APM packet capture analysis
- Navigate to Usage > Packet Capture.
- Click on any link to see detailed capture results.
Packet Capture uses the following Wireshark filters to provide alert and warning statistics:
| Alert or warning | Wireshark filter |
|---|---|
| DNS errors | dns.flags.rcode > 0 |
| SMTP errors | smtp.response.code >= 400 and smtp.response.code < 600 |
| FTP errors | ftp.response.code >= 400 and ftp.response.code < 600 |
| HTTP server errors | http.response.code >= 500 and http.response.code < 600 |
| HTTP client errors | http.response.code >= 400 and http.response.code < 500 |
| SIP errors | sip.Status-Code >= 400 |
| ICMP errors or warnings | icmp.type eq 3 or icmp.type eq 4 or icmp.type eq 5 |
| Spanning Tree topology change | stp.type == 0x80 |
- Click a non-link portion of any row to reveal the side panel.
- Packet Capture presents analysis of the packet capture over several tabs on the capture details page. There are only a few actions you can perform on this page:
- Download the capture, start a new capture based on the same parameters, or delete the capture.
- On the overview tab, edit the capture name and add comments.
- On the related paths tab, click a path to display all of the captures related to that path.
Note the following regarding packet order:
- Within a given flow (same Layer 3 source and destination IP addresses), packets will not be reordered. Every packet in a flow will be processed by the same hardware receive queue and thus fed into the PCAP in order.
- Between flows (different Layer 3 source/dest addresses), packets may be reordered. Two flows may not be processed by the same receive queue, which results in nondeterministic ordering when they’re inserted into the final PCAP file.
- On physical monitoring points, sorting by timestamp will produce the correct order. Timestamps are taken before the packets are split into hardware receive queues and thus respect the absolute order of the packet, which means that sorting a PCAP by time will produce a better picture of packet ordering than sorting by packet index.
Download a packet capture
Packet captures are packaged as a gzip-compressed .pcap file, a delivery format supported by Wireshark.
- Navigate to Usage > Packet Captures.
- Select > Download.
- Enter your passphrase when prompted.
- To uncompress the file:
- Rename it with a .gz extension.
- Unzip it as you would normally.
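The download and packet-order notes above, as an added example (not code from the product documentation): a standard-library Python script that decompresses a gzip-compressed .pcap and rewrites it in timestamp order, counting out-of-order records before and after. The function names and the sample packets are constructed for illustration, and the script assumes the classic pcap layout rather than pcapng.

```python
import gzip
import struct

# Classic pcap magic numbers as they appear on disk -> struct byte-order prefix
# (microsecond and nanosecond variants for each byte order).
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def parse_pcap(blob):
    """Return (global_header, records); each record is (ts_sec, ts_frac, raw_bytes)."""
    if blob[:2] == b"\x1f\x8b":           # gzip magic: the download is compressed
        blob = gzip.decompress(blob)
    endian = MAGIC.get(blob[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    records, off = [], 24                 # the global header is 24 bytes
    while off + 16 <= len(blob):          # each record header is 16 bytes
        ts_sec, ts_frac, incl_len, _orig = struct.unpack_from(endian + "4I", blob, off)
        end = off + 16 + incl_len
        if end > len(blob):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_frac, blob[off:end]))
        off = end
    return blob[:24], records

def out_of_order(records):
    """Count records whose timestamp is earlier than the record before them."""
    return sum(1 for a, b in zip(records, records[1:]) if b[:2] < a[:2])

def sort_by_time(blob):
    """Return an uncompressed pcap with the records in timestamp order."""
    header, records = parse_pcap(blob)
    # sorted() is stable, so records with equal timestamps keep their file order.
    return header + b"".join(r[2] for r in sorted(records, key=lambda r: r[:2]))

def build_sample():
    """Constructed sample: gzip-compressed pcap, two flows interleaved out of order.
    The payloads are placeholder bytes, not real frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(100, 500, b"flowA-1"), (100, 200, b"flowB-1"), (100, 900, b"flowA-2")]
    body = b"".join(struct.pack("<4I", s, us, len(p), len(p)) + p for s, us, p in pkts)
    return gzip.compress(hdr + body)

if __name__ == "__main__":
    sample = build_sample()
    print("out of order before:", out_of_order(parse_pcap(sample)[1]))
    print("out of order after: ", out_of_order(parse_pcap(sort_by_time(sample))[1]))
```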