A Zone attack packet capture task captures the packets that are discarded when the Zone is attacked, so that attack events can be analyzed. The task counts captured packets by attack type. After a packet capture operation is complete, the packet capture task is in the Enable state, and packets are captured again upon the next attack.
Prerequisites
Service configurations are complete.
The packet capture length was configured. For details, see Configuring Packet Capture Length.
Policies are successfully deployed on the Zone.
Context
Only the cleaning device discards packets when a Zone is under attack. Therefore, when you create a Zone attack packet capture task, Device can only be set to the cleaning device.
Procedure
- Choose .
- On the Capture attack packets page, click .
- On the Create Packet Capture Task page, select Zone Attack Matched from the Type drop-down list.

- Set other basic parameters. For details, see Table 1.
Table 1 Creating a packet capture task

| Parameter | Description | Reference Value |
|---|---|---|
| Task name | Indicates the packet capture task name. | The name cannot be null and can contain letters, digits, and the special characters "!", "@", "#", "$", "*", "^", "+", "-", "=", "\|", "}", "{", "]", "[", ";", "?", "/", ".". |
| Sampling ratio | Indicates the ratio of the number of packets that meet the packet capture conditions to the number of captured packets. | The default value is 1024:1. With this value, the device captures one packet out of every 1024 packets that match the packet capture conditions. |
| Captured packets | If the packet capture type is Global Defense Matched or ACL Matched, the value is the total number of packets captured by the device. When the number of captured packets reaches Captured Packet and the packet capture operation is complete, the packet capture task enters the Disable state. If the packet capture type is Zone Attack Matched or Zone Anomaly Matched, the value is the number of packets (of the same attack or anomaly) captured by each CPU. For example, a device has four CPUs and Captured Packet is set to 1000. If an attack with ACK flood and UDP flood attack packets is launched, the packet capture result is as follows: 4 x 1000 ACK flood attack packets are captured and four packet capture files are generated; 4 x 1000 UDP flood attack packets are captured and four packet capture files are generated. After the packet capture operation is complete, the packet capture task is in the Enable state, and packets are captured upon the next attack. | The default value is 1000. |
- Click Next.
- Click . Select a Zone from the Zone list and click OK to add the Zone.
- Click Next.
- Click , click Detection/Cleaning Device to add network elements, and click OK.
- On the Create Packet Capture Task page, click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
- Select the check box of a packet capture task and click to enable the task.
NOTE: Only one attack event-based packet capture task can be enabled for each Zone within a period of time.
Copyright © Huawei Technologies Co., Ltd.