Automatically stop active PCAPdump or Logsnoop in the CLI

Last modified on 7 Dec, 2022. Revision 10
PCAPdump and Logsnoop are very useful commands, but if you are not careful they can generate a massive amount of console output. This short guide describes the command options needed to prevent that from happening.
Up to date for: cOS Core 14.00.06
Supported since: cOS Core 10.x
Status: OK
Author: Peter Nilsson



Description

When using the PCAPDump or Logsnoop command in the CLI there might be scenarios where we only want a quick sample of what is happening on a specific interface, IP, network etc. without the risk of being spammed by excessive output.

If we use, for instance, the CLI command "pcapdump -start ge1 -out-nocap" and the interface in question is very active, the console may be spammed to death with packet output. It could even cause network disturbances, as the firewall spends a large amount of CPU time sending all the packet data to the console instead of forwarding traffic.

Solution

Both the PCAPDump and Logsnoop commands have options that specify how many packets or log rows should be displayed before the output stops automatically. This is very useful if you only want a quick sample of what is happening on the system, and it avoids forgetting that a capture is still running in the background.

PCAP Example

pcapdump -start ge1 -out-nocap -count=10

The above command means that the packet dump to the console stops automatically after 10 packets have been captured on the ge1 interface. Please note that if no interface is specified, the limit applies per interface, i.e. 10 packets on each interface.

When the capture limit has been reached, the system will print out the following message on the console:

ge1: Packet capture stopped (packet count reached)

Logsnoop Example

logsnoop -on -num=10

The above command means that the logsnoop output to the console stops automatically after 10 log entries have been printed.

When the log limit has been reached, the system will print out the following message on the console:

Log limit reached. Printed 10/10 logs. Switching log output off
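When these bounded samples are collected by a script rather than by a person at the console (for example over an SSH session to the firewall), the script needs to recognise the two stop messages quoted above to know that the capture ended on its own, and to notice when no stop message arrives so that a capture is not left running. The following is an added example written for this article, not code from cOS Core or from the author; it parses the PCAP and Logsnoop stop messages shown in both examples above and watches a console transcript for them. The console transcripts it consumes are constructed placeholder lines (the real packet and log output format is not shown on this page), and the per-interface handling assumes that when no interface is given, each interface prints its own "Packet capture stopped" line once its count is reached.

```python
import re
from typing import Iterable, Optional

# Regexes for the two stop messages quoted in the article.
# pcapdump form:  "<iface>: Packet capture stopped (packet count reached)"
PCAP_STOP = re.compile(
    r"^(?P<iface>\S+): Packet capture stopped \((?P<reason>[^)]*)\)$"
)
# logsnoop form:  "Log limit reached. Printed 10/10 logs. Switching log output off"
LOGSNOOP_STOP = re.compile(
    r"^Log limit reached\. Printed (?P<printed>\d+)/(?P<limit>\d+) logs\. "
    r"Switching log output off$"
)


def parse_stop_message(line: str) -> Optional[dict]:
    """Return a dict describing a stop message, or None if the line is not one."""
    text = line.strip()
    m = PCAP_STOP.match(text)
    if m:
        return {"tool": "pcapdump", "iface": m.group("iface"), "reason": m.group("reason")}
    m = LOGSNOOP_STOP.match(text)
    if m:
        return {
            "tool": "logsnoop",
            "printed": int(m.group("printed")),
            "limit": int(m.group("limit")),
        }
    return None


def watch_console(lines: Iterable[str], wait_for_ifaces=None) -> dict:
    """Consume console output until the capture reports that it has stopped.

    wait_for_ifaces: interfaces whose stop messages must all be seen (use this
    when pcapdump was started without an interface, so each interface stops
    separately). With no list, the first stop message ends the sample.

    Returns stopped=False if the stream ends before the stop message(s): in
    that case the capture is presumably still running and must be stopped by
    hand, which is exactly the situation -count / -num are meant to prevent.
    """
    pending = set(wait_for_ifaces) if wait_for_ifaces else set()
    events = []
    output_lines = 0
    done = False
    for line in lines:
        ev = parse_stop_message(line)
        if ev is None:
            output_lines += 1  # ordinary packet or log output
            continue
        events.append(ev)
        if ev["tool"] == "logsnoop":
            done = True
        elif not pending:
            done = True  # no per-interface list: first stop message ends the sample
        else:
            pending.discard(ev["iface"])
            done = not pending
        if done:
            break
    return {
        "stopped": done,
        "output_lines": output_lines,
        "events": events,
        "still_waiting": sorted(pending),
    }


# Constructed console transcripts (placeholders stand in for real packet/log rows).
SAMPLE_PCAP_CONSOLE = [f"[constructed packet line {i}]" for i in range(1, 11)] + [
    "ge1: Packet capture stopped (packet count reached)"
]
SAMPLE_MULTI_IFACE_CONSOLE = (
    [f"[constructed packet line {i}]" for i in range(1, 16)]
    + ["ge1: Packet capture stopped (packet count reached)"]
    + [f"[constructed packet line {i}]" for i in range(16, 21)]
    + ["ge2: Packet capture stopped (packet count reached)"]
)
SAMPLE_LOGSNOOP_CONSOLE = [f"[constructed log row {i}]" for i in range(1, 11)] + [
    "Log limit reached. Printed 10/10 logs. Switching log output off "
]
# A capture started without -count: the stream just ends, no stop message.
SAMPLE_UNBOUNDED_CONSOLE = [f"[constructed packet line {i}]" for i in range(1, 8)]


if __name__ == "__main__":
    for name, lines, ifaces in [
        ("pcapdump ge1", SAMPLE_PCAP_CONSOLE, None),
        ("pcapdump all ifaces", SAMPLE_MULTI_IFACE_CONSOLE, ["ge1", "ge2"]),
        ("logsnoop", SAMPLE_LOGSNOOP_CONSOLE, None),
        ("unbounded", SAMPLE_UNBOUNDED_CONSOLE, None),
    ]:
        print(name, watch_console(lines, ifaces))
```

In practice the `lines` argument would be the line iterator of an interactive session to the firewall; if `watch_console` returns `stopped=False`, treat it as a sign that the capture was started without a limit and stop it manually before moving on.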



Related articles

Using PCAP packet capture in cOS Core
7 Sep, 2022 core cli pcap netwall pcapdump
Troubleshoot firewall MTU issues using Wireshark
4 Apr, 2023 core pcap pcapdump wireshark