Trace extraction settings
The options for trace extraction jobs include date and time ranges, the probe instance selection, filtering, file type, and more.
 
Instance
Sets which probe instance is used for this extraction job. The resulting packet capture will contain data from this probe instance only.
If you are using OMS, only the probe instances you can access are listed.
File Name
The resulting packet capture will have this file name.
Example: myTraceFile_1
Valid Input: Any character can be used except: \ " / : * ? < > |. The length can be 1-128 characters.
File Type
Sets the file type of the resulting packet capture.
 
PCAPNG: Packet Capture Next Generation
PCAP: Packet Capture
BFR: Observer Packet Buffer
 
Expert Information Packets are not retained in ‘PCAP’.
Save To
Sets how this packet capture can be retrieved after the extraction job is complete.
 
Downloadable File: Capture is downloadable from the job viewer using a web browser.
Local GigaStor File Path: Capture is saved to a specified local directory on the GigaStor.
 
If ‘Downloadable File’ is selected, the download is available for 24 hours or until the completed job is deleted.
File Path
The resulting packet capture is saved to this disk directory—local to the target GigaStor. If the directory does not already exist, it will be created.
The Windows user account running Observer needs write permissions to this directory. Writing to the OS drive is recommended.
Example: C:\MyTraces\GigaStor1 -or- C:/Program Files/Observer/traces
Time Range
The extraction job extracts packets only within this date and time range.
Times and dates are calculated by your web browser. Always use your local time zone and not the time zone of the GigaStor.
Example: Set ‘Trailing Hour’ for the current hour regardless of the physical time zone of the target GigaStor.
Filter
Filter strings can be added to narrow your results.
Valid Input: The maximum number of characters is 5120.
pattern|patternSensitive|patternBin|patternHex|patternRegex search pattern[(ip|tcp|tcpData|udp|udpData:)#|#-#]
A search pattern may be ASCII (default), binary, or hex. It may start from an offset. The offset can be a specific location or range from the beginning of the:
Undefined: Packet (default, no packet component is specified)
ip: IP header
tcp: TCP header
tcpData: TCP data
udp: UDP header
udpData: UDP data
Any offset looks only at the specified location or range (if provided). For example, if you specify an offset of [14] the filter only searches byte 14 for the first character of the search pattern.
If you specify the offset range [14-20] the filter searches at byte 14 to byte 20 for the first character of the search pattern. The search may not necessarily end at byte 20; byte 20 is the last starting location. For instance, if your search is HTTP/1.1 (an 8-byte string) the bytes 14 through 20 are searched for H. If the H is found in any of those locations the next byte is searched for T and so on until the second 1 is found (which could be on byte 27 if the H was found on byte 20) or the pattern stops matching.
If you want to search from a specific offset to the end of the packet, then use 32767 for the ending offset. For example, [14-32767].
ASCII patterns may be case-sensitive. The pattern filters are case-insensitive. If you need a case-sensitive search, use patternSensitive.
Search patterns that contain spaces must be surrounded by double quotes.
Any Unicode characters used in the filter are converted to your web browser's character encoding. If a different UTF-level is required, use hexadecimal characters in the filter pattern.
Hex filters work with or without spaces. These are the same search:
 
"41 70 65 78"
41706578
"0x41 0x70 0x65 0x78"
 
A binary pattern is one or more 8-bit numbers separated by a space. Each binary number is a sequence of 0, 1, or x. An x is a wildcard character that matches either the 0 or 1 bit.
Regular Expression filters allow you to use Unix/Perl-style regular expressions, which let you use a wildcard for single characters, groups of characters, ranges of characters and numeric values, and more. These searches may be slow, especially if the expression is complex or the data to be searched is large.
Documentation is available at API filter syntax.
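The offset-range, hex and binary matching rules described under Filter, written out as an added Python illustration (this is not Observer code or its API). It assumes zero-based offsets and that the caller passes the bytes of the chosen component (whole packet, IP header, TCP data, and so on); all function names and the sample bytes are hypothetical.

```python
# Added illustration of the documented matching rules; not Observer's implementation.
END_OF_PACKET = 32767  # documented ending offset meaning "to the end of the packet"

# Constructed sample: 20 filler bytes, then an HTTP status line starting at byte 20.
SAMPLE = bytes(20) + b"HTTP/1.1 200 OK"

def parse_hex(text):
    """Normalize '41 70 65 78', '41706578' or '0x41 0x70 ...' to the same bytes."""
    cleaned = "".join(tok[2:] if tok.lower().startswith("0x") else tok
                      for tok in text.strip('"').split())
    return bytes.fromhex(cleaned)

def parse_bin(text):
    """Turn '0100xxxx 01110000' into one (mask, value) pair per byte; x = wildcard bit."""
    pairs = []
    for tok in text.strip('"').split():
        if len(tok) != 8 or set(tok) - set("01x"):
            raise ValueError(f"bad binary byte: {tok!r}")
        mask = int("".join("0" if c == "x" else "1" for c in tok), 2)
        value = int(tok.replace("x", "0"), 2)
        pairs.append((mask, value))
    return pairs

def find_literal(region, needle, first=0, last=END_OF_PACKET, sensitive=False):
    """First start offset in [first, last] where needle matches, else None.

    'last' bounds only where the match may START; the match itself may run
    past it, as in the HTTP/1.1 example (start at 20, final byte at 27).
    """
    if not sensitive:  # default 'pattern' behaviour: case-insensitive
        region, needle = region.lower(), needle.lower()
    for start in range(first, min(last, len(region) - len(needle)) + 1):
        if region[start:start + len(needle)] == needle:
            return start
    return None

def find_bin(region, pairs, first=0, last=END_OF_PACKET):
    """Same start-offset rule, comparing only the non-wildcard bits of each byte."""
    for start in range(first, min(last, len(region) - len(pairs)) + 1):
        window = region[start:start + len(pairs)]
        if all(b & m == v for b, (m, v) in zip(window, pairs)):
            return start
    return None
```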