.. _section-CapturingForOfflineAnalysis:

Capturing Traffic for Offline Analysis
======================================

If Wireshark isn't available on the host that you want to analyze, you can
capture traffic from the console/terminal. Then you can use Wireshark to
display/analyze the captured traffic offline (instead of as live traffic).

.. _section-SharedMemory:

Shared Memory and Packet Capture
--------------------------------

By default, |CONNEXT| enables the shared memory transport alongside UDP. When
two DomainParticipants are on the same host, they will typically communicate
over shared memory. Because shared memory traffic does not pass through a
network interface, **Wireshark, Tshark, and tcpdump cannot capture it**. This
means you may see discovery traffic (which uses multicast UDP) in your capture,
but user data traffic may still be absent.

If you need to capture user data traffic with Wireshark or Tshark, you have two
options:

1. **Disable the shared memory transport** so that all communication uses UDP,
   which is visible to packet capture tools. Add the following snippet to your
   QoS XML configuration:

   .. code-block:: xml

      <!-- Inside the DomainParticipant QoS: enable only the UDPv4 built-in transport -->
      <transport_builtin><mask>UDPv4</mask></transport_builtin>

   This setting forces all traffic onto the UDPv4 transport. Remember to remove
   it when you are done debugging, because shared memory provides significantly
   better performance for same-host communication.

2. **Use the Connext Network Capture feature**, which can capture shared memory
   traffic directly. See :ref:`section-NetworkCapture` below.

Using tcpdump or Tshark
-----------------------

To capture traffic from the console/terminal, use tcpdump or Tshark. To learn
about these tools, enter ``tcpdump --help`` or ``tshark --help``.

.. note::

   On some hosts, you may need administrator permissions to capture traffic. If
   you need them and you don't run as sudo/admin, you will not see any
   interfaces available to capture. Just close Wireshark and rerun it as
   sudo/admin.

.. _section-NetworkCapture:

Using |CONNEXT_HEADING| Network Capture
---------------------------------------

|CONNEXT| features a built-in network capture tool, enabling you to record RTPS
traffic directly from your DDS application without running external tools like
Wireshark or tcpdump. When enabled, each DomainParticipant generates a
pcap-based capture file that can be opened in Wireshark for analysis.

Network capture offers several advantages over traditional packet capture
tools:

* It can capture traffic on transports that are not visible to OS-level capture
  tools, such as shared memory.
* It can include additional metadata, such as security-related information that
  is not present in a raw network capture.
* It can exclude user data payload from the capture to reduce file size when
  only protocol-level analysis is needed.

However, network capture only records traffic exchanged by the
DomainParticipants in your application. It does not capture other network
traffic on the system's interfaces. For full network-level capture, use
Wireshark, Tshark, or tcpdump.

For complete documentation on enabling, configuring, and using the |CONNEXT|
network capture feature, including the API reference and shared memory capture
considerations, see the Network Capture chapter in the |RTI_CONNEXT| *Core
Libraries User's Manual*.
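
For the tcpdump route described under "Using tcpdump or Tshark", the following added example (not part of the original documentation) builds a capture filter for one DDS domain and writes a pcap file that only the capturing user can read. It assumes the default RTPS well-known port mapping (port base 7400, domain ID gain 250); the function names and the ``eth0`` interface are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Assumption: default RTPS well-known ports (port base 7400, domain ID
# gain 250). Adjust the arithmetic if your QoS changes these values.

# Print a capture filter covering every default RTPS port of one domain.
rtps_capture_filter() {
    domain_id=$1
    # Accept 1-3 decimal digits without a leading zero (avoids octal parsing).
    case $domain_id in
        ''|*[!0-9]*|0?*|????*)
            echo "domain ID must be an integer between 0 and 999" >&2
            return 1 ;;
    esac
    lo=$((7400 + 250 * domain_id))
    hi=$((lo + 249))
    if [ "$lo" -gt 65535 ]; then
        echo "domain ID $domain_id maps outside the UDP port range" >&2
        return 1
    fi
    # The highest usable domain only partly fits below port 65535.
    if [ "$hi" -gt 65535 ]; then
        hi=65535
    fi
    echo "udp portrange $lo-$hi"
}

# Capture one domain's RTPS traffic into a pcap for offline analysis.
# Once shared memory is disabled the file holds user data payloads, so it
# is created under umask 077 and the capture is bounded with -c.
capture_rtps() {
    domain_id=$1
    iface=$2
    out=$3
    filter=$(rtps_capture_filter "$domain_id") || return 1
    ( umask 077 && tcpdump -i "$iface" -s 0 -c 100000 -w "$out" "$filter" )
}

# Usage (eth0 is a placeholder interface name; needs capture privileges):
#   capture_rtps 0 eth0 rtps_domain0.pcap
```

Copy the resulting file to a host with Wireshark and open it there.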