Creating appliance TCP dumps
You can create, download, and upload TCP dump capture files for appliances in the TCP Dumps page.
Capture files contain summary information for every internet packet received or transmitted on the interface to help diagnose problems in the system.
RiOS provides an easy way to create and retrieve multiple capture files. You can create capture files from multiple interfaces at the same time, limit the size of the capture file, and schedule a specific date and time to create a capture file. Scheduling and limiting a capture file by time or size allows unattended captures.
The top of the TCP Dumps page displays a list of existing capture files and the bottom of the page displays controls to create a capture file. The bottom of the page also includes the capture files that are currently running, and controls to create a trigger that stops a capture when a specific event occurs. The Running Capture Name list includes captures running at a particular time. It includes captures started manually and also any captures that were scheduled previously and are now running.
The SCC automatically uploads the TCP dumps to itself and zips them once the capture is finished. You may want to ensure that the TCP dump transfers don’t saturate the WAN links by either minimizing the size of the captures or employing QoS to rate limit the transfers.
Capturing TCP dumps for Interceptor clusters
With RiOS 9.6, the SCC customizes the display in the TCP Dumps page to guide you to specify the correct endpoints (that is, IP addresses) so that you can capture all relevant packets to debug Interceptor cluster configurations. This feature reduces the number of TCP dumps taken for debugging and cluster setup.
Previously you had to create multiple TCP dumps, such as Interceptor to SteelHead, Server to Client, and so forth, to obtain all the data you need to debug a cluster configuration. With RiOS 9.6, you can capture all relevant packets in a single TCP dump. TCP dump capture supports IPv4 traffic with correct addressing and full-transparency mode. For IPv6 traffic, all relevant packets are captured as long as there are no IPv6 extension headers in the data packet originating on the client or server.
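To check whether sample traffic falls under the IPv6 caveat above, the following added example (not Riverbed code and not part of the original page) walks the Next Header chain of a raw IPv6 packet and lists any extension headers it finds. The function names and the sample packets are constructed for illustration.

```python
import struct

# IANA protocol numbers of IPv6 extension headers.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 50: "ESP",
               51: "AH", 60: "destination-options", 135: "mobility",
               139: "HIP", 140: "shim6"}

def ipv6_extension_headers(packet: bytes) -> list:
    """Return the names of the extension headers in a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXT_HEADERS:
        found.append(EXT_HEADERS[next_header])
        # ESP hides the rest of the chain; a short capture truncates it.
        if next_header == 50 or offset + 2 > len(packet):
            break
        if next_header == 44:        # fragment header: fixed 8 bytes
            length = 8
        elif next_header == 51:      # AH: length in 4-byte units, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                        # others: 8-byte units after the first 8
            length = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += length
    return found

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet using documentation addresses (2001:db8::/32)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload

TCP_STUB = bytes(20)  # constructed placeholder for a TCP header
PLAIN = build_ipv6(6, TCP_STUB)
# Hop-by-hop header (next = TCP) padded to 8 bytes with a PadN option.
HOP_BY_HOP = build_ipv6(0, bytes([6, 0, 1, 4, 0, 0, 0, 0]) + TCP_STUB)
# Destination options (next = fragment), then fragment (next = TCP).
CHAINED = build_ipv6(60, bytes([44, 0, 1, 4, 0, 0, 0, 0])
                     + bytes([6, 0, 0, 0, 0, 0, 0, 1]) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("hop-by-hop", HOP_BY_HOP),
                      ("chained", CHAINED)]:
        print(name, ipv6_extension_headers(pkt) or "no extension headers")
```

A packet for which the function returns an empty list carries its transport header directly after the fixed 40-byte IPv6 header.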
In the SCC you can select an Interceptor appliance or a SteelHead local to the Interceptor to capture flows for Client or Server endpoints. You can also specify whether you want to capture packets from the inner channel.
This table summarizes possible inner channel capture use cases.
| Capture use cases | Packets captured |
| --- | --- |
| Interceptor without inner channel capture (lan0_0) | All responses from the server; all GRE messages between the Interceptor and the SteelHead |
| Interceptor without inner channel capture (wan0_0) | All probe messages |
| Interceptor with inner channel capture (lan0_0) | All requests from client; all responses from the server; all GRE messages between the Interceptor and the SteelHead; all heartbeat messages between the Interceptor and the SteelHead |
| Interceptor with inner channel capture (wan0_0) | All packets from client; all responses from the server; all probe messages |
| SteelHead (local to the Interceptor) without inner channel capture (wan0_0) | All requests from client; all responses from the server; all GRE messages between the Interceptor and the SteelHead |
| SteelHead (local to the Interceptor) with inner channel capture (wan0_0) | All requests from client; all responses from the server; all GRE messages between the Interceptor and the SteelHead; all heartbeat messages between the Interceptor and the SteelHead |
| SteelHead not local to the Interceptor | No option to specify the location of the Interceptor (client/server). You can only capture traffic between SteelHead IP addresses in a comma-separated list. |