Captures in progress

Possible operations

Refresh list of captures

Refreshes the list of captures in progress and information about them.

Creating a capture

Creates a new capture. The procedure is explained in the following section.

Stop capture

Stops a capture in progress. Select the relevant capture beforehand.

Restart capture

Makes it possible to replay a capture by pre-entering its parameters in the window to create a new capture. Select the relevant capture beforehand.

Copy filter

Copies the capture’s TCPDump filter. Select the relevant capture beforehand. The copied filter can later be used to create a new capture.

Creating a capture

You can launch up to five simultaneous captures but only one at a time per interface. Do note that this may affect the firewall’s performance when network captures are in progress. If the disk space used by the captures reaches or exceeds 95%, new captures can no longer be launched. When this threshold is reached, all captures in progress will automatically stop.

To start a capture, click Create a capture and choose from:

  • TCPDump filter: makes it possible to create a capture by manually entering the filter. You must know the format of the TCPDump filters or already have the filter.

  • Filter creation wizard: creates a capture via a wizard to build a TCPDump filter step by step.

Once the creation window is open, enter the following information:

Interface

Select the interface on which network traffic will be captured.
Do note that loopback interfaces cannot be selected for a network capture, to avoid capturing decrypted SSL proxy traffic.

Max. duration (sec)

Specify the maximum duration of the packet capture. This value cannot exceed 172800 seconds, i.e., 48 hours. The capture will automatically stop once the maximum duration is reached, unless another parameter stops the capture before that.

Max. no. of packets

Specify the maximum number of packets that can be captured. This value must not exceed 2147483647. The capture will automatically stop once this number is reached, unless another parameter stops the capture before that.

Packet size limit

You can set a limit for the size of captured packets. Packets that exceed this size will be truncated. A value of 0 makes it possible to capture full packets. This value must not exceed 262144.

TCPDump filter

If you have selected TCPDump filter, only the TCPDump filter field appears. Enter the filter in the field.


If you have selected Filter creation wizard, several fields will appear. Fill in only the fields needed for your capture.

  • Transport protocols: enter the transport protocols (TCP, UDP, ICMP, etc.) involved in the capture.

  • Network protocols: enter the network protocols (IP, IP6, ARP, etc.) involved in the capture.

  • Bimap: this checkbox is selected by default and makes it possible to apply the same Host, MAC address and Port values to both the source and the destination. Unselect this checkbox to access the separate Source and Destination tabs.

    • Hosts: enter the IP addresses of the hosts involved in the capture.

    • MAC addresses: enter the MAC addresses involved in the capture.

    • Ports: enter the ports involved in the capture.

NOTE
Use the Equal to or Different from attribute according to what you wish to capture. Click on the icon next to the text zone to change the attribute.
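The following Python script is an added example and is not the firewall’s own code. It reproduces the wizard inputs described above (transport and network protocols, hosts, MAC addresses, ports, the Bimap checkbox and the Equal to / Different from attribute) and turns them into the tcpdump (BPF) filter text that could be pasted into the TCPDump filter field instead. Class and function names (Match, Endpoint, WizardFilter, build_filter) are invented for the example, and the exact expression the product’s wizard generates is an assumption; the output follows standard tcpdump filter syntax.

```python
"""Build a tcpdump (BPF) filter string from wizard-style capture fields.

Added example, not Stormshield's own code. It models the wizard fields
described in the documentation; the expression layout the real wizard
produces is an assumption, but the output is valid tcpdump syntax.
"""
from dataclasses import dataclass, field


@dataclass
class Match:
    """One wizard text zone plus its Equal to / Different from attribute."""
    values: list = field(default_factory=list)
    different: bool = False          # True = "Different from", False = "Equal to"


@dataclass
class Endpoint:
    """Hosts, MAC addresses and ports of one side (Source or Destination tab)."""
    hosts: Match = field(default_factory=Match)
    macs: Match = field(default_factory=Match)
    ports: Match = field(default_factory=Match)


@dataclass
class WizardFilter:
    transport: Match = field(default_factory=Match)     # tcp, udp, icmp, ...
    network: Match = field(default_factory=Match)       # ip, ip6, arp, ...
    bimap: bool = True                                   # same values for src and dst
    source: Endpoint = field(default_factory=Endpoint)
    destination: Endpoint = field(default_factory=Endpoint)  # used only if bimap is False


# BPF qualifier for each field: (either direction, source only, destination only)
PRIMITIVES = {
    "hosts": ("host", "src host", "dst host"),
    "macs": ("ether host", "ether src", "ether dst"),
    "ports": ("port", "src port", "dst port"),
}


def _clause(qualifier, match):
    """Join the values of one field with 'or'; wrap in 'not (...)' for Different from."""
    if not match.values:
        return None
    prefix = f"{qualifier} " if qualifier else ""
    expr = " or ".join(f"{prefix}{v}" for v in match.values)
    if match.different:
        return f"not ({expr})"
    return f"({expr})" if len(match.values) > 1 else expr


def build_filter(wf):
    """Return the BPF filter string; an empty string means 'capture everything'."""
    clauses = [_clause("", wf.transport), _clause("", wf.network)]
    if wf.bimap:
        # Bimap: one set of values matches either direction (plain host/port/ether host)
        for name, (either, _src, _dst) in PRIMITIVES.items():
            clauses.append(_clause(either, getattr(wf.source, name)))
    else:
        # Source and Destination tabs filled separately: directional qualifiers
        for idx, endpoint in ((1, wf.source), (2, wf.destination)):
            for name, qualifiers in PRIMITIVES.items():
                clauses.append(_clause(qualifiers[idx], getattr(endpoint, name)))
    return " and ".join(c for c in clauses if c)


if __name__ == "__main__":
    # Constructed sample inputs: TCP traffic to or from 10.0.0.1 on port 443, Bimap on
    simple = WizardFilter(
        transport=Match(["tcp"]),
        source=Endpoint(hosts=Match(["10.0.0.1"]), ports=Match(["443"])),
    )
    print(build_filter(simple))            # tcp and host 10.0.0.1 and port 443

    # Bimap off: from one host towards web ports, excluding nothing
    directional = WizardFilter(
        transport=Match(["tcp", "udp"]),
        bimap=False,
        source=Endpoint(hosts=Match(["10.0.0.5"])),
        destination=Endpoint(ports=Match(["80", "443"])),
    )
    print(build_filter(directional))
    # (tcp or udp) and src host 10.0.0.5 and (dst port 80 or dst port 443)

    # "Different from" on the port field: everything except SSH
    print(build_filter(WizardFilter(source=Endpoint(ports=Match(["22"], different=True)))))
    # not (port 22)
```

Each non-empty field becomes one clause joined with `and`, values inside a field are joined with `or`, and the Different from attribute negates the whole field, which is also how the wizard fields above combine conceptually: all filled-in fields must match at once. With Bimap selected the script emits the direction-less qualifiers (`host`, `port`, `ether host`), so the same values match packets in either direction; clearing it switches to the `src`/`dst` forms per tab.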

Once you have entered the information, click on Start to launch the capture. While it is running, you can quit the Network captures module and come back to it later.

NOTE
In high availability (HA) configurations, network captures can only be stopped from the firewall that launched the captures. During the switch from the active firewall to the passive firewall, captures in progress will continue to run until they automatically stop when the Max. duration (sec) value is reached.

The table

Interface

Interface on which the capture is currently running.

TCPDump filter

Capture’s TCPDump filter.

Max. capture duration

Maximum duration of the packet capture.

Packet size limit

Packet size limit set for the capture.

Number of packets

Number of packets currently captured. The value of this column is not refreshed in real time. Use the Refresh list of captures button to refresh the information in the grid.

Max. no. of packets

Maximum number of packets that can be captured.