Managing PCAP Data

In document STRM Log Manager Users Guide (Page 69-75)

If your STRM Log Manager Console is configured to integrate with the Juniper JunOS Platform DSM, STRM Log Manager can receive, process, and store Packet Capture (PCAP) data from a Juniper SRX-Series Services Gateway log source.

For more information on the Juniper JunOS Platform DSM, see the Configuring DSMs guide.

Before you can display PCAP data on the Log Activity tab, the Juniper SRX-Series Services Gateway log source must be configured with the PCAP Syslog Combination protocol. For more information on configuring log source protocols, see the Log Sources Users Guide.

This section includes the following information:

Displaying the PCAP Data Column

Viewing PCAP Information

Downloading the PCAP File to Your Desktop System

Displaying the PCAP Data Column

The PCAP Data column is not displayed on the Log Activity tab by default. When you create search criteria, you must select the PCAP Data column in the Column Definition pane. You can also group your event search results by the PCAP Data column.

To display the PCAP data column in event search results:

Step 1 Click the Log Activity tab.

Step 2 From the Search list box, select New Search.

The new event search page is displayed.

Step 3 Optional. Configure your specific search criteria:

NOTE

If you perform this step, the search results display only events that have PCAP data available.

a From the first list box, select PCAP data.

b From the second list box, select Equals.

c From the third list box, select True.

d Click Add Filter.

Step 4 Configure your column definitions:

a From the Available Columns list in the Column Definition pane, click PCAP Data.

b Click the Add icon in the bottom set of Add and Remove icons to move the PCAP Data column to the Columns list.

c Optional. Click the Add icon in the top set of Add and Remove icons to move the PCAP Data column to the Group By list.

Step 5 Click Filter.

NOTE

You can configure your event search using additional parameters; however, this procedure demonstrates only the search criteria required to display the PCAP Data column.

The event search results are displayed, providing the PCAP Data column. If PCAP data is available for an event, an icon is displayed in the PCAP Data column.

Using the PCAP icon, you can view the PCAP data or download the PCAP file to your desktop system.

Step 6 Double-click the event you want to investigate.

NOTE

If you are viewing events in streaming mode, you must pause streaming before you double-click an event.

The events details page is displayed.

From the PCAP Data toolbar option, you can view the PCAP information or download the PCAP file to your desktop system.

For more information on viewing and downloading PCAP data, see the following sections:

Viewing PCAP Information

Downloading the PCAP File to Your Desktop System

Viewing PCAP Information

You can view a readable version of the data in the PCAP file. To view PCAP information:

Step 1 Click the Log Activity tab.

Step 2 Perform or select a search that displays the PCAP Data column. See Displaying the PCAP Data Column.

The event search results are displayed.

Step 3 Choose one of the following options:

Right-click the PCAP icon for the event you want to investigate, and then select More Options > View PCAP Information.

Double-click the event you want to investigate, and then select PCAP Data > View PCAP Information from the event details toolbar.

NOTE

If you are viewing events in streaming mode, you must pause streaming before you double-click an event.

NOTE

Before PCAP data can be displayed, STRM Log Manager must retrieve the PCAP file for display on the user interface. If the download process takes an extended period of time, the Downloading PCAP Packet Information window is displayed. In most cases, the download process is quick and this window is not displayed.

After the file is retrieved, a pop-up window displays a readable version of the PCAP file.

You can read the information displayed in the window, or download the information to your desktop system.

Step 4 If you want to download the information to your desktop system, choose one of the following options:

a Click Download PCAP File to download the original PCAP file to be used in an external application.

b Click Download PCAP Text to download the PCAP information in .TXT format.

The Opening window is displayed.

Step 5 Choose one of the following options:

a If you want to open the file for immediate viewing, select the Open with option and select the application from the list box.

b If you want to save the list, select the Save File option.

Step 6 Click OK.

Downloading the PCAP File to Your Desktop System

You can download the PCAP file to your desktop system for storage or for use in other applications. To download the PCAP file to your desktop system:

Step 1 Click the Log Activity tab.

Step 2 Perform or select a search that displays the PCAP Data column. See Displaying the PCAP Data Column.

The event search results are displayed.

Step 3 For the event you want to investigate, choose one of the following options:

Click the PCAP icon.

Right-click the PCAP icon and select More Options > Download PCAP File.

Double-click the event you want to investigate, and then select PCAP Data > Download PCAP File from the event details toolbar.

NOTE

If you are viewing events in streaming mode, you must pause streaming before you double-click an event.

The Opening window is displayed.

Step 4 Choose one of the following options:

a If you want to open the file for immediate viewing, select the Open with option and select the application from the list box.

b If you want to save the list, select the Save File option.

Step 5 Click OK.
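
A downloaded capture can be checked before it is opened in an external application. The following is an added example, not part of the STRM guide or the product's own code: it validates the file header, counts packet records, flags a truncated download, and hashes the file for evidence tracking. It assumes the downloaded file is in classic libpcap format (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import hashlib
import struct

# Classic libpcap magic bytes -> (struct byte order, timestamp resolution)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
}

def inspect_pcap(data: bytes) -> dict:
    """Validate a classic pcap image and summarise it without decoding packets."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file (pcapng or other format?)")
    order, resolution = MAGICS[data[:4]]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    offset, packets, truncated = 24, 0, False
    while offset < len(data):
        # Each record: ts_sec, ts_frac, captured length, original length
        if offset + 16 > len(data):
            truncated = True
            break
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            truncated = True  # record claims more bytes than the file holds
            break
        offset += 16 + incl_len
        packets += 1
    return {"version": (major, minor), "resolution": resolution,
            "snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated, "sha256": hashlib.sha256(data).hexdigest()}

def build_sample() -> bytes:
    """Constructed one-packet capture (Ethernet link type, 60 zero bytes)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payload = bytes(60)
    record = struct.pack("<IIII", 1_700_000_000, 0, len(payload), len(payload))
    return header + record + payload

if __name__ == "__main__":
    # For a real download: inspect_pcap(open(path, "rb").read())
    print(inspect_pcap(build_sample()))
```

Recording the SHA-256 at download time lets you show later that the copy analysed in the external application is the one retrieved from the event.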

Exporting Events

You can export events in Extensible Markup Language (XML) or Comma Separated Values (CSV) format.

To export events:

Step 1 Click the Log Activity tab.

NOTE

If you are viewing events in streaming mode, you must pause streaming before you export event information.

a If you want to export the events in XML format, select Export to XML from the Actions list box.

b If you want to export the events in CSV format, select Export to CSV from the Actions list box.

The status window is displayed.

Step 2 If you want to resume your activities, click Notify When Done.

When the export is complete, you receive a notification. If you did not select the Notify When Done icon, the status window is displayed.
