How to use PCAP packet capture (10.x)

Security Gateway Articles and How to's
Peter
Posts: 627
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

How to use PCAP packet capture (10.x)

Post by Peter » 04 Nov 2010, 17:41

This How-to applies to:
  • Clavister Security Gateway 8.x, 9.x and 10.x.
This How-To contains the following sections:
  1. Description
  2. Version differences
  3. Quick syntax example
  4. Before you start
  5. Setup using version 8.x
  6. Setup using version 9.x/10.x
  7. When address translation is involved
  8. Downloading the capture files
  9. Clearing the memory and media (storage) buffer
1. Description:

Sometimes a network problem cannot be solved with the basic tools available, such as logs, CLI output etc. Packet captures can then become necessary in order to find the cause of a complex and/or strange network behavior. The syntax of the PCAP command is not always obvious, and this How-To is meant to give some insight into how to use it and into some of the filters that are commonly used.

2. Version differences:

Version 8.x and 9.x are quite different when it comes to using the PCAP command. In 8.xx some of the PCAP commands need to be performed one after another, while in 9.xx the complete syntax can be given on one line. This is shown in the examples for both 8.xx and 9.xx below. There is also information about the PCAP command in the manual for each version. This How-To will not go into detail about every function of PCAP but rather give some examples of filters and such.

3. Quick syntax example:
For those that are interested in only a quick syntax example, please see below:

8.xx
  • Pcap -size 1024
  • Pcap ip 10.10.10.10 port 80
  • Pcap start lan,dmz
  • <capture required data>
  • Pcap stop
  • Pcap write lan ifacelan.cap
  • Pcap write dmz ifacedmz.cap
  • <download pcap files>
  • Pcap cleanup
9.xx
  • pcap -start lan -port=80 -ip=10.10.10.10 -size=1024
  • pcap -start dmz -port=80 -ip=10.10.10.10 -size=1024
  • <capture required data>
  • pcap -stop
  • pcap -write lan -filename=ifacelan.cap
  • pcap -write dmz -filename=ifacedmz.cap
  • <download pcap files>
  • pcap -cleanup
4. Before you start:

The most common filters one wants to use are those on an IP address or a port. It is possible to use others as well, such as different protocols and MAC addresses, but that is fairly uncommon and will not be discussed in this How-To.

The most common filter is to filter on IP. A common mistake when making a PCAP capture is to filter directly on source or destination. This means that if you want to catch the entire "conversation" between the client and the server, you will only see half of the conversation. That may be useful depending on the situation, but it can also cause problems if you are unfamiliar with the PCAP tool; more on that further on.

Let's say we want to filter on the IP 10.10.10.10 (lan) that wants to reach a server at IP 20.20.20.20 (dmz). Both of these IPs are private IPs used in the internal networks that are routed behind the SGW. There are some problems between these hosts, and we want to see more clearly what is going on between them. They can communicate with each other using normal Allow rules, so no address translation is involved.

Example: Filter on IP, source and/or destination.

5. Setup using version 8.x

By default the memory buffer for the PCAP capture is 512kb, we suspect this will not be enough and increase the buffer to twice that value using the following command:
  • Pcap -size 1024
Next we want to set a filter. Since we want to see the conversation that initiates from 10.10.10.10 to 20.20.20.20 we set the following filter:
  • Pcap ipdest 20.20.20.20
If we were to start the capture now we would get all packets going to 20.20.20.20, but note that it will only be packets sent TO 20.20.20.20, not FROM. This is because we filter on the destination IP address only. Depending on the situation this may be enough, but not in our example as we want to see the whole conversation both TO and FROM 20.20.20.20.

A better filter would then be:
  • Pcap ip 20.20.20.20
Now we will get both the source and destination packets to 20.20.20.20. But this is towards the server, if the problem is only for this specific client a better filter would be to filter on the client.
  • Pcap ip 10.10.10.10
Now, we know that this client and the server are exchanging a lot of data, but our problem is with HTTP only. So it is a good idea to try to narrow down the packet capture as much as possible, and setting a filter on the HTTP port is the way to do that:
  • Pcap ip 10.10.10.10 port 80
The same applies here: we could use the source or destination port, but since we want to see it all we apply the filter "port 80", which matches both source and destination. Note that all filter expressions must be given in the same command line.

Now we start the PCAP capture using the following command:
  • Pcap start lan,dmz
Now we try to reproduce the problem on the client (10.10.10.10), once the problem has been reproduced we stop the capture.
  • Pcap stop
Now we have a PCAP capture buffer that only exists in the memory of the SGW, so we write it down to the media using the write command. Optionally you can use "Pcap status" to see the current status of the PCAP capture you just performed.
  • Pcap write lan ifacelan.cap
    Pcap write dmz ifacedmz.cap
Note: Do not use the same interface name when writing the capture files (such as wan.cap) as it could in some scenarios cause problems writing the capture file.

As you may have noticed we create separate files for each interface. This is extremely useful when trying to determine where the problem is. Is it on the client side or the server side? Or is it perhaps after it has passed the SGW in either direction? Having the packet captures separated based on interface is an easy way to see relevant information. It is however not possible at this time to write down the captures from both Lan and Dmz in the same file.

Once we are done with the packet captures the files need to be downloaded and then analyzed.

This example used IP and Port only, but there are other filter expressions as well depending on your scenario. More filter expressions are explained in the manual and in the pcap command description in the CLI (simply type PCAP).
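As an added example (not part of the original How-To and not Clavister's own tooling), the following Python script parses a classic pcap file such as the ifacelan.cap written above and applies the same kind of ip / ipdest / port filtering, so you can see why a destination-only filter keeps only half of the conversation. The sample capture is constructed inline with the example addresses; the MAC addresses, ports and payloads are assumed.

```python
import struct
from collections import Counter

def _frame(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed; checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def build_sample_pcap():
    """Constructed stand-in for ifacelan.cap: 10.10.10.10 talks HTTP with 20.20.20.20."""
    frames = [
        _frame("10.10.10.10", "20.20.20.20", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
        _frame("20.20.20.20", "10.10.10.10", 80, 40000, b"HTTP/1.0 200 OK\r\n"),
        _frame("10.10.10.10", "20.20.20.20", 40000, 80),
        _frame("10.10.10.10", "30.30.30.30", 40001, 443),  # unrelated flow, should be filtered out
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap global header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1288800000 + i, 0, len(f), len(f)) + f  # per-packet record
    return out

def parse_pcap(data):
    """Yield (src, dst, sport, dport) for every IPv4/TCP frame in a classic (microsecond) pcap."""
    e = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"  # writer's byte order
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 38 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip truncated, non-IPv4 and non-TCP frames
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield src, dst, sport, dport

def summarize(data, ip=None, ipdest=None, port=None):
    """Count packets per (src, dst, dport) after applying pcap-style ip/ipdest/port filters."""
    counts = Counter()
    for src, dst, sport, dport in parse_pcap(data):
        if ip and ip not in (src, dst):          # "ip": either direction
            continue
        if ipdest and dst != ipdest:             # "ipdest": only packets TO that host
            continue
        if port and port not in (sport, dport):  # "port": source or destination port
            continue
        counts[(src, dst, dport)] += 1
    return counts
```

Running summarize() on the same data with ipdest="20.20.20.20" returns only the client-to-server packets, while ip="20.20.20.20" also returns the server's replies; comparing the output for ifacelan.cap and ifacedmz.cap shows on which side of the SGW packets go missing.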

6. Setup using version 9.x/10.x

We recommend that you read through "Setup using version 8.x" first; the syntax is very similar, except that many of the commands are combined into a single command line instead of several in a row as in 8.xx.
  • pcap -start lan -port=80 -ip=10.10.10.10 -size=1024
    pcap -start dmz -port=80 -ip=10.10.10.10 -size=1024
As you see, you need to use two commands in order to start the capture on both Lan and Dmz, instead of only one in 8.xx. The alternative is to use no interface filter at all; then it will default to start capturing on all interfaces. If you are sure that the filter(s) you are using are good enough (i.e. will not match traffic on other interfaces), then it should be no problem to capture on all interfaces. Only packets matching the filter(s) will be captured.

When we are done we stop the capture and write the files to the media in a similar way. Optionally you can use the command "Pcap -status" to see the current status of the PCAP capture you just performed.
  • pcap -stop
    pcap -write lan -filename=ifacelan.cap
    pcap -write dmz -filename=ifacedmz.cap
Note: Do not use the same interface name when writing the capture files (such as wan.cap) as it could in some scenarios cause problems writing the capture file.

Alternatively you can simply use "Pcap -write", then it will automatically write all interface Pcap files with the default naming "<interfacename>.cap".

Once we are done with the packet captures the files need to be downloaded and then analyzed.

This example used IP and Port only, but there are other filter expressions as well depending on your scenario. More filter expressions are explained in the manual and in the pcap command description in the CLI (simply type “PCAP -?”).

7. When address translation is involved

When address translation is involved (such as a NAT rule for outgoing traffic) you may not get the results you expect if you filter on, for example, the client's source IP. The reason is that the source IP of the client changes when it leaves the SGW due to the address translation.

This needs to be taken into account when performing PCAP captures, so the IP of the client may not be a good filter. If possible the filter should then be the destination server (assuming you know the address and that it is not multiple addresses) or the port. If the amount of traffic is not extreme it should be possible to use these kinds of filters.

Another alternative is to temporarily give the client a public IP address and use non address translating rules for its traffic in order to perform the PCAP capture.

8. Downloading the capture files:

For a detailed description on how to download the PCAP capture files, please see the latest manual for the version you are using.

9. Clearing the memory and media (storage) buffer:

When you are done with the pcap captures and the needed files downloaded from the SGW, there is no reason to keep the PCAP memory buffer and/or the files on the storage media. Use the following command to wipe both the memory and the media of any capture files.

8.xx
  • PCAP cleanup
9.xx
  • PCAP -cleanup


Re: How to use PCAP packet capture (10.x)

Post by Peter » 04 Nov 2014, 12:26

Update 2014-11-04:

In version 10.21.00 and above it is now possible to perform a PCAP packet capture and also download the capture files directly from the WebUI.

The new packet capture GUI is located under Status->Tools->Packet Capture.
