
Anti-DDoS:Use the packet capture feature

Last Updated:Apr 09, 2024

You can use the packet capture feature of Anti-DDoS Proxy to capture packets and session details, and then use those details to analyze attacks and troubleshoot issues. You can create a manual packet capture task to capture packets immediately. After the packets are captured, a packet capture (PCAP) file is generated. You can analyze the file to configure mitigation policies. This topic describes how to create a packet capture task.

Packet capture scope

The scope of packet capture is the traffic between a client and Anti-DDoS Proxy. The traffic between Anti-DDoS Proxy and the origin server is excluded. If the client is a resource in Alibaba Cloud, the traffic between the client and Anti-DDoS Proxy is excluded.

  • Anti-DDoS Proxy (Chinese Mainland): All instances support the packet capture feature. Anti-DDoS Proxy (Chinese Mainland) captures packets from each scrubbing center in the Chinese mainland.

    Note

    For China Telecom (Shenzhen), Anti-DDoS Proxy (Chinese Mainland) captures packets of traffic that is scrubbed.

  • Anti-DDoS Proxy (Outside Chinese Mainland):

    • Instances of the Insurance and Unlimited mitigation plans: Anti-DDoS Proxy (Outside Chinese Mainland) captures packets from scrubbing centers outside the Chinese mainland.

    • Instances of the Chinese Mainland Acceleration (CMA) mitigation plan: Anti-DDoS Proxy (Outside Chinese Mainland) captures packets only from the China (Hong Kong) region.

    • Instances of the Secure Chinese Mainland Acceleration (Sec-CMA) mitigation plan: The packet capture feature is not supported.

Usage notes

  • Sampling ratio: By default, the sampling ratio is 1:1. A smaller traffic volume results in higher collection accuracy. If the traffic volume is extremely large, packets are sampled, and the sampling ratio increases with the traffic volume.

  • Limit on the packet size: The size of each packet that can be captured in regions in the Chinese mainland cannot exceed 300 MB. In regions outside the Chinese mainland, the size of each packet that can be captured cannot exceed 100 MB. If the limit is reached, the packet capture task stops and a packet capture file is generated.

  • Limit on the number of packet capture tasks: Each Alibaba Cloud account can create up to 50 packet capture tasks per calendar month.

  • Limit on the number of packet capture files: Each Alibaba Cloud account can have up to 20 packet capture files. If the limit is exceeded, you must delete existing packet capture files.

  • File retention period: Packet capture files can be retained for up to 30 days. The files are automatically deleted after 30 days.

  • Scenario in which Anti-DDoS Proxy instances expire: If an Anti-DDoS Proxy instance expires, the packet capture task is marked as Invalid. Released instances do not support packet capture.

  • Cross-border packet capture scenario: If a client that resides outside the Chinese mainland accesses Anti-DDoS Proxy (Chinese Mainland) or a client that resides in the Chinese mainland accesses Anti-DDoS Proxy (Outside Chinese Mainland), packet capture may fail.

Create a packet capture task

  1. Enable the packet capture feature.

    The first time you access the Analysis on Captured Packets page, click Authorize to authorize Anti-DDoS Proxy to store packet capture files in the shared resource pool of Object Storage Service (OSS).

  2. Create a packet capture task.

    1. On the Packet Capture Task tab, click Create Packet Capture Task.

      Note

      You can run only one manual packet capture task at a time.

      Parameters of a packet capture task (Parameter: Description):

      • Task Type: Manual Packet Capture. After a packet capture task is created, Anti-DDoS Proxy starts capturing packets.

      • Protocol Type: Valid values: TCP, UDP, ICMP, and ALL. Default value: ALL.

      • Destination IP Address: The IP address of the Anti-DDoS Proxy instance. Instances of the Sec-CMA mitigation plan do not support the packet capture feature, so you cannot select the IP address of an instance of the Sec-CMA mitigation plan.

      • Destination Port: Valid values: 0 to 65535. The value 0 specifies all ports.

      • Source IP Address: IP addresses and subnet masks are supported. An asterisk (*) indicates all source IP addresses.

      • Source Port: Valid values: 0 to 65535. The value 0 specifies all ports.

      • Packet Capture Duration: Valid values: 5 to 60. Unit: seconds.

      • Packet Capture Direction:

        • Bidirectional: all requests between a client and Anti-DDoS Proxy.

        • Outbound: requests that Anti-DDoS Proxy sends to a client.

        • Inbound: requests that a client sends to Anti-DDoS Proxy.

  3. In the packet capture task list, find the packet capture task that you want to manage and click Packet Capture File in the Actions column to download or delete the file.

    Note

    Each task that is created for an Anti-DDoS Proxy (Chinese Mainland) instance generates one packet capture file. When a packet capture task that is created for an Anti-DDoS Proxy (Outside Chinese Mainland) instance is issued, Anti-DDoS Proxy (Outside Chinese Mainland) stores data on each scrubbing center, so each such task generates nine packet capture files. You can identify the region of each file by its file name. If no data exists in a region during packet capture, no packet capture file is available for download for that region. When you download a packet capture file, the data is retrieved from the scrubbing centers. This may incur cross-border data transmission latency, so the download may take longer.

    Mapping between file names and regions (Region: Field in a file name):

    • China (Hong Kong): cn-hongkong

    • Singapore: ap-southeast-1

    • Japan (Tokyo): ap-northeast-1

    • US (Silicon Valley): us-east-1

    • US (Virginia): us-west-1

    • Germany (Frankfurt): eu-central-1

    • UK (London): eu-west-1

    • Indonesia (Jakarta): ap-southeast-5

    • Malaysia (Kuala Lumpur): ap-southeast-3

  4. Optional. Click Issue Again to create another packet capture task.
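After a packet capture file is downloaded, a first step toward a mitigation policy is to profile it: which direction the traffic flows relative to the instance IP, which protocols dominate, and which source IPs and destination ports stand out. The following added example is not part of the Anti-DDoS Proxy documentation or product; it parses a classic libpcap file with only the Python standard library and summarizes it along the same axes the task uses (Protocol Type, Destination IP Address, Packet Capture Direction). The proxy IP 192.0.2.10 and the sample capture it builds are constructed for illustration.

```python
import struct
from collections import Counter

PROXY_IP = "192.0.2.10"  # constructed: the instance IP given as Destination IP Address
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # the task's Protocol Type values

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) per IPv4 packet in a classic libpcap file (either byte order, Ethernet link type 1)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet frames")
    off = 24  # first record header follows the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        l4 = frame[14 + ihl:]
        ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
        yield (src, dst, proto) + ports

def summarize(data, proxy_ip=PROXY_IP):
    """Split packets into inbound/outbound relative to the proxy IP (the task's Packet Capture Direction) and rank inbound sources and destination ports."""
    s = {"inbound": 0, "outbound": 0, "proto": Counter(), "top_sources": Counter(), "top_dst_ports": Counter()}
    for src, dst, proto, _sport, dport in parse_pcap(data):
        s["proto"][PROTO_NAMES.get(proto, str(proto))] += 1
        if dst == proxy_ip:
            s["inbound"] += 1
            s["top_sources"][src] += 1
            s["top_dst_ports"][dport] += 1
        elif src == proxy_ip:
            s["outbound"] += 1
    return s

def _frame(src, dst, proto, sport, dport):
    """Minimal Ethernet/IPv4/L4 frame; constructed sample data, not a real capture."""
    ip = lambda a: bytes(map(int, a.split(".")))
    l4 = struct.pack("!HH", sport, dport) if proto in (6, 17) else b"\x08\x00\x00\x00"
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + iph + l4

def build_sample_pcap():
    """Constructed capture: five TCP packets to port 443, one UDP probe, one reply from the proxy."""
    pkts = [_frame("198.51.100.%d" % i, PROXY_IP, 6, 40000 + i, 443) for i in range(5)]
    pkts += [_frame("203.0.113.9", PROXY_IP, 17, 5353, 53), _frame(PROXY_IP, "198.51.100.1", 6, 443, 40001)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```

Run `summarize(open("capture.pcap", "rb").read(), proxy_ip="<instance IP>")` on a downloaded file; the `most_common()` entries of `top_sources` and `top_dst_ports` point at the source ranges and ports a mitigation policy should address.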

References

  • View the operation logs of a packet capture task. For more information, see Query operation logs.

  • Analyze a packet capture file and configure mitigation policies to improve the protection effect. For more information, see Protection settings.