D-Link DFL-1660 User Manual page 82

2.5. The pcapdump Command
It is possible to have multiple pcapdump executions being performed at the same time. The
following points describe this feature:
1. All capture from all executions goes to the same memory buffer.
The command can be launched multiple times with different interfaces specified. In this case
the packet flow for the different executions will be grouped together in different sections of the
report.
If a clearer picture of packets flowing between interfaces is required in the output then it is best
to issue one pcapdump command with the interfaces of interest specified.
2. If no interface is specified then the capture is done on all interfaces.
3. The -stop option without an interface specified will halt capture on all interfaces.
4. pcapdump prevents capture running more than once on the same interface by detecting
command duplication.
Filter Expressions
Seeing all packets passing through a particular interface often provides an excess of information to
be useful. To focus on particular types of traffic the pcapdump command has the option to add an
filter expression which has one of the following forms:
-eth=<macaddr> - Filter on source or destination MAC address.
-ethsrc=<macaddr> - Filter on source MAC address.
-ethdest=<macaddr> - Filter on destination MAC address.
-ip=<ipaddr> - Filter source or destination IP address.
-ipsrc=<ipaddr> - Filter on source IP address.
-ipdest=<ipaddr> - Filter on destination IP address.
-port=<portnum> - Filter on source or destination port number.
-srcport=<portnum> - Filter on source port number.
-destport=<portnum> - Filter on destination port number.
-proto=<id> - Filter on protocol where id is the decimal protocol id.
-<protocolname> - Instead of the protocol number, the protocol name alone can be specified and
can be one of -tcp, -udp or -icmp.
Downloading the Output File
As shown in one of the examples above, the -write option of pcapdump can save buffered packet
information to a file on the NetDefend Firewall.
These output files are placed into the NetDefendOS root directory and the file name is specified in
the pcapdump command line, usually with a filetype of .cap. The name of output files must follow
certain rules which are described below. Files can then be downloaded to the local workstation using
Secure Copy (SCP) (see Section 2.1.6, "Secure Copy"). A list of all files in the NetDefendOS root
directory can be viewed by issuing the ls CLI command.
The -cleanup option will erase any saved pcapdump files (including any left over from earlier uses
of the command) so cleanup should only be done after file download is complete.
Note: NetDefendOS keeps track of saved files
NetDefendOS keeps track of all files created by pcapdump. This is true even between
system restarts so the -cleanup option is always able to delete all files from the
firewall's memory.
Chapter 2. Management and Maintenance
82