Figure: PCAP Mirroring Service illustrates a PCAP mirroring service. Configuration is done on the source node, including specifying a mirror source, mirror destination, and packet capture start and stop.
The PCAP feature supports only mirror destinations that have remote file URLs. As shown in Figure: PCAP Mirroring Service, the remote URL includes the absolute path and filename for the remote FTP server.
A PCAP instance is required for packet capture and is created by issuing the pcap session-name create command. Creating a PCAP instance allocates a buffer and other background processes necessary to capture packets. The buffer does not accept packets until a file location for the mirror destination is specified and a mirror source is specified. The PCAP session name (session-name) has a one-to-one relationship with the PCAP file (file-url), meaning each session name is associated with one PCAP file.
The PCAP file is created when the filename is specified in the mirror destination configuration.
The debug pcap capture start command starts the capture, which stops automatically after a configured number of packets or the maximum number of packets (250) have been captured. Alternatively, before automatic capture is complete, the capture stop command can manually stop the capture.
In addition to starting the capture, the start command starts an FTP session. Packets start being written to the FTP server 500 ms after the start command is issued.
When the stop command is issued, all packets remaining in the buffer are written to the FTP server before the connection closes.
After buffering has stopped, restarting the PCAP session will overwrite the existing PCAP file unless this is restricted by the FTP server's operating system.
When the buffer starts receiving packets, a periodic process to write packets to the file destination begins. The period is approximately 500 ms. Therefore, the operator must expect a similar delay before packets are written to the PCAP file. Packets continue to be written to the remote server until 250 packets have been captured, the operator manually stops the debug process, or the configured number of packets have been captured.
Packets are buffered in PCAP format and are ready to be written to the file without changes.
Deleting a mirror destination is allowed at any time, which immediately purges the buffer.
Deleting a mirror source is also allowed at any time; this causes the packets remaining in the buffer to be written to the mirror destination.