Creating an ACL Matched Packet Capture Task

An ACL-based packet capture task captures packets that pass through the AntiDDoS and match an ACL. Generally, ACL-based packet capture is used to capture traffic when no attack is under way; the features of this normal traffic are then extracted and used as a baseline for comparison. Alternatively, when packet loss or access failure occurs because of a defense failure (for example, an attack is not detected), you are advised to use ACL-based packet capture to determine the type of the attack packets and analyze the defense failure. After a packet capture operation is complete, the ACL packet capture task enters the Disable state. Enable the task again before the next packet capture operation.

Prerequisites

  • Service configurations are complete.

  • The packet capture length has been configured. For details, see Configuring Packet Capture Length.

  • Ensure that ACL 3999 on the AntiDDoS is not used.

Procedure

  1. Choose Defense > Policy Settings > Packet Capture.
  2. On the Packet Capture Task page, click .
  3. On the Create Packet Capture Task page, select ACL Matched from the Type drop-down list.

  4. Set other basic parameters. For details, see Table 1.

    Table 1 Creating a packet capture task (columns: Parameter, Description, Reference Value)

    Task Name
      Indicates the packet capture task name. The name cannot be empty. The following characters cannot be included: apostrophe ('), vertical bar (|), backslash (\), comma (,), less than (<), greater than (>), ampersand (&), semicolon (;), double quotation mark ("), and percent (%).

    Sampling Ratio
      Indicates the ratio of the number of packets that match the packet capture conditions to the number of packets actually captured. The default value is 1024:1, meaning that the device captures one packet out of every 1024 packets that match the packet capture conditions.

    Captured Packet
      • If Type is Global Defense Matched or ACL Matched, the value is the total number of packets captured by the device.
        When the number of captured packets reaches Captured Packet, the packet capture operation is complete and the packet capture task enters the Disable state.
      • If Type is Zone Attack Matched or Zone Anomaly Matched, the value is the number of packets (of the same attack or anomaly) captured by each CPU.
        For example, a device has four CPUs and Captured Packet is set to 1000. If an attack consisting of ACK flood and UDP flood packets is launched, the packet capture result is as follows:
        • 4 x 1000 ACK flood attack packets are captured and four packet capture files are generated.
        • 4 x 1000 UDP flood attack packets are captured and four packet capture files are generated.
        After the packet capture operation is complete, the packet capture task remains in the Enable state and captures packets again upon the next attack.
      The default value is 1000.

    Automatically extract fingerprint
      • Disable
      • Enable automatic filtering
      This parameter is available only when Type is set to Zone Anomaly Matched.

  5. Add an ACL rule.
    1. In the ACL Rule group box, click .

    2. Set parameters. For details, see Table 2.

      Table 2 Adding an ACL rule (columns: Parameter, Description)

      Protocol
        Indicates the protocol type of the packets.

      Source IP
        Indicates the source IP address of the packets.

      Source IP address mask
        Indicates the source IP address mask.
        The mask is written in dotted decimal notation, but in practice the comparison is done in binary. Each 1 bit in the mask marks a bit of the IP address that is kept and compared; each 0 bit marks a bit that is ignored. For example, if the source IP address is to be matched with the value 192.168.1.100 and the mask 255.255.255.0, packets whose source IP addresses start with 192.168.1 match the rule.

      Source Port
        This item is required when TCP or UDP is selected for Protocol Type.

      Destination IP
        Indicates the destination IP address of the packets.

      Destination IP address mask
        Indicates the destination IP address mask.

      Destination Port
        This item is required when TCP or UDP is selected for Protocol Type.

    3. Click OK.

      The Create Packet Capture Task page is displayed.

  6. Click Next.
  7. Click , click Detection/Cleaning Device to add network elements, and click OK.
  8. On the Create Packet Capture Task page, click Finish.

    The Packet Capture page is displayed. The packet capture task is displayed in the list.

  9. Select the check box of a packet capture task and click to enable the task.

    NOTE:
    Only one ACL-based packet capture task can be enabled on an AntiDDoS within a period of time.
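The mask comparison described in Table 2, together with the Sampling Ratio and Captured Packet behaviour of Table 1 for an ACL Matched task, modelled as an added example. This is not Huawei code: the class and field names, the sample packets, and the choice that every Nth matching packet is the one kept are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AclRule:
    """One ACL rule with the fields of Table 2 (hypothetical names)."""
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    src_ip: str
    src_mask: str                    # dotted decimal; 1 bits compared, 0 bits ignored
    dst_ip: str
    dst_mask: str
    src_port: Optional[int] = None   # only meaningful for tcp/udp
    dst_port: Optional[int] = None


def ip_matches(addr: str, ref: str, mask: str) -> bool:
    """Binary comparison of addr against ref on the bits where mask is 1."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, ref, mask))
    return (a & m) == (r & m)


def rule_matches(rule: AclRule, pkt: dict) -> bool:
    """pkt is a constructed dict: proto, src, dst and (for tcp/udp) sport, dport."""
    if rule.protocol not in ("any", pkt["proto"]):
        return False
    if not ip_matches(pkt["src"], rule.src_ip, rule.src_mask):
        return False
    if not ip_matches(pkt["dst"], rule.dst_ip, rule.dst_mask):
        return False
    if pkt["proto"] in ("tcp", "udp"):       # ports are only checked for TCP/UDP
        if rule.src_port is not None and pkt.get("sport") != rule.src_port:
            return False
        if rule.dst_port is not None and pkt.get("dport") != rule.dst_port:
            return False
    return True


@dataclass
class AclCaptureTask:
    """ACL Matched task: Sampling Ratio, Captured Packet and Enable/Disable state."""
    rule: AclRule
    sampling_ratio: int = 1024       # default 1024:1 (one of every 1024 matches)
    captured_packet: int = 1000      # default 1000 packets in total
    enabled: bool = True
    matched: int = 0
    captured: list = field(default_factory=list)

    def offer(self, pkt: dict) -> bool:
        """Return True if pkt was written to the capture (assumed: keep every Nth match)."""
        if not self.enabled or not rule_matches(self.rule, pkt):
            return False
        self.matched += 1
        if self.matched % self.sampling_ratio:
            return False
        self.captured.append(pkt)
        if len(self.captured) >= self.captured_packet:
            self.enabled = False         # total reached: task enters Disable state
        return True
```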

Follow-up Procedure

You can disable, view, or delete a packet capture task by referring to Managing Packet Capture Task.

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.