Packet Capture is a way of setting up a monitoring point to copy and store IP packets that it sees on its Usage monitoring interface. A monitoring point captures packets based on user-defined parameters that include which packets to capture, how much of each packet to capture, and when to start and stop capturing. Packets from AppNeta monitoring, assessments, diagnostic tests, and monitoring point communication are not captured.

The captured packets are packaged into a standard file format and securely uploaded to AppNeta Performance Manager (APM). You can view the results there, or you can download the capture file to analyze using third-party software (for example, Wireshark).

Start a packet capture

Before you start a packet capture, the monitoring point must be set up for packet capture. You can then start a new capture, or use the configuration of an existing capture as a template for a new one.

Capture files are capped at 1GB or 1 million packets, whichever comes first. In addition, regardless of the stop conditions specified, capturing stops when the free space remaining on the monitoring point is too low:

  • For full-packet captures (where up to 1500 bytes of each packet are captured), capturing stops when less than 10MB remains on the device.
  • For partial-packet captures (where fewer than 1500 bytes of each packet are captured), capturing stops when less than 1MB remains on the device.

Start a new packet capture

To start a new packet capture:

  1. Navigate to Usage > Packet Capture.
  2. Click + Start New Capture.
    • In the Name field, specify a name for the capture.
    • In the Monitoring Point dropdown, select the monitoring point to capture from.
    • In the Capture Interface dropdown, select the monitoring point capture interface to use.
    • In the Packet Limit field, specify the maximum number of bytes of each captured packet to store (the snapshot length).
      • Default: 96 bytes. Range: 68 - 65,535
      • The 96-byte default keeps the Ethernet, IP and transport headers of most packets but drops most of the application payload, which keeps the capture small and limits how much potentially sensitive content is stored.
      • Deselect this option to capture entire packets.
    • In the Capture Filter field, use a filter to specify which packets are captured.
      • The filter uses libpcap syntax (for example, "host 10.1.2.3 and tcp port 443" captures only TCP traffic to or from port 443 on that host). For more examples, click the icon. Filtering for only the traffic you care about reduces the capture size, which gives a longer capture duration and keeps the capture analysis focused on the problem you are trying to solve.
      • Leave the field blank to capture all packets.
    • In the Capture Stop Condition(s) field, specify when to stop the capture.
    • In the Related Network Paths field, specify network paths associated with the capture to have the path name appear in relevant areas of the user interface and reports.

Use an existing packet capture as a template

To use an existing packet capture configuration as a template:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to repeat, select > Start Again.
  3. Update the configuration if required.
  4. Click Start.
    • The capture is started.

Stop a packet capture

A capture can be stopped automatically as part of a stop condition specified when it is started or scheduled, or it can be stopped manually. Stopping a packet capture will not stop a packet capture schedule.

To stop a packet capture manually:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to stop, select > Stop.
    • The capture is stopped.

View packet capture results

To view packet capture results:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of the capture you are interested in.
    • The capture results are displayed on a number of tabs:
      • Overview - provides high-level capture details.
      • Alerts and Warnings - displays the number of packets in the capture that match each of a predefined set of Wireshark display filters identifying notable network behavior (the filters are listed under "Alert and warning statistic filters" below).
      • Protocol Breakdown - displays the number of packets, and the number of bytes in those packets, for each protocol in the capture.
      • Conversations - displays the network conversations (traffic between two specific endpoints for a protocol layer) with the highest total number of bytes.
      • Related Network Paths - lists the network paths associated with the capture. Click a path to display all of the captures related to that path.

Notes regarding packet order

Note the following regarding packet order:

  • Within a given flow (same Layer 3 source and destination IP addresses), packets are not reordered. Every packet in a flow is processed by the same hardware receive queue and is therefore written to the capture file (.pcap) in order.
  • Between flows (different Layer 3 source/destination addresses), packets may be reordered. Two flows are not necessarily processed by the same receive queue, so the order in which their packets are written to the final capture file (.pcap) is nondeterministic.
  • On physical monitoring points, sorting by timestamp produces the correct order. Timestamps are taken before packets are split across hardware receive queues, so they reflect the absolute arrival order; sorting a capture file (.pcap) by time therefore gives a truer picture of packet ordering than sorting by packet index.

Alert and warning statistic filters

Packet Capture uses the following Wireshark display filters (not libpcap capture filters) to produce the Alerts and Warnings statistics:

Filter                          Expression
ICMP errors or warnings         icmp.type eq 3 or icmp.type eq 4 or icmp.type eq 5
DNS errors                      dns.flags.rcode > 0
Bad TCP                         tcp.analysis.flags
BitTorrent                      bittorrent
SMTP errors                     smtp.response.code >= 400 and smtp.response.code < 600
FTP errors                      ftp.response.code >= 400 and ftp.response.code < 600
HTTP server errors              http.response.code >= 500 and http.response.code < 600
HTTP client errors              http.response.code >= 400 and http.response.code < 500
SIP errors                      sip.Status-Code >= 400
OSPF State Change               ospf.msg != 1
Spanning Tree topology change   stp.type == 0x80

Download a packet capture

Packet captures are packaged as gzip-compressed .pcap files, a format supported by Wireshark.

To download a packet capture:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to download, select > Download.
  3. Enter the packet capture passphrase configured for the monitoring point the capture was taken from.
  4. Click OK.
    • The capture file (.pcap) is downloaded.

To uncompress the downloaded file:

  1. Rename it with a .gz extension.
  2. Unzip it as you would normally (for example, with gunzip). Wireshark can also open gzip-compressed capture files directly, so this step is only needed for tools that cannot.
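Once the file is on your workstation, the packet-order notes and the alert and warning filters earlier on this page can be applied to it. The following is an added example (Python, not AppNeta code) that reads a downloaded capture whether it is still gzip-compressed or already uncompressed, writes it back out sorted by timestamp as the packet-order notes recommend, and counts two of the alert/warning statistics (ICMP types 3/4/5 and DNS rcode > 0) from the raw headers. It assumes the classic pcap format rather than pcapng and Ethernet/IPv4 frames, and it uses a small sample capture constructed inline rather than a real download; all function and constant names are the example's own.

```python
"""Post-process a downloaded AppNeta capture: decompress it, put packets back into
timestamp order (undoing the cross-flow reordering described above) and count two of
the alert/warning statistics the page lists (ICMP type 3/4/5, DNS rcode > 0).
Added example, not AppNeta code: classic pcap only (no pcapng), Ethernet/IPv4 only,
and the sample packets below are constructed here rather than taken from a capture."""
import gzip
import struct

# pcap magic (read big-endian) -> (struct byte order, timestamp fraction units per second)
MAGICS = {
    0xA1B2C3D4: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xD4C3B2A1: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xA1B23C4D: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
    0x4D3CB2A1: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
}

def read_pcap(blob):
    """Parse a raw or gzip-compressed pcap into (global_header, byte_order,
    fraction_scale, records); records are (ts_sec, ts_frac, orig_len, packet_bytes)."""
    if blob[:2] == b"\x1f\x8b":                 # downloaded files are gzip-compressed
        blob = gzip.decompress(blob)
    magic = struct.unpack(">I", blob[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    order, scale = MAGICS[magic]
    records, off = [], 24                       # skip the 24-byte global header
    while off + 16 <= len(blob):                # 16-byte record header per packet
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", blob[off:off + 16])
        pkt = blob[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((ts_sec, ts_frac, orig_len, pkt))
        off += 16 + incl_len
    return blob[:24], order, scale, records

def write_pcap(header, order, records):
    out = [header]
    for ts_sec, ts_frac, orig_len, pkt in records:
        out.append(struct.pack(order + "IIII", ts_sec, ts_frac, len(pkt), orig_len) + pkt)
    return b"".join(out)

def sort_by_timestamp(records):
    """Stable sort on (seconds, fraction): packets of one flow keep their already
    correct relative order, packets from other receive queues slot in by time."""
    return sorted(records, key=lambda r: (r[0], r[1]))

def sort_capture(blob):                         # raw-or-gzip pcap in, ordered raw pcap out
    header, order, _scale, records = read_pcap(blob)
    return write_pcap(header, order, sort_by_timestamp(records))

def classify(pkt):
    """Apply two of the page's display filters to one Ethernet/IPv4 frame:
    'icmp.type eq 3 or 4 or 5' -> 'icmp_error', 'dns.flags.rcode > 0' -> 'dns_error'.
    Only headers are inspected, so the default 96-byte partial capture is enough."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # need Ethernet + IPv4 headers
        return None
    l4 = 14 + (pkt[14] & 0x0F) * 4              # IHL gives the IPv4 header length
    proto = pkt[23]
    if proto == 1 and len(pkt) > l4 and pkt[l4] in (3, 4, 5):
        return "icmp_error"                     # unreachable / source quench / redirect
    if proto == 17 and len(pkt) >= l4 + 12:     # UDP header (8) + DNS id and flags (4)
        sport, dport = struct.unpack(">HH", pkt[l4:l4 + 4])
        flags = struct.unpack(">H", pkt[l4 + 10:l4 + 12])[0]
        if 53 in (sport, dport) and flags & 0x000F:   # RCODE is the low nibble
            return "dns_error"
    return None

def alert_counts(records):
    counts = {"icmp_error": 0, "dns_error": 0}
    for _, _, _, pkt in records:
        kind = classify(pkt)
        if kind:
            counts[kind] += 1
    return counts

# --- constructed sample capture (IP/UDP checksums left zero; nothing above validates them) ---
def _frame(proto, payload):                     # Ethernet II + minimal IPv4 header + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + payload

def _dns_reply(rcode):                          # UDP from port 53 + DNS header, QR=1, given RCODE
    return (struct.pack(">HHHH", 53, 40000, 20, 0)
            + struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 0))

_HDR = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)   # snaplen 96, link type Ethernet
_PKTS = [   # deliberately out of time order, as two interleaving receive queues would produce
    (100, 200, _frame(17, _dns_reply(3))),      # NXDOMAIN answer
    (100, 100, _frame(1, b"\x03" + bytes(7))),  # ICMP destination unreachable
    (100, 300, _frame(17, _dns_reply(0))),      # clean DNS answer, not an error
    (100, 150, _frame(1, b"\x08" + bytes(7))),  # ICMP echo request, not an error
]
SAMPLE_PCAP = write_pcap(_HDR, ">", [(s, f, len(p), p) for s, f, p in _PKTS])
SAMPLE_GZ = gzip.compress(SAMPLE_PCAP)          # as it would come out of the download

if __name__ == "__main__":
    before = [(r[0], r[1]) for r in read_pcap(SAMPLE_GZ)[3]]
    after = [(r[0], r[1]) for r in read_pcap(sort_capture(SAMPLE_GZ))[3]]
    print(before, "->", after)
    print(alert_counts(read_pcap(SAMPLE_GZ)[3]))
```

Run it as a script to see the sample's timestamps before and after sorting, and the two counts. For real captures, Wireshark's bundled reordercap tool does the same timestamp reordering (reordercap in.pcap out.pcap), and the remaining statistics in the table above are easiest to reproduce with tshark -r capture.pcap -Y '<filter>' rather than by hand; the point of the hand-rolled version is to show which header bytes each filter actually tests and that a 96-byte snapshot length is enough for them.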

Rename a packet capture

To rename a packet capture:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of the capture you are interested in.
  3. Click the Overview tab.
  4. In the Name field, click the edit link.
  5. Specify the new name.
  6. Click OK.
    • The capture name is changed.

Add comments to a packet capture

To add comments to a packet capture:

  1. Navigate to Usage > Packet Capture.
  2. Click the name of the capture you are interested in.
  3. Click the Overview tab.
  4. In the Comments field, click the edit link.
  5. Add your comments.
  6. Click OK.
    • Your comments are added to the capture overview.

Delete a packet capture

To delete a packet capture:

  1. Navigate to Usage > Packet Capture.
  2. For the capture you want to delete, select > Delete.
  3. Click OK.
    • The capture is deleted.