Configuring 5-Tuple Packet Capture Using the CLI

To configure 5-tuple packet capture can affect the device performance to some extent, please be cautious.

After finishing network issue locating, immediately run the undo packet-capture command to stop packet capture and delete the packet capture configuration, run the reset packet-capture queue all command to clear the packet capture queue, and run the reset packet-capture statistic command to clear the packet capture statistics.

The FW supports 5-tuple packet capture based on the hardware chip and 5-tuple packet capture based on the MPU CPU. FW packets first pass through the NP chip and then are sent to the MPU CPU. After the hardware fast forwarding function is enabled by default, only some traffic is sent to the CPU. Therefore, the packets captured based on the hardware chip are more comprehensive. In addition, it helps reduce the CPU usage and is therefore recommended.

Hardware chip-based 5-tuple packet capture does not support global packet capture. To capture packets on all interfaces, use MPU CPU-based 5-tuple packet capture.

The FW supports packet capture in the root and virtual systems. USG6000E root and virtual systems have different packet capture queues and packet clearing mechanisms. Details are as follows:

The differences between the packet capture queues of the root system and virtual system:

In the root system, the packet capture queue is a block in the memory. Each queue can store a maximum of 1000 packets. Excess packets are discarded. To restart packet capture when the queue already stores 1000 packets, select another queue for the interface.In the virtual system, the packet capture queue is a .txt file that stores the captured packet data.Each virtual system has two packet capture queues.

The root system and virtual system have different mechanisms for clearing captured packets:

In the root system, the captured packet data is permanently stored in the memory, unless you run the reset packet-capture queue command to delete the data. In the virtual system, the captured packet data is directly stored in the CF card as a .txt file for only 30 minutes. Afterwards, the data is automatically deleted.

Configuring MPU CPU-based 5-Tuple Packet Capture

1. Run the system-view command to access the system view.
2. Run the packet-capture { all-packet | ipv4-packet acl-number | ipv6-packet acl6-number | no-ip-packet } [ queue queue-id ] [ vlan vlan-id1 [ to vlan-id2 ] ] [ interface interface-type interface-number [ inbound | outbound ] ] command to configure the packet capture interface, direction, and queue for storing captured packets.
3. Run the packet-capture drop drop-type { blackhole | default-filter | fib-miss | arp-miss | session-miss | attack | bandwidth } [ queue queue-id ] command to capture discarded packets of a specified queue based on the packet type.
4. Run the packet-capture startup [ packet-len packet-len | sample-rate sample-rate ] [ packet-num packet-num ] command to enable the packet capture process.

Configuring Hardware Chip-based 5-Tuple Packet Capture

1. Run the system-view command to access the system view.
2. Run the packet-capture hardware { all-packet | ipv4-packet acl-number | ipv6-packet acl6-number | no-ip-packet } [ queue queue-id ] interface interface-type interface-number [ inbound | outbound ] command to configure the packet capture interface, direction, and queue for storing captured packets.
3. Run the packet-capture hardware startup [ packet-len packet-len | sample-rate sample-rate ] [ packet-num packet-num ] command to enable the packet capture process.
4. Run the packet-capture hardware queue queue-id to-file file-name command to save a specified packet capture queue as a user-defined .cap file to the CF card of the device.
5. After fault location is complete, run the reset packet-capture hardware queue { queue-id | all } command to clear the packet capture queue.