Description
When using the PCAPDump or Logsnoop command in the CLI, there may be scenarios where we only want a quick sample of what is happening on a specific interface, IP, network, etc., without risking getting spammed by excessive output.
If we use, for instance, the CLI command “pcapdump -start ge1 -out-nocap” and the interface in question is very active, the console may be spammed to death with data output, and this could even cause network disturbances as the firewall is spending a large amount of CPU power to send all the packet data to the console.
Solution
Both the PCAPDump and Logsnoop commands have options that let you specify how many packets or log rows should be displayed before the output stops automatically. This can be very useful if you only want a quick sample of what is happening on the system, and it avoids forgetting that the capture is running in the background.
PCAP Example
pcapdump -start ge1 -out-nocap -count=10
The above command means that the packet dump to the console will automatically stop after 10 packets on the ge1 interface. Please note that if an interface is not specified it means 10 packets per interface.
When the capture limit has been reached, the system will print out the following message on the console:
ge1: Packet capture stopped (packet count reached)
Logsnoop Example
logsnoop -on -num=10
The above command means that the logsnoop output to the console will automatically stop after 10 log entries.
When the log limit has been reached, the system will print out the following message on the console:
Log limit reached. Printed 10/10 logs. Switching log output off