Selective packet capture

When deployed as part of the Plixer One platform, Plixer FlowPro selectively captures network packets based on user-defined rules. This allows for targeted sampling of network traffic, which can result in more efficient analysis/investigation as well as optimal resource utilization.

Note

The steps described below require Plixer Scrutinizer 19.6.0 or higher. For assistance with other versions, contact Plixer Technical Support.

Selective packet capture rules can be defined via the Plixer Scrutinizer web interface as follows:

  1. Navigate to Admin > Resources > FlowPro Capture Rules.

  2. Click the + button and configure the following details in the tray:

    • Name: A name for the capture rule

    • Client IP: Client/source IP address of packets to capture

    • Server IP: Server/destination IP address of packets to capture

    • Well-Known Port: Well-known port to monitor for packets

    • Max Packets: Maximum number of packets to capture

    • Stops On: End date for capturing packets

    • Retain Until: End date for retaining captured packet data

  3. [Optional] Use the Enabled toggle to disable the rule if you want to start capturing packets at a later time.

  4. Click the Save button to create the rule.

Packets will start being captured as soon as a rule is saved (if enabled). Rules with captured data will be indicated by a check in the Data column.

Note

The timezones configured on the Plixer Scrutinizer server and the Plixer FlowPro probe must be the same for the Stops On rule to be correctly observed.

Downloading PCAP files via Plixer Scrutinizer

Captures can be downloaded by clicking Download PCAP for events under the FlowPro Event Capture policy in the Plixer Scrutinizer Alarm Monitor views.

Because these download requests are redirected to the Plixer FlowPro appliance, an exception for the appliance's default self-signed certificate must be added in each Plixer Scrutinizer user's browser. To do this, navigate to https://<FLOWPRO_MGMT_IP>:8080 and accept the security exception.

Rule management

Once the maximum number of packets has been captured, or the defined end date has been reached, the rule is automatically disabled. Inactive rules are shown with a yellow indicator in the main table, while enabled/active rules are shown in green.

To continue capturing packets, click on the rule name, make the necessary changes (Max Packets or Stops On) in the configuration tray, and then re-enable the rule.

Rules that are no longer needed can instead be deleted. To do this, use the checkboxes to select one or more rules to be deleted, and then use the Delete option in the Bulk Actions menu/tray.
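The following is an added, self-contained model of the rule behaviour described in the configuration steps, the timezone note and the rule management section above. It is example code written for this page, not Plixer's own implementation: the exact-match semantics for Client IP, Server IP and Well-Known Port (matched as the destination port) are assumptions, as are the sample packets, which are constructed. What it shows is why Stops On must be evaluated against timezone-aware timestamps, how a rule is disabled once Max Packets or Stops On is reached, and how raising those limits and re-enabling the rule resumes the capture.

```python
"""Toy model of a selective packet capture rule (added example; not Plixer code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: datetime  # timezone-aware timestamp assigned by the probe
    src: str
    dst: str
    dport: int


@dataclass
class CaptureRule:
    name: str
    client_ip: str        # Client IP: source address (assumed exact match)
    server_ip: str        # Server IP: destination address (assumed exact match)
    well_known_port: int  # Well-Known Port: matched as destination port (assumption)
    max_packets: int      # Max Packets
    stops_on: datetime    # Stops On: must be timezone-aware
    enabled: bool = True
    captured: List[Packet] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.stops_on.tzinfo is None:
            raise ValueError("stops_on must be timezone-aware; a naive local time is "
                             "ambiguous between the server and the probe")

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src == self.client_ip and pkt.dst == self.server_ip
                and pkt.dport == self.well_known_port)

    def offer(self, pkt: Packet) -> bool:
        """Feed one packet to the rule; return True if it was captured."""
        if not self.enabled:
            return False
        if pkt.ts.tzinfo is None:
            raise ValueError("packet timestamps must be timezone-aware")
        if pkt.ts >= self.stops_on:  # aware comparison normalises both sides to UTC
            self.enabled = False      # Stops On reached: rule auto-disables
            return False
        if not self.matches(pkt):
            return False
        self.captured.append(pkt)
        if len(self.captured) >= self.max_packets:
            self.enabled = False      # Max Packets reached: rule auto-disables
        return True

    def reenable(self, max_packets: Optional[int] = None,
                 stops_on: Optional[datetime] = None) -> None:
        """Mirror the UI workflow: adjust Max Packets / Stops On, then re-enable."""
        if max_packets is not None:
            self.max_packets = max_packets
        if stops_on is not None:
            if stops_on.tzinfo is None:
                raise ValueError("stops_on must be timezone-aware")
            self.stops_on = stops_on
        self.enabled = True


UTC = timezone.utc
UTC_PLUS_2 = timezone(timedelta(hours=2))  # a probe clock set to a different zone

# Constructed sample traffic: one client talking to one server.
SAMPLE_PACKETS = [
    Packet(datetime(2024, 5, 1, 10, 0, tzinfo=UTC), "10.0.0.5", "10.0.0.80", 443),
    Packet(datetime(2024, 5, 1, 10, 1, tzinfo=UTC), "10.0.0.5", "10.0.0.80", 22),
    # 13:00 in UTC+2 is 11:00 UTC, so it is still before a 12:00 UTC Stops On
    Packet(datetime(2024, 5, 1, 13, 0, tzinfo=UTC_PLUS_2), "10.0.0.5", "10.0.0.80", 443),
    Packet(datetime(2024, 5, 1, 12, 30, tzinfo=UTC), "10.0.0.5", "10.0.0.80", 443),
]


def run_capture(rule: CaptureRule, packets: List[Packet]) -> dict:
    for pkt in packets:
        rule.offer(pkt)
    return {"captured": len(rule.captured), "enabled": rule.enabled}


def naive_stop_rejected() -> bool:
    """A Stops On without a timezone is refused instead of being silently misread."""
    try:
        CaptureRule("bad", "10.0.0.5", "10.0.0.80", 443, 1, datetime(2024, 5, 1, 12, 0))
    except ValueError:
        return True
    return False


def demo() -> dict:
    stop = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
    # Stops On is reached before Max Packets
    by_date = CaptureRule("web-10.0.0.80", "10.0.0.5", "10.0.0.80", 443, 10, stop)
    by_date_result = run_capture(by_date, SAMPLE_PACKETS)
    # Max Packets is reached first
    by_count = CaptureRule("web-10.0.0.80", "10.0.0.5", "10.0.0.80", 443, 1, stop)
    by_count_result = run_capture(by_count, SAMPLE_PACKETS)
    # Extend Stops On, re-enable, and resume with the packet that was previously refused
    by_date.reenable(max_packets=10, stops_on=stop + timedelta(hours=1))
    resumed = run_capture(by_date, SAMPLE_PACKETS[3:])
    return {"by_date": by_date_result, "by_count": by_count_result, "resumed": resumed}


if __name__ == "__main__":
    print(demo())
```

Had the probe's 13:00 timestamp been compared as a naive local time, it would have been read as later than the 12:00 stop time and the rule would have disabled itself an hour early, which is the mismatch the timezone note above warns about.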