
What is the difference between a Packet Trace and a Packet Capture?

    • Updated: 24 Jun 2020
    • Product/Version:
        • TippingPoint IPS N-series All
        • TippingPoint IPS NX-series All
        • TippingPoint IPS S-series All
        • TippingPoint SMS All
        • TippingPoint TPS All
        • TippingPoint TX-Series All
        • TippingPoint Virtual SMS
        • TippingPoint Virtual TPS All
This article discusses the differences between a packet trace and a packet capture as performed by Trend Micro TippingPoint devices.

Packet Trace

Packet trace files contain information only about packets that triggered the filter. The information is encapsulated according to the requirements set in the application per filter, and the packet trace is saved to a PCAP file. The default filename uses the convention SMSTrace-VulnerabilityId - FilterName, where VulnerabilityId and FilterName are unique identifiers of the attack filter for which packet trace was enabled. Packet trace options are available from the Events area or Device area of the SMS. You can request multiple packet trace files from multiple events or all packet traces on a specific device. Packet trace options are available for devices that support the packet trace feature. Devices such as the Core Controller and the SSL do not support packet trace.

Traffic Capture

A traffic capture file contains one or more packets captured by a device on a single segment or multiple segments. Users can see the files for only one device at a time. Traffic capture files are saved in PCAP format and support either an internal or external viewer. Traffic capture expressions (based on TCPDump) are used in traffic captures to refine the types of packets that are captured. Refer to the TCPDump website for additional information.

PCAP File Information

You can run and manage up to five concurrent traffic captures. Traffic captures are managed via the device Local Security Manager (LSM):

  • IPS: Network > Network Tools
  • TPS: Tools > Traffic Capture

You can also manage Traffic Captures with the debug traffic-capture CLI command or from the SMS client interface.

The Traffic Capture feature now supports true TCPDump expressions when defining the parameters of a traffic capture. The maximum traffic capture size has also been increased to 10,000,000 packets, 10MB (10,000,000 bytes), or 100 files. The traffic capture files are saved on the external compact flash card. The traffic capture files are moved from the device if they were created from the SMS or if the user wants to work with the file.

PCAP Remote Storage: PCAP files on the IPS/TPS can be stored remotely and viewed through the SMS. The remote storage option must be enabled in the Preferences section of the SMS and users must have a user role that allows preferences to be edited.

PCAP Large Packet Captures: Viewing large packet captures with the SMS built-in viewer may cause errors on the server. The best practice is to use an external viewer to view large packet captures.


PCAP Filenames: PCAP filenames are limited to 22 characters plus the extension.


PCAP Filenames: PCAP filenames (name-1349957094405.PCAP) are automatically created when a PCAP is downloaded to the SMS. The name includes a number that is based on a UNIX timestamp or epoch format. In this example, the file was saved to the SMS on Thu, 11 Oct 2012 12:04:54 UTC. The UNIX epoch (or UNIX time or POSIX time or UNIX timestamp) is the number of seconds that have elapsed since January 1, 1970.
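
When correlating downloaded captures with other evidence, the save time can be recovered from the filename. The following Python sketch is an added example, not Trend Micro code: the 13-digit number in the article's example matches the stated date only when read as milliseconds since the epoch, and the handling of 10-digit (seconds) values, the function names and all sample names except the article's are assumptions.

```python
import re
from datetime import datetime, timezone
from pathlib import PurePath

# Matches <name>-<digits>.pcap, e.g. the article's name-1349957094405.PCAP.
NAME_RE = re.compile(r"^(?P<name>.+)-(?P<stamp>\d{13}|\d{10})\.pcap$", re.IGNORECASE)


def sms_download_time(filename):
    """Return (capture_name, UTC datetime), or None if no timestamp suffix."""
    match = NAME_RE.match(PurePath(filename).name)
    if match is None:
        return None
    stamp = match.group("stamp")
    # 13 digits: milliseconds since the epoch (the article's example).
    # 10 digits: plain seconds (assumption, handled defensively).
    seconds, millis = divmod(int(stamp), 1000) if len(stamp) == 13 else (int(stamp), 0)
    when = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return match.group("name"), when.replace(microsecond=millis * 1000)


def build_timeline(filenames):
    """Return (entries sorted by download time, names without a timestamp)."""
    entries, unparsed = [], []
    for filename in filenames:
        decoded = sms_download_time(filename)
        if decoded is None:
            unparsed.append(filename)  # e.g. packet trace files (SMSTrace-...)
        else:
            entries.append((decoded[1], decoded[0], filename))
    return sorted(entries), unparsed


if __name__ == "__main__":
    # Constructed sample names; only the first one comes from the article.
    samples = [
        "dmz-1349960694405.pcap",
        "name-1349957094405.PCAP",
        "edge-seg1-1349957094.pcap",
        "SMSTrace-1234 - Example Filter.pcap",
    ]
    ordered, skipped = build_timeline(samples)
    for when, name, filename in ordered:
        print(when.isoformat(), name, filename)
    print("no timestamp in name:", skipped)
```

Names that do not end in a numeric suffix, such as packet trace files using the SMSTrace convention, are returned separately so they can be dated from file metadata instead.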
