Question & Answer
Packet capture tuning parameters

The following tuning parameters can be added to the sensor to modify its default behavior in regard to packet capture size and time limitations.

Name                         Default    Minimum    Maximum      Description
(name missing from source)   10000      10         20000        Sets the maximum file count for capture files.
pktcap.file.maxsize          5000000    1000000    500000000    Sets the maximum individual capture file size in bytes.
pktcap.file.timeout          120        0          86400        Sets the maximum capture timeout period in seconds.
pktcap.diskspace.percent     4          1          20           Sets the maximum allowed disk space utilization in percent of total disk space.
pktcap.alpsd.interval        60         1          3600         Sets the period in seconds for monitoring capture timeout.

After configuring the parameters, use the following instructions to verify that your settings were accepted by the appliance.
- Log in to the XGS using the admin account via SSH connection.
- Navigate to the capture submenu by entering the following sequence of commands:
  tools
  capture
- Enter the following command:
  limits
Protection interface captures
- Log in to the XGS using the admin account via SSH connection.
- Navigate to the pinterface submenu by entering the following sequence of commands:
  tools
  capture
  pinterface
- Run the show command to ensure that there are no filters applied. If any filters are present, enter the remove command to clear them. Once there are no filters, enter the add command to add a generic filter as shown below:
  xgs5100:pinterface> add
  Added Filter (id=1)
  xgs5100:pinterface> show
  Id Interface Saddr Sport Daddr Dport Vlan Proto eType
  1 any any any any any any any any

  Notes:
  - It is highly recommended to add a more specific filter than the basic example listed above.
  - To capture traffic from a specific IP, you can use ifname X.X src host x.x.x.x, where X.X is the interface and x.x.x.x is the source IP address.
  - To capture traffic on a specific interface, you can use the ifname X.X filter. For example, to only capture traffic on interface 1.3, you would enter add ifname 1.3 for your filter.
  - You can make use of the start help command for detailed usage for protection interface filtering and capture.
  - If an additional filter is added, id=2 for example, and you delete filter 1 (id=1), the capture will fail to record any traffic. Filter 1 (id=1) must be present in order for the capture to function.
- Start the packet capture by entering the start command. This will cause the capture to run until it reaches one of the pre-defined limits that are described in the "Packet capture tuning parameters" section of this article.
  If you want the capture to run for a set time and then stop, include the -T option, specifying the time interval in seconds (minimum: 60). This will cause the packet capture to continue for the specified amount of time, or until the maximum size (default: 5 MB) is reached. If the time interval is not set, the packet capture will continue until stopped manually or until it reaches the other defined capture limits.
  If you want to capture more than the pre-defined file size of traffic, include the -C, -W, and -w options, specifying the maximum size in MB, the maximum number of files (value between 1 and 10), and the base file name.
  Example: If you want to gather a capture for 60 seconds, with a maximum of ten 20 MB files gathered, you would enter the following command:
  start -T 60 -C 20 -W 10 -w test.pcap
  Important: Packet captures can grow very large when capturing high volume network segments.
- Replicate the issue that you are trying to capture.
- Stop the capture manually with the stop command or wait for it to reach your configured time limit.
- Download the captures from the XGS sensor.
  - To download the captures to a connected USB device, enter the back command to return to the capture menu and then enter the download command.
  - Download the packet capture files from the Local Management Interface (LMI) by going to Manage System Settings > System Settings > Packet Captures.
- Add the capture file(s) to a compressed file. Send the compressed file containing the logs to IBM Support using Enhanced Customer Data Repository (ECuRep).
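Because a protection interface capture silently records nothing when filter id=1 is missing, it is worth checking the pinterface show table before entering start. The following added example (not part of the IBM article or the XGS software) parses a saved copy of that table and reports whether the capture can run and whether any filter is broader than the article recommends; both sample tables are constructed for the example.

```python
"""Pre-flight check of an XGS pinterface filter table (added example, not IBM code)."""

# Constructed sample of what the pinterface "show" command prints on the page.
SHOW_OUTPUT_GENERIC = """\
Id Interface Saddr Sport Daddr Dport Vlan Proto eType
1 any any any any any any any any
"""

# Constructed: filter 1 was deleted and only a later filter remains,
# which the article says leaves the capture recording no traffic.
SHOW_OUTPUT_NO_FILTER_1 = """\
Id Interface Saddr Sport Daddr Dport Vlan Proto eType
2 1.3 10.0.0.5 any any any any any any
"""

COLUMNS = ["Id", "Interface", "Saddr", "Sport", "Daddr", "Dport", "Vlan", "Proto", "eType"]


def parse_show(output):
    """Turn the whitespace-separated show table into one dict per filter.

    The header row is compared with the column names printed by the appliance
    so a truncated or changed table is rejected instead of misparsed.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines or lines[0].split() != COLUMNS:
        raise ValueError("unexpected pinterface show header: %r" % (lines[:1],))
    filters = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(COLUMNS):
            raise ValueError("malformed filter row: %r" % ln)
        row = dict(zip(COLUMNS, fields))
        row["Id"] = int(row["Id"])
        filters.append(row)
    return filters


def check_filters(output):
    """Return (can_capture, warnings) for a pinterface show table."""
    filters = parse_show(output)
    if 1 not in {f["Id"] for f in filters}:
        # Filter id=1 must exist for the capture to function at all.
        return False, ["filter id=1 is missing; re-add a filter before start"]
    warnings = []
    for f in filters:
        # Every match column set to "any" is the generic filter the article warns about.
        if all(f[c] == "any" for c in COLUMNS[1:]):
            warnings.append("filter id=%d matches all traffic; add a more specific filter" % f["Id"])
    return True, warnings
```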
Management interface captures

The management interfaces are used by the sensor to allow users access to the Local Management Interface (LMI) and to communicate with the SiteProtector management software when registered there.
- Log in to the XGS using the admin account via SSH connection.
- Navigate to the minterface submenu by entering the following sequence of commands:
  tools
  capture
  minterface
- Use the tcpdump command to run the capture on the system.
  Example: If you want to capture traffic to and from the 198.168.1.2 address on the M.1 interface and save it to a file named mcapture.cap, you would enter:
  tcpdump -i M.1 -n host 198.168.1.2 -w mcapture.cap
  Note: You can review detailed usage instructions for the command by entering tcpdump help.
- Replicate the issue that you are trying to capture.
- Press Ctrl+C to stop the capture.
- Download the captures from the XGS sensor.
  - To download the captures to a connected USB device, enter the back command to return to the capture menu and then enter the download command.
  - Download the packet capture files from the Local Management Interface (LMI) by going to Manage System Settings > System Settings > Packet Captures.
- Add the capture file(s) to a compressed file. Send the compressed file containing the logs to IBM Support using Enhanced Customer Data Repository (ECuRep).
The protection interfaces are used by the sensor to scan network traffic for security issues.
Document Information
Modified date: 20 September 2022
UID: swg21883213