Packet capture configuration for monitoring network traffic
captures
Captures are used for detailed logging of protocol messages. The capture allows dumping received and sent messages to an output specified by the capture configuration.
There are three capture output locations:
- log - Structured log output with configurable format
- memory - In-memory buffer accessible through API and management web UI
- file - PcapNG files for analysis with Wireshark
Examples
Example configuration of a captures clause with various capture types:
    captures {
        capture "CAPTURE_TO_LOG" {
            log;
        }
        capture "CAPTURE_TO_MEMORY" {
            memory;
        }
        capture "CAPTURE_TO_LOG_AND_DIRECTORY" {
            log;
            file {
                directory "/var/lib/radiator/captures";
            }
        }
        capture "CAPTURE_TO_LOG_AND_FILE" {
            log {
                loglevel debug;
                format hex;
            }
            file {
                directory "/var/lib/radiator/captures";
                filename "radiator-server.pcap";
            }
        }
        capture "CAPTURE_TO_DIRECTORY" {
            file {
                directory "/var/lib/radiator/captures";
            }
        }
        capture "CAPTURE_TO_FILE" {
            file {
                directory "/var/lib/radiator/captures";
                filename "radiator-server.pcap";
            }
        }
    }
A capture can be enabled by referencing its name, for example within a radius server clause:
    servers {
        radius {
            capture "EXAMPLE_CAPTURE";
            # Rest of the radius configuration
        }
    }
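An added example, not part of the Radiator documentation or tooling: a small Python inventory of a configuration written in the syntax shown above, listing which captures write protocol messages to disk and which capture references have no matching definition. The parser handles only the constructs on this page, and the sample configuration and the function names `inventory` and `review` are constructed for illustration.

```python
import re

# Constructed sample in the syntax shown above; not a real deployment.
SAMPLE = '''
captures {
    capture "CAPTURE_TO_LOG_AND_FILE" {
        log { loglevel debug; format hex; }
        file { directory "/var/lib/radiator/captures"; filename "radiator-server.pcap"; }
    }
    capture "CAPTURE_TO_MEMORY" { memory; }
}
servers {
    radius {
        capture "EXAMPLE_CAPTURE";  # no definition above
    }
}
'''

def inventory(text):
    """Return ({capture name: {output: {option: value}}}, [referenced names])."""
    tokens = [t for t in re.findall(r'#[^\n]*|"[^"]*"|[{};]|[^\s{};"#]+', text) if t[0] != "#"]
    defs, refs, stack, stmt, cur = {}, [], [], [], None
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok.strip('"'))
            continue
        named = len(stmt) == 2 and stmt[0] == "capture"
        if cur is not None and tok != "}" and stmt:
            if len(stack) == 2:                    # output: log / memory / file
                cur.setdefault(stmt[0], {})
            else:                                  # option inside an output block
                cur.setdefault(" ".join(stack[2]), {})[stmt[0]] = " ".join(stmt[1:])
        elif tok == "{" and stack == [["captures"]] and named:
            cur = defs[stmt[1]] = {}               # start of a capture definition
        elif tok == ";" and named:
            refs.append(stmt[1])                   # capture enabled by name
        if tok == "{":
            stack.append(stmt)
        elif tok == "}" and stack:
            stack.pop()
            cur = cur if len(stack) >= 2 else None # left the capture definition
        stmt = []
    return defs, refs

def review(text):
    defs, refs = inventory(text)
    return {"undefined": sorted(set(refs) - set(defs)),
            "unreferenced": sorted(set(defs) - set(refs)),
            "on_disk": {n: o["file"] for n, o in defs.items() if "file" in o}}
```

Calling `review(SAMPLE)` reports `EXAMPLE_CAPTURE` as referenced but undefined and shows one capture writing to `/var/lib/radiator/captures`, which is the directory whose access permissions and retention deserve review.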
Capture scope
When a capture is configured on a server, it captures all messages associated with requests handled by that server, including:
- Incoming requests - Messages received from clients
- Outgoing replies - Messages sent back to clients
- Outgoing proxy requests - Messages sent to backend servers (when proxying)
- Incoming proxy replies - Messages received from backend servers
For example, for a proxied RADIUS authentication request, a single capture configuration will produce 4 packet captures:
| Frame | Direction | Description |
|---|---|---|
| 0 | Incoming | Access-Request from client to server |
| 1 | Outgoing | Access-Request from server to backend |
| 2 | Incoming | Access-Accept/Reject from backend |
| 3 | Outgoing | Access-Accept/Reject from server to client |
The capture context is propagated through the AAA pipeline, so backend proxy operations automatically inherit the capture configuration from the originating server.