Capture all traffic to one device in a pcap file

triggers

#1

I am trying to capture all the traffic to one of the servers using the pcap feature for a period of time when we have an issue crawling up.

Below is what I have but there are a few things that are messing up. I am trying to get traffic to or from one IP and the traffic that is captured is not contained to just that IP. I assigned this trigger to the subject device.

Any help is greatly appreciated.
I’d also like to understand the relation between setting up the capture options on the administration page and setting them up in the trigger itself.

// Name the capture after the server side of the flow and start it with default options.
var pcapName = 'OnDemand_' + Flow.server.ipaddr;
Flow.captureStart(pcapName);
debug('Start PCAP: ' + pcapName);

#2

// Capture traffic to a specific server on a specific port.
// Re-use this trigger for other server IPs and ports by changing them in the 'dest_server' section below.

/*--------------Configuration--------------------*/
var dest_server = {
    ipaddr: '64.68.124.141', // change this to match the destination server you want to capture.
    port: 1270 // change this to match the destination port you want to capture.
};

// Name the pcap after the client and server endpoints of the matching flow.
var pcapName = 'OnDemand_' + Flow.client.ipaddr + ':' + Flow.client.port + ' TO -> ' + Flow.server.ipaddr + ':' + Flow.server.port;
/*-------------End configuration values--------------*/

// Don't touch the values below.
if (Flow.server.ipaddr == dest_server.ipaddr && Flow.server.port == dest_server.port) {
    // Test passed, start packet capture
    var opts = { maxPackets: 2000 };
    Flow.captureStart(pcapName, opts);
    debug('Start PCAP: ' + pcapName);
} else {
    return; // Bail, no match.
}


#3

Hi Clint, first off, thank you so very much for the answer. How can I capture the traffic on all ports? I don't want to contain myself to one port.


#4

Try this:

/*--------------Configuration--------------------*/
var dest_server = { ipaddr: '64.68.124.141' }; // change this to match the destination server you want to capture.
var pcapName = 'OnDemand_' + Flow.client.ipaddr + ' TO -> ' + Flow.server.ipaddr;
/*-------------End configuration values--------------*/

// Don't touch the values below.
if (Flow.server.ipaddr == dest_server.ipaddr) { // Test passed (any port), start packet capture
    var opts = { maxPackets: 2000 };
    Flow.captureStart(pcapName, opts);
    debug('Start PCAP: ' + pcapName);
} else {
    return; // Bail, no match.
}
/*--------------End of trigger------------------*/
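The first post asked for traffic to or from one IP, while the answers only match when that IP is the server. The following is an added example, not code from the thread or from ExtraHop: it matches the target on either side of the flow, and factors the trigger body into plain functions so the logic can be run offline in Node against a constructed Flow object. Flow.client.ipaddr, Flow.server.ipaddr, Flow.captureStart(name, opts), maxPackets and debug() are the trigger API names used in the thread; the sample addresses and the stand-in Flow object are constructed.

```javascript
// Added example: capture flows where the target host is on EITHER side, on any port.
// Flow.client/server.ipaddr, Flow.captureStart(name, opts) and debug() are the
// ExtraHop trigger names used in the thread; the objects below are test stand-ins.

// The device we want to watch (constructed sample address).
var TARGET_IP = '10.0.0.25';

// True if the target is the client OR the server of this flow, so we get traffic
// to and from the host on every port, not just flows where it is the server.
function flowMatchesHost(flow, ip) {
    return flow.client.ipaddr === ip || flow.server.ipaddr === ip;
}

// Build the pcap name as posts #2 and #4 do, with a fixed per-target prefix so
// every capture for one host is easy to find together.
function pcapNameFor(flow, ip) {
    return 'OnDemand_' + ip + '_' + flow.client.ipaddr + ':' + flow.client.port +
        '_TO_' + flow.server.ipaddr + ':' + flow.server.port;
}

// What the trigger would do for one flow. captureStart and log are passed in so
// the function can be exercised without the ExtraHop runtime; returns the name
// of the capture it started, or null when the flow does not involve the target.
function runTrigger(flow, ip, captureStart, log) {
    if (!flowMatchesHost(flow, ip)) {
        return null; // bail, no match
    }
    var name = pcapNameFor(flow, ip);
    captureStart(name, { maxPackets: 2000 }); // same maxPackets limit as the thread's answers
    log('Start PCAP: ' + name);
    return name;
}

// Constructed stand-in for the Flow object: here the target is the CLIENT, which
// the server-only checks in posts #2 and #4 would have skipped.
var sampleFlow = {
    client: { ipaddr: '10.0.0.25', port: 51234 },
    server: { ipaddr: '192.0.2.10', port: 443 }
};

// Record what a real trigger would have started instead of calling Flow.captureStart.
var started = [];
runTrigger(sampleFlow, TARGET_IP, function (name, opts) { started.push(name); }, function () {});
```

In the real trigger the two callbacks become Flow.captureStart and debug, and the name is still per flow, so one host that opens many connections starts one capture per matching flow.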