Do a packet capture for an Airwall Gateway

Packet capture is one of several diagnostic tools that you can use to facilitate troubleshooting a Conductor or Airwall Gateway. The Conductor offers several diagnostic capabilities and you can learn about the others by using the links near the bottom of this article.

What's in a packet capture

Packet Captures show how traffic is flowing within your network. You can request packet captures from the Conductor for any Airwall Edge Service that is online.

Depending on the nature of your issue, Customer Success may require captures from the underlay network, the overlay (protected) network, or both.

  • Underlay network captures show the HIP packets exchanged between Airwall Edge Services, MAP packets exchanged between the Airwall Edge Services and the Conductor, any other traffic to and from the Airwall, and ARP and Multicast messages.
  • Overlay network captures show everything traversing the HIP tunnel to and from your protected devices.

You select which to capture by setting the Capture interface when requesting a packet capture.

How to get a packet capture

  1. In the Conductor, go to Airwall edge services, open one from the list, and go to Diagnostics.
  2. Select Start Packet Capture.
  3. Select any needed options.
    Here are the options you might have. Options may vary based on Conductor or Airwall Edge Service versions.
    • Capture interface – Select which interface you want to capture.
    • Protocol – You can limit the capture to only a specific protocol, as needed.
    • IP address – Limit the capture to only a specific IP address. You can match either source or destination address to filter for only a specific device or remote destination on a busy Airwall Edge Service.
    • Port – Select a TCP/UDP or L4 port to capture on.
    • Snap length – Controls how much of each packet to capture. The default is 64 (headers only). Set to zero for unlimited, or to 1514 (standard size Ethernet packets) to not truncate each packet in the capture.
    • BPF filter expression – Set a filter using BPF filter expressions. See BPF Settings for Port Mirroring.
    • Max capture filesize – Limit how large the pcap file can be.
    • Max capture time – Set how long to capture.
    • Limit upload bandwidth – Slow down the upload of the resulting pcap for limited bandwidth environments (e.g. you pay for higher than a given throughput or you have a slow link (maybe shared with other devices) and the bulk upload of the pcap at the end could negatively impact other traffic.
  4. Select OK to start the packet capture.
  5. Do what you were doing when your issue occurred.
  6. Stop the packet capture by selecting Stop Packet Capture.

    The Conductor creates a packet capture .pcap file. When it's finished, you get a download link to the file. The .pcap file is a standard format file that can be viewed with an application such as Wireshark.