Configure packet capture for the Discover appliance

Packet capture enables you to collect, store, and retrieve data packets from your network traffic. You can download a packet capture file for analysis in a third-party tool, such as Wireshark. Packets can be inspected to diagnose and resolve network problems and to verify that security policies are being followed.

By adding a packet capture disk to the Discover appliance, you can store the raw payload data sent to your Discover appliance. This disk can be added to your virtual appliance or an SSD that is installed in your physical appliance.

These instructions only apply to the Discover appliance and Reveal(x) systems. To store packet captures to a dedicated appliance, see the deployment guides for the ExtraHop Trace appliance and the Packets concepts.

Enable packet capture

Your Discover appliance must be licensed for packet capture and be configured with a dedicated SSD storage disk for a physical appliance or a disk configured on your hypervisor for a virtual appliance.

Before you begin

  • Verify that your Discover appliance is licensed for Packet Capture by logging into the Admin UI and clicking License. Packet Capture is listed under Features and should display Enabled.
  1. Log into the Admin UI on your Discover appliance.
  2. In the Appliance Settings section, click Disks.
  3. Depending on your appliance type and menu options, configure the following settings.
    • For physical appliances click Enable next to SSD Assisted Packet Capture, and then click OK.
    • For virtual appliances, verify that running appears in the Status column and that the disk size you configured for packet capture appears in the Size column. Click Enable next to Triggered Packet Capture, and then click OK.

Next steps

Your packet capture disk is now enabled and ready to store packets. Click Configure if you want to encrypt the disk, or configure global or precision packet captures.

Encrypt the packet capture disk

Packet capture disks can be secured with 256-bit AES encryption.

Here are some important considerations before you encrypt the packet capture disk:
  • You cannot decrypt a packet capture disk after it is encrypted. You can clear the encryption, but the disk is formatted, and all data is deleted.
  • You can lock an encrypted disk to prevent any read or write access to stored packet capture files. If the Discover appliance is restarted, encrypted disks are automatically locked and remain locked until they are unlocked with the passphrase. Unencrypted disks cannot be locked.
  • You can reformat an encrypted disk, but all data is permanently deleted. You can reformat a locked disk without unlocking the disk first.
  • You can perform a secure delete (or system wipe) of all system data. For instructions, see the ExtraHop Rescue Media Guide.
  1. In the Appliance Settings section, click Disks.
  2. On the Disks page, select one of the following options based on your appliance type.
    • For virtual appliances, click Configure next to Triggered Packet Capture.
    • For physical devices, click Configure next to SSD Assisted Packet Capture.
  3. Click Encrypt Disk.
  4. Specify a disk encryption key from one of the following options:
    • Type a passphrase into the Passphrase and Confirm fields.
    • Click Choose File and select an encryption key file.
  5. Click Encrypt.

Next steps

You can change the disk encryption key by returning to the Disks page and clicking Configure and then Change Disk Encryption Key.

Format the packet capture disk

You can format an encrypted packet capture disk to permanently remove all packet captures. Formatting an encrypted disk removes the encryption. If you want to format an unencrypted packet capture disk, you must remove the disk, and then enable the disk again.

Warning:This action cannot be reversed.
  1. In the Appliance Settings section, click Disks.
  2. On the Disks page, choose one of the following options based on your appliance platform.
    • For virtual appliances, click Configure next to Triggered Packet Capture.
    • For physical devices, click Configure next to SSD Assisted Packet Capture.
  3. Click Clear Disk Encryption.
  4. Click Format.

Remove the packet capture disk

If you want to replace a packet capture disk, you must first remove the disk from the system. When a packet capture disk is removed from the system, all of the data on the disk is permanently deleted.

Removing the disk requires selecting a format option. On physical appliances, you can safely remove the disk from the appliance after this procedure is complete.
  1. In the Appliance Settings section, click Disks.
  2. On the Disks page, choose one of the following options based on your appliance platform.
    • For virtual appliances, click Configure next to Triggered Packet Capture.
    • For physical devices, click Configure next to SSD Assisted Packet Capture.
  3. Click Remove Disk.
  4. Select one of the following format options:
    • Quick Format
    • Secure Erase
  5. Click Remove.

Configure a global packet capture

A global packet capture collects every packet that is sent to the ExtraHop appliance for the duration that matches the criteria.

  1. Log into the Admin UI on your Discover appliance.
  2. In the Packet Captures section, click Global Packet Capture.
  3. In the Start Global Packet Capture section, complete the following fields. You only need to specify the criteria you want for the packet capture:

    Name: A name to identify the packet capture.

    Max Packets: The maximum number of packets to capture.

    Max Bytes: The maximum number of bytes to captures.

    Max Duration (milliseconds): The maximum duration of the packet capture in milliseconds. We recommend the default value of 1000 (1 second), or configure up to 60000 milliseconds (1 minute).

    Snaplen: The maximum number of bytes copied per frame. The default value is 96 bytes, but you can set this value to a number between 1 and 65535.

  4. Click Start.
  5. Click Stop to stop the packet capture before any of the maximum limits are reached.
Download your packet capture.
  • For Discover appliances, log into the Admin UI, and click View and Download Packet Captures.
  • For Reveal(x) systems, log into the Web UI, and click Packets from the top menu.

Configure a precision packet capture

Precision packet captures require ExtraHop Triggers, which enable you to capture only the packets that meet your specifications. Triggers are highly customizable user-defined code that run upon defined system events.

Before you begin

Packet capture must be licensed and enabled on your Discover appliance or Reveal(x) system.
It is recommended that you have familiarity with writing triggers before configuring a precision packet capture. Here are some resources to help you learn about ExtraHop Triggers:

In the following example, the trigger captures an HTTP flow with the name HTTP host <hostname> and stops the capture after a maximum of 10 packets are collected.

  1. Click the System Settings icon and then click Triggers.
  2. Click Create.
  3. Type a name for the trigger and select the HTTP_REQUEST and HTTP_RESPONSE events.
  4. Type or paste the following trigger code in the right pane.
    Flow.captureStart("HTTP host " + HTTP.host, {maxPackets: 10});
    
  5. Assign the trigger to a device or group of devices.
    Warning:Running triggers on unnecessary devices and networks exhausts system resources. Minimize performance impact by assigning a trigger only to the specific sources that you need to collect data from.
  6. Select Enable trigger.
  7. Click Save.

Next steps

Download the packet capture file.
  • For Discover appliances, log into the Admin UI, and click View and Download Packet Captures.
  • For Reveal(x) systems, log into the Web UI, and click Records from the top menu. Select Packet Capture from the Record Type drop-down list. After the records associated with your packet capture appear, click the Packets icon , and then click Download PCAP.

View and download packet captures

If you have packet captures stored on a virtual disk or on an SSD disk in your Discover appliance, you can manage those files from the View Packet Captures page in the Admin UI. For Reveal(x) systems and on Trace appliances, view the Packets page in the Web UI.

  • Click Configure packet capture settings to automatically delete stored packet captures after the specified duration (in minutes).
  • View statistics about your packet capture disk.
  • Specify criteria to filter packet captures and limit the number of files displayed in the Packet Capture List.
  • Select a file from the Packet Capture list and then download or delete the file.
Published 2020-02-24 10:52