Updated on 2025-06-27 GMT+08:00

Network Packet Capture

Scenario

Data is transmitted between devices as packets, a process that is usually invisible. Because data flows cannot be quickly checked, it is difficult to locate problems and handle network delays, connection failures, or security threats. CFW provides a network packet capture tool that accurately filters traffic by source/destination IP address, port, and protocol. It helps you quickly obtain the original data packet content, detect attacks, and identify security risks.

This section describes how to create a packet capture task to check the network status, view packet capture tasks, and download their results.

Constraints

  • Only the professional edition instances can capture network packets.
  • You can create up to 20 packet capture tasks every day, but only one can be executed at a time.
  • A maximum of 1 million packets can be captured.
  • For an abnormal task, its possible packet capture results are as follows:
    • The packet capture data is completely lost and cannot be downloaded.
    • Some packet capture data is lost. Existing data can be downloaded.

Creating a Packet Capture Task to Check the Network Status

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation tree on the left, choose System Management > Packet Capture.
  6. Click Create Capture Task and configure parameters. For details, see Table 1.

    Table 1 Packet capture task parameters

    | Parameter | Description | Example Value |
    |---|---|---|
    | Task Name | Task name. It must meet the following requirements: only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the special characters - and _ are allowed. Enter up to 30 characters. | cfw |
    | Max. Packets Captured | Maximum number of captured packets. Enter an integer in the range 1 to 1,000,000. | 100,000 |
    | Capture Duration (min) | Maximum duration for capturing packets. Enter an integer in the range 1 to 10. | 3 |
    | IP Type | IP address type for packet capture. The value is IPv4 by default. | IPv4 |
    | Protocol Type | Protocol type of captured packets. It can be Any, TCP, UDP, or ICMP. | Any |
    | Source Address | The following input formats are supported: a single IP address, for example, 192.168.10.5; consecutive IP addresses, for example, 192.168.0.2-192.168.0.10; an address segment, for example, 192.168.2.0/24. | 192.168.10.5 |
    | Source Port | (Optional) Source port. If this parameter is left blank, it indicates all port numbers (1 to 65535). Otherwise, enter a single port number in the range 1 to 65535. | 80 |
    | Destination Address | It can be: a single IP address, for example, 192.168.10.5; consecutive IP addresses, for example, 192.168.0.2-192.168.0.10; an address segment, for example, 192.168.2.0/24. | 192.168.10.6 |
    | Destination Port | (Optional) Destination port. If this parameter is left blank, it indicates all port numbers (1 to 65535). Otherwise, enter a single port number in the range 1 to 65535. | - |

  7. Click OK.
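
The input rules in Table 1 can be checked before a task is submitted. The following Python sketch is an added example, not Huawei Cloud code: the dictionary keys and function names are hypothetical, and it assumes that both addresses are required and that an address segment must have no host bits set.

```python
import ipaddress
import re

# Rules below come from Table 1; key names are hypothetical (no CFW API is shown).
TASK_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,30}")
PROTOCOLS = {"Any", "TCP", "UDP", "ICMP"}
INT_RANGES = {"max_packets": (1, 1_000_000), "duration_min": (1, 10)}

def parse_address(value):
    """Return the (first, last) IPv4 address covered by one address field."""
    value = str(value).strip()
    if "/" in value:  # address segment, e.g. 192.168.2.0/24
        net = ipaddress.IPv4Network(value)  # assumption: host bits must be zero
        return net[0], net[-1]
    if "-" in value:  # consecutive addresses, e.g. 192.168.0.2-192.168.0.10
        first, last = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
        if first > last:
            raise ValueError("range start is above range end")
        return first, last
    single = ipaddress.IPv4Address(value)
    return single, single

def parse_port(value):
    """Return None for a blank port (all ports) or the single port number."""
    if value is None or str(value).strip() == "":
        return None
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError("port outside 1 to 65535")
    return port

def validate_task(task):
    """Return the names of the fields that break a Table 1 rule."""
    bad = []
    if not TASK_NAME_RE.fullmatch(str(task.get("name", ""))):
        bad.append("name")
    for key, (low, high) in INT_RANGES.items():
        value = task.get(key)
        if type(value) is not int or not low <= value <= high:
            bad.append(key)
    if task.get("protocol", "Any") not in PROTOCOLS:
        bad.append("protocol")
    for key, parser in (("src_addr", parse_address), ("src_port", parse_port),
                        ("dst_addr", parse_address), ("dst_port", parse_port)):
        try:
            parser(task.get(key))
        except ValueError:
            bad.append(key)
    return bad
```

A narrow source and destination filter also keeps the capture inside the 1 million packet limit listed under Constraints.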

Viewing a Packet Capture Task

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation tree on the left, choose System Management > Packet Capture.
  6. (Optional) Choose whether to search for a task by task name or IP address, enter keywords, and click the search icon.

    • Task name search supports fuzzy match. The input rules are as follows:
      • Only uppercase letters (A to Z), lowercase letters (a to z), numbers (0 to 9), and the following special characters are allowed: -_
      • Enter up to 30 characters.
    • To search by IP address, enter a single complete IP address, for example, 0.0.0.0.

  7. View the information about the packet capture task. For details, see Table 2.

    Table 2 Packet capture task parameters

    | Parameter | Description |
    |---|---|
    | Task Name | Task name. |
    | Status | Task status. Running: The packet capture command has been delivered and the task is in progress. Completed: The packet capture result has been uploaded and the task is complete. Exception: Packet capture data upload times out due to network problems, and some packet capture results are lost. (NOTE: To retry a task, you can click Copy in its Operation column to create and execute it again.) Stopping: The task is being stopped and the packet capture result is being uploaded. Expired: The packet capture result has been uploaded and the task has been manually stopped. |
    | Protocol Type | Protocol type specified for packet capture. |
    | IP Address | IP addresses specified for packet capture, including the source and destination addresses. |
    | Port | Ports specified for packet capture, including the source and destination ports. |
    | Max. Packets Captured | Maximum number of captured packets in the current task. |
    | Packet Capture Time | Start time and end time of a packet capture task. |
    | Capture Duration (min) | Duration of packet capture. |
    | Remaining Retention Period (Days) | Number of days for storing a packet capture task. The default value is 7. |
    | Capture Size | Size of captured packets. |

Downloading Packet Capture Results

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation tree on the left, choose System Management > Packet Capture.
  6. In the row of a task, click Download in the Operation column to view the packet capture result.
  7. Share or download the packet capture result. Set the download range of the packet capture results as required.

    The sharing link is valid for 30 minutes after it is generated. Use it within that time, or generate a new one after it expires.

    • Unlimited: Any person can download the packet capture file through the link.
      • Share the packet capture result: Click Copy all in the lower right corner and share the information with others.
      • Download the packet capture result: Click Open URL in the lower right corner to go to the browser, click Copy next to Access Code, paste the code to Extraction Code, and click Obtain Shared File List.
    • Specified EIP: Set the CIDR blocks where users are allowed to download the packet capture results through the generated link.
      After setting the CIDR blocks, click Generate Link. All packet capture result files are displayed in the list below.
      • Share one or more packet capture results: Click Copy link in the URL column and share the information with others.

        The recipient can paste the link into a browser to download the packet capture result files.

      • Download the packet capture result:
        • Download a single result: Click Download in the URL column of the list.
        • Download all results: Click Download All in the lower right corner.
    Figure 1 Downloading the packet capture result
    • A maximum of three CIDR blocks can be added at a time.
    • When you open the Download Result page again, you can modify the CIDR blocks and generate new links.
    • If your CIDR block is not included in the configured CIDR blocks, you can receive the shared link but cannot download the packet capture result.

  8. Check whether the data in the captured packet files is consistent with service data. Identify and evaluate the risks in network communication.

Related Operations