldest file is overwritten.
•  Maximum Capture Size (MB) - Specify the maximum capture file size, in megabytes. The default value is 100. The recommended maximum capture file size is 1024 MB (1 GB).
•  Buffer Size - Optionally, specify the maximum number of packets allowed to queue while awaiting processing by the TCP trace dump. The default value is 154.
•  Snap Length - Optionally, select the snap length value for the capture file or specify a custom value. The snap length equals the number of bytes the report captures for each packet. Having a snap length smaller than the maximum packet size on the network enables you to store more packets, but you might not be able to inspect the full packet content. The default value is 1518 bytes.
Select 0 for a full packet capture (recommended for CIFS, MAPI, and SSL captures).
When using jumbo frames, Riverbed recommends selecting 9018. The default custom value is 16383 bytes.
•  Number of Files to Rotate - Specify how many TCP trace dump files to rotate. The default value is 5.
•  Custom Flags - Specify custom flags as additional statements within the filter expression. Custom flags are added to the end of the expression created from the Endpoints fields and the Capture Parameters radio buttons (pertaining to VLANs).
If you require an “and” statement between the expression created from other fields and the expression that you are entering in the custom flags field, you must include the “and” statement at the start of the custom flags field.
For complete control of your filter expression, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Manual.
Schedule
Schedules a trace dump to run at a later date and time.
•  Schedule Dump - Enables the scheduling feature.
•  Start Date - Specifies the start date for the scheduled trace dump.
Add
Adds the TCP trace dump to the capture queue.
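The Custom Flags rules above (the flags are appended to the end of the expression built from the other fields, and the joining “and” must be the first word of the flags) are easiest to see by evaluating the resulting expression against some packets. The following Python is an added example, not Riverbed code and not the Core's actual filter builder: it parses the subset of tcpdump filter syntax used on this page (host, port, arp, vlan, and/or/not, parentheses) with the precedence tcpdump uses (“and” binds tighter than “or”) and runs it over constructed packets. The field expression “host 10.11.0.6” is an assumed stand-in for what the IPs field produces; the exact expression the Core generates is not shown on this page.

```python
# Added example: a model of how the TCP Dumps page composes its filter expression.
# Not Riverbed code. The evaluator covers only the tcpdump primitives used on this
# page (host, port, arp, vlan, and/or/not, parentheses); anything else is rejected.

class FilterParser:
    """Recursive-descent parser for a small subset of tcpdump filter syntax.
    Precedence follows pcap-filter: not > and > or; parentheses override."""

    def __init__(self, expr):
        # Pad parentheses with spaces so that str.split() yields them as tokens.
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            right = self.and_expr()
            left = (lambda l, r: lambda pkt: l(pkt) or r(pkt))(left, right)
        return left

    def and_expr(self):
        left = self.unary()
        while self.peek() == "and":
            self.take()
            right = self.unary()
            left = (lambda l, r: lambda pkt: l(pkt) and r(pkt))(left, right)
        return left

    def unary(self):
        if self.peek() == "not":
            self.take()
            inner = self.unary()
            return lambda pkt: not inner(pkt)
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            pred = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return pred
        if tok == "arp":
            return lambda pkt: pkt["proto"] == "arp"
        if tok == "vlan":
            return lambda pkt: pkt["vlan"] is not None
        if tok == "host":
            addr = self.take()
            return lambda pkt: addr in (pkt["src"], pkt["dst"])
        if tok == "port":
            port = int(self.take())
            return lambda pkt: port in (pkt["sport"], pkt["dport"])
        raise ValueError(f"unsupported primitive {tok!r}")


def compose_filter(field_expr, custom_flags):
    """Join the expression built from the Endpoints/VLAN fields with the Custom
    Flags text as the page describes: the flags are appended verbatim, so the
    operator that joins the two parts must be the first word of the flags."""
    return " ".join(p.strip() for p in (field_expr, custom_flags) if p and p.strip())


def matching_ids(expr, packets):
    """Return the ids of the packets that the filter expression would capture."""
    pred = FilterParser(expr).parse()
    return [pkt["id"] for pkt in packets if pred(pkt)]


# Constructed packets (not real traffic): 10.11.0.6 and port 7850 are the host and
# port from the page's VLAN examples; port 22 is an unrelated service.
PACKETS = [
    {"id": 1, "src": "10.11.0.6", "dst": "10.11.0.9", "sport": 50000, "dport": 7850, "vlan": None, "proto": "tcp"},
    {"id": 2, "src": "10.11.0.7", "dst": "10.11.0.8", "sport": 50001, "dport": 22, "vlan": 100, "proto": "tcp"},
    {"id": 3, "src": "10.11.0.9", "dst": "10.11.0.255", "sport": None, "dport": None, "vlan": 100, "proto": "arp"},
    {"id": 4, "src": "10.11.0.6", "dst": "10.11.0.9", "sport": 50002, "dport": 22, "vlan": None, "proto": "tcp"},
    {"id": 5, "src": "10.11.0.6", "dst": "10.11.0.255", "sport": None, "dport": None, "vlan": None, "proto": "arp"},
]

if __name__ == "__main__":
    # "or arp" widens the capture to every ARP packet; "and arp" narrows it to
    # ARP packets involving the host (the field expression is an assumption).
    for flags in ("or arp", "and arp"):
        expr = compose_filter("host 10.11.0.6", flags)
        print(f"{expr!r:48} -> packets {matching_ids(expr, PACKETS)}")
    # Precedence: without parentheses the trailing "or port 22" is not limited
    # to the host, which is why the page's own expressions parenthesize.
    for expr in ("host 10.11.0.6 and port 7850 or port 22",
                 "host 10.11.0.6 and (port 7850 or port 22)"):
        print(f"{expr!r:48} -> packets {matching_ids(expr, PACKETS)}")
```

The two compositions show the difference between “or arp” (every ARP packet on the interface is captured, including packets from other hosts) and “and arp” (only ARP packets involving the host). The unparenthesized precedence case is the reason the page's own multi-part expressions are written with parentheses: an appended “or” that is not parenthesized applies to the whole expression before it.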
Stopping a TCP Dump After an Event Occurs
Capture files offer visibility into intermittent network issues, but the amount of traffic they capture can be overwhelming. Also, because rotating logs is common, after a capture logs an event, the Core log rotation can overwrite debugging information specific to the event.
The Core makes troubleshooting easier because it provides a trigger that can stop a continuous capture after a specific log event occurs. The result is a smaller file to help pinpoint what makes the event happen.
The stop trigger continuously scans the system logs for a search pattern. When it finds a match, it stops all running captures.
To stop a capture after a specific log event
1. Choose Reports > Dumps: TCP Dumps to display the TCP Dumps page.
2. Schedule a capture.
3. In the Pattern text box, enter a Perl regular expression (regex) to find in a log. The Core compares the Perl regex against each new line in the system logs, and the trigger fires and stops the running captures when it finds a match.
The simplest regex is a word or a string of characters. For example, if you set the pattern to Limit, the trigger matches the line Connection Limit Reached.
Notes:
•  Perl regular expressions are case sensitive.
•  Perl treats the space character like any other character in a regex.
•  Perl reserves some characters, called metacharacters, for use in regex notation. The metacharacters are:
{ } [ ] ( ) ^ $ . | * + ? \
You can match a metacharacter by putting a backslash before it. For example, to search for a backslash in the logs, you must enter two backslashes (\\) as the pattern.
•  The pattern follows Perl regular expression syntax. For details, go to:
http://perldoc.perl.org/perlre.html
•  You cannot change the pattern while a scan is running. You must stop the scan before changing a pattern.
•  You do not need to wrap the pattern with the metacharacters to match the beginning or end of a line (^ $) or with the wildcard character (*).
4. Specify the amount of time to pause before stopping all running captures when the Core finds a match. This gives the system some time to log more data without abruptly cutting off the capture. The default is 30 seconds. Specify 0 for no delay; the capture stops immediately.
After a trigger has fired, the capture can stop by itself before the delay expires; for example, the capture duration can expire.
5. Click Start Scan.
When the scan stops, the Core sends an email to all addresses listed under Report Events via Email on the Settings > System Settings: Email page. The email notifies users that the trigger has fired.
The page indicates Last Triggered: Never if a TCP Dump stop trigger has never triggered on the Core. After the delay duration of the stop trigger, the Core displays the last triggered time.
Before changing the Perl regular expression or amount of delay, you must first stop the process.
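The notes under step 3 (case sensitivity, no need for ^, $ or * wrapping, backslash-escaping of metacharacters, and a typo that makes the trigger never fire) are illustrated by the following Python, an added example that is not Riverbed code and does not model the Core's scanner itself. Python's re module stands in for Perl here; the behaviours shown are the same in both. The log lines are constructed.

```python
import re

# Constructed system-log lines (not from a real Core); the third contains backslashes.
SAMPLE_LOG = [
    "Jan 12 10:00:01 core mgmtd[1021]: [mgmtd.INFO]: capture started on lan0_0",
    "Jan 12 10:00:07 core sport[1044]: [conn.NOTICE]: Connection Limit Reached",
    r"Jan 12 10:00:09 core sport[1044]: [path.WARN]: share \\fileserver\data unreachable",
]


def pattern_is_valid(pattern):
    """True if the pattern compiles. A pattern that does not compile (for example
    a lone trailing backslash) can never fire, so check it before starting a scan."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def first_match(lines, pattern):
    """Return the 1-based number of the first line the trigger would fire on, or None.
    re.search is unanchored and case sensitive, matching the page's notes: no ^, $
    or wildcard wrapping is needed, and 'limit' does not match 'Limit'."""
    regex = re.compile(pattern)
    for lineno, line in enumerate(lines, start=1):
        if regex.search(line):
            return lineno
    return None


def literal_pattern(text):
    """Backslash-escape every metacharacter so that text is matched literally."""
    return re.escape(text)


if __name__ == "__main__":
    print(first_match(SAMPLE_LOG, "Limit"))                         # 2
    print(first_match(SAMPLE_LOG, "limit"))                         # None: case sensitive
    print(first_match(SAMPLE_LOG, r"\\"))                           # 3: two backslashes match one
    print(first_match(SAMPLE_LOG, "[path.WARN]"))                   # 1: unescaped [...] is a character class
    print(first_match(SAMPLE_LOG, literal_pattern("[path.WARN]")))  # 3: escaped, matched literally
    print(pattern_is_valid("\\"))                                   # False: lone trailing backslash
```

The “[path.WARN]” case is the one worth remembering: entered unescaped, the square brackets make a character class that matches any single one of those letters, so the trigger fires on the first log line that happens to contain an “a”, long before the event of interest. Escaping the metacharacters with backslashes (or validating the pattern against a known-good line before starting the scan) avoids both that early fire and the opposite failure, a pattern that never matches.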
To stop a running scan
•  Click Stop Scan to halt the background process that monitors the system logs. The Core dims this button when the stop trigger is idling.
Stop Trigger Limitations
These limitations apply to the trigger:
•  You cannot create a trigger to stop a specific capture; the trigger affects all running captures.
•  If the search pattern contains a typo, the trigger might never find a match.
•  Only one instance of a trigger can run at one time.