Capturing Data Packets

Data Capture lets you establish data-capture parameters and run a data capture when you learn of a network problem and need detailed information for troubleshooting, or when you need to see more detailed information about the activity between two nodes on a network segment.

The following sections contain more information about Data Capture:

Overview of Data Capture

With Data Capture, you can indicate:

Where you want the captured data packets stored.
The format in which you want to save the data packets (TrafficDirector or Sniffer format).
What information you want included in the data capture (for example, you could create a data capture file for all HTTP packets being exchanged between a pair or hosts).

After you have captured the data packets to a file, you can analyze the contents of the packets captured in the TrafficDirector format by using Protocol Decode, or you can copy files saved in the Sniffer format to disk for input to a Sniffer device for analysis.

Packets captured on one interface might include packets seen on other interfaces. If you run a data capture for a selected interface on a SwitchProbe device or Network Analysis Module and wish to perform a second data capture for a different interface on the same device, you must clear the agent buffer before performing the second data capture to ensure the integrity of the data capture.

Establishing Data Capture Parameters

To establish Data Capture parameters, follow these steps:

Step 1 Click Traffic, Protocol, or Application from the TrafficDirector main window.

Step 2 Click Agent, Switch, or Frame Relay.

Step 3 Do one of the following:

If you selected Agent, select an agent name in the agent list box.
If you selected Agent Group, select the name of the agent group in the agent group list box. Then select a member of the agent group in the list box (lower left of screen).
If you selected Switch, select a switch name in the switch list box. Then select a switch port name in the interface list box (lower left of screen).
If you selected Frame Relay, select a Frame Relay agent name in the Frame Relay list box. And if necessary, select a DLCI interface in the interface list box (lower left of screen).

Step 4 Click the Data Capture icon.

Step 5 Do one of the following:

If you selected a SwitchProbe device, or a switch other than a Catalyst 5000 switch, the Data Capture window is displayed. Continue with Step 6.
If you selected a Catalyst 5000 switch, the confirmation window is displayed (Figure 28-1) and it displays the current roving information.

Figure 28-1: Confirmation Window

Step 6 Within the confirmation window, do one of the following:

Click replace to replace the currently roved ports with the port number you selected.
Click add to add the specified port number to the existing list of ports you are currently roving.

Note

Yes

Step 7 Enter information in the Data Capture window (Figure 28-2).

Figure 28-2: Data Capture Window

Table 28-1 describes each field in the Data Capture window:

Table 28-1: Data Capture Window Fields

Field Name Description/Action

Save As

The format of the file created when the data capture is uploaded.

Select TrafficDirector to save captured packets for use with the Protocol Decode application. The TrafficDirector application appends a .dat extension to the captured file name and writes the file $NSHOME/usr directory.

Select Sniffer (when available and appropriate) to save Ethernet, Token Ring, or FDDI captured packets in Sniffer 5.0 format. If you select Sniffer, the TrafficDirector application appends one of the following extensions to the captured file name:

.trc for Token Ring agents

.fdc for FDDI agents

.enc for other agent types

The file is written to the $NSHOME/usr directory.
Note Sniffer format is not supported (the radio button is dimmed) when rawhdr_capture has been turned on in the SwitchProbe device.

Mode

Determines when you want the Data Capture session to stop.

Select Lock When Full to stop the data-capture session when the capture buffer is full.

Select Wrap When Full to allow the data capture session to continue when the buffer is full. If you select this option, the most recent packets overwrite earlier packets until you click Stop.

Filter List

Specifies which filters you want to use from the list of available filters to more tightly focus the data capture.

Select Filter List then select up to four filters.

Protocol List

Specifies which protocols you want to use from the list of protocols the agent is monitoring to more tightly focus the data capture.

Select Protocol List, then up to four protocols.
Note If agent you are performing the data capture on is an RMON1 agent, or no protocols are installed on the agent, the Protocol List is not supported.

Buffer Size

The maximum number of bytes that can be saved in this capture buffer.

Select either KB or MB, then enter the buffer size. The buffer size can be 32 to 16384 KB or 1 to 64 MB (default is 64 KB). Enter the size as a decimal number.
Note On Windows NT platforms, the Buffer Size field only accepts a value with a maximum of four digits. Click the Mb radio button to specify a value larger than 9999 Kb.

Slice Size

The maximum number of bytes of each captured packet For example, if a 1500-byte packet is received and Slice Size is set to 500, only the first 500 bytes of the packet are captured.

Enter the slice size as a decimal number from 0 to 1518 bytes (default slice size is 128 bytes). To obtain the largest slice size possible, set the slice size to 1518 bytes.

Address Type

The format of the source and destination address fields.

Select MAC to identify source and destination addresses as physical addresses.

Select IP to identify source and destination addresses as network addresses.

Source Address

Enter the MAC or IP address, depending on the selection you made in the Address Type field. MAC addresses must be in hexadecimal format: 01-23-45-67-89-ab. IP addresses must be in dotted decimal notation: 204.205.206.207.

Destination Address

Enter the MAC or IP address, depending on the selection you made in Address Type field. MAC addresses must be in hexadecimal format: 01-23-45-67-89-ab. IP addresses must be in dotted decimal notation: 204.205.206.207.

Direction

Specifies what type of traffic you want to capture---Traffic from source-to-destination only, or traffic in both directions.

When you select the Filter List, click Single to capture traffic from source-to-destination. The default value is Both---capture traffic in both directions.

When you select the Protocol List, the default value is Both---capture traffic in both directions.

Filter Type

Specifies how you want the selected filters to perform the data capture when you select the Filter List option.

Select Inclusive (default) to capture only packets that match your filter list.

Select Exclusive to capture all packets except the ones that match your filter list.

Packet Type

Specifies what type of packets to capture when you select the Filter List option.

Select good to capture only good packets.

Select bad to capture only bad packets.

Select all to capture all packets.

When you select the Protocol List option, good is selected.

Update Interval

Specifies the time, in seconds, between updates of the capture information that displays in the bottom of the Data Capture window.

Enter a value between 5 seconds and 60 seconds as a decimal integer.

Protocol List

One or more protocols from the list of TrafficDirector-supported protocols. Lets you capture traffic in terms of protocol type.

Field Name	Description/Action
Save As	The format of the file created when the data capture is uploaded. Select TrafficDirector to save captured packets for use with the Protocol Decode application. The TrafficDirector application appends a .dat extension to the captured file name and writes the file `$NSHOME/usr` directory. Select Sniffer (when available and appropriate) to save Ethernet, Token Ring, or FDDI captured packets in Sniffer 5.0 format. If you select Sniffer, the TrafficDirector application appends one of the following extensions to the captured file name: .trc for Token Ring agents .fdc for FDDI agents .enc for other agent types The file is written to the `$NSHOME/usr` directory. Note Sniffer format is not supported (the radio button is dimmed) when rawhdr_capture has been turned on in the SwitchProbe device.
Mode	Determines when you want the Data Capture session to stop. Select Lock When Full to stop the data-capture session when the capture buffer is full. Select Wrap When Full to allow the data capture session to continue when the buffer is full. If you select this option, the most recent packets overwrite earlier packets until you click Stop.
Filter List	Specifies which filters you want to use from the list of available filters to more tightly focus the data capture. Select Filter List then select up to four filters.
Protocol List	Specifies which protocols you want to use from the list of protocols the agent is monitoring to more tightly focus the data capture. Select Protocol List, then up to four protocols. Note If agent you are performing the data capture on is an RMON1 agent, or no protocols are installed on the agent, the Protocol List is not supported.
Buffer Size	The maximum number of bytes that can be saved in this capture buffer. Select either KB or MB, then enter the buffer size. The buffer size can be 32 to 16384 KB or 1 to 64 MB (default is 64 KB). Enter the size as a decimal number. Note On Windows NT platforms, the Buffer Size field only accepts a value with a maximum of four digits. Click the Mb radio button to specify a value larger than 9999 Kb.
Slice Size	The maximum number of bytes of each captured packet For example, if a 1500-byte packet is received and Slice Size is set to 500, only the first 500 bytes of the packet are captured. Enter the slice size as a decimal number from 0 to 1518 bytes (default slice size is 128 bytes). To obtain the largest slice size possible, set the slice size to 1518 bytes.
Address Type	The format of the source and destination address fields. Select MAC to identify source and destination addresses as physical addresses. Select IP to identify source and destination addresses as network addresses.
Source Address	Enter the MAC or IP address, depending on the selection you made in the Address Type field. MAC addresses must be in hexadecimal format: 01-23-45-67-89-ab. IP addresses must be in dotted decimal notation: 204.205.206.207.
Destination Address	Enter the MAC or IP address, depending on the selection you made in Address Type field. MAC addresses must be in hexadecimal format: 01-23-45-67-89-ab. IP addresses must be in dotted decimal notation: 204.205.206.207.
Direction	Specifies what type of traffic you want to capture---Traffic from source-to-destination only, or traffic in both directions. When you select the Filter List, click Single to capture traffic from source-to-destination. The default value is Both---capture traffic in both directions. When you select the Protocol List, the default value is Both---capture traffic in both directions.
Filter Type	Specifies how you want the selected filters to perform the data capture when you select the Filter List option. Select Inclusive (default) to capture only packets that match your filter list. Select Exclusive to capture all packets except the ones that match your filter list.
Packet Type	Specifies what type of packets to capture when you select the Filter List option. Select good to capture only good packets. Select bad to capture only bad packets. Select all to capture all packets. When you select the Protocol List option, good is selected.
Update Interval	Specifies the time, in seconds, between updates of the capture information that displays in the bottom of the Data Capture window. Enter a value between 5 seconds and 60 seconds as a decimal integer.
Protocol List	One or more protocols from the list of TrafficDirector-supported protocols. Lets you capture traffic in terms of protocol type.

Starting the Data Capture Application

Part of the Data Capture window is a tool bar that includes a series of icons. Each icon performs a specific function when you start Data Capture.

The Data Capture tool bar is shown in Figure 28-3:

Figure 28-3: Data Capture Tool Bar

Note If the Raw Header option is in effect on the SwitchProbe device on which you are performing the Data Capture, during Protocol Decode you can only decode WAN frames captured with the Frame Relay encapsulation type. See the Cisco SwitchProbe Installation and Configuration Guide for more information about setting the Raw Header option.

To start Data Capture, follow these steps:

Step 1 Click the Start icon or select Capture > Start to send the capture configuration to the SwitchProbe device and initiate the data capture according to the data capture parameters you have established.

Note

Step 2 Click the Stop icon or select Capture > Stop to end the data capture session.

The captured data is stored in a buffer in the agent.

The TrafficDirector application updates the fields in the bottom right corner of the Data Capture window while the data capture is running, based on the update interval.

These fields are described in the following table.

This Field... Contains This Information

Started @

Date and time the data capture started.

Running for

How long---in hours, minutes, and seconds---the data capture has been running.

Buffer Status

Status of the data capture buffer:

Stopped---If capture is stopped.

Not Known---If a capture entry does not exist.

Full---If buffer is full.

Available---If buffer has available space.

Capture Packets

Number of packets in the capture buffer. This field is updated according to the update interval specified.

This Field...	Contains This Information
Started @	Date and time the data capture started.
Running for	How long---in hours, minutes, and seconds---the data capture has been running.
Buffer Status	Status of the data capture buffer: Stopped---If capture is stopped. Not Known---If a capture entry does not exist. Full---If buffer is full. Available---If buffer has available space.
Capture Packets	Number of packets in the capture buffer. This field is updated according to the update interval specified.

Step 3 Click the Upload icon or select Capture > Upload to transfer the captured data from a buffer in the SwitchProbe device in the TrafficDirector or Sniffer format to the file name you previously specified in the Captured File Name field.

When the upload process begins, the number of packets uploading is displayed in the status bar in the lower left corner of the Data Capture window.

Step 4 When the upload process completes, click the Clear Agent Buffer icon or select Capture > Clear Agent Buffer to remove any existing data capture configuration information from the device.

For more information about Protocol Decode, see Chapter 29, "Decoding Packets."

Table of Contents