When a customer specifies a PCAP file, they are given the option of setting the duration of the PCAP to 5,10,30,60 or 120, in certain cases the display time of the PCAP may be lower than the requested time, this article discusses the causes and the resolution for the issue.

Cloud and on-prem environments when the customer is trying to generate a PCAP file for a certain duration.

-When we execute the generate PCAP bundle on the VCO, the VCO asks the edge to run the PCAP command on the edge, if the edge is in HA state, the PCAP will first be run on the standby box, after that the PCAP will trigger on the active edge.

2024-11-06T11:26:22.955 INFO    [diag (20496:Thread-33727:2725875)] Pre standbygenerateDiagnosticBundle
2024-11-06T11:26:31.344 DEBUG   [worker (20496:Stats Upload:21228)] do_stat_upload: Sleeping for 29.77 sec
2024-11-06T11:26:31.561 INFO    [fwlog (20496:FW Upload:21230)] In do_fw_upload
2024-11-06T11:26:33.661 INFO    [diag (20496:Thread-33727:2725875)] Post standbygenerateDiagnosticBundle

-After standby bundle is generated, the active bundle will start generating and will run the below script, generate the bundle then uploaded to the VCO.

2024-11-06T11:26:33.679 INFO    [diag (20496:Thread-33727:2725875)] Generating packet capture bundle (GE3, 10) into /velocloud/diagtmp/mgd-diag-91b07i8z/pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap.zip: requestId = b61fc8a1-5c8c-437b-a78e-08b1f8ef206b
2024-11-06T11:26:33.701 INFO    [diag (20496:Thread-33727:2725875)] tcpdump_command = '/opt/vc/bin/vctcpdump -n -w /velocloud/diagtmp/mgd-diag-hg8aqoj8/pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap -W 1 -G 10 -C 100 -i ge3'
2024-11-06T11:26:47.884 INFO    [diag (20496:Thread-33727:2725875)] Generated bundle, starting upload

 -The bundle is written in the diagtmp folder on the edge, the -W means it will generate one file -G stands for the duration which the script will be run for, in the above example it's 10 seconds, the -C 100 is the size of the file generated, which is 100 megs and lastly the -i ge3 stands for the interface which we will run the PCAP on.

-If the traffic on said interface is very high, the PCAP will keep over riding the PCAP file till the duration is done, for example in the below output, we can see that the PCAP file started to reach the 100 mega threshold and then it reset again and kept over riding the file till the duration was done.

edge:Angelos-710(active):/velocloud/diagtmp# ls -lha | grep -i pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap
-rw-r--r--    1 root     root       68.0M Nov  6 14:01 pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap
edge:US-Lake Oswego(active):/velocloud/diagtmp# ls -lha | grep -i pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap
-rw-r--r--    1 root     root       86.2M Nov  6 14:01 pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap
edge:US-Lake Oswego(active):/velocloud/diagtmp# ls -lha | grep -i pcap-Angelos-710-GE3-2024-11-06_11-26-33.pcap
-rw-r--r--    1 root     root        2.3M Nov  6 14:01 pcap-Biotronik-US-Lake-Oswego-VLAN1-2024-11-06_11-26-33.pcap

 -After the PCAP duration specified is done, the PCAP file will contain only the traffic which was over ridden during that duration only, which means that if the customer is trying to capture a specific issue at the beginning of the PCAP it will be over ridden.

High traffic will cause the 100 meg PCAP file to keep over riding itself until the PCAP duration is done.

If the customer knows the specific IP/Ports , sources and destinations they are facing an issue at, they should open a case to VMware by Broadcom support to run the PCAP from the CLI and save the files.