Packet Trace
Packet trace files contain information only about packets that triggered the filter. The information is encapsulated according to the requirements set in the application for each filter and saved as a packet trace in a PCAP file. The default filename uses the convention SMSTrace-VulnerabilityId - FilterName, where VulnerabilityId and FilterName are the unique identifiers of the attack filter for which packet trace was enabled. Packet trace options are available from the Events area or the Device area of the SMS. You can request multiple packet trace files from multiple events, or all packet traces on a specific device. Packet trace options are available only for devices that support the packet trace feature; devices such as the Core Controller and the SSL do not support packet trace.
Traffic Capture
A traffic capture file contains one or more packets captured by a device on a single segment or on multiple segments. Users can see the files for only one device at a time. Traffic capture files are saved in PCAP format and can be opened in either an internal or an external viewer. Traffic capture expressions (based on TCPDump syntax) are used in traffic captures to refine the types of packets that are captured. Refer to the TCPDump manual page (http://www.tcpdump.org/tcpdump_man.html) for additional information.
PCAP File Information
You can run and manage up to five concurrent traffic captures. Traffic captures are managed through the device's Local Security Manager (LSM):
- IPS: Network > Network Tools
- TPS: Tools > Traffic Capture
You can also manage traffic captures with the debug traffic-capture CLI command or from the SMS client interface.
The Traffic Capture feature now supports true TCPDump expressions when defining the parameters of a traffic capture. The maximum traffic capture size has also been increased to 10,000,000 packets, 10MB (10,000,000 bytes), or 100 files. Traffic capture files are saved on the external compact flash card. They are moved off the device if they were created from the SMS or if the user wants to work with the file.
PCAP Remote Storage: PCAP files on the IPS/TPS can be stored remotely and viewed through the SMS. The remote storage option must be enabled in the Preferences section of the SMS and users must have a user role that allows preferences to be edited.
PCAP Large Packet Captures: Viewing large packet captures with the SMS built-in viewer may cause errors on the server. The best practice is to use an external viewer to view large packet captures.
PCAP Filenames: PCAP filenames are limited to 22 characters plus the extension.
PCAP Filenames: PCAP filenames (for example, name-1349957094405.PCAP) are created automatically when a PCAP is downloaded to the SMS. The name includes a number that is the UNIX timestamp of the download (in this example expressed in milliseconds), so this file was saved to the SMS on Thu, 11 Oct 2012 12:04:54 UTC. The UNIX epoch (also called UNIX time, POSIX time, or a UNIX timestamp) is the number of seconds that have elapsed since January 1, 1970, 00:00:00 UTC.
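The following is an added example (not part of this documentation or of the SMS product) showing how an analyst can recover the download time from an SMS-generated PCAP filename and check it against the 22-character limit stated above. It assumes the filename shape `<name>-<timestamp>.PCAP`, treats 13-digit timestamps as milliseconds and shorter ones as seconds, and applies the length limit to the whole filename stem; those interpretations are assumptions, not product specifications.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed filename shape: <name>-<epoch number>.PCAP (case-insensitive extension)
_PCAP_RE = re.compile(r"^(?P<name>.+)-(?P<stamp>\d{10,13})\.pcap$", re.IGNORECASE)
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAX_STEM_LEN = 22  # limit stated in the documentation, excluding the extension


def epoch_to_utc(stamp: int) -> datetime:
    """Convert a UNIX timestamp to an aware UTC datetime.

    Assumption: values of 13 digits (>= 10**11) are milliseconds, as in the
    documented example 1349957094405; anything smaller is whole seconds.
    """
    if stamp >= 10**11:
        return _EPOCH + timedelta(milliseconds=stamp)
    return _EPOCH + timedelta(seconds=stamp)


def is_sms_pcap_filename(filename: str) -> bool:
    """True when the filename matches the assumed SMS naming pattern."""
    return _PCAP_RE.match(filename) is not None


def parse_sms_pcap_filename(filename: str) -> dict:
    """Split an SMS-generated PCAP filename into its parts.

    Returns the base name, the download time in UTC, and whether the stem
    (filename without extension) respects the 22-character limit.
    """
    m = _PCAP_RE.match(filename)
    if m is None:
        raise ValueError(f"not an SMS PCAP filename: {filename!r}")
    stem = filename.rsplit(".", 1)[0]
    return {
        "name": m.group("name"),
        "downloaded_utc": epoch_to_utc(int(m.group("stamp"))),
        "stem_within_limit": len(stem) <= MAX_STEM_LEN,
    }


if __name__ == "__main__":
    # Constructed input taken from the documented example filename.
    info = parse_sms_pcap_filename("name-1349957094405.PCAP")
    print(info["downloaded_utc"].strftime("%a, %d %b %Y %H:%M:%S UTC"))
```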