Kaspersky NGFW can capture the packets passing through specific interfaces of the device, regardless of the status or configuration of those interfaces. Packets are written to a network dump file before the MITM mechanism is applied to them, so the dump contains the traffic as it arrived on the interface. You can use packet capture to analyze the operation of Kaspersky NGFW and to troubleshoot problems. By default, packet capture is disabled. You enable it on the command line with the pcapdump commands, either with the default settings or after adjusting the settings in advance.
Managing packet capture
To start packet capture:
pcapdump start <interface name>
where <interface name> is the interface on which you want to capture packets.
Kaspersky NGFW starts capturing packets on the specified interface. Only one packet capture process can run at a time. To restart capture, stop the current process and start it again; restarting overwrites the existing network dump file.
Writing to the file stops as soon as one of the configured limits (capture duration or maximum number of packets) is reached. If the device is restarted while a capture is running, the capture is interrupted and you must start it again.
To stop packet capture:
pcapdump stop
The captured packets are written to the network dump file traffic_dump.pcap. The file is saved in the /var partition on the Kaspersky NGFW device, and you can download it from there. Packet capture events are logged.
Configuring packet capture
You can view information about the current packet capture settings by running the following command on the command line:
show pcapdump settings
The table below describes the commands that you can use to configure packet capture.
Commands for configuring packet capture
| Command | Description | Possible values | Default value |
|---|---|---|---|
| | Duration of packet capture, in seconds. | From 1 to 600. | 30 |
| | Maximum number of packets to capture. | From 1 to 100,000. | 1000 |
| | Direction of packets to be captured. | | |
| | Maximum size of network frame data to be recorded per packet (snapshot length), in bytes. | From 32 to 9000. | 1514 |
| | Names of one or more filters to apply to captured packets. Only packets that satisfy the conditions of all specified filters are written to the file. Filters must be created manually beforehand. | Comma-separated list of filter names, without spaces. | Empty |
After you run a configuration command, the corresponding parameter is saved and is applied automatically after the device is restarted. Changing these settings does not affect the performance of Kaspersky NGFW.
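Once traffic_dump.pcap has been downloaded, the first things a practitioner usually wants to know are why the capture stopped (packet limit, duration limit, or a manual stop/restart) and whether frames were cut short by the snapshot length, since a truncated payload will confuse later protocol analysis. The following script is an added example, not Kaspersky code: it assumes the dump is a standard little-endian libpcap file (magic 0xa1b2c3d4, microsecond timestamps, Ethernet link type), and it builds its own constructed sample file so it can run offline. The `max_packets`, `duration` and `snaplen` arguments are the values from the settings table above; the defaults (1000, 30, 1514) are the page's defaults.

```python
"""Inspect a pcap produced by an NGFW packet capture: report how many packets
it holds, the time span covered, how many frames were truncated by the
snapshot length, and the most likely reason the capture stopped.

Added example (not Kaspersky code). Assumes the classic libpcap file format.
"""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # little-endian, microsecond timestamps
DLT_EN10MB = 1            # Ethernet link type


def write_pcap(path, frames, snaplen=1514):
    """Write (timestamp, frame_bytes) pairs to a pcap file, truncating each
    frame to snaplen exactly as a capture with a frame-size limit would."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB))
        for ts, frame in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            data = frame[:snaplen]
            # record header: ts_sec, ts_usec, captured length, original length
            f.write(struct.pack("<IIII", sec, usec, len(data), len(frame)))
            f.write(data)


def read_pcap(path):
    """Return (snaplen, [(timestamp, caplen, origlen), ...]) without keeping
    the packet bodies in memory."""
    with open(path, "rb") as f:
        magic, _vmaj, _vmin, _tz, _sig, snaplen, _link = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian libpcap file")
        records = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, caplen, origlen = struct.unpack("<IIII", rec)
            f.seek(caplen, 1)  # skip the packet body
            records.append((sec + usec / 1e6, caplen, origlen))
    return snaplen, records


def summarize(path, max_packets=1000, duration=30, snaplen=1514):
    """Classify why the capture stopped, using the configured limits."""
    file_snaplen, records = read_pcap(path)
    count = len(records)
    span = records[-1][0] - records[0][0] if records else 0.0
    truncated = sum(1 for _, cap, orig in records if cap < orig)
    if count >= max_packets:
        reason = "packet limit"
    elif span >= duration:
        reason = "duration limit"
    else:
        reason = "stopped manually or interrupted"
    return {
        "packets": count,
        "span_s": round(span, 3),
        "truncated": truncated,
        "snaplen": file_snaplen,
        "snaplen_matches_setting": file_snaplen == snaplen,
        "stop_reason": reason,
    }


def make_frame(payload_len):
    """Constructed Ethernet frame: two dummy MACs, IPv4 ethertype, zero payload."""
    return bytes.fromhex("0011223344550066778899aa0800") + b"\x00" * payload_len


def demo(max_packets=5, duration=30):
    """Build a constructed five-frame dump (0.5 s apart; the third frame is a
    9000-byte jumbo frame that exceeds the 1514-byte snaplen) and summarize it."""
    path = os.path.join(tempfile.mkdtemp(), "traffic_dump.pcap")
    base = 1_700_000_000.0
    frames = [(base + 0.5 * i, make_frame(9000 if i == 2 else 100)) for i in range(5)]
    write_pcap(path, frames, snaplen=1514)
    return summarize(path, max_packets=max_packets, duration=duration)


if __name__ == "__main__":
    print(demo())
```

Run it against a real dump by calling `summarize("traffic_dump.pcap", max_packets=..., duration=...)` with the values shown by `show pcapdump settings`. A non-zero `truncated` count means frames larger than the snapshot length were cut; if full payloads matter for the analysis, raise the frame-size setting before capturing again.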