Configure and manage packet capture rules

You can define filter rules for capturing packets and apply them as a packet capture profile.

Task

  1. For a standalone Sensor, select Devices > <Admin Domain Name> > Devices > <Device Name> > Troubleshooting > Packet Capturing > Capture Now.
    For Sensors in a stack, select Devices > <Admin Domain Name> > Devices > <Device Name> > <Stackname-node id> > Troubleshooting > Packet Capturing > Capture Now.
  2. Under Capture Rules, the following capture rule options are displayed, with their definitions:
    Monitoring port
        The monitoring ports on which the rule is applied. The options are All and <Interface depending on the Sensor>.
        Note: Some options may not be displayed, depending on the configured Sensor model.
        Note: If you are configuring a stacked NS9500 Sensor, you cannot configure rules at the interface level. You have to configure the rule for All interfaces.
    Traffic
        The traffic for which the capture rule is filtered. The options are ALL, ARP, and IP.
    Protocol
        The type of protocol to be filtered. The options are TCP, UDP, ICMP, and Protocol Number.
    IP Version
        The type of IP setting. The options are IPv4 and IPv6.
    Fragments Only?
        Captures only fragmented traffic. By default, this option is disabled.
    Source IP
        Source IP address of the packet.
    Source Mask
        Source IP mask.
    Source Port
        Source port number of the packet. This option is enabled only if you select TCP or UDP as the protocol type.
    Destination IP
        Destination IP address of the packet.
    Destination Mask
        Destination IP mask.
    Destination Port
        Destination port number of the packet. This option is enabled only if you select TCP or UDP as the protocol type.
    Vlan ID
        VLAN ID of the packet to be captured. This option is disabled if you select ALL or ARP.
        Note: Only the outer VLAN ID is inspected in the case of double VLAN tagged traffic.
    Protocol Number
        The protocol number. This can be specified only if the option Protocol Number is selected under Protocol.

    • When a packet capture session is in progress, you cannot configure or push a new packet capture profile. To apply a new profile, the packet capture session must be stopped first.
    • You can add or remove rows by clicking the + or - signs on the right-hand side of the Capture Rules field.
  3. A Capture Rule Template can be defined at the admin domain level, to be applied across multiple Sensors, or at the Sensor level. To create a capture rule template:
    • To create a packet capture rule template at the admin domain level, select Policy > <Admin Domain Name> > Intrusion Prevention > Objects > Packet Capture Rule Templates > New.
    • To create a packet capture rule template at the standalone Sensor level, select Devices > <Admin Domain Name> > Devices > <Device Name> > Troubleshooting > Packet Capturing > Capture Now > Insert Capture Rule Template > New.
    • To create a packet capture rule template for a Sensor in a stack, select Devices > <Admin Domain Name> > Devices > <Device Name> > <Stackname-node id> > Troubleshooting > Packet Capturing > Capture Now > Insert Capture Rule Template > New.
    The Add a Capture Rule Template page opens.
    Figure: Add a Capture Rule Template window


  4. Type the Name of the capture rule template.
  5. Select the Make Visible to Child Admin Domains? option to make the rule visible to child admin domains.
  6. Click Save to save the capture rule.
  7. Capture rules can be modified later. Once a rule is modified, click Save.
  8. To delete a capture rule, click against the rule, then click Save.
    Note: Modifying a template rule does not affect the rule on a Sensor to which it has already been applied.
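The capture rule fields in step 2 come with dependencies between them (ports only with TCP or UDP, VLAN ID not with ALL or ARP, a protocol number only when Protocol Number is the selected protocol) and one inspection rule (only the outer VLAN tag on double-tagged traffic). The following Python model, added here as an illustration and not part of the Sensor or the Manager, enforces those dependencies as a validator and then applies a rule to a handful of constructed sample packets, so you can check what a rule would capture before pushing it. The class and function names, the sample packets, and the treatment of ICMPv6 (protocol 58) as ICMP are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the named Protocol choices (assumption: ICMP also
# covers ICMPv6, protocol 58, for IPv6 traffic).
NAMED_PROTOCOLS = {"TCP": {6}, "UDP": {17}, "ICMP": {1, 58}}

@dataclass
class CaptureRule:
    traffic: str = "ALL"                   # ALL, ARP or IP
    protocol: Optional[str] = None         # TCP, UDP, ICMP or "Protocol Number"
    protocol_number: Optional[int] = None  # only with protocol "Protocol Number"
    ip_version: Optional[int] = None       # 4 or 6
    fragments_only: bool = False
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None         # prefix length, or dotted mask (IPv4)
    src_port: Optional[int] = None         # TCP/UDP only
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    dst_port: Optional[int] = None         # TCP/UDP only
    vlan_id: Optional[int] = None          # not allowed with ALL or ARP

@dataclass
class Packet:                              # constructed sample packet
    name: str
    ether_type: str                        # "ARP" or "IP"
    ip_version: Optional[int] = None
    protocol: Optional[int] = None         # IP protocol number
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    fragmented: bool = False
    vlan_tags: tuple = ()                  # outermost tag first; () = untagged

def validate_rule(rule: CaptureRule) -> list:
    """Return the field combinations the capture UI does not allow."""
    errors = []
    if (rule.src_port is not None or rule.dst_port is not None) \
            and rule.protocol not in ("TCP", "UDP"):
        errors.append("Source/Destination Port require protocol TCP or UDP")
    if rule.vlan_id is not None and rule.traffic in ("ALL", "ARP"):
        errors.append("VLAN ID is disabled when ALL or ARP is selected")
    if rule.protocol_number is not None and rule.protocol != "Protocol Number":
        errors.append("Protocol Number requires protocol 'Protocol Number'")
    if rule.protocol == "Protocol Number" and rule.protocol_number is None:
        errors.append("Protocol 'Protocol Number' needs a protocol number")
    return errors

def _network(ip: str, mask: Optional[str]):
    """Combine the UI's separate IP and mask fields; no mask means a single host."""
    return ipaddress.ip_network(ip if mask is None else f"{ip}/{mask}", strict=False)

def matches(rule: CaptureRule, pkt: Packet) -> bool:
    """True if the packet satisfies every configured field of the rule."""
    if rule.traffic != "ALL" and pkt.ether_type != rule.traffic:
        return False
    if pkt.ether_type != "IP":                 # ARP carries no IP-layer fields
        ip_fields = (rule.protocol, rule.ip_version, rule.src_ip, rule.dst_ip)
        return not rule.fragments_only and all(f is None for f in ip_fields)
    if rule.ip_version is not None and pkt.ip_version != rule.ip_version:
        return False
    if rule.fragments_only and not pkt.fragmented:
        return False
    if rule.protocol is not None:
        allowed = ({rule.protocol_number} if rule.protocol == "Protocol Number"
                   else NAMED_PROTOCOLS[rule.protocol])
        if pkt.protocol not in allowed:
            return False
    for ip, mask, have in ((rule.src_ip, rule.src_mask, pkt.src_ip),
                           (rule.dst_ip, rule.dst_mask, pkt.dst_ip)):
        # a network of the other IP version never contains the address
        if ip is not None and ipaddress.ip_address(have) not in _network(ip, mask):
            return False
    for want, have in ((rule.src_port, pkt.src_port), (rule.dst_port, pkt.dst_port)):
        if want is not None and have != want:
            return False
    if rule.vlan_id is not None:
        # only the outer tag is inspected on double-tagged (QinQ) traffic
        if not pkt.vlan_tags or pkt.vlan_tags[0] != rule.vlan_id:
            return False
    return True

def select_captured(rule: CaptureRule, packets) -> list:
    """Validate the rule, then return the names of the packets it captures."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return [p.name for p in packets if matches(rule, p)]

# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS = [
    Packet("arp-req", "ARP", vlan_tags=(10,)),
    Packet("web-v4", "IP", 4, 6, "10.1.2.3", "192.0.2.10", 51000, 443, vlan_tags=(10,)),
    Packet("web-qinq", "IP", 4, 6, "10.1.2.4", "192.0.2.10", 51001, 443, vlan_tags=(20, 10)),
    Packet("dns-v4", "IP", 4, 17, "10.1.2.3", "192.0.2.53", 40000, 53, vlan_tags=(10,)),
    Packet("frag-v6", "IP", 6, 17, "2001:db8::1", "2001:db8::2", 5000, 5000, fragmented=True),
    Packet("gre-v4", "IP", 4, 47, "10.9.9.9", "192.0.2.1"),
]
```

Calling select_captured with a rule of traffic IP, protocol TCP, source 10.1.2.0 with mask 255.255.255.0, destination port 443 and VLAN ID 10 returns only web-v4: the QinQ packet carries 10 as its inner tag, but its outer tag is 20, which is the only one inspected. A rule that sets VLAN ID together with traffic ALL raises ValueError from the validator, mirroring the field being disabled in the UI.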