After packet capture completes, the recorded traffic is saved locally on the Kaspersky NGFW device as the file traffic_dump.pcap (PCAP format) in the /var partition. There is only one traffic_dump.pcap file; it is overwritten every time packet capture is enabled, so download a dump you want to keep before starting a new capture. After the process completes, you can view information about the file, download it, or delete it.
You can view information about the network dump file by running the following command:
show pcapdump packet-file
This command returns the file size, creation date and time, name and path to the file.
You can use SSH or SCP to download the network dump file from a Kaspersky NGFW device. When downloading the file via SSH, connect to the Kaspersky NGFW device as the server, that is, initiate the connection from your workstation. After downloading, the file also remains on the Kaspersky NGFW device.
Use shell commands only in accordance with their descriptions in this Kaspersky NGFW Help or when instructed to do so by Kaspersky Technical Support. In other cases, we recommend using the Kaspersky NGFW command line.
If you restart the Kaspersky NGFW device while the network dump file is being downloaded, the download is interrupted and will have to be restarted.
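The following script is an added example, not Kaspersky's own code or tooling: it downloads the dump with scp and then checks that the copy is complete, which matters because an interrupted transfer leaves a truncated file. The host name, account name and the full remote path are placeholders (the Help only states that the file is in the /var partition); take the real path and the expected byte size from the output of show pcapdump packet-file.

```shell
#!/bin/sh
# Added example (not part of Kaspersky NGFW): fetch traffic_dump.pcap and verify it.
# Assumed placeholders: NGFW_HOST, NGFW_USER and REMOTE_PATH. Use the path and size
# reported by `show pcapdump packet-file` on the appliance.
NGFW_HOST="${NGFW_HOST:-ngfw.example.internal}"          # assumed host name
NGFW_USER="${NGFW_USER:-admin}"                          # assumed account
REMOTE_PATH="${REMOTE_PATH:-/var/traffic_dump.pcap}"     # assumed; confirm on the device

# pcap_magic_ok FILE: return 0 if FILE starts with a pcap (either byte order,
# microsecond or nanosecond variant) or pcapng magic number.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# file_size FILE: byte count, portable across GNU and BSD userlands.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# verify_pcap_download FILE EXPECTED_SIZE:
#   0 = valid magic and size matches, 1 = missing file,
#   2 = not a pcap/pcapng header, 3 = size mismatch (truncated or stale copy).
verify_pcap_download() {
    [ -f "$1" ] || return 1
    pcap_magic_ok "$1" || return 2
    [ "$(file_size "$1")" -eq "$2" ] || return 3
    return 0
}

# fetch_dump EXPECTED_SIZE LOCAL_FILE: download, then verify; if the appliance
# was restarted mid-transfer the check fails and the download must be rerun.
fetch_dump() {
    scp "$NGFW_USER@$NGFW_HOST:$REMOTE_PATH" "$2" || return 1
    verify_pcap_download "$2" "$1"
}
```

Usage: source the script and run fetch_dump with the size shown by show pcapdump packet-file, for example fetch_dump 1048576 ./traffic_dump.pcap; a non-zero return code tells you which check failed. Comparing the byte count against the size the appliance reports is what catches the interrupted-download case described above, since a truncated file can still carry a valid header.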
You can delete the network dump file by running the following command on the command line:
pcapdump delete-packet-file