Start and Stop Data Capture

When a Decoder starts up, it automatically begins aggregating data if Capture Autostart is enabled. When autostart is not enabled, you can start and stop data capture manually.

Note: The Capture Configuration Settings in the Service Config view for a Decoder determine whether Capture Autostart is enabled.

The following figure illustrates commonly used settings on a Decoder. For a quick basic setup with only the required steps, see Decoder and Log Decoder Quick Setup. You may want to stop and start capture at other times, for example, before you shut down the service.

netwitness_deccfgwf-startcap.png

To start and stop capture:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. Select a Decoder or Log Decoder service, and select netwitness_ic-actns.png > View > System.
  3. In the toolbar, click Start Capture.

    If the service is a Decoder, it begins capturing packets. If the service is a Log Decoder, it begins capturing logs.

    When packet or log capture is in progress, the option in the toolbar changes to Stop Capture, and the option to upload a file is unavailable.

  4. Whenever you want to discontinue traffic capture on a Decoder, click Stop Capture.

    Packet or log capture ceases, and the option to upload a file to the service is again available.

Note: When you stop the Log Decoder service while capture is running, all events currently in Log Decoder memory will be processed and persisted. Should an issue arise where it is necessary to quickly shutdown the service, use the Services Explore view to stop capture (/decoder stop), passing the parameters flush=false before stopping the Log Decoder service. For further information, see the "Services Explore View" in the Host and Services Getting Started Guide.