An anomaly-based packet capture task captures anomaly packets of various types for analyzing anomalies. The packet capture counting of the task is based on the anomaly type. After a packet capture operation is complete, the packet capture task is in Enable state. Packets are captured upon the next anomaly.
Prerequisites
Service configurations are complete.
The packet capture length was configured. For details, see Configuring Packet Capture Length.
Policies are successfully deployed on the Zone.
Procedure
- Choose .
- On the Capture attack packets page,
click
. - On the Create Packet Capture Task page,
select Zone Anomaly Matched from the Type drop-down list.
- Set other basic parameters. For details, see Table 1.
Table 1 Creating a packet capture task Parameter Description Reference Value Task name Indicates the packet capture task name. The name cannot be null and can contain letters, digits and special characters "!", "@", "#", "$", "*", "^", "+", "-", "=", "|", "}", "{", "]", "[", ";", "?", "/", ".". Sampling ratio Indicates the ratio of the number of packets complying with packet capture conditions to that of captured packets. The default value is 1024:1. In this value, the device captures one packet from 1024 packets that match packet capture conditions. Captured packets If the packet capture type is Global Defense Matched or ACL Matched, the value is the sum of packets captured by the device.
When the number of captured packets hits Captured Packet and a packet capture operation is complete, the packet capture task becomes in Disable state.
If packets are captured on the basis of Zone Attack Matched and Zone Anomaly Matched, the number of captured packets is the number of packets (of the same attack or anomaly) captured by each CPU.
For example, a device has four CPUs, Captured Packet is set to 1000. If an attack with ACK and UDP flood attack packets is launched, the packet capture result is as follows:- 4 x 1000 ACK flood attack packets are captured and four packet capture files are generated.
- 4 x 1000 UDP flood attack packets are captured and four packet capture files are generated.
After the packet capture operation is complete, the packet capture task is in Enable state. Capture packets upon the next attack.
The default value is 1000. After automatic fingerprint extraction is enabled and packets are captured, the ATIC management center automatically extracts fingerprints, creates a fingerprint filter, and delivers the fingerprints to all cleaning devices bound to the Zone. The conditions for extracting fingerprints are as follows:
- Click Next.
- Click
. Select
a Zone from the Zone list and click OK to add
the Zone. - Click Next.
- Click , click Detection/Cleaning Device to add network elements, and click OK.
- On the Create Packet Capture Task page,
click OK.
The Packet Capture Task page is displayed, with the packet capture task in the list.
- Select the check box of a packet capture task and click
to enable the task.
NOTE: Only one anomaly-based packet capture task can be enabled for each Zone within a period of time.