Advanced Debugging - Packet Capture
When working with Tenable Nessus to understand scanner results, it may be necessary to understand the communications between a scanner and the host that was scanned. When this occurs, Tenable support may request a capture of network traffic between the scanner and the target host. Tenable Nessus now supports the ability to generate and download such a capture through the Tenable Nessus user interface.
- Packet capture does not apply to Tenable Nessus scanners that are linked to Tenable Security Center.
- Packet capture is limited to TCP and UDP traffic only. Other protocols such as ICMP (ping) are not captured.
- The Target to capture field must match a host in the scan's target list, or no capture will occur.
- Tenable Nessus limits the amount of disk space that can be allocated to packet capture data. The total disk space that may be used by the packet capture subsystem is the lesser of the following two parameters: 10% of the partition size on which Tenable Nessus is installed or 20GB.
- The maximum size of a single packet capture file is the lesser of the following two parameters: 10% of the packet capture total disk space value or 1GB.
- If, during a capture session, the amount of data exceeds the limit for a single capture file, the capture is terminated and the partial result is saved.
- These limits may be adjusted by a Tenable Nessus administrator using the global.network_capture.max_disk_mb and/or global.network_capture.max_file_mb advanced preferences. Tenable Nessus must be restarted for these changes to take effect.
To enable packet capture for a scan in the Tenable Nessus user interface:
1. In the top navigation bar, click Scans.
   The My Scans page appears.
2. In the upper right corner, click the New Scan button.
   The Scan Templates page appears.
3. Click the scan template that you want to use.
   The New Scan page appears.
4. Click the Advanced settings tab.
5. Select Custom from the Scan Type drop-down.
6. Scroll to the bottom of the General settings window and set Packet Capture to ON.
7. In the Target to capture field, enter the IP address or hostname of a single host.
8. In the Ports to capture field, enter a port or range of ports.
9. Click the Save button.
10. Launch the scan.
To retrieve a packet capture:
After the scan is complete, a compressed archive containing the packet capture will be available for download.
To download the capture:
1. Select Settings from the top navigation bar.
2. Select Debug Logs from the side navigation bar.
   The Debug Logs window will show a list of packet captures. For example, pcap_SCANNAME_SCANID.tar.gz.
3. Select the archive that matches your scan.
4. Click the Download button.
   The file downloads from the scanner to your local host.
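Once the archive is downloaded, a quick check can confirm it holds TCP/UDP traffic for the intended target and ports before it is passed on. The following is an added example, not Tenable code: it assumes the archive contains classic libpcap files with Ethernet framing and IPv4 traffic, and `parse_pcap` and `summarize_archive` are hypothetical helper names.

```python
import ipaddress
import struct
import tarfile
from collections import Counter

PROTOCOLS = {6: "tcp", 17: "udp"}  # the only protocols the capture records

def parse_pcap(data, target_ip):
    """Count packets to or from target_ip, keyed by (protocol, target-side port)."""
    counts = Counter()
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        return counts  # not a classic pcap file (for example pcapng): skipped
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        return counts  # assumption: link type 1 (Ethernet)
    target = ipaddress.IPv4Address(target_ip).packed
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue  # non-first IP fragment carries no port numbers
        ihl = (frame[14] & 0x0F) * 4
        proto = PROTOCOLS.get(frame[23])
        l4 = frame[14 + ihl:14 + ihl + 4]
        if proto is None or len(l4) < 4:
            continue
        sport, dport = struct.unpack("!HH", l4)
        if frame[30:34] == target:    # scanner -> target
            counts[(proto, dport)] += 1
        elif frame[26:30] == target:  # target -> scanner
            counts[(proto, sport)] += 1
    return counts

def summarize_archive(path, target_ip):
    """Read each regular file of the .tar.gz in memory; nothing is extracted to disk."""
    total = Counter()
    with tarfile.open(path, "r:gz") as tar:
        for member in tar:
            if member.isfile():
                total.update(parse_pcap(tar.extractfile(member).read(), target_ip))
    return total
```

An empty result for the expected target suggests the Target to capture field did not match a host in the scan's target list.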