Packet capture analysis

Updated at:
Copy as MD

Anti-DDoS Proxy allows you to capture traffic to obtain packet and session details for attack analysis and troubleshooting. You can create a manual packet capture task to immediately capture traffic. After the capture, a PCAP file is generated. You can analyze this file to fine-tune your protection policies. This topic describes how to create a packet capture task.

Packet capture scope

Packet capture covers traffic between client IP addresses and the Anti-DDoS Proxy IP address. It does not include traffic between the Anti-DDoS Proxy IP address and the origin server. Note that traffic from client IP addresses that belong to Alibaba Cloud resources is not captured.

  • Anti-DDoS Proxy (Chinese Mainland): All instances support packet capture. The capture occurs at scrubbing centers in the Chinese mainland.

    Note

    For China Telecom (Shenzhen), the captured data consists of scrubbed traffic and does not include pre-scrubbing data.

  • Anti-DDoS Proxy (Outside Chinese Mainland):

    • For the Insurance and Unlimited, packet capture occurs at scrubbing centers Outside Chinese mainland.

    • For Chinese Mainland Acceleration instances, packet capture is supported only in the China (Hong Kong) region.

    • For Sec-CMA 2.0 instances, packet capture is supported only in the China (Hong Kong) region. Only traffic scrubbed by the upstream provider can be captured.

Limitations

  • Sampling ratio: The default sampling ratio is 1:1. Sampling accuracy is higher for lower traffic volumes. For extremely high traffic volumes, the system automatically samples packets, and the sampling ratio increases as traffic volume grows.

  • Packet file size limit: For the Chinese mainland region, the maximum size of a packet capture file is 300 MB per task. For regions Outside Chinese mainland, the maximum size is 100 MB per task. If the limit is reached, the capture stops, and the packet capture file is generated immediately.

  • Task quota: Each Alibaba Cloud account can create up to 50 packet capture tasks per calendar month.

  • File storage limit: Each Alibaba Cloud account can store a maximum of 20 packet capture files at a time. If you reach the limit, you must delete older files to create new ones.

  • File retention period: Packet capture files are stored for a maximum of 30 days.

  • Expired instances: When an Anti-DDoS Proxy instance expires, its associated packet capture tasks become Invalid. Packet capture is not supported for released instances.

  • Cross-border scenarios: Packet capture may fail when a client Outside Chinese mainland accesses an Anti-DDoS Proxy IP address in the Chinese mainland, or when a client in the Chinese mainland accesses an Anti-DDoS Proxy IP address Outside Chinese mainland.

Create a packet capture task

  1. Enable packet capture analysis.

    The first time you access the Packet Capture page, click Confirm Authorization to allow packet capture files to be stored in a shared Object Storage Service (OSS) resource pool.

  2. Create a packet capture task.

    1. On the Packet Capture Task tab, click Create Packet Capture Task.

      Note

      Only one manual packet capture task can run at a time.

      Parameter

      Description

      Task Type

      Manual Packet Capture: Starts the capture immediately after task creation.

      Protocol Type

      Valid values: TCP, UDP, ICMP, and ALL. Default value: ALL.

      Destination IP Address

      The IP address of the Anti-DDoS Proxy instance.

      Chinese Mainland Acceleration instances do not support packet capture and their IP addresses cannot be selected.

      Destination Port

      Valid values: 0 to 65535. A value of 0 indicates all ports.

      Source IP Address

      Enter an IP address or an IP address with a subnet mask. An asterisk (*) represents all IP addresses.

      Source Port

      Valid values: 0 to 65535. A value of 0 indicates all ports.

      Packet Capture Duration

      Valid values: 5 to 60. Unit: seconds.

      Packet Capture Direction

      • Bidirectional: Captures all traffic between the client IP address and the Anti-DDoS Proxy IP address.

      • Outbound: Captures traffic from the Anti-DDoS Proxy IP address to the client IP address.

      • Inbound: Captures traffic from the client IP address to the Anti-DDoS Proxy IP address.

  3. In the packet capture task list, click Packet Capture File in the Actions column to download or delete the file.

    • Each task for an Anti-DDoS Proxy (Chinese Mainland) instance generates a single packet capture file. In contrast, tasks for Anti-DDoS Proxy (Outside Chinese mainland) instances are distributed across multiple scrubbing centers and can generate up to nine files per task. You can identify the region of each file by its name.

    • If no data passes through a specific region during the capture period, no packet capture file is generated for that region.

    • Downloading a packet capture file pulls data from the local scrubbing center. Cross-border data transfers may increase download times. The following table shows the mapping between filenames and regions:

      Region

      Field in filename

      China (Hong Kong)

      cn-hongkong

      Singapore

      ap-southeast-1

      Japan (Tokyo)

      ap-northeast-1

      US (Silicon Valley)

      us-west-1

      US (Virginia)

      us-east-1

      Germany (Frankfurt)

      eu-central-1

      UK (London)

      eu-west-1

      Indonesia (Jakarta)

      ap-southeast-5

      Malaysia (Kuala Lumpur)

      ap-southeast-3

  4. (Optional) Click Issue Again to create a new task with the same configuration.

FAQ

  • Are the source IPs in packet capture (PCAP) files the real attack source IPs?

    The source IPs recorded in DDoS attack PCAP files are typically not the real attacker IPs. Attack traffic usually originates from compromised hosts (botnets) or uses spoofed source IP addresses. You cannot trace the real attack source directly from the captured data. We recommend that you use packet capture data to analyze attack types and traffic patterns rather than to identify attackers.

  • What should I do if I cannot download a packet capture file?

    To download a packet capture file, the system must have successfully generated a capture record. If the download fails or the file is unavailable, check the following possible causes:

    • No packet capture task was executed during the specified time period, or the task did not successfully generate a file.

    • The Anti-DDoS Proxy instance has expired. The packet capture task is marked as Invalid, and released instances cannot provide downloads.

    • In cross-border packet capture scenarios, the capture failed and no packet capture file was generated.

    • The automatic packet capture trigger conditions were not met. Automatic packet capture is triggered only by transport-layer volumetric attacks or web application-layer attacks.

Related documents

  • To view the operation logs for packet capture tasks, see Operation Logs.

  • Analyze packet capture files and configure targeted protection policies. For details, see Protection Settings.