Understanding Continuous Capture vs. On-Demand

The Packet Capture Module supports two capture modes: Continuous Capture and On-Demand Capture. Continuous Capture solves the problem of not having critical PCAP files (Packet Capture, a file format that contains captured network packet data and is typically used for network analysis and troubleshooting) available when you need them most, by maintaining a continuous rolling buffer of recent network traffic.

On-Demand Capture

On-demand captures are started manually after an incident is reported. As shown in the graphic below, this approach has a significant limitation: by the time you start the capture, the condition you need to analyze may already have cleared, and you must wait for a recurrence to capture the relevant packets.

Continuous Capture

Continuous Capture runs continuously in the background, collecting packets from every active network interface and storing them in a rolling buffer of fixed size on the device. The rolling buffer maintains a window of recent network traffic. When the buffer reaches its maximum size, the oldest packets are automatically overwritten by newer packets, ensuring you always have access to the most recent network activity up to the buffer's capacity.

When an incident occurs, you can harvest packets from the rolling buffer for the time period of interest. If the incident happened recently and the time period fits within your buffer's retention window, the packets are immediately available without waiting for the issue to reoccur.

How Continuous Capture Works

With Continuous Capture, there's a high degree of confidence that the rolling buffer will contain the time period of interest. You only need to harvest the packets from the buffer and proceed with troubleshooting efforts.

The amount of time covered by the rolling buffer depends on these factors:

  • Buffer size: The maximum size of the rolling buffer.

  • Target time period to maintain: works together with the buffer size. The buffer wraps around and begins overwriting the oldest packets as soon as either limit is reached: when the retained traffic spans the target time period, or when the buffer reaches its maximum size, whichever happens first.

  • Network traffic volume: Higher traffic volumes fill the buffer faster, reducing the time window of retained packets.

Harvesting from a Continuous Capture Job

When you need to analyze packets from a continuous capture, you can harvest them (retrieve the PCAP files from the Packet Capture Module devices and transfer them to a customer-provided repository for analysis) in the following ways:

  • Time-based harvest – recent minutes: Harvest the last "nn" minutes of packets, working backward from the current time.

  • Time-based harvest – start / stop time: Harvest packets for the time period you specify, from the start time to the end time.

  • Full buffer harvest: Harvest the entire contents of the rolling buffer.

Note: An active continuous capture is continually overwriting its oldest packets, so the start time you specify for a time-based harvest may have rolled off the buffer while you were working in the Web UI. In that case the harvest command uses the earliest start time still available in the buffer.
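The following is an added example, not code from the Packet Capture Module itself. It models the rolling buffer described under "How Continuous Capture Works" (wrap on maximum buffer size or on the target time period, whichever comes first; retention shrinking as traffic volume grows) together with the three harvest modes listed above, including the edge case where the requested start time has already rolled off and the harvest is clamped to the earliest packet still in the buffer. Buffer sizes, packet sizes and traffic rates are constructed for illustration and are not the product's defaults; the class and function names are my own.

```python
# Added example (not the Packet Capture Module's own code): a model of the
# rolling capture buffer and its three harvest modes. Capture settings,
# packet sizes and traffic rates below are constructed for illustration.
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    ts: float    # capture time in seconds
    size: int    # bytes stored in the buffer


class RollingBuffer:
    """Fixed-size rolling buffer. The oldest packets are dropped when the
    byte capacity is exceeded or, if a target time period is configured,
    when the buffer spans more than that period (whichever happens first)."""

    def __init__(self, max_bytes: int, target_seconds: Optional[float] = None):
        self.max_bytes = max_bytes
        self.target_seconds = target_seconds
        self.pkts: deque = deque()
        self.used = 0          # bytes currently held
        self.rolled_off = 0    # packets overwritten so far

    def write(self, pkt: Packet) -> None:
        self.pkts.append(pkt)
        self.used += pkt.size
        # Wrap on maximum buffer size.
        while self.used > self.max_bytes:
            self._drop_oldest()
        # Wrap on target time period (pkt itself is in the deque, so this ends).
        if self.target_seconds is not None:
            while pkt.ts - self.pkts[0].ts > self.target_seconds:
                self._drop_oldest()

    def _drop_oldest(self) -> None:
        old = self.pkts.popleft()
        self.used -= old.size
        self.rolled_off += 1

    def earliest(self) -> Optional[float]:
        return self.pkts[0].ts if self.pkts else None

    def retention_seconds(self) -> float:
        """Time window currently covered by the buffer."""
        return self.pkts[-1].ts - self.pkts[0].ts if self.pkts else 0.0

    # Harvest modes -------------------------------------------------------
    def harvest_range(self, start: float, stop: float) -> Tuple[List[Packet], float]:
        """Start/stop harvest. If `start` has already rolled off, the harvest
        is clamped to the earliest packet still in the buffer; the effective
        start time is returned so the caller can see the clamp."""
        earliest = self.earliest()
        effective = start if earliest is None else max(start, earliest)
        return [p for p in self.pkts if effective <= p.ts <= stop], effective

    def harvest_last(self, now: float, minutes: float) -> Tuple[List[Packet], float]:
        """Recent-minutes harvest: the last `minutes` before `now`."""
        return self.harvest_range(now - minutes * 60, now)

    def harvest_all(self) -> List[Packet]:
        """Full buffer harvest."""
        return list(self.pkts)


def estimate_window_seconds(buffer_bytes: int, bytes_per_sec: float,
                            target_seconds: Optional[float] = None) -> float:
    """Expected retention: buffer size / traffic rate, capped by the target period."""
    window = buffer_bytes / bytes_per_sec
    return window if target_seconds is None else min(window, target_seconds)


def simulate(pps: int, pkt_size: int, seconds: int, max_bytes: int,
             target_seconds: Optional[float] = None) -> RollingBuffer:
    """Feed a constant stream of constructed packets into a buffer."""
    buf = RollingBuffer(max_bytes, target_seconds)
    for i in range(pps * seconds):
        buf.write(Packet(ts=i / pps, size=pkt_size))
    return buf


if __name__ == "__main__":
    # 1000 B/s into a 60 kB buffer: about 60 s of retention.
    buf = simulate(pps=2, pkt_size=500, seconds=300, max_bytes=60_000)
    print("retained %.1f s, rolled off %d packets" % (buf.retention_seconds(), buf.rolled_off))
    # Start time 100 s rolled off long ago: harvest is clamped to the earliest packet.
    pkts, eff = buf.harvest_range(start=100.0, stop=260.0)
    print("harvest clamped to start=%.1f, %d packets" % (eff, len(pkts)))
    # Doubling the traffic halves the window; a target period caps it further.
    print(estimate_window_seconds(60_000, 2000), estimate_window_seconds(60_000, 1000, 45))
```

The clamp in `harvest_range` is the behaviour to plan around operationally: if the time you are asked to investigate is older than `retention_seconds()`, the packets are gone, and the only remedies are a larger buffer or a lower traffic volume on the captured interfaces, not a later harvest.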

For more information about harvesting packets, see Packet Capture Module Operations.

Configuring Continuous Capture

You configure continuous capture settings in your Capture Profiles. The Packet Capture Module also monitors disk space and automatically stops all captures if free space falls below the threshold you configure in Global Settings.