Starting a Packet Capture
14. Verify that Disk usage is within safe bounds
Capture Packets Dialog Box
Use the Capture Packets dialog box to configure a traffic capture. It is available to users to whom the Packet Capture User role is assigned.
The task name, estimated result size, and free space are displayed at the top and bottom of all tabs.
Task name
The name of the task as it will appear in the list of tasks. Set this to a name that is useful for searching and sorting.
Description
The description of the task as it will appear in the list of tasks.
Estimated task size
The estimated total size of the capture, combining all data sources.
Free space
The storage space available for the capture. If this is not larger than the estimated task size, there will not be enough space available to save the capture.
OK, Cancel
Click OK to schedule the task and display a list of tasks with the filter set to your user name.
Click Cancel to discard the task submission.
Traffic Filters
Use the Traffic Filters tab to narrow the range of your capture to traffic between two dates and times, limit the duration of the capture, and review the filter settings.
Time range
• To capture traffic during a specific time range, select Fixed date and time and set the Start time and Stop time.
• To capture traffic for a certain amount of time starting from when you click OK, select Period relative to the current date and set Duration to the number of seconds, minutes, or hours you want to capture data.
The date range is initially populated from the CAS report, but you can adjust it in the Capture Packets dialog box.
Related messages:
• “The selected time range extends into the past. The AMD does not support back-in-time captures, so all AMD data sources will be ignored.”
To fix this, add data sources that do support back-in-time captures.
• “The selected data sources do not support back-in-time captures. Change the time range or add data sources that support back-in-time captures.”
To fix this, either change the time range so that the capture does not require back-in-time data sources or add data sources that support back-in-time captures.
• “Too many concurrent recordings for this time range.”
This occurs when the number of concurrent connections to one AMD exceeds the maximum, which is 10 by default. This value is defined in userprop-nf.properties (SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS). You cannot schedule a new task when this maximum is exceeded.
Assuming the default value (10), change the schedule so that you do not have more than 10 tasks scheduled to run at the same time. You can schedule the new task to run after one or more of the already scheduled tasks have finished, or you can reschedule or cancel one of the previously scheduled tasks so that there are no more than 10 scheduled to run after you create this task.
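The rescheduling advice above can be checked before you submit a task. The following is an added example, not part of the product or its documentation: it assumes tasks on one AMD count as concurrent when their time ranges overlap, and the function names and the sample schedule are hypothetical.

```python
from datetime import datetime, timedelta

# Default from the page for SYSTEM.NF_AMD_MAX_NUMBER_OF_CONCURRENT_TASKS.
MAX_CONCURRENT = 10

def peak_concurrency(scheduled, start, stop):
    """Most already-scheduled tasks running at any instant of [start, stop)."""
    events = []
    for s, e in scheduled:
        s, e = max(s, start), min(e, stop)   # clip the task to the window
        if s < e:                            # keep only tasks that overlap it
            events += [(s, 1), (e, -1)]
    running = peak = 0
    for _, delta in sorted(events):          # at equal times, stops sort first
        running += delta
        peak = max(peak, running)
    return peak

def fits(scheduled, start, stop, limit=MAX_CONCURRENT):
    """True if one more task over [start, stop) stays within the limit."""
    return peak_concurrency(scheduled, start, stop) + 1 <= limit

def earliest_start(scheduled, start, duration, limit=MAX_CONCURRENT):
    """Earliest start >= `start` at which a task of `duration` fits.

    A blocked window can only open up when a running task stops, so the
    requested start plus every later stop time are the only candidates.
    """
    for c in sorted({start} | {e for _, e in scheduled if e > start}):
        if fits(scheduled, c, c + duration, limit):
            return c
    return None  # not reached for limit >= 1: nothing runs after the last stop

if __name__ == "__main__":
    at = lambda h, m: datetime(2024, 1, 1, h, m)
    # Constructed schedule for one AMD: nine tasks 09:00-10:00, one 09:00-09:30.
    tasks = [(at(9, 0), at(10, 0))] * 9 + [(at(9, 0), at(9, 30))]
    print(fits(tasks, at(9, 15), at(9, 45)))
    print(earliest_start(tasks, at(9, 15), timedelta(minutes=30)))
```

With the constructed schedule, a 30-minute capture requested for 09:15 is rejected because ten tasks are already running, and the first start time that fits is 09:30, when the short task has finished.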
NOTE
In the case of a “Client from” dimension, the filter is generated for the most active client IP address (most total bytes), not for all client IP addresses.
TCPDUMP filter
The filters are initially populated from the CAS reports filters (converted to tcpdump filter format), but you can adjust them in the Capture Packets dialog box. If you edit this field, be sure to conform to the tcpdump filter format. If a filter setting is invalid, an error message is displayed and it is not possible to submit the task.
You can copy these filters into DNA and edit them to filter your trace during import. For more information, see Importing a DC RUM Traffic Capture into DNA in the Data Center Real User Monitoring Smart Packet Capture User Guide.
Click Syntax warnings under the filter box to list all syntax warnings. For more information, see Filter Error Messages and Syntax in the Data Center Real User Monitoring Smart Packet Capture User Guide.
NOTE
If both the server and the client are aggregated, the real client IP address is present in the filter expression but the real server IP address is not. In such cases, you probably need to change the filter expression manually to use the real server IP address.
For servers that are not aggregated, the server IP address is present in the filter expression.
Data Sources
Use the Data Sources tab to select the devices that will be used to gather data for this task. By default, network packets are gathered from all available data sources.
NOTE
In a farm deployment, you can have multiple slaves and AMDs connected to them in various configurations (for example, AMD1 connected to slave 1, and AMD2 connected to slave 2). If you are browsing DMI reports (on a master CAS), data is downloaded from slave servers and aggregated on the master. For packet capture, this screen displays all probes (AMDs and EndaceProbes) from the master and all slaves. It is not known which server in the farm holds a given portion of data. If data for a given tcpdump filter is not visible to a given probe, no data is captured on that probe.
Type
Device type.
IP
Device address.
Port
Port number.
File size
Size of the trace.
Advanced Options
Use the Advanced Options tab to set file-related parameters.
TCPDUMP filter settings
(AMD only.) Select Remove encapsulation to remove IP encapsulation from the capture. Default: selected.
File Settings
(AMD only.) Change Maximum file size (AMD) to adjust the maximum file size for the capture. Default: 500 MB.
Secure files with password
Select Secure files with password (and provide the password twice) to password-protect all task files stored on the CAS. If you select this option, you will need to provide this password to open the trace in DNA or another application.