Exporting Data › Export Data to a PCAP File

Export Data to a PCAP File

You can export the packet-capture data for the current view to a packet-capture file, in PCAP format. The packet-capture file is built from raw capture files and displays packets for all sessions included in the current analysis.

The PCAP format is widely used for network trace files and other methods of examining and exchanging packet-level data. PCAP is compatible with WinPcap (Windows) and libpcap (UNIX). Applications that use these application programming interfaces easily read and display PCAP.

The administrator and a user with rights for the CA Application Delivery Analysis Investigations role can use the Export to PCAP feature. By default, only the IT Engineer and IT Manager roles allow access to this feature.

Tips:

• PCAP file exports can take a while to complete. The amount of time necessary to open the File Download dialog depends on the amount of data being exported.
• Narrow the time frame of the analysis to improve the performance of the Export to PCAP feature. A narrower time frame reduces the number of raw capture files that are searched for relevant packets. Use the Time Period selector or the chart time control to zoom in on the time frame of interest.
• The ability to export to PCAP is not available when the raw capture files containing the data of interest are deleted. Capture files are not retained as long as the metric data in the metrics database.
• The "Header Only" option for the "Maximum Bytes per Packet" parameter applies to IPv4 (TCP and UDP) headers, including extension headers. If you select "Header Only" when you export non-IP traffic, you receive only the Layer 2 MAC headers. Instead, select a byte value, such as 128, to see more of each frame.
• Session-level performance data is available only for the IPv4-based port mirror data that is received on the Multi-Port Monitor logical ports.
• The PCAP files can be viewed in a protocol analyzer, or packet sniffer, such as the freeware tool Wireshark. Protocol analyzers observe data flows passing across the network and inspect copies of each packet. They display the contents of each field in the packet header in a graphical user interface, where data can be filtered, sorted, and analyzed.
• A protocol analyzer is a valuable tool for troubleshooting or analyzing the data that Multi-Port Monitor captures. Use of a protocol analyzer requires an understanding of Ethernet, IP, and Layer 4 protocol packet structures.

Follow these steps:

1. Display the data that you want to export:
   1. Click a data view in the Analysis pane.
   2. Apply more filters or sort the data table by a selected column.
2. Click Export, To PCAP.

   The Export To PCAP dialog displays the time range of the packet trace to export.

3. Select the port that received the data that you want to export in the Logical Port field. The number of sessions and the traffic volume in bytes are shown for each available port. These statistics are based on the current filters, such as the time frame and the view. They are not an indication of the size of the file you want to export.

   Select only one port for each exported PCAP file.

4. Select the maximum number of bytes to include from each packet in the Maximum Bytes per Packet field. The default option is to include only headers in the PCAP file.
5. Click OK.

   The Save As dialog opens.

6. Select a location in which to save the exported PCAP file.
7. Click Save.

More information:

Set Global Preferences

Time Range Exceeds Raw Packet Retention Time