Instructions are provided here for the Simple Packet Query Management V13.1+ dashboard.

Usage instructions

To use the Simple Packet Query Management dashboard, you must instruct it to run one or more jobs.
A job is a predefined query that is either temporary or (if you choose to preserve it) you create and then can rerun whenever required.

  1. Complete the Query Name field.
    Choose an appropriate name (especially useful if you are preserving the query) or retain the default query name and make sure that you choose ‘Apply time range’.
    Take care with the default timezone for the query - you can edit this in the time picker, and it’s important to be precise with these time ranges when retrieving a packet capture.

  2. Choose an appropriate time period for the query using the dashboard time picker.

Packet captures tend to contain much more data than the timeseries statistics that are normally queried on a Grafana dashboard. Exercise caution when choosing long time periods for the packet capture retrieval.

  1. Complete the Preserve field:

    1. true: The job will stay in the Query Job List in the dashboard.

    2. false: The job will be deleted from the Query Job List after a specified time. By default, this is a week.

  2. Choose the appropriate capture probe(s) from which to retrieve packet data.

  3. (Optional) To filter down the packet capture more tightly, enter the appropriate BPF filter.
    For example, filter for a given IP, port, or protocol, with a text-based filter such as tcp and (dst 172.18.10.36 and dst port 5001).
    You’ll define the filter using Berkeley Packet Filter syntax.

    1. Enter the BPF filter in the Filter Inspector section of the dashboard.
      For a raw BPF filter, just expand this section and enter the BPF that you want in the BPF Expression field.

    2. If you enable Compound Filters, you can use the Filter Inspector section to retrieve a filter from an existing stack probe or to exclude traffic based on a stack probe filter. This makes it easy to create complex BPF filters without having to manually type them.

    3. Select Apply Filter to add the filter to your query.

  4. Create a job by choosing Run Query.

    The query will be added to the list in the Query List panel. The query status will be running or ready.

  5. Once the query is ready, select the query name in the Query List panel and select Show details.
    The Query Detail panel will show the PCAP file(s) that the query generated.

  6. Select the PCAP file(s) to download them.

Troubleshooting

If you enter a time window that is too wide, your results will be truncated to a smaller time window.

  • You will see a comment next to the job that reads Truncated input files.

  • You will need to run the query again in smaller retrieval windows (we suggest 10 minute periods).

If your query does not match any data, the query status will still transition to ready but there will be no PCAP Files listed in the Query Detail panel.