Capturing local packets using the command line

Kaspersky NGFW can capture local packets passing through it on specific interfaces, regardless of the interface's status or configuration. Traffic packets are written to a network dump file before the MITM mechanism is applied to them. You can use packet capture to analyze the operation of Kaspersky NGFW and resolve any problems that might occur. By default, packet capture is disabled. You can enable packet capture from the command line with pcapdump commands, either using the default settings or after configuring the necessary settings in advance.

Managing packet capture

To start or stop packet capture:

  1. Start encrypted traffic packet capture:

    pcapdump start <interface name>

    where <interface name> is the interface for which you want to start packet capture.

    Kaspersky NGFW starts capturing packets on the specified interface. Only one packet capture process can be running at a time. To restart, you must stop the current process and start it again. This overwrites the network dump file.

    When one of the configured limits, such as the capture duration or the maximum number of packets, is reached, writing to the file stops. If you restart the device while packet capture is in progress, the process is interrupted and you will need to start packet capture again.

  2. If necessary, stop packet capture manually:

    pcapdump stop

The captured traffic packets are written to the traffic_dump.pcap network dump file. This file is saved on the Kaspersky NGFW device in the /var partition, and you can download this file. Packet capture events are logged.

Configuring packet capture

You can view information about the current packet capture settings by running the following command on the command line:

show pcapdump settings


The commands that you can use to configure packet capture are described below. For each command, the description, possible values, and default value are given.

Commands for configuring packet capture

pcapdump settings duration <value>
    Description: Duration of packet capture in seconds.
    Possible values: from 1 to 600.
    Default value: 30

pcapdump settings max-packets <value>
    Description: Maximum number of packets to capture.
    Possible values: from 1 to 100,000.
    Default value: 1000

pcapdump settings direction <value>
    Description: Direction of packets to be captured.
    Possible values:
      • in – incoming only.
      • out – outgoing only.
      • both – incoming and outgoing.
    Default value: both

pcapdump settings max-frame-size <value>
    Description: Maximum size of network frame data to be recorded, in bytes.
    Possible values: from 32 to 9000.
    Default value: 1514

pcapdump settings capture-filter-names <list of values>
    Description: Names of one or more filters to be applied to captured packets. Only packets that satisfy the conditions of all specified filters are recorded in the file. Filters must be created manually.
    Possible values: comma-separated list of filter names, without spaces.
    Default value: empty

After running the command, the corresponding parameter is saved and applied automatically after the device is restarted. Changing the settings does not affect the performance of Kaspersky NGFW.
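Once traffic_dump.pcap has been downloaded from the /var partition, an analyst usually wants to confirm that the dump matches the limits that were configured (max-packets and max-frame-size) before reading it in detail. The following script is an added example, not part of the Kaspersky NGFW documentation or product; it assumes the dump is a classic little-endian libpcap file (an assumption, since the page only gives the .pcap name), parses it with the standard library, and reports where the capture is inconsistent with the documented defaults. The sample input is constructed inline.

```python
import struct

# Classic libpcap layout (assumed for traffic_dump.pcap): 24-byte global header
# (magic, version major/minor, tz offset, sigfigs, snaplen, linktype) followed by
# 16-byte per-packet records (ts_sec, ts_usec, incl_len, orig_len) and frame bytes.
PCAP_GLOBAL = struct.Struct("<IHHiIII")
PCAP_RECORD = struct.Struct("<IIII")
MAGIC_LE = 0xA1B2C3D4


def summarize_pcap(data: bytes) -> dict:
    """Walk a pcap file and return packet count, largest captured frame, snaplen, linktype."""
    if len(data) < PCAP_GLOBAL.size:
        raise ValueError("file shorter than the pcap global header")
    magic, _, _, _, _, snaplen, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != MAGIC_LE:
        raise ValueError(f"unsupported pcap magic {magic:#x} (only little-endian classic pcap handled)")
    offset, count, max_caplen = PCAP_GLOBAL.size, 0, 0
    while offset + PCAP_RECORD.size <= len(data):
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(data, offset)
        offset += PCAP_RECORD.size
        if offset + incl_len > len(data):  # file cut off mid-record (e.g. interrupted capture)
            raise ValueError(f"truncated record at packet {count + 1}")
        count += 1
        max_caplen = max(max_caplen, incl_len)
        offset += incl_len
    return {"packets": count, "max_caplen": max_caplen, "snaplen": snaplen, "linktype": linktype}


def check_against_limits(summary: dict, max_packets: int = 1000, max_frame_size: int = 1514) -> list:
    """Return findings where the dump disagrees with the configured pcapdump limits (defaults from the docs)."""
    findings = []
    if summary["packets"] > max_packets:
        findings.append(f"packet count {summary['packets']} exceeds max-packets {max_packets}")
    if summary["max_caplen"] > max_frame_size:
        findings.append(f"captured frame of {summary['max_caplen']} bytes exceeds max-frame-size {max_frame_size}")
    return findings


def build_sample_pcap(frame_sizes) -> bytes:
    """Constructed test input: minimal pcap with one zero-filled Ethernet frame per requested size."""
    out = PCAP_GLOBAL.pack(MAGIC_LE, 2, 4, 0, 0, 1514, 1)  # linktype 1 = Ethernet
    for i, size in enumerate(frame_sizes):
        out += PCAP_RECORD.pack(1700000000 + i, 0, size, size) + bytes(size)
    return out


if __name__ == "__main__":
    summary = summarize_pcap(build_sample_pcap([60, 1514, 2000]))
    print(summary, check_against_limits(summary))
```

To check a real download, replace the constructed sample with `open("traffic_dump.pcap", "rb").read()` and pass the duration-independent limits you actually set with `pcapdump settings`.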
