Viewing SCC TCP Dumps Files
You can capture, download, and upload TCP dumps on the TCP Dumps page.
Capture files contain summary information for every Internet packet received or transmitted on the interface to help diagnose problems in the system.
RiOS provides an easy way to create and retrieve multiple capture files from the SCC. You can create capture files from multiple interfaces at the same time, limit the size of the capture file, and schedule a specific date and time to create a capture file. Scheduling and limiting a capture file by time or size allows unattended captures.
RiOS 7.0 and later supports remote capture analysis using the SteelCentral Packet Analyzer on capture files created and stored on the SteelHead without transferring the entire packet capture across the network. You do not need to transfer full packets until you need them.
Note: You cannot upload a capture file to the SteelHead using Packet Analyzer.
The top of the TCP Dumps page displays a list of existing capture files and the bottom of the page displays controls to create a capture file. The bottom of the page also includes the capture files that are currently running, and controls to create a trigger that stops a capture when a specific event occurs. The Running Capture Name list includes captures running at a particular time. It includes captures started manually and also any captures that were scheduled previously and are now running.
You can view the following TCP dump list reports:
•  To view TCP dump files
•  To view TCP trace dump files
•  To stop a running TCP trace dump
•  To upload the trace to Riverbed Support
To view TCP dump files
1. Choose Diagnostics > SCC Dumps: TCP Dumps to display the TCP Dumps page.
2. Complete the configuration as described in this table.
Control
Description
Add a New TCP Dump
Displays the controls for creating a TCP trace dump.
Capture Name
Specify the name of the capture file. Use a unique filename to prevent overwriting an existing TCP dump. The default filename uses this format:
<hostname>_<interface>_<time-stamp>.cap
Where <hostname> is the hostname of the SCC, <interface> is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and <time-stamp> is in the YYYY-MM-DD-HH-MM-SS format.
If this trace dump relates to an open Riverbed Support case, specify the capture filename as case_<number>, where <number> is your Riverbed Support case number (for example, case_12345).
Note: The .cap file extension is not included with the filename when it appears in the capture queue.
Capture Traffic Between
IPs - Specify the source IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
Ports - Specify the source ports. Separate multiple ports with a comma. The default setting is all ports.
and:
IPs - Specify the destination IP addresses. Separate multiple IP addresses with a comma to include all addresses bidirectionally. The default setting is all IP addresses.
Ports - Specify the destination ports. Separate multiple ports with a comma. The default setting is all ports.
Capture Interfaces
Captures the TCP trace dump on the selected interface(s). You can select all interfaces or a base, in-path, or RSP interface. The default setting is none. You must specify a capture interface.
If you select several interfaces at a time, the data is automatically placed into separate capture files.
Capture Parameters
Specify the parameters:
•  Capture Untagged Traffic Only - Captures only traffic without a VLAN tag. Enabling this setting filters the trace dump by capturing all untagged packets.
•  Capture VLAN-Tagged Traffic Only - Captures only VLAN-tagged packets within a trace dump for a trunk port (802.1Q). Enabling this setting filters the trace dump by capturing only VLAN-tagged packets. This setting applies to physical interfaces only because logical interfaces (inpath0_0, mgmt0_0) do not recognize VLAN headers.
•  Capture both VLAN and Untagged Traffic - Captures VLAN-tagged and untagged packets within a trace dump.
•  Capture Duration - Specify how long the capture runs, in seconds. The default value is 30. Specify 0 or continuous to initiate a continuous trace. When a continuous trace reaches the maximum space allocation of 100 MB, the oldest file is overwritten.
•  Maximum Capture Size (MB) - Specify the maximum capture file size, in megabytes. The default value is 100. Riverbed recommends a maximum capture file size of 1024 MB (1 GB).
•  Buffer Size - Optionally, specify the maximum amount of data, in kilobytes, allowed to queue up while awaiting processing by the TCP trace dump. The default value is 154 KB.
•  Snap Length - Optionally, specify the snap length value for the trace dump. Specify 0 for a full packet capture (recommended for CIFS, MAPI, and SSL traces). The default value is 1518.
•  Number of Files to Rotate - Specify how many TCP trace dump files to rotate. The default value is 5.
•  Custom Flags - Specify custom flags to capture unidirectional traces. Examples:
To capture all traffic to or from a single host:
host x.x.x.x
To capture all traffic between a pair of hosts:
host x.x.x.x and host y.y.y.y
To capture traffic between two hosts and two SteelHead inner channels:
(host x.x.x.x and host y.y.y.y) or (host a.a.a.a and host b.b.b.b)
Schedule Dump
Schedules the trace dump to run at a later date and time.
•  Start Date - Specify a date to initiate the trace dump in this format: YYYY/MM/DD.
•  Start Time - Specify a time to initiate the trace dump in this format: HH:MM:SS.
Add
Adds the TCP trace dump to the capture queue.
Tip: To remove an entry, select the check box next to the name and click Remove Selected.
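The Custom Flags expressions listed above can be generated rather than typed by hand, so that a capture is limited to the hosts under investigation and a malformed address never reaches the field. This is an added example, not Riverbed code; the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def _host(addr):
    """Return a 'host <ip>' term, rejecting anything that is not one IPv4 address."""
    return f"host {ipaddress.IPv4Address(addr.strip())}"


def custom_flags(*groups):
    """Build a Custom Flags expression in the form the page shows.

    Each group is a single address (all traffic to or from that host) or a
    pair of addresses (traffic between the two). Groups are OR-ed together.
    """
    if not groups:
        raise ValueError("at least one host or host pair is required")
    terms = []
    for group in groups:
        hosts = [group] if isinstance(group, str) else list(group)
        if len(hosts) not in (1, 2):
            raise ValueError(f"expected one host or a pair, got {hosts!r}")
        terms.append(" and ".join(_host(h) for h in hosts))
    if len(terms) == 1:
        return terms[0]
    # Parenthesise every group so 'and' and 'or' cannot be misread.
    return " or ".join(f"({t})" for t in terms)


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the page.
    print(custom_flags("192.0.2.10"))
    print(custom_flags(("192.0.2.10", "198.51.100.20")))
    print(custom_flags(("192.0.2.10", "198.51.100.20"),
                       ("203.0.113.1", "203.0.113.2")))
```
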
To view TCP trace dump files
1. Choose Diagnostics > SCC Dumps: TCP Dumps to display the TCP Dumps page.
2. Under Stored TCP Dumps, click the trace dump name to open the file.
Tip: To print the TCP dump, select the trace dump filename under Download Link. When the file opens, choose File > Print in your web browser to open the Print dialog box.
Tip: To remove an entry, check the box next to the name in the TCP dump list and click Remove Selected.
To stop a running TCP trace dump
1. Choose Diagnostics > SCC Dumps: TCP Dumps to display the TCP Dumps page.
2. Click the trace dump filename in the Running Capture Name list.
3. Click Stop Selected Captures.
To upload the trace to Riverbed Support
In continuous mode, after you complete the capture, perform the following steps:
(For timed TCP dumps, start with step 2.)
1. On the TCP Dumps page, select the running TCP Dump and click Stop Selected Captures.
The trace appears as a download link in the list of TCP Dumps stored on the SteelHead.
2. Click the top file in the TCP Dumps list and save it locally.
This file should contain the current date.
3. Compress (zip) the file and follow the upload instructions to share it with Riverbed Support:
Attach the file(s) to your case at
https://support.riverbed.com/cases/viewcases.htm
or
Upload the file(s) to FTP://ftp.riverbed.com/incoming
(for FTP, be sure the file is prefixed with case_number).
ftp ftp.riverbed.com
User: anonymous
Password: your_email@address
ftp> cd /incoming
ftp> bi
ftp> put case_12345-tcpdump.zip
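Step 3 above (compress the downloaded file and prefix it with the case number) can be scripted as follows. This is an added example, not part of the Riverbed procedure: the function name and sample file are assumptions, and the SHA-256 digest is an extra kept for your own records so the uploaded archive can later be matched to the capture you saved.

```python
import hashlib
import re
import zipfile
from pathlib import Path


def package_capture(capture, case_number, out_dir="."):
    """Zip one downloaded capture as case_<number>-<name>.zip.

    Returns (zip_path, sha256_hex_of_zip).
    """
    capture = Path(capture)
    case = str(case_number)
    if not re.fullmatch(r"\d+", case):
        raise ValueError("case number must contain digits only")
    if not capture.is_file() or capture.stat().st_size == 0:
        raise ValueError(f"{capture} is missing or empty")
    zip_path = Path(out_dir) / f"case_{case}-{capture.stem}.zip"
    if zip_path.exists():
        raise FileExistsError(f"{zip_path} already exists; not overwriting")
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(capture, arcname=capture.name)
    # Re-open and CRC-check the archive before it leaves the machine.
    with zipfile.ZipFile(zip_path) as zf:
        if zf.testzip() is not None:
            raise OSError(f"{zip_path} failed its integrity check")
    sha = hashlib.sha256()
    with open(zip_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
    return zip_path, sha.hexdigest()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a downloaded capture file.
        sample = Path(tmp) / "scc1_wan0_0_2024-01-15-10-30-00.cap"
        sample.write_bytes(b"constructed sample bytes\n" * 64)
        path, digest = package_capture(sample, 12345, tmp)
        print(path.name, digest)
```
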