```
[Data Packet Capture Menu]
     capture  - Capture packets
     stop     - Stop capturing packets
     dumpcap  - Display captured packets
     snaplen  - Set the packet snap length
     count    - Set the max number of captured packets
     putcap   - Upload capture buffer via FTP/TFTP/SCP
     clearcap - Clear capture buffer
     cur      - Display current packet capture options
```

Command Syntax and Usage | ||
---|---|---|
capture cap [-l/-live] [-p/-i <port range>]* [-sp <number | empty for all sps>] [-t <from port>:<to port>]* [-v/vlan <vlan number>] [-s <len>] [-c <count>] [-inj (injected frames)] [-E (Extra Info)] [-e] [-d][-n] [-x] [-A] [-O] [-a] [-m] <pcap filter string> [dst/src host <host ip>] [dst/src port <port no.>] [port <port no.>] [tcp/udp/icmp/ip multicast/ip broadcast] [-M] | ||
Starts the packet capture operation and sets the packet capture option parameters. Note: The parameters are case sensitive. Note: The following flags are not supported when using the -sp flag: -l, -e, -n, -x, and -A. Range: 1-4090. Range: 0-9100. Note: Defines the snap length for the current capture only and overrides the globally-defined snap length value defined using the snaplen parameter. Range: 0-1000000000. Note: Defines the packet count for the current capture only and overrides the globally-defined packet count value defined using the count parameter. Note: This is useful when there is a tunnel with SSL (port 443) but the back-end flow is clear (port 80). — Physical Port number - where the packet came from or is going to. — Direction - in or out. — Source - whether this packet was: — SP Number - where this packet was processed. — Session ID - session ID through the session's life, FE and BE. Import the pre-master secret file to Wireshark in order to decrypt the SSL session. Note: Decryption of the SSL application data may expose sensitive information. Make sure to keep this data secure. The following filter parameters can be set with an "and/or" operator between them: — dst host <host> — Filters output on the specified destination host IP address. — src host <host> — Filters output on the specified source host IP address. — dst port <port> — Filters output on the specified destination port. — src port <port> — Filters output on the specified source port. — port — Filters output on the specified port. — tcp — Filters output for TCP traffic only. — udp — Filters output for UDP traffic only. — icmp — Filters output for ICMP traffic only. — ip multicast — Filters output for multicast traffic only. — ip broadcast — Filters output for broadcast traffic only. Note: The packet capture can include up to 21 filters. | ||
stop | ||
Stops the current packet capture process. | ||
dumpcap {-s <number_of_packets from_start> | -c <number_of_packets> [decrypt]} | ||
Displays the original or decrypted captured packets in the CLI. | ||
snaplen <length_of_packets> | ||
Sets the length of packets to capture (snap length). Note: This snap length command is a globally-defined parameter, and is overridden by the -s parameter in the capture command that defines the snap length for the current capture only. | ||
count <number_of_packets> | ||
Sets the maximum number of captured packets. Note: This packet count command is a globally-defined parameter, and is overridden by the -c parameter in the capture command that defines the packet count for the current capture only. | ||
putcap <hostname [-v4|-v6]|v4 or v6 IP address> <filename> <-tftp|username password> [-mgmt|-data] [-scp] | ||
Uploads captured packets to an FTP/TFTP/SCP server. If decrypted captures exist, both the original and decrypted capture files are uploaded. To distinguish between the exported original and decrypted files, the following extensions are added to the user-specified file name: .orig and .dcrypt. | ||
clearcap | ||
Clears the packet capture buffer. | ||
cur | ||
Displays the current packet capture status. |
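
The constraints stated in the capture notes above (case-sensitive flags, flags not supported with -sp, the -s and -c ranges, and the 21-filter limit) can be checked before a command is pasted into a runbook or automation job. The following Python check is an added example, not part of the original page or of the product's CLI; the function name `lint_capture` is hypothetical, and it assumes that "filters" are counted as the primitives joined by and/or.

```python
import shlex

# Limits and rules as stated in the capture command notes on this page.
SNAPLEN_RANGE = (0, 9100)                      # -s <len>
COUNT_RANGE = (0, 1_000_000_000)               # -c <count>
MAX_FILTERS = 21
SP_CONFLICTS = {"-l", "-e", "-n", "-x", "-A"}  # not supported with -sp
FILTER_HEADS = {"dst", "src", "port", "tcp", "udp", "icmp", "ip"}


def lint_capture(command):
    """Return a list of problems found in one 'capture ...' command line."""
    tokens = shlex.split(command)
    if not tokens or tokens[0] != "capture":
        return ["not a capture command"]
    args, problems = tokens[1:], []
    flags = {t for t in args if t.startswith("-")}
    # Flags are case sensitive, so -A and -a are compared exactly.
    if "-sp" in flags:
        for bad in sorted(flags & SP_CONFLICTS):
            problems.append(f"{bad} is not supported together with -sp")
    # Per-capture overrides of the global snaplen and count values.
    for flag, (lo, hi) in (("-s", SNAPLEN_RANGE), ("-c", COUNT_RANGE)):
        if flag in args:
            idx = args.index(flag) + 1
            value = args[idx] if idx < len(args) else ""
            if not value.isdigit() or not lo <= int(value) <= hi:
                problems.append(f"{flag} value {value!r} outside {lo}-{hi}")
    # Assumption: each and/or joins two filter primitives, so the number
    # of filters is the number of joins plus one.
    joins = sum(t in ("and", "or") for t in args)
    n_filters = joins + 1 if any(t in FILTER_HEADS for t in args) else 0
    if n_filters > MAX_FILTERS:
        problems.append(f"{n_filters} filters given, limit is {MAX_FILTERS}")
    return problems


if __name__ == "__main__":
    # Constructed sample commands (addresses are documentation ranges).
    samples = [
        "capture -p 1 -s 256 -c 2000 src host 192.0.2.10 and dst port 443",
        "capture -sp 2 -x -A tcp",
        "capture -s 9101 tcp",
    ]
    for cmd in samples:
        print(cmd, "->", lint_capture(cmd) or "ok")
```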