This article is intended for IT support.
This article outlines how to run a Packet Capture in School Manager. PCAP (Packet Capture) filter syntax is a tool for network professionals to help investigate traffic flow on your network. This syntax helps isolate specific types of traffic for troubleshooting, security monitoring, and performance analysis. This article aims to demystify the basics of PCAP filter syntax, making it accessible and easy to understand for everyone.
PCAP Filter Syntax Overview
PCAP filter syntax is a method to define filters that specify the network traffic you wish to capture or analyse. It enables you to set criteria based on IP addresses, port numbers, protocols and much more. This ensures that you focus only on relevant data.
Running a Packet Capture in School Manager
- Log in to School Manager using an account with the Owner/Admin permission.
- Select the kebab menu icon (three vertical dots) in the upper-left of your window.
- Select Tools
- Scroll down to Capture Tool. You can use the Capture Tool Filters to test an IP Address and/or Port.
- Select the Interface and select Start
- After a few seconds, you will see the number of collected packets. When you are ready, select Stop, this will automatically download the results into a .pcap file.
When the Packet Capture reaches 10,000 packets, the process will stop capturing any further packets.
If there are no results, ensure the filter IP address and network interface are correctly selected.
Using the Capture Tool Filter
If you want to filter the captured traffic, you can use the filter syntax outlined below.
All filters and operators must be in lowercase otherwise the packet capture will not work.
- Protocols: Filter by protocol type (e.g., tcp, udp, arp).
- Hosts and Networks: Use src or host for specific IP addresses and net for network ranges.
- Ports: The port keyword isolates traffic based on port numbers.
- and: Both conditions must be true (e.g., src net 192.168.0.0/16 and port 443).
- or: Either condition is sufficient (e.g., tcp or udp).
- not: Excludes specified traffic (e.g., not port 21).
- Source and Destination: src and dst specify if the filter applies to the source or destination.
Combine different criteria for complex filters (e.g., tcp port 80 and src host 192.168.1.1).
Practical Packet Capture Examples
- Capture HTTP Traffic: tcp port 443
- Capture Traffic from a Specific IP: src host 192.168.1.100
- Capture but Exclude HTTP Traffic: not port 443
- Capture Traffic to a Specific Network: dst net 192.168.0.0/16
- Capture TCP Traffic on Ports 80 or 443: tcp port 80 or tcp port 443
- Capture UDP Traffic from a Specific Port: udp src port 53
- Capture Traffic with Specific Source and Destination: src host 10.0.0.5 and dst port 22
- Capture Non-ICMP Traffic: not icmp
- Capture Traffic Exceeding a Certain Size: greater 500