So far we have seen how to create a simple capture using either the WebUI or the command line. This part is a tour of the "advanced" capture options.
First, let's start our lab with the usual
When creating a capture we can decide to capture all the traffic or only part of it, using BPF filtering with the pcap filter syntax (the same filter expressions tcpdump accepts).
Filtering ICMPv4 packets with the WebUI:
Or with the command line:
Skydive supports several ways to capture packets. By default the most suitable type is chosen automatically by Skydive: for example, a capture started on an Open vSwitch bridge uses the sFlow type.
Here is the list of the currently supported capture types:
- AFPACKET: mmap'd AF_PACKET socket (the default).
- PCAP: based on the libpcap packet capture library.
- PCAP Socket: opens a TCP port that accepts data in the PCAP file format. Useful to inject already captured traffic into Skydive.
- sFlow: implements an sFlow agent. It opens a UDP port and reads sFlow frames from it. Useful to send sFlow traffic from external sources to Skydive.
- eBPF: lightweight in-kernel capture.
- OvsMirror: leverages Open vSwitch port mirroring.
The capture type has to be specified when the capture is created.
Keep original packets
While Skydive analyzes packets to build flows and keeps those flows in its flow tables, it can also keep the original packets attached to the flows. These can then be downloaded as a PCAP file. That way Skydive acts as a distributed
The following video shows how to start such a capture and how to retrieve the PCAP file.
Clicking the download icon gives us the file, which opened in Wireshark looks like this:
We can of course use the command line to create the capture, here limiting it to 5 raw packets per flow.
To get the PCAP file we just need to use RawPackets in a query, specifying the
This searches flows with the ICMPv4 protocol over the last 1000 seconds and saves their RawPackets in the icmp.pcap file.
It gives us 4 packets, 2 per capture from 2 different hosts.
RawPackets captures combined with the query language make Skydive a really powerful distributed troubleshooting tool.
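As an added example (not Skydive's own code, and not the capture or query commands used above), the following standalone Python script works with the file format that ties the PCAP Socket capture type and the RawPackets download together: it builds ICMPv4 echo requests from two hosts plus one UDP frame, writes them as a pcap file of the kind the PCAP Socket TCP port accepts, then re-reads the file applying the equivalent of the `icmp` BPF filter and a per-flow raw packet limit (the 4 packets, 2 per flow from 2 hosts, of the example above), and refuses a truncated file the way a partial download should be refused. All IP and MAC addresses, the 0x1234 echo identifier, the payload and the output path are made up for the example; how the file is actually streamed to the PCAP Socket port is not shown and depends on the port configured for the capture.

```python
# Added example (not Skydive code): a minimal pcap writer/reader in pure Python,
# the file format the PCAP Socket capture reads and a RawPackets download returns.
import os, struct, tempfile

PCAP_MAGIC = 0xA1B2C3D4          # microsecond pcap, as libpcap writes it
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_UDP = 1, 17
DST_MAC, SRC_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")  # constructed
DEFAULT_PATH = os.path.join(tempfile.gettempdir(), "icmp.pcap")  # assumed output path


def ones_complement_sum(data):
    """RFC 1071 checksum over 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(ident, seq, data=b"skydive"):
    """ICMPv4 echo request (type 8, code 0) with its checksum filled in."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", ones_complement_sum(msg)) + msg[4:]


def ipv4_frame(src_ip, dst_ip, proto, payload):
    """Ethernet/IPv4 frame carrying `payload`, IPv4 header checksum filled in."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def write_pcap(path, frames, first_ts=1500000000):
    # pcap 2.4 global header, little-endian, then one record per frame, 1 s apart
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (ts_sec, frame) records; raise ValueError on anything malformed."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        if len(hdr) != 24:
            raise ValueError("short pcap global header")
        magic = struct.unpack("<I", hdr[:4])[0]
        endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
        if endian is None:
            raise ValueError("not a pcap file: magic %#x" % magic)
        linktype = struct.unpack(endian + "I", hdr[20:24])[0]
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("unsupported link type %d" % linktype)
        while True:
            rec = f.read(16)
            if not rec:
                return
            if len(rec) != 16:
                raise ValueError("truncated record header")
            ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", rec)
            frame = f.read(incl_len)
            if len(frame) != incl_len:
                raise ValueError("truncated packet data")
            yield ts_sec, frame


def validate_pcap(path):
    try:
        for _ in read_pcap(path):
            pass
        return True
    except ValueError:
        return False


def is_icmpv4(frame):
    # same test as the BPF expression `icmp`: IPv4 EtherType and IP protocol 1
    return (len(frame) >= 34 and frame[12:14] == b"\x08\x00"
            and frame[14] >> 4 == 4 and frame[23] == IPPROTO_ICMP)


def raw_packets_per_flow(path, raw_limit=5):
    """Group ICMPv4 frames per (src, dst) pair, keeping at most raw_limit per flow."""
    flows = {}
    for _, frame in read_pcap(path):
        if is_icmpv4(frame):
            key = tuple(sorted((frame[26:30], frame[30:34])))  # both directions
            kept = flows.setdefault(key, [])
            if len(kept) < raw_limit:
                kept.append(frame)
    return flows


def demo(path=DEFAULT_PATH, raw_limit=5):
    """Two hosts pinging a gateway plus one UDP frame; returns (kept, flows, truncated copy parses)."""
    frames = [ipv4_frame(h, "10.0.0.254", IPPROTO_ICMP, icmp_echo(0x1234, seq))
              for h in ("10.0.0.1", "10.0.0.2") for seq in range(2)]
    frames.append(ipv4_frame("10.0.0.1", "10.0.0.254", IPPROTO_UDP, b"\x00" * 8))
    write_pcap(path, frames)
    flows = raw_packets_per_flow(path, raw_limit)
    with open(path, "rb") as src, open(path + ".truncated", "wb") as dst:
        dst.write(src.read()[:-1])        # simulate a partial download
    return (sum(len(v) for v in flows.values()), len(flows),
            validate_pcap(path + ".truncated"))
```

`demo()` returns `(4, 2, False)`: four ICMPv4 packets kept, two per flow from two hosts, the UDP frame dropped by the filter, and the truncated copy rejected by the reader rather than silently yielding a short last packet. The flow key sorts the two addresses so both directions of a ping land in the same entry, which is also how one would expect a per-flow raw packet limit to behave.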