Take traffic captures

To analyze network traffic, first capture it. The capture is saved as tcpdump (CAP) files, one for each selected interface, packaged in a .zip file.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Right-click an NGFW Engine, then select Tools > Capture Traffic.
  3. Select one or more interfaces whose traffic you want to capture, then click Select.
  4. (Optional) Click Add to add more interfaces to the traffic capture.
    You can also add interfaces from other types of engines.
    Tip: You can create tcpdump files for several different interfaces in the same Traffic Capture task. The Traffic Capture .zip file contains a separate CAP file for each interface included in the capture.
  5. (Optional) To limit the scope of the traffic capture, click the Limit by field, then enter an IPv4 or IPv6 address.
    Only packets whose source address or destination address matches the address you enter are included in the capture.
  6. Define the other traffic capture options.
  7. Click Start Capture.

Traffic Capture Task Properties dialog box

Use this dialog box to define settings for capturing traffic.

Option Definition
Engine Interfaces and Filters The engine interfaces to capture traffic from, and the filters used to limit the scope.
Search Opens a search field for the selected element list.
Tools
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
Add Opens the Select Engine Interface dialog box.
Remove Removes the selected Engine Interfaces and Filters from the list.
Comment An optional comment for your own reference.
Maximum Duration Specifies the maximum duration of the traffic capture. The duration is applied to all interfaces selected for the capture. The creation of the tcpdump file stops automatically once the maximum duration has been reached.
Maximum File Size Specifies the maximum size of the tcpdump file. The creation of the tcpdump file stops automatically once the maximum file size has been reached.
Description (Optional) Adds a description of the traffic capture. The description is included as a separate file in the traffic capture .zip file.
Capture Headers Only (Optional) When selected, includes only IP headers in the tcpdump files, which keeps the capture small and leaves out packet payloads. Do not select this option if you want to include full packets in the capture.
Include sgInfo (Optional) When selected, includes system configuration files and system trace files in the traffic capture .zip file. Include this information if you send the traffic capture to Forcepoint support. Because the .zip file then contains engine configuration files, handle it as sensitive data.
Destination Path
  • Management Server — Saves the traffic capture .zip file in the <installation directory>/data/TrafficCapture directory on the Management Server.
    Note: If you installed the Management Server in the C:\Program Files\Forcepoint\SMC directory in Windows, some program data might be stored in the C:\ProgramData\Forcepoint\SMC directory.
  • Local Workstation — Click Browse to select the location on your local workstation where you want to save the file.
Start Capture Starts the traffic capture.
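As an added example that is not part of this page or Forcepoint's own code, the following Python reads the per-interface CAP files inside a Traffic Capture .zip, applies the same rule as the Limit by field (the address must be the source or the destination of a packet), and reports how many packets were stored shorter than they were on the wire, which is how a truncated capture such as one taken with Capture Headers Only shows up at the pcap level. It assumes the CAP files are classic pcap files with the Ethernet link type, as tcpdump writes by default; the .zip file, the interface file names and the packets in it are constructed inline for the example.

```python
"""Inspect the per-interface tcpdump (CAP) files in a Traffic Capture .zip.

Added example, not Forcepoint code. Assumes classic pcap files (magic
0xa1b2c3d4) with the Ethernet link type; the sample .zip is constructed.
"""
import io
import ipaddress
import struct
import zipfile

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def iter_pcap_records(data):
    """Yield (incl_len, orig_len, frame) for each record in a pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":      # written on a little-endian host
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":    # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24                                  # end of the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def frame_addresses(frame):
    """Return (src, dst) of an Ethernet frame carrying IPv4 or IPv6, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        return ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= 54:
        return ipaddress.ip_address(frame[22:38]), ipaddress.ip_address(frame[38:54])
    return None


def packets_for_host(pcap_bytes, host):
    """Same rule as the Limit by field: keep packets whose source OR destination is host.

    Returns (src, dst, truncated) per match; truncated is True when the record
    holds fewer bytes than were on the wire, as in a headers-only capture.
    """
    host = ipaddress.ip_address(host)
    kept = []
    for incl_len, orig_len, frame in iter_pcap_records(pcap_bytes):
        addrs = frame_addresses(frame)
        if addrs and host in addrs:
            kept.append((str(addrs[0]), str(addrs[1]), incl_len < orig_len))
    return kept


def read_cap(zip_bytes, name):
    """Return the bytes of one CAP file from the Traffic Capture .zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def summarize_capture_zip(zip_bytes):
    """Packet and truncated-packet counts for every CAP file in the .zip."""
    summary = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".cap"):
                continue                      # description and sgInfo files are not captures
            records = list(iter_pcap_records(zf.read(name)))
            summary[name] = {"packets": len(records),
                             "truncated": sum(1 for i, o, _ in records if i < o)}
    return summary


# --- constructed sample data (stands in for a real Traffic Capture .zip) ---

def _frame(src, dst, payload=b"\x00" * 40):
    """Ethernet + minimal IPv4/IPv6 header from src to dst; payload stands in for L4 data."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         s.packed, d.packed)
        ethertype = ETHERTYPE_IPV4
    else:
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 6, 64, s.packed, d.packed)
        ethertype = ETHERTYPE_IPV6
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + ip + payload


def build_pcap(frames, snaplen=65535):
    """Little-endian classic pcap; frames longer than snaplen are stored truncated."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        stored = frame[:snaplen]
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(stored), len(frame)) + stored)
    return b"".join(out)


def build_sample_capture_zip():
    """One CAP file per interface plus the description file, as the task produces."""
    full = build_pcap([_frame("10.0.0.1", "192.0.2.10"), _frame("192.0.2.10", "10.0.0.1"),
                       _frame("10.0.0.2", "10.0.0.3")])
    headers_only = build_pcap([_frame("2001:db8::1", "2001:db8::2"),
                               _frame("10.0.0.1", "10.0.0.3")], snaplen=54)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Interface_0.cap", full)
        zf.writestr("Interface_1.cap", headers_only)
        zf.writestr("description.txt", "constructed sample, not a real capture")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_capture_zip()
    print(summarize_capture_zip(sample))
    print(packets_for_host(read_cap(sample, "Interface_0.cap"), "10.0.0.1"))
```

On a real capture, `packets_for_host` applied to a CAP file gives the same packet set as the tcpdump filter `host <address>`; the truncated flag distinguishes a headers-only capture (stored length shorter than the original length in every record) from a full-packet one before you spend time looking for payload that was never saved.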