Adding a New Capture Job
To create a new capture job:
1. Go to the Administration > General Traffic Settings: Capture Jobs/Interfaces page, and click the Capture Jobs tab.
2. Choose the Add button to open the New Capture Jobs Definition dialog.
3. Enter a name for the capture job (required). The name must be unique and can contain a maximum of 128 Unicode characters.
4. Select a VIFG with the traffic to be captured (required). By default, All VIFGs are selected. Uncheck All to manually select one or more VIFGs from the list.
5. Specify a filter (optional). SteelFilter is the default and recommended filter type; see SteelFilter Identifiers Supported For NPM Capture for the list of SteelFilter identifiers supported for capture jobs. No filter is used if the text box is empty.
Any BPF filter can be used without complication when indexing is not checked. If BPF and indexing are both selected, a message is displayed about potential issues that could occur. BPF filters using IP addresses, ports, or IP protocols will work as expected. However, BPF filters that create a subset of a flow could result in an incorrect microflow index and an incorrect view in Packet Analyzer Plus.
If you have a capture job with a microflow index and a BPF filter, the packets stored on disk and the associated microflow index might not be identical, because the index might not reflect the actual packets stored on disk. This can happen because the index stores data per flow or per connection, while a BPF filter can filter out any packet within a given flow or connection. For example, consider a filter that causes only packets with even sequence numbers to be stored to disk. The microflow index would include all the packets in the flow, but only half of those packets would be stored.
A workaround, if packets are available, is to force Packet Analyzer Plus to create the view from the packets, not from the microflow index, by holding down the Shift key when you apply a view.
6. Enter a maximum packet size (snaplen) for capture (optional). Values from 1 to 65535 bytes are valid. The default, 65535 bytes, captures the entire packet.
7. Packet data retention is set based on the size of the storage used by the captured packets and the timespan that the captured packets are kept. Time retention rules are calculated from the current time. For running capture jobs the following rules apply:
Minimum specifications are targets and may not be met for some or all jobs. Storage space is shared equally among jobs whose target has not yet been met.
If a maximum retention size is set, a job cannot store more data than the specified limit.
If a maximum retention time is set, a job cannot contain a longer timespan than the specified limit.
If the total size of all capture jobs reaches the size of the packet storage, data is pruned using the minimum parameters to set priority. Jobs that have not reached their minimum parameters have a low pruning priority; jobs that have reached their minimum parameters have a high pruning priority. Pruning reduces the size and time of each job.
 
Option | Notes
Min Retention Size | Specify a target minimum amount of packet storage for captured packets. Enter the number of bytes and select a unit of measure from the drop-down list.
Max Retention Size | Specify the maximum amount of packet storage for captured packets. Enter the number of bytes and select a unit of measure from the drop-down list.
Min Retention Time | Specify the minimum timespan to retain captured packets. Enter a number and select a unit of time from the drop-down list.
Max Retention Time | Specify the maximum timespan to retain captured packets. Enter a number and select a unit of time from the drop-down list.
8. Select Optimize For Download Speed (optional) if you want to enable Packet Capture Download Optimization. If Optimize For Download Speed is selected, packet data from the capture will be accessible more rapidly when you want to examine it.
9. Enable Indexing (optional). If the box is checked (default), a microflow index is created for the capture job. Packet Analyzer Plus uses the microflow index by default to speed the presentation of views.
10. Microflow Index retention is set based on the size of the index and the timespan that the index is kept. Time retention rules are calculated from the time of the last entry stored, not the current time. For running capture jobs the following rules apply:
Minimum specifications are targets and may not be met for some or all jobs. Storage space is shared equally among jobs whose target has not yet been met.
The minimum retention size is 50 MB for a Microflow Index.
If a maximum retention size is set, an index cannot store more data than the specified limit.
If a maximum retention time is set, an index cannot contain a longer timespan than the specified limit.
If the total size of all capture job indexes reaches the size of the index storage, data is pruned using the minimum parameters to set priority. Jobs that have not reached their minimum parameters have a low pruning priority; jobs that have reached their minimum parameters have a high pruning priority. Pruning reduces the size and time of each job.
Option | Notes
Min Retention Size | Specify a target minimum amount of microflow index data to store. Enter the number of bytes and select a unit of measure from the drop-down list.
Max Retention Size | Specify the maximum amount of microflow index data to store. Once this size is reached the oldest data is overwritten as new data is received. Enter the number of bytes and select a unit of measure from the drop-down list.
Min Retention Time | Specify the minimum timespan for an index to be stored. Enter a number and select a unit of time from the drop-down list.
Max Retention Time | Specify the maximum timespan for an index to be stored. Enter a number and select a unit of time from the drop-down list.
11. Click Save to save your settings.
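The index/packet mismatch described in step 5, as an added example (not vendor code): a toy Python model in which the filter decides what is stored packet by packet, while the index keeps whole-flow totals for every flow that has at least one stored packet. The packet tuples, the function names and the indexing model itself are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (src, sport, dst, dport, proto, tcp_seq, length)
PACKETS = (
    [("10.0.0.5", 40000, "10.0.0.9", 443, "tcp", s, 100) for s in range(1, 9)]
    + [("10.0.0.6", 40001, "10.0.0.9", 80, "tcp", s, 200) for s in range(1, 5)]
)

def flow_key(pkt):
    """Direction-independent 5-tuple identifying the flow a packet belongs to."""
    src, sport, dst, dport, proto = pkt[:5]
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b, proto)

def totals(packets):
    """Per-flow packet and byte counts for the given packets."""
    out = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        out[flow_key(p)]["packets"] += 1
        out[flow_key(p)]["bytes"] += p[6]
    return dict(out)

def capture(packets, keep):
    """Assumed model: the filter picks what is stored packet by packet, while
    the index keeps whole-flow totals for every flow with a stored packet."""
    stored = [p for p in packets if keep(p)]
    seen = {flow_key(p) for p in stored}
    index = totals(p for p in packets if flow_key(p) in seen)
    return stored, index

def index_mismatches(stored, index):
    """Flows whose index entry disagrees with the packets actually on disk."""
    on_disk = totals(stored)
    return {k: (v, on_disk.get(k)) for k, v in index.items() if v != on_disk.get(k)}

def even_seq(pkt):   # the page's example: a filter that keeps a subset of each flow
    return pkt[5] % 2 == 0

def port_443(pkt):   # port-based filter: keeps or drops whole flows
    return 443 in (pkt[1], pkt[3])

if __name__ == "__main__":
    for name, flt in (("even_seq", even_seq), ("port_443", port_443)):
        stored, index = capture(PACKETS, flt)
        print(name, len(stored), "stored;", index_mismatches(stored, index))
```

With the even-sequence filter every indexed flow reports twice the packets and bytes that are on disk; with the port filter the index and the stored packets agree.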
SteelFilter Identifiers Supported For NPM Capture
The following SteelFilter identifiers are supported for use with capture jobs, as well as with VIFGs and with exporting to NetProfiler:
ip.src—Source IP address
ip.dst—Destination IP address
ip.addr—Any IP address
ip.proto—Any protocol in use
tcp.port—Any TCP port
tcp.src_port—Source TCP port
tcp.dst_port—Destination TCP port
udp.port—Any UDP port
udp.src_port—Source UDP port
udp.dst_port—Destination UDP port
transport.port—Any transport port
transport.src_port—Source transport port
transport.dst_port—Destination transport port
Refer to the SteelCentral Packet Analyzer Plus User’s Guide, Appendix A: SteelFilter Identifiers for a complete list of SteelFilter identifiers.