pcapdump – a family of commands for configuring, starting, stopping, and viewing the results of capturing local packets passing through Kaspersky NGFW

pcapdump start <name1[,name2[,name3[...]]]>

Start packet capture on one or more interfaces. Interface names must be separated by commas without spaces.

utils> pcapdump start Ge2,Ge4

pcapdump stop

Stop packet capture.

pcapdump settings direction (in|out|both)

Configure packet capture direction. By default, both.

utils> pcapdump settings direction in
utils> pcapdump settings direction out
utils> pcapdump settings direction both

pcapdump settings duration <value>

Configure packet capture duration in seconds. Possible values: from 1 to 600. By default, 30.

utils> pcapdump settings duration 90

pcapdump settings max-frame-size <value>

Configure maximum size of network frame data to be recorded. Possible values: from 32 to 9000. By default, 1514.

utils> pcapdump settings max-frame-size 9000

pcapdump settings max-packets <value>

Configure maximum number of network frames. Possible values: from 1 to 10000. By default, 1000.

utils> pcapdump settings max-packets 5000

pcapdump settings filter-names <name1[,name2[,name3[...]]]>

Specify whether to use packet capture filters. By default, no filters are applied, that is, after the start command, all traffic is recorded. You can specify the names of the filters configured in the pcapdump filters section, separated by commas without spaces.

utils> pcapdump settings filter-names ssh,tcp-80

no pcapdump settings filter-names

Clear packet capture filters.

pcapdump filters

Go to the packet capture filters configuration menu.

pcapdump filters> name <filter name>

Create (or edit an existing) packet capture filter named <filter name>.

utils> pcapdump filters> name ssh
utils> pcapdump filters> name=['ssh']>

pcapdump filters> name=['ssh']> value <'filter value'>

Specify the value of the packet capture filter named <filter name>. The filter value must be a string in single quotes, written in the syntax described in the Filter syntax in the VPP classify format section.

utils> pcapdump filters> name=['ssh']> value 'mask l3 ip4 proto l4 dst_port match l3 ip4 proto 6 l4 dst_port 22'

pcapdump delete-packet-file

Delete the network dump file.

show pcapdump filters

Show information about configured packet capture filters.

utils> show pcapdump filters
{
  "ngfw-pcapdump:capture-filters": {
    "filters": [
      {
        "name": "tcp-80",
        "value": "mask l3 ip4 proto l4 dst_port match l3 ip4 proto 6 l4 dst_port 80"
      }
    ]
  }
}

show pcapdump settings

Show packet capture configuration information.

utils> show pcapdump settings
{
  "ngfw-pcapdump:settings": {
    "max-packets": 1000,
    "max-frame-size": 1514,
    "direction": "both",
    "duration": 30,
    "capture-filter-names": "tcp-80"
  }
}

show pcapdump packet-file

Show information about the network dump file (size, recording time, name).

utils> show pcapdump packet-file
579  Jan 27 01:50 2025  /var/traffic_dump.pcap

Filter syntax in the VPP classify format

mask <mask-value> match <match-value>

<mask-value>:

l2 src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad

l3 ip4 <ip4-mask>

<ip4-mask>: version hdr_length src[/width] dst[/width] tos length fragment_id ttl protocol checksum

l4 src_port dst_port

<match-value> – for each field listed in <mask-value>, repeat the layer and field name in the same order and format, each followed by the value that the packet field must have.

Examples:

mask l2 src match l2 src 8C:88:FB:FA:11:44
mask l3 ip4 src match l3 ip4 src 192.168.1.11
mask l3 ip4 src/24 dst/24 match l3 ip4 src 1.2.3.0 dst 4.5.6.0
mask l3 ip4 proto l4 dst_port match l3 ip4 proto 6 l4 dst_port 80
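A filter string in this format can be checked before it is committed with the value command. The following is an added example in Python, not code from Kaspersky NGFW or its documentation: it parses a mask/match string, verifies that the match side repeats the mask fields in the same order, and rejects values of the wrong shape. The field-name lists come from this page; the MAC-address pattern and the numeric ranges for ports and IP protocol numbers are assumptions.

```python
# Added example (not Kaspersky NGFW code): validate a VPP classify filter string.
import ipaddress, re
# Field names per layer from the page ("protocol" in its table, "proto" in its examples).
FIELDS = {
    "l2": "src dst proto tag1 tag2 ignore-tag1 ignore-tag2 cos1 cos2 dot1q dot1ad".split(),
    "l3": "version hdr_length src dst tos length fragment_id ttl proto protocol checksum".split(),
    "l4": "src_port dst_port".split(),
}

def _walk(tokens, with_values):
    # Yield (layer, field, width) for the mask side, (layer, field, value) for match.
    layer, it = None, iter(tokens)
    for tok in it:
        name, _, width = tok.partition("/")     # mask fields may carry "/width"
        if tok in FIELDS:                       # layer keyword; l3 is always "l3 ip4"
            layer = tok
            if tok == "l3" and next(it, None) != "ip4":
                raise ValueError("l3 must be followed by ip4")
        elif layer is None or name not in FIELDS[layer]:
            raise ValueError(f"unexpected token {tok!r} (layer {layer})")
        else:
            value = next(it, None) if with_values else (int(width) if width else None)
            if with_values and value is None:
                raise ValueError(f"no match value given for {name}")
            yield layer, name, value

def _check(layer, field, value):
    # Reject match values of a shape the field can never compare against (assumed ranges).
    if layer == "l3" and field in ("src", "dst"):
        ipaddress.IPv4Address(value)            # raises on a malformed address
    elif layer == "l2" and field in ("src", "dst") and not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", value, re.I):
        raise ValueError(f"l2 {field} needs a MAC address, got {value!r}")
    elif layer == "l4" or (layer == "l3" and field in ("proto", "protocol")):
        limit = 65535 if layer == "l4" else 255  # TCP/UDP port vs. IP protocol number
        if not 0 <= int(value) <= limit:
            raise ValueError(f"{field} value {value!r} outside 0..{limit}")

def parse_classify_filter(text):
    # Return [(layer, field, width, value), ...]; raise ValueError on a bad filter.
    tokens = text.split()
    if tokens[:1] != ["mask"] or "match" not in tokens:
        raise ValueError("filter must have the form 'mask ... match ...'")
    cut = tokens.index("match")
    mask = list(_walk(tokens[1:cut], with_values=False))
    match = list(_walk(tokens[cut + 1:], with_values=True))
    if [m[:2] for m in mask] != [m[:2] for m in match]:
        raise ValueError("match must repeat the mask fields in the same order")
    for (layer, field, _), (_, _, value) in zip(mask, match):
        _check(layer, field, value)
    return [m + (v,) for m, (_, _, v) in zip(mask, match)]
```

Match values are returned as the strings given in the filter; widths from the mask side are returned as integers, or None when no /width was given.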
