
Knowledge Base

How to Produce Packet Captures from a DefensePro Device


Note:
Enabling the Traffic Capture tool may cause severe performance degradation. To verify that the capture operation has been successfully terminated, it is recommended to monitor the device CPU state.

The Traffic Capture tool captures packets that enter the device, leave the device, or both. The captured traffic is in TCPDUMP format.

The output file from the packet capture can provide valuable forensics information. In some cases, the Radware Emergency Response Team (ERT) may require this file. With this file, the ERT can quickly and effectively analyze the attack and provide the optimal actions to remedy the situation.
To produce a capture file from a DefensePro device:
1. Access the DefensePro Web Based Management console by browsing to the DefensePro Web Management URL: http(s)://[Device IP Address]
2. From the Services menu, select Diagnostics > Capture > Parameters.
3. Configure the capture parameters to control the packet capture process.
It is recommended to use the following guidelines for each packet capture that the device performs:
a. Create a new policy for the capture file.
b. Configure a policy name and description.
c. Configure the maximal packet number to limit the number of captured packets and avoid having the output file become too large. A typical limit is 20,000 packets.
d. If the source or attack addresses of the attack are known, it is recommended to limit the capture to those addresses by configuring the corresponding fields.
e. Verify that the Capture Status and Trace-Log Status parameters are set to Enabled.
Note:
For additional information regarding the available parameters, see Appendix B - Diagnostics Policies Parameters.
4. Select the Files tab. The Diagnostic Tools Files Management pane opens. The Diagnostic Tools Files Management pane displays the previous capture files stored on the device. To avoid confusion, it is recommended to download any old capture file located on the device, either on the RAM drive or on the Main Flash, and delete the repository before performing the capture.
5. Select the Capture Parameters tab and set the following parameters:
Output To File: RAM Drive and FLASH
Output To Terminal: Disabled
Capture Point: On Packet Arrive
Capture Rate: 1
The device is now ready to issue the packet capture operation.
6. To begin the packet capture, set the Status parameter to Enabled and click Set.
7. To stop the packet capture, set the Status parameter to Disabled and click Set.
8. Select the Files tab.
9. Select the latest captured file and download it to your local computer.
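Because the downloaded file is in TCPDUMP (classic pcap) format, its header and record structure can be sanity-checked before the file is sent on for analysis. The following Python script is an added example, not a Radware tool: it parses a pcap byte string, counts the records, flags a file that ends mid-record, and reports whether the configured maximal packet number (20,000 in the guidelines above) was reached. The capture file name is a placeholder and the sample capture is constructed in memory.

```python
import struct

# Classic pcap magic numbers -> (struct byte order, timestamp fraction ticks per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def summarize_pcap(data: bytes, expected_max: int) -> dict:
    """Parse a TCPDUMP-format (classic pcap) byte string and summarize it."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap (TCPDUMP-format) file")
    endian, tick = PCAP_MAGICS[data[:4]]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, count, truncated, first_ts, last_ts = 24, 0, False, None, None
    while offset < len(data):
        if len(data) - offset < 16:
            truncated = True  # record header cut off
            break
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            truncated = True  # record body cut off, e.g. device stopped or file rotated mid-write
            break
        last_ts = ts_sec + ts_frac / tick
        first_ts = last_ts if first_ts is None else first_ts
        offset += 16 + incl_len
        count += 1
    # Fewer packets than expected_max is not by itself an error: the policy can capture
    # fewer packets than configured when the device is dropping traffic.
    return {"version": f"{major}.{minor}", "linktype": linktype, "snaplen": snaplen,
            "packets": count, "truncated": truncated,
            "duration_s": 0.0 if count == 0 else last_ts - first_ts,
            "reached_max": count >= expected_max}

def build_sample_pcap(n: int, cut_last: bool = False) -> bytes:
    """Constructed sample capture: n zeroed Ethernet-sized records, optionally cut short."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    body = b""
    for i in range(n):
        frame = bytes(14 + i % 3)
        body += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return header + (body[:-5] if cut_last else body)

if __name__ == "__main__":
    # Real use: summarize_pcap(open("defensepro_capture.cap", "rb").read(), 20000)  # placeholder name
    print(summarize_pcap(build_sample_pcap(5), expected_max=5))
```

A truncated result with the RAM Drive and Flash output usually means the file was rotated or the device was still writing when it was downloaded; re-download after confirming Status is Disabled.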
Appendix A: Capture Tool Configuration Parameters

Status
Specifies whether the Capture Tool is enabled. Default: Disabled
Note: When the device reboots, the status of the Capture Tool reverts to Disabled.

Output To File
Specifies the location of the stored captured data. Values:
RAM Drive and Flash: The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, the managed device uses two files. When the first file becomes full, the device switches to the second; when that one is full, it overwrites the first file, and so on.
RAM Drive: The device stores the data in RAM.
None: The device does not store the data in RAM or flash, but you can view the data using a terminal.

Output To Terminal
Specifies whether the device sends captured data to the terminal. Default: Disabled

Capture Point
Specifies where the device captures the data. Values:
On Packet Arrive: The device captures packets when they enter the device.
On Packet Send: The device captures packets when they leave the device.
Both: The device captures packets when they enter the device and when they leave the device.

Traffic Match Mode
Specifies how the device logically captures a session traversing a VIP. Each session sent to a device VIP has two sides: the client side (the session between the client and the VIP) and the server side (the session between the device and the server). This parameter has no effect on traffic that does not traverse a VIP. Values:
Inbound Only: Capture the client-side session only.
Inbound and Outbound: Capture both the client-side and the corresponding server-side sessions.
Default: Inbound Only
Appendix B: Diagnostics Policies Parameters

Name
The user-defined name of the policy. Maximum characters:

Index
The number of the policy in the order in which the diagnostics tool classifies (that is, captures) the packets. Default: 1

Description
The user-defined description of the policy.

VLAN Tag Group
The VLAN Tag group whose packets the policy classifies (that is, captures).

Destination
The destination IP address or predefined class object whose packets the policy classifies (that is, captures). Default: any (the diagnostics tool classifies, that is, captures, packets with any destination address).

Source
The source IP address or predefined class object whose packets the policy classifies (that is, captures). Default: any (the diagnostics tool classifies, that is, captures, packets with any source address).

Outbound Port Group
The port group whose outbound packets the policy classifies (that is, captures).
Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Inbound Port Group
The port group whose inbound packets the policy classifies (that is, captures).

Service Type
The service type whose packets the policy classifies (that is, captures). Values: AND Group, Basic Filter, None, OR Group. Default: None

Service
The service whose packets the policy classifies (that is, captures).

Destination MAC Group
The Destination MAC group whose packets the policy classifies (that is, captures).

Source MAC Group
The Source MAC group whose packets the policy classifies (that is, captures).

Maximal Number of Packets
The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the device is configured to drop packets. Default: 0

Maximal Packet Length
The maximal length for a packet the policy captures. Default: 0

Capture Status
Specifies whether the packet-capture feature is enabled in the policy. Values: Enabled, Disabled. Default: Enabled

Trace-Log Status
Specifies whether the Trace-Log feature is enabled in the policy. Values: Enabled, Disabled. Default: Enabled
Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
https://kb.radware.com/questions/3097/