Running a Packet Capture

Packet Capture allows support personnel to see the TCP/IP data and other packets going into and out of the appliance. This allows Support to debug the network setup and to discover what network traffic is reaching the appliance or leaving the appliance.

Procedure


Step 1

Choose Help and Support > Packet Capture.

Step 2

Specify packet capture settings:

  1. In the Packet Capture Settings section, click Edit Settings.

  2. (Optional) Enter duration, limits, and filters for the packet capture.

    Your Support representative may give you guidance on these settings.

    If you enter a capture duration without specifying a unit of time, AsyncOS uses seconds by default.

    In the Filters section:

    • Custom filters can use any syntax supported by the Unix tcpdump command, such as host 10.10.10.10 && port 80.
    • The client IP is the IP address of the machine connecting to the appliance, such as a mail client sending messages through the Email Security appliance.
    • The server IP is the IP address of the machine to which the appliance is connecting, such as an Exchange server to which the appliance is delivering messages.

    You can use the client and server IP addresses to track traffic between a specific client and a specific server, with the Email Security appliance in the middle.

  3. Click Submit.

Step 3

Click Start Capture.

  • Only one capture may be running at a time.
  • When a packet capture is running, the Packet Capture page shows the status of the capture in progress by showing the current statistics, such as file size and time elapsed.
  • The GUI displays only packet captures started in the GUI, not those started from the CLI. Similarly, the CLI displays only the status of a packet capture started in the CLI.
  • The packet capture file is split into ten parts. If the file reaches the maximum size limit before the packet capture ends, the oldest part of the file is deleted (the data is discarded) and a new part starts with the current packet capture data. Only 1/10 of the packet capture file is discarded at a time.
  • A running capture started in the GUI is preserved between sessions. (A running capture started in the CLI stops when the session ends.)
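
The ten-part rollover described in the list above, modelled as an added example (it is not Cisco code and not part of the original document), shows which packets are still available for download when a capture outgrows its size limit. Assumptions: each part holds one tenth of the size limit and a packet is never split across parts; the function names and the sample traffic are constructed for illustration.

```python
from collections import deque

PARTS = 10  # the page states the capture file is split into ten parts


def simulate_capture(packets, max_size):
    """Model the ten-part rollover for (timestamp, size_bytes) packets.

    Returns (retained, discarded): the packets still on disk and the
    packets lost to rollover when the capture ends.
    Assumption (not stated on the page): each part holds max_size / PARTS
    bytes and a packet is never split across parts.
    """
    part_limit = max_size // PARTS
    parts = deque([[]])          # oldest part on the left
    used = 0                     # bytes in the current (newest) part
    discarded = []
    for ts, size in packets:
        if size > part_limit:
            raise ValueError("packet larger than one part")
        if used + size > part_limit:
            # Current part is full: start a new one, and if all ten parts
            # are in use, drop the oldest tenth of the capture first.
            if len(parts) == PARTS:
                discarded.extend(parts.popleft())
            parts.append([])
            used = 0
        parts[-1].append((ts, size))
        used += size
    retained = [p for part in parts for p in part]
    return retained, discarded


def retained_window(packets, max_size):
    """Return (first_ts, last_ts) still available for download, or None."""
    retained, _ = simulate_capture(packets, max_size)
    return (retained[0][0], retained[-1][0]) if retained else None


# Constructed sample: one 1000-byte packet per second for 250 seconds,
# captured with a 100,000-byte size limit (10 parts of 10,000 bytes).
SAMPLE = [(t, 1000) for t in range(250)]

if __name__ == "__main__":
    kept, lost = simulate_capture(SAMPLE, 100_000)
    print(f"retained {len(kept)} packets, window {kept[0][0]}s-{kept[-1][0]}s")
    print(f"discarded {len(lost)} packets (oldest first)")
```

Under this model, a capture that has rolled over always retains between nine and ten tenths of the size limit, counted back from the most recent packet, so choose the limit to cover the full length of the event Support needs to see.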

Step 4

Allow the capture to run for the specified duration, or, if you have let the capture run indefinitely, manually stop the capture by clicking Stop Capture.

Step 5

Access the packet capture file:

  • Click the file in the Manage Packet Capture Files list and click Download File.
  • Use FTP or SCP to access the file in the captures subdirectory on the appliance.

What to do next

Make the file available to Support: