Remote packet capturing

Netrounds supports two ways of capturing traffic for packet-by-packet analysis using a packet analyzer such as Wireshark:

  • Remote packet capturing: This method captures traffic on Test Agent interfaces; the traffic can subsequently be downloaded to your PC. The method is accessed from Apps in the main menu.
    • Advantages: Can be used to capture traffic behind a NAT. Distributed captures can be easily triggered.
    • Disadvantages: No real-time capturing. Size of capture is limited.
  • Live remote packet capture: This method captures traffic in real time by forwarding all traffic from the Test Agent directly to Wireshark. The method is accessed under Test Agents by clicking on a Test Agent, then clicking the Applications tab.
    • Advantages: You can capture much more traffic, since the traffic is not stored on the Test Agents, and you can track the capture in real time.
    • Disadvantages: Capture behind NAT is not supported (you need a direct connection to the IP address). Distributed captures are not as easy.

Read more about the capture methods below.

Remote packet capturing

Use this method to capture real user traffic on any of your Test Agent interfaces directly from your Netrounds account.

You can start a capture on multiple interfaces in parallel, and you will see the number of captured packets updated live. When the specified number of packets has been captured, you can download the capture as a .pcap file. If the capture takes too long, you can cancel it at any time and still download the packets captured up to that point.

To configure this method, specify the parameters below, then start the capture by clicking the Start button.

Capture interfaces: Select the Test Agent interfaces on which to perform the packet capture.

Packet size (bytes): The maximum number of bytes to be captured from each packet. The default is 65,535.

Number of packets: The maximum number of packets to be captured on each interface. Min: 1. Max: 1000.

Capture filter: Only packets matching this filter will be captured.  

The RPCAP filter follows the same format as the capture filters in Wireshark. For the syntax of these filters, refer to the Wireshark capture filters wiki.

Some useful predefined filters are available:

  • ip – All IP
  • udp – All UDP
  • tcp – All TCP
  • icmp – All ICMP
  • udp port 53 – DNS
  • tcp port 80 – HTTP
  • port 5060 or port 5061 – SIP
  • tcp port 143 – Only IMAP
  • udp port 161 – Only SNMP

You can also create your own capture filters.

After the capture has finished, you have the option to download and open a .pcap file in Wireshark or in some other packet analyzer of your choice. 

The captured files are not stored on the Test Agents, nor on the Netrounds server.
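As an added example (not Netrounds code), the following Python script reads a downloaded capture and reports whether the Packet size and Number of packets settings limited what was recorded. It assumes the download is a classic libpcap-format .pcap file; the function names and the sample capture are constructed for this example.

```python
import struct

# pcap magic bytes as stored on disk -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}

def summarize_pcap(data, max_packets=1000):
    """Return snaplen, link type, packet count and indexes of truncated packets."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    e = MAGICS[data[:4]]
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    offset, count, truncated = 24, 0, []
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(e + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"record at offset {offset} runs past end of file")
        if incl_len < orig_len:      # packet was cut at the "Packet size" limit
            truncated.append(count)
        offset += 16 + incl_len
        count += 1
    return {"snaplen": snaplen, "linktype": linktype, "packets": count,
            "truncated": truncated,
            # True when the capture stopped at the per-interface packet maximum
            "hit_packet_cap": count >= max_packets}

def build_sample(snaplen, orig_lengths):
    """Constructed sample capture (not real traffic): zero-filled Ethernet frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, orig in enumerate(orig_lengths):
        incl = min(orig, snaplen)
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, incl, orig) + bytes(incl)
    return out

if __name__ == "__main__":
    # Packet size set to 96 bytes: the 1514- and 342-byte frames are truncated.
    sample = build_sample(snaplen=96, orig_lengths=[60, 1514, 90, 342])
    print(summarize_pcap(sample))
```

A non-empty `truncated` list means payload bytes beyond the configured packet size are missing from the file, and `hit_packet_cap` means traffic after the last recorded packet was not captured.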

 

Live remote packet capturing

  • To enable the live capture in the menu, click the Test Agent in the Test Agents listing, then select the Applications tab. Check the Enable box on the right.

  • You now get to select a capture interface and optionally which interface to capture from (the two can be different).

  • Add "<TestAgent_IP>:2002" as a remote interface, and start capturing packets.

For more information on how to capture traffic from remote interfaces using Wireshark, go here.
