Views:

Packet Trace

Packet trace files contain information only about the packets that triggered the filter. The trace records the packet information according to the requirements set in the application for each filter and saves it to a PCAP file. The default filename uses the convention SMSTrace-VulnerabilityId - FilterName, where VulnerabilityId and FilterName are the unique identifiers of the attack filter for which packet trace was enabled. Packet trace options are available from the Events or Device areas of the SMS. You can request multiple packet trace files from multiple events, or all packet traces on a specific device. Packet trace options are available only for devices that support the packet trace feature.


Traffic Capture

A traffic capture file contains one or more packets that a device captures on a single segment or on multiple segments. Users can view the files for only one device at a time. Traffic capture files are saved in PCAP format and can be opened in either the internal SMS viewer or an external viewer. Traffic capture expressions (based on TCPDump filter syntax) are used in traffic captures to refine the types of packets that are captured. Refer to the TCPDump website (http://www.tcpdump.org/tcpdump_man.html) for additional information.


PCAP File Information

You can run and manage up to five concurrent traffic captures. Traffic captures are managed via the device Local Security Manager (LSM):

  • TPS: Tools > Traffic Capture

You can also manage traffic captures with the debug traffic-capture CLI command or from the SMS client interface.

The Traffic Capture feature now supports true TCPDump expressions when defining the parameters of a traffic capture. The maximum traffic capture size has also been increased to 10,000,000 packets, 10MB (10,000,000 bytes), or 100 files. Traffic capture files are saved on the external compact flash card. Traffic capture files are moved off the device if they were created from the SMS or if the user wants to work with the file.


PCAP Remote Storage: PCAP files on the IPS/TPS can be stored remotely and viewed through the SMS. The remote storage option must be enabled in the SMS's Preferences section, and users must have a user role that allows them to edit preferences.

PCAP Large Packet Captures: Viewing large packet captures with the built-in SMS viewer may cause server errors. The best practice is to use an external viewer.

PCAP Filenames: PCAP filenames (for example, name-1349957094405.PCAP) are created automatically when a PCAP is downloaded to the SMS. The name includes a number based on a UNIX timestamp (epoch format). In this example, the file was saved to the SMS on Thu, 11 Oct 2012, 12:04:54 UTC. UNIX time (also called POSIX time or a UNIX timestamp) is the number of seconds that have elapsed since the UNIX epoch, January 1, 1970. PCAP filenames are limited to 22 characters plus the extension.
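As an added example (not part of the SMS documentation and not Trend Micro code), the following Python script covers the two checks a practitioner wants before opening a downloaded capture. It recovers the save time from an SMS-style filename such as name-1349957094405.PCAP, reading a 13-digit number as milliseconds since the epoch (an assumption drawn from the page's example and its stated date; the stem-<number>.PCAP pattern and the 22-character limit are taken from the text), and it walks the classic pcap global and record headers to count packets and bytes without decoding any payload, so a large capture can be sized and steered to an external viewer before it strains the built-in one. The sample pcap is constructed inline, and the viewer thresholds are illustrative assumptions, since the documentation gives no figure.

```python
import re
import struct
from datetime import datetime, timezone

# Classic pcap (libpcap) magic numbers; the SMS saves traces and captures in this format.
PCAP_MAGIC_US = 0xA1B2C3D4  # microsecond timestamp fraction
PCAP_MAGIC_NS = 0xA1B23C4D  # nanosecond timestamp fraction
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
SMS_NAME_LIMIT = 22  # characters before the extension, per the SMS documentation

# Assumed filename shape, modelled on the documented example "name-1349957094405.PCAP".
_SMS_NAME = re.compile(r"^(?P<stem>.+)-(?P<ts>\d{10}|\d{13})\.pcap$", re.IGNORECASE)


def parse_sms_pcap_filename(filename):
    """Return (stem, save time as a UTC datetime) for an SMS-style PCAP filename.

    13 digits are taken as milliseconds since the epoch, 10 digits as seconds
    (assumption). Integer arithmetic keeps the fraction exact.
    """
    m = _SMS_NAME.match(filename)
    if m is None:
        raise ValueError(f"not an SMS-style PCAP filename: {filename!r}")
    digits = m.group("ts")
    seconds, millis = divmod(int(digits), 1000) if len(digits) == 13 else (int(digits), 0)
    saved_at = datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)
    return m.group("stem"), saved_at


def name_within_sms_limit(filename):
    """True if the part before the extension fits the 22-character SMS limit."""
    return len(filename.rsplit(".", 1)[0]) <= SMS_NAME_LIMIT


def pcap_summary(data):
    """Walk a pcap byte string record by record and return a triage summary.

    Only headers are decoded, so this stays cheap on captures too large for the
    built-in viewer. Flags snaplen-sliced packets and a partial trailing record
    (capture stopped mid-write or file copied incompletely).
    """
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file (unrecognised magic number)")
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])

    packets = captured_bytes = snapped = 0
    first_ts = last_ts = None
    partial_trailer = False
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            partial_trailer = True  # record header promises more bytes than remain
            break
        ts = ts_sec + ts_frac / frac_div
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        captured_bytes += incl_len
        if incl_len < orig_len:
            snapped += 1  # packet was sliced to the snaplen when captured
        off += incl_len
    if off < len(data) and not partial_trailer:
        partial_trailer = True  # leftover bytes too short for a record header
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "captured_bytes": captured_bytes, "snapped": snapped,
            "first_ts": first_ts, "last_ts": last_ts, "partial_trailer": partial_trailer}


def viewer_recommendation(summary, packet_threshold=100_000, byte_threshold=10_000_000):
    """Pick a viewer: large captures can error in the built-in SMS viewer.

    Thresholds are assumptions for illustration; the documentation gives no figure.
    A file with a partial trailing record also goes to an external viewer.
    """
    if summary["partial_trailer"]:
        return "external"
    if summary["packets"] > packet_threshold or summary["captured_bytes"] > byte_threshold:
        return "external"
    return "built-in"


def build_sample_pcap():
    """Constructed two-frame little-endian pcap (Ethernet, link type 1) as offline sample input."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 1500, 1)
    base = 1349957094  # the epoch second from the documented filename example
    frame1 = b"\x00" * 60    # minimum-size Ethernet frame, fully captured
    frame2 = b"\x00" * 1500  # a 1514-byte frame sliced to the 1500-byte snaplen
    rec1 = struct.pack("<IIII", base, 0, len(frame1), len(frame1)) + frame1
    rec2 = struct.pack("<IIII", base + 1, 0, len(frame2), 1514) + frame2
    return header + rec1 + rec2


if __name__ == "__main__":
    stem, saved_at = parse_sms_pcap_filename("name-1349957094405.PCAP")
    print(stem, saved_at.isoformat(), name_within_sms_limit("name-1349957094405.PCAP"))
    summary = pcap_summary(build_sample_pcap())
    print(summary, viewer_recommendation(summary))
```

Running the script on a real download only requires replacing build_sample_pcap() with the bytes of the file; because the summary never decodes past the record headers, it is a safe first look at a capture whose size or integrity is unknown.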