Packet Capture is a way of setting up a Monitoring Point to copy and store IP packets that it sees on its Usage monitoring interface. A Monitoring Point captures packets based on user-defined parameters that include which packets to capture, how much of each packet to capture, and when to start and stop capturing. Packets from AppNeta monitoring, assessments, diagnostic tests, and Monitoring Point communication are not captured.

The captured packets are packaged into a standard file format and securely uploaded to AppNeta Performance Manager (APM). You can view the results there, or you can download the capture file to analyze using third-party software (for example, Wireshark).

Start a packet capture

Prior to starting a packet capture, you must set up for packet capture. You can then start a new capture, use an existing capture configuration as a template to start a capture, or edit an existing packet capture configuration.

Capture files are capped at 1GB. In addition, regardless of any stop conditions specified, capturing ends when the space remaining on the Monitoring Point is too low:

  • For full-packet captures (where a maximum of 1500 bytes per packet is captured), capturing ends when less than 10MB remains on the device.
  • For partial-packet captures (where fewer than 1500 bytes per packet are captured), capturing ends when less than 1MB remains on the device.

Start a new packet capture

To start a new packet capture:

  1. Navigate to Usage > Packet Capture.
  2. Click + Start New Capture.
    1. In the Name field, specify a name for the capture.
    2. In the Monitoring Point dropdown, select the Monitoring Point to capture from.
    3. In the Capture Interface dropdown, select the Monitoring Point capture interface to use.
    4. In the Packet Limit field, specify the maximum number of bytes to store of each captured packet.
      • Default: 96 bytes. Range: 68 - 65,535
      • Deselect this option to capture entire packets.
    5. In the Capture Filter field, use a filter to specify which packets are captured.
      • The filter uses libpcap syntax. For examples, click the icon. Filtering only the traffic you care about will reduce the capture size. This provides a longer captured duration, and it ensures that the capture analysis is relevant to the problem you are trying to solve.
      • Leave the field blank to capture all packets.
    6. In the Capture Stop Condition(s) field, specify when to stop the capture.
    7. In the Related Network Paths field, specify network paths associated with the capture to have the path name appear in relevant areas of the user interface and reports (for example, on the network path performance Events chart), and to filter completed packet captures by related network paths.
  3. Click Start.
    • The capture is started.

Use an existing packet capture as a template

To use an existing packet capture configuration as a template:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to repeat, select > Start Again.
  3. Update the configuration if required.
  4. Click Start.
    • The capture is started.

Edit a packet capture configuration

To edit an existing packet capture configuration:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of the capture you want to edit.
  3. Click Start Again.
  4. Edit the existing fields.
  5. Click Start.
    • The updated capture is started.

Stop a packet capture

A capture can be stopped automatically as part of a stop condition specified when it is started or scheduled, or it can be stopped manually. Stopping a packet capture will not stop a packet capture schedule.

To stop a packet capture manually:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to stop, select > Stop.
    • The capture is stopped.

View packet capture results

To view packet capture results:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of the capture you are interested in.
    • The capture results are displayed on a number of tabs:
      • Overview - provides high-level capture details.
      • Alerts and Warnings - displays the number of packets in the capture that match a predefined set of display filters that identify notable network behavior that you may be interested in.
      • Protocol Breakdown - displays the number of packets, and the number of bytes in those packets, for each protocol in the capture.
      • Conversations - displays the network conversations (traffic between two specific endpoints for a protocol layer) with the highest total number of bytes.
      • Related Network Paths - lists the network paths associated with the capture. Click a path to display all of the captures related to that path.

Note: You can also share a link to the page.

Notes regarding packet order

Note the following regarding packet order:

  • Within a given flow (same Layer 3 source and destination IP addresses), packets will not be reordered. Every packet in a flow will be processed by the same hardware receive queue and thus fed into the capture file (.pcap) in order.
  • Between flows (different Layer 3 source/dest addresses), packets may be reordered. Two flows may not be processed by the same receive queue, which results in nondeterministic ordering when they’re inserted into the final capture file (.pcap).
  • On physical Monitoring Points, sorting by timestamp will produce the correct order. Timestamps are taken before the packets are split into hardware receive queues and thus respect the absolute order of the packet, which means that sorting a capture file (.pcap) by time will produce a better picture of packet ordering than sorting by packet index.
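The ordering notes above, as an added example that is not AppNeta's code: a minimal classic-pcap reader that stable-sorts records by their timestamp, so that packets within one flow keep their file order while the cross-flow interleaving follows time rather than receive queue. It also accepts the gzip-compressed download directly (see Download a packet capture). The sample capture is constructed in-memory; payloads are labels, not real frames.

```python
import gzip
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps

def build_pcap(records):
    """Classic pcap file from (ts_sec, ts_usec, payload) tuples; constructed test data only."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in records)
    return hdr + body

def load_pcap(data):
    """Return [(file_index, (ts_sec, ts_usec), payload)] in file order.
    Accepts the gzip-wrapped download directly, so no rename to .gz is needed."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    pos, recs = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        recs.append((len(recs), (ts_sec, ts_usec), data[pos:pos + incl_len]))
        pos += incl_len
    return recs

def order_by_time(recs):
    """Stable sort on the record timestamp: per-flow order is kept (equal stamps keep
    file order), cross-flow interleaving follows the timestamp rather than the queue."""
    return sorted(recs, key=lambda r: r[1])

# Constructed capture: flows A and B landed on different receive queues, so the file
# holds A1,A2,B1,A3,B2 although the timestamps say A1,B1,A2,B2,A3.
SAMPLE = gzip.compress(build_pcap([
    (0, 100, b"A1"), (0, 300, b"A2"), (0, 200, b"B1"), (0, 500, b"A3"), (0, 400, b"B2"),
]))

def demo():
    """(payloads by packet index, payloads by timestamp) for the constructed capture."""
    recs = load_pcap(SAMPLE)
    return [r[2] for r in recs], [r[2] for r in order_by_time(recs)]
```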

Alert and warning statistic filters

Packet Capture uses the following Wireshark filters to provide alert and warning statistics:

  Filter                          Expression
  ICMP errors or warnings         icmp.type eq 3 or icmp.type eq 4 or icmp.type eq 5
  DNS errors                      dns.flags.rcode > 0
  Bad TCP                         tcp.analysis.flags
  BitTorrent                      bittorrent
  SMTP errors                     smtp.response.code >= 400 and smtp.response.code < 600
  FTP errors                      ftp.response.code >= 400 and ftp.response.code < 600
  HTTP server errors              http.response.code >= 500 and http.response.code < 600
  HTTP client errors              http.response.code >= 400 and http.response.code < 500
  SIP errors                      sip.Status-Code >= 400
  OSPF State Change               ospf.msg != 1
  Spanning Tree topology change   stp.type == 0x80
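To show what two of these display filters test at the byte level, here is an added example (not AppNeta's or Wireshark's code) that evaluates the ICMP and DNS rows over raw Ethernet frames and counts matches the way the Alerts and Warnings tab does. The frames are constructed in-memory with zeroed checksums; the stateful rows (for example Bad TCP) are out of scope here.

```python
import struct

# Constructed test-frame builders (checksums left zero; not real captured traffic).
def ipv4_frame(proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + payload      # Ethernet II, ethertype IPv4
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def dns_response(rcode):   # DNS header only: id, flags (QR|RD|RA + rcode), counts
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 0)
def icmp(type_, code=0):
    return struct.pack("!BBH", type_, code, 0) + b"\x00" * 4

# Two table rows re-expressed as predicates over a decoded packet dict.
FILTERS = {
    "ICMP errors or warnings": lambda p: p["proto"] == 1 and p["icmp_type"] in (3, 4, 5),
    "DNS errors": lambda p: p["proto"] == 17 and 53 in p["ports"] and p["dns_rcode"] > 0,
}

def decode(frame):
    """Decode just enough Ethernet/IPv4/ICMP/UDP+DNS to evaluate FILTERS; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    l4 = frame[14 + ihl:]
    p = {"proto": frame[23], "icmp_type": None, "ports": (), "dns_rcode": 0}
    if p["proto"] == 1 and len(l4) >= 1:
        p["icmp_type"] = l4[0]                                      # icmp.type
    elif p["proto"] == 17 and len(l4) >= 12:
        p["ports"] = struct.unpack("!HH", l4[:4])
        p["dns_rcode"] = struct.unpack("!H", l4[10:12])[0] & 0x0F   # dns.flags.rcode
    return p

def alert_counts(frames):
    """Number of frames matching each filter, as the Alerts and Warnings tab reports."""
    counts = {name: 0 for name in FILTERS}
    for p in filter(None, map(decode, frames)):
        for name, match in FILTERS.items():
            counts[name] += int(match(p))
    return counts

# Constructed sample: one ICMP error, one normal ICMP, one NXDOMAIN reply, one NOERROR reply.
SAMPLE = [
    ipv4_frame(1, icmp(3, 1)),
    ipv4_frame(1, icmp(0)),
    ipv4_frame(17, udp(53, 5353, dns_response(3))),
    ipv4_frame(17, udp(53, 5353, dns_response(0))),
]
```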

Download a packet capture

Packet captures are packaged in a gzip-compressed .pcap file format supported by Wireshark.

To download a packet capture:

  1. Navigate to Usage > Packet Captures.
  2. For the capture you want to download, select > Download.
  3. Enter the packet capture passphrase for the Monitoring Point the capture was taken from.
  4. Click OK.
    • The capture file (.pcap) is downloaded.

To uncompress the downloaded file:

  1. Rename it with a .gz extension.
  2. Unzip it as you would normally.

Rename a packet capture

To rename a packet capture:

  1. Navigate to Usage > Packet Captures.
  2. Click the name of the capture you are interested in.
  3. Click the Overview tab.
  4. In the Name field, click the edit link.
  5. Specify the new name.
  6. Click OK.
    • The capture name is changed.

Add comments to a packet capture

To add comments to a packet capture:

  1. Navigate to Usage > Packet Captures.
  2. Click the name of the capture you are interested in.
  3. Click the Overview tab.
  4. In the Comments field, click the edit link.
  5. Add your comments.
  6. Click OK.
    • Your comments are added to the capture overview.

Delete a packet capture

To delete a packet capture:

  1. Navigate to Usage > Packet Captures.
  2. For the capture you want to delete, select > Delete.
  3. Click OK.
    • The capture is deleted.

Associate a packet capture with a network path

When creating or editing a packet capture configuration, you can associate it with one or more network paths using the Related Network Paths feature. This enables you to easily see all packet captures related to a given network path and to have the packet captures appear in relevant areas of the user interface and reports (for example, on the network path performance Events chart).

You can associate a network path with a packet capture configuration when you create or edit it, or when you are viewing the capture results.

To associate a network path with a packet capture configuration:

  1. Navigate to Usage > Packet Capture.
  2. Access the Start Packet Capture dialog from one of the following:
    • While creating a new packet capture configuration, click + Start New Capture.
    • While editing a packet capture configuration, for the packet capture you want to edit, select > Start Again.
    • While viewing capture results, click the name of the capture you are interested in, then click Start Again.
  3. In the Related Network Paths field, click Edit Related Network Paths.
    • The Edit Related Network Paths dialog appears.
  4. In the Add Related Network Paths dropdown, select the path or paths to associate with the packet capture.
  5. Click OK.
    • The network path or paths are associated with the packet capture.
  6. Click Start.
    • The capture is started.

To remove a related network path from a packet capture:

  1. Navigate to Usage > Packet Capture.
  2. Access the Start Packet Capture dialog from one of the following:
    • While creating a new packet capture configuration, click + Start New Capture.
    • While editing a packet capture configuration, for the packet capture you want to edit, select > Start Again.
    • While viewing capture results, click the name of the capture you are interested in, then click Start Again.
  3. In the Related Network Paths field, click Edit Related Network Paths.
    • The Edit Related Network Paths dialog appears.
  4. In the Related Network Paths section, click Remove next to the network path you want to disassociate from the packet capture.
  5. Click OK.
    • The network path is disassociated from the packet capture.
  6. Click Start.
    • The capture is started.

You can create a list of packet captures related to a network path.

To filter packet captures related to a network path:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of a capture that is related to a network path you are interested in, then click Start Again.
  3. Select the Related Network Paths tab.
  4. In the Related Network Paths section, click the network path you are interested in.
    • A list of packet captures associated with the network path is displayed.

After you have created a list of packet captures associated with a network path, you can remove the filter.

To remove the related network path filter:

  1. Click Remove Path Filter.
    • The filter is removed and all packet captures are listed.