Getting started with Packet Capture Module

The following is the recommended step-by-step guide to setting up and operating the Packet Capture Module.

Initial First Time Setup

  1. When your Riverbed Platform tenant is provisioned, you will receive a welcome email for every person you designated as an Admin.

  2. Log in to the Packet Capture Module Web UI to establish your global settings.

  3. Prior to deploying your first Packet Capture Module:

    1. You must establish a “percent free space” value in the global profile.

    2. You must complete a Storage Profile (a configuration that defines where the Packet Capture Module stores PCAP files, specifying the storage type and connection details for customer-managed repositories) for your customer-provided repository. See Storage Profiles for information about supported storage configurations.

    3. You should update the Default Capture Profile (a configuration template that defines packet capture parameters) or create a new capture profile with the desired settings.

    4. If you want newly deployed Packet Capture Modules to automatically start continuous captures, you must create one, and only one, Capture Profile and enable the "continuous capture" toggle.

  4. Deploy the NPM+ Packet Capture Modules.

    1. If Unified Agent and NPM+ Core Module are not already deployed, you’ll need to deploy those first.

  5. As new devices are added to the environment, you can automatically deploy the NPM+ Core Module and Packet Capture Module, along with other modules, using the Unified Agent version deployment features.

Harvesting PCAP Files - If Continuous Captures are Configured

Generally, when you need PCAP files, your support teams are working on a high impact, critical issue and time is of the essence. Expedited access to relevant PCAP files is essential.

  1. Use the Packet Capture Module Web UI to filter to the device(s) of interest.

  2. Issue a Harvest command for the time period of interest. (Harvest is the process of retrieving PCAP files from Packet Capture Module devices and transferring them to a customer-provided repository for analysis.)

  3. Once PCAPs are in your secure repository, users that you authorize can access those PCAPs and begin their protocol analysis deep dive.

Harvesting PCAP Files - If Module is Idle

If your support teams have determined they need packets from a particular device or devices, and you don’t already have continuous captures actively running, you will need to manually start a capture job and wait for the problem to reoccur.

  1. Use the Packet Capture Module Web UI to filter to the devices of interest.

  2. Use the New Capture Job button for each device to start a new capture job.

  3. Wait until the symptom conditions reappear.

  4. Issue a Harvest command for the time period of interest.

  5. Decide if you want to Stop the Capture or leave it active to capture additional symptom forensics.