Capture use cases | Packets captured |
Interceptor without inner channel capture (lan0_0) | • All responses from the server • All GRE messages between the Interceptor and the SteelHead |
Interceptor without inner channel capture (wan0_0) | • All probe messages |
Interceptor with inner channel capture (lan0_0) | • All requests from client • All responses from the server • All GRE messages between the Interceptor and the SteelHead • All heartbeat messages between the Interceptor and the SteelHead |
Interceptor with inner channel capture (wan0_0) | • All packets from client • All responses from the server • All probe messages |
SteelHead (local to the Interceptor) without inner channel capture (wan0_0) | • All requests from client • All responses from the server • All GRE messages between the Interceptor and the SteelHead |
SteelHead (local to the Interceptor) with inner channel capture (wan0_0) | • All requests from client • All responses from the server • All GRE messages between the Interceptor and the SteelHead • All heartbeat messages between the Interceptor and the SteelHead |
SteelHead not local to the Interceptor | No option to specify the location of the Interceptor (client/server). You can only capture traffic between SteelHead IP addresses in a comma separated list. |
Control | Description |
Add a New TCP Dump | Displays the controls for creating a TCP trace dump. |
Capture Name | Specify the name of the capture file. Use a unique filename to prevent overwriting an existing TCP dump. The default filename uses this format: <hostname>_<interface>_<time-stamp>.cap Where <hostname> is the hostname of the SCC, <interface> is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and <time-stamp> is in the yyyy/mm/dd hh:mm:ss format. If this trace dump relates to an open Riverbed Support case, specify the capture filename case_<number> where <number> is your Riverbed Support case number: for example, case_12345. Note: The .cap file extension isn’t included with the filename when it appears in the capture queue. |
Appliances | Select an appliance from the list. The SCC displays Interceptors, SteelHeads, and SteelHeads that are local to the Interceptor. If you select an Interceptor appliance or a SteelHead that is local to the Interceptor, the Endpoints section displays the Select Interceptor Location: Client/Server option so that you can capture data based on the location of the Interceptor in your network. If you select an appliance that isn’t local to the Interceptor the page displays only the Endpoints option for SteelHead deployments for capturing packets between endpoints. |
Endpoints (SteelHead deployments) | Specify source and destination IP addresses and corresponding ports to capture packets between endpoints. For example, specify the client-side IP addresses and server-side addresses to capture packets between these endpoints. Capture traffic between: • IPs - Specify All to capture all IP addresses on one side of the network or specify particular IP addresses separated by commas. You can specify IPv4 or IPv6 addresses. The default setting is All. • Ports - Specify All to capture all corresponding ports or specify particular ports separated by commas. The default setting is All. —and— • IPs - Specify All to capture all IP addresses on the other side of the network or specify particular IP addresses separated by commas. You can specify IPv4 or IPv6 addresses. The default setting is All. • Ports - Specify All to capture all corresponding ports or specify particular ports separated by commas. The default setting is All. Note: To capture traffic flowing in only one direction or to enter a custom command, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Manual. |
Endpoints (Interceptor clusters) | Select Interceptor Location - Select either Client or Server from the drop-down list. Your choice determines the endpoints (that is, IP addresses) that you can specify. If you select Client: • IPs - Specify All to capture all the client-side endpoints or specify one or more IP addresses separated by commas. Specify client-side addresses only. You can specify IPv4 or IPv6 addresses. The default setting is All. • Ports - Specify All to capture all corresponding ports or specify one or more ports separated by commas. The default setting is All. If you select Server: • IPs - Either specify All to capture all server-side endpoints or specify one or more IP addresses separated by commas. Specify client-side addresses only. You can specify IPv4 or IPv6 addresses. The default setting is All. • Ports - Specify All to capture all corresponding ports or specify one or more ports separated by commas. The default setting is All. • Capture Inner Channel Data - Captures all inner channel requests between the endpoints. The default setting is off. • Appliance IP address - Specify the in-path IP address of the local SteelHead. • Service Port - Specify the service port of the in-path local SteelHead. The default service port number is 7800. |
Capture Interfaces | Captures packet traces on the selected interfaces. You can select all interfaces or a base or in-path interface. The default setting is none. You must specify a capture interface. If you select several interfaces at a time, the data is automatically placed into separate capture files. When path selection is enabled, we recommend that you collect packet traces on all LAN and WAN interfaces. |
Capture Parameters | These parameters let you capture information about dot1q VLAN traffic. You can match traffic based on VLAN-tagged or untagged packets, or both. You can also filter by port number or host IP address and include or exclude ARP packets. Select one of these parameters for capturing VLAN packets: • Capture Untagged Traffic Only - Select this option for these captures: – All untagged VLAN traffic. – Untagged 7850 traffic and ARP packets. You must also specify or arp in the custom flags field in this page. – Only untagged ARP packets. You must also specify and arp in the custom flags field in this page. • Capture VLAN-Tagged Traffic Only - Select this option for these captures: – Only VLAN-tagged traffic. – VLAN-tagged packets with host 10.11.0.6 traffic and ARP packets. You must also specify 10.11.0.6 in the IPs field, and specify or arp in the custom flags field in this page. – VLAN-tagged ARP packets only. You must also specify and arp in the custom flags field in this page. • Capture both VLAN and Untagged Traffic - Select this option for these captures: – All VLAN traffic. – Both tagged and untagged 7850 traffic and ARP packets. You must also specify these values in the custom flags field in this page: (port 7850 or arp) or (vlan and (port 7850 or arp)) – Both tagged and untagged 7850 traffic only. You must also specify 7850 in one of the port fields in this page. No custom flags are required. – Both tagged and untagged ARP packets. You must also specify these values in the custom flags field in this page: (arp) or (vlan and arp) |
Capture Duration (Seconds) | Specify a positive integer to set how long the capture runs, in seconds. The default value is 30. Specify 0 or continuous to initiate a continuous trace. For continuous capture, we recommend specifying a maximum capture size and a nonzero rotate file number to limit the size of the TCP dump. |
Maximum Capture Size | Specify the maximum capture file size in megabytes. The default value is 100. After the file reaches the maximum capture size, TCP dump starts writing capture data into the next file, limited by the Number of Files to Rotate field. We recommend a maximum capture file size of 1024 MB (1 GB). |
Buffer Size | Optionally, specify the maximum amount of data, in kilobytes, allowed to queue while awaiting processing by the capture file. The default value is 154 kilobytes. |
Snap Length (bytes) | Optionally, select the snap length value for the capture file or specify a custom value. The snap length equals the number of bytes the report captures for each packet. Having a snap length smaller than the maximum packet size on the network enables you to store more packets, but you might not be able to inspect the full packet content. Select 65535 for a full packet capture (recommended for CIFS, MAPI, and SSL captures). The default value is 1518 bytes. When using jumbo frames, we recommend selecting 9018. The default custom value is 16383 bytes. |
Number of Files to Rotate | Specify how many capture files to keep for each interface before overwriting the oldest file. To stop file rotation, you can specify 0; however, we recommend rotating files, because stopping the rotation can fill the disk partition. This control limits the number of files created to the specified number and begins overwriting files from the beginning, thus creating a rotating buffer. The default value is 5. The maximum value is 2147483647. |
Custom Flags | Specify custom flags as additional statements within the filter expression. Custom flags are added to the end of the expression created from the Endpoints fields and the Capture Parameters radio buttons (pertaining to VLANs). If you require an “and” statement between the expression created from other fields and the expression that you are entering in the custom flags field, you must include the “and” statement at the start of the custom flags field. Do not use host, src, or dst statements in the custom flags field. Although it is possible in trivial cases to get these statements to start without a syntax error, they don’t capture GRE-encapsulated packets that some modes of SteelHead communications use, such as WCCP deployments or Interceptor connection-setup traffic. We recommend using bidirectional filters by specifying endpoints. For complete control of your filter expression, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Manual. For examples, see Viewing appliance expiring certificates. |
Schedule Dump | Schedules the trace dump to run at a later date. • Start Date - Specify a date to initiate the trace dump in this format: yyyy/mm/dd • Start Time - Specify a time to initiate the trace dump in this format: hh:mm:ss |
Add | Adds the TCP trace dump to the capture queue. |
Remove Selected | Under Stored TCP Dumps, select the TCP Dump check box and click Remove Selected. |
Filter purpose | Custom flag |
To capture all traffic on VLAN 10 between two specified endpoints: 1.1.1.1 and 2.2.2.2 | and vlan 10 |
To capture any packet with a SYN or an ACK | tcp[tcpflags] & (tcp-syn|tcp-ack) != 0 |
To capture any packet with a SYN | tcp[tcpflags] & (tcp-syn) != 0 -or- tcp[13] & 2 == 2 |
To capture any SYN to or from host 1.1.1.1 | and (tcp[tcpflags] & (tcp-syn) != 0) -or- and (tcp[13] & 2 == 2) |
Filter purpose | Custom flag |
To capture all FIN packets to or from host 2001::2002 | and (ip6[53] & 1!=0) |
To capture all IPv6 SYN packets | ip6 or proto ipv6 and (ip6[53] & 2 == 2) |