The OnDemand PCAP Bundle is an excellent example of how to use ExtraHop's Precision Packet Capture capability.
Here is my take. It's not as sophisticated as the bundle mentioned above.
- ExtraHop firmware 3.8.16174 or newer.
  Note: If you are not running at least 3.10.18564, you should be. Contact ExtraHop Support (firstname.lastname@example.org) for assistance.
- Precision Packet Capture installed and licensed.
- Download the bundle.
- Upload the bundle into ExtraHop: click Settings >> Bundles >> Upload >> Upload From File.
- Apply the resulting Precision Packet Capture Bundle in the bundle detail page.
- Edit the Precision Packet Capture trigger. Configure the client and server IP addresses.
- Assign the Precision Packet Capture trigger to either the client or server device(s) configured in the step above.
- Wait for an L4 conversation to open between the client and server configured above.
- Once packets have been captured, you can disable the trigger by checking the Disable Trigger box.
- To view the packets captured, navigate to Settings >> Administration. On the Admin interface, scroll down to View Packet Captures.
By default, the trigger included with this bundle will grab up to 2,000 packets in a conversation. You can tune that number up or down depending on how much traffic you want to see.
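As an added illustration of what such a trigger looks like (this is example code, not the bundle's own trigger), here is a minimal Precision Packet Capture trigger written in the style of the ExtraHop Trigger API: it fires on FLOW_CLASSIFY, checks the flow's client and server IPs against the configured pair, and starts a capture limited to 2,000 packets. The IP addresses and port are constructed values, and the API surface used (`Flow.client.ipaddr`, `Flow.server.ipaddr`, `Flow.server.port`, `Flow.captureStart(name, {maxPackets})`) is assumed; on the appliance the trigger body refers to the global `Flow`, whereas here it takes the flow as a parameter so the logic can be exercised against a stub.

```javascript
// Example Precision Packet Capture trigger (added illustration, not the bundle's code).
// Assumed ExtraHop Trigger API: event FLOW_CLASSIFY; Flow.client.ipaddr and
// Flow.server.ipaddr are IPAddress objects whose toString() yields dotted-quad;
// Flow.captureStart(name, options) accepts { maxPackets }. Check your firmware's
// Trigger API reference before relying on these names.

// Edit these to match the conversation you want to capture (constructed values).
const CAPTURE_CLIENT_IP = "10.0.0.25";
const CAPTURE_SERVER_IP = "10.0.0.80";
const MAX_PACKETS = 2000; // tune up or down depending on how much traffic you want

// Pure decision function: true only when both endpoints match the configured pair.
// Keeping it separate lets you test the matching logic off the appliance.
function isWantedConversation(clientIp, serverIp) {
  return clientIp === CAPTURE_CLIENT_IP && serverIp === CAPTURE_SERVER_IP;
}

// Stable capture name so the file is easy to find under View Packet Captures.
function captureName(clientIp, serverIp, serverPort) {
  return "pcap_" + clientIp + "_to_" + serverIp + "_" + serverPort;
}

// Trigger body for FLOW_CLASSIFY. On the appliance this runs as top-level code
// against the global Flow; here it takes the flow object as a parameter.
// Returns the capture name when a capture was started, otherwise null.
function onFlowClassify(flow) {
  const clientIp = flow.client.ipaddr.toString();
  const serverIp = flow.server.ipaddr.toString();
  if (!isWantedConversation(clientIp, serverIp)) {
    return null; // not the conversation we care about; do nothing
  }
  const name = captureName(clientIp, serverIp, flow.server.port);
  flow.captureStart(name, { maxPackets: MAX_PACKETS });
  return name;
}

// Constructed stand-in for the ExtraHop Flow object, used only for offline testing.
// It records captureStart calls so a test can assert on what the trigger did.
function makeStubFlow(clientIp, serverIp, serverPort) {
  const calls = [];
  return {
    client: { ipaddr: { toString: () => clientIp } },
    server: { ipaddr: { toString: () => serverIp }, port: serverPort },
    captureStart: (name, opts) => calls.push({ name, opts }),
    calls,
  };
}
```

To run it on the appliance, drop the stub and `onFlowClassify`'s parameter, reference `Flow` directly, and assign the trigger to the client or server device as described in the steps above.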