Managing network dump files when IDPS signatures are triggered

The recorded traffic is saved locally on the Kaspersky NGFW device in a file named idps-traffic-dump-<sig_id>-<devicePayloadId>-<timestamp>, where <sig_id> is the ID of the triggered signature (the same value as the cn1 field of the security event, if an event was created). When multiple signatures are triggered, only one of them is indicated in the name. The file has the PCAP or TXT format, depending on the type of signature that was triggered.

You can use SSH or SCP to download the network dump file from a Kaspersky NGFW device. If you download the file over SSH, connect to the Kaspersky NGFW device as you would to any SSH server. After downloading, the file also remains on the Kaspersky NGFW device.
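The following POSIX shell helpers are an added example and are not part of the Kaspersky NGFW help or product. They parse dump file names of the idps-traffic-dump-<sig_id>-<devicePayloadId>-<timestamp> form so that a downloaded dump can be matched to the security event whose cn1 field carries the same signature ID, and report whether a dump is in PCAP or TXT format. Assumptions: <sig_id> contains no hyphen (so it is the first field after the fixed prefix), and the timestamp format and the sample file names are constructed for illustration rather than taken from a real device. The directory in which the device stores the dumps is not stated on this page, so it is not hard-coded here; pass the names obtained from the device's own listing.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky NGFW help: work with IDPS traffic dump
# file names of the form
#   idps-traffic-dump-<sig_id>-<devicePayloadId>-<timestamp>.<pcap|txt>
# so a dump can be matched to the security event whose cn1 field carries the
# same signature ID. Assumptions: <sig_id> contains no "-" (so it is the first
# field after the fixed prefix); the timestamp format and the sample names below
# are constructed for illustration and are not real device output.

# Print the signature ID encoded in a dump file name; fail (status 1) when the
# name does not follow the idps-traffic-dump pattern.
dump_sig_id() {
    name=${1##*/}                       # drop any directory part
    case "$name" in
        idps-traffic-dump-*-*-*.pcap|idps-traffic-dump-*-*-*.txt) ;;
        *) return 1 ;;
    esac
    rest=${name#idps-traffic-dump-}     # "<sig_id>-<devicePayloadId>-<timestamp>.<ext>"
    printf '%s\n' "${rest%%-*}"         # first field = <sig_id>
}

# Print "pcap" or "txt" for a dump file name (the format depends on the type of
# signature that was triggered); fail for anything else.
dump_format() {
    case "${1##*/}" in
        idps-traffic-dump-*.pcap) printf 'pcap\n' ;;
        idps-traffic-dump-*.txt)  printf 'txt\n' ;;
        *) return 1 ;;
    esac
}

# Given a newline-separated listing of file names (as produced by a directory
# listing on the device) and the cn1 value of a security event, print the dump
# files that belong to that event. Entries that are not dump files are skipped.
dumps_for_event() {
    listing=$1
    cn1=$2
    printf '%s\n' "$listing" | while IFS= read -r f; do
        if [ -z "$f" ]; then continue; fi
        if ! sid=$(dump_sig_id "$f"); then continue; fi
        if [ "$sid" = "$cn1" ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample listing (two signatures, two payload IDs, one unrelated file).
SAMPLE_DUMPS='idps-traffic-dump-2024001-dev7f3a-20240501T101500.pcap
idps-traffic-dump-2024002-dev7f3a-20240501T101730.txt
idps-traffic-dump-2024001-dev9c1e-20240501T110200.pcap
notes.txt'

# Usage: show the dumps that belong to an event whose cn1 field is 2024001.
dumps_for_event "$SAMPLE_DUMPS" 2024001
```

Once the files for an event are identified, copy them off the device with SCP as described above; because the original remains on the device after the download, keep track of which dumps have already been collected so that they can be deleted from the command line when no longer needed.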

Use shell commands only in accordance with their descriptions in this Kaspersky NGFW Help or when instructed to do so by Kaspersky Technical Support. In all other cases, we recommend using the Kaspersky NGFW command line.

If you restart the Kaspersky NGFW device while the network dump file is being downloaded, the download is interrupted and will have to be restarted.

You can view a list of all traffic dump files or delete a network dump file on the command line using commands from the system family of commands. For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.
