11-Network Management and Monitoring Command Reference

HomeSupportResource CenterH3C S5560S-EI&S5560S-SI&S5500V3-SI Switch Series Command References-R612x-6W10211-Network Management and Monitoring Command Reference
14-Packet capture commands
Title Size Download
14-Packet capture commands 46.71 KB

Packet capture commands

packet-capture interface

Use packet-capture interface to capture incoming packets on an interface.

Syntax

Save captured packets to a file:

packet-capture interface interface-type interface-number [ capture-filter capt-expression | limit-captured-frames limit | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds | autostop files numbers | capture-ring-buffer filesize kilobytes | capture-ring-buffer duration seconds | capture-ring-buffer files numbers ] * write filepath [ raw | { brief | verbose } ] *

Filter packet data to display:

packet-capture interface interface-type interface-number [ capture-filter capt-expression | display-filter disp-expression | limit-captured-frames limit | limit-frame-size bytes | autostop duration seconds ] * [ raw | { brief | verbose } ] *

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an Ethernet interface by its type and number.

capture-filter capt-expression: Specifies an expression to match packets to be captured, a case-sensitive string of 1 to 256 characters. If you do not specify a capture filter expression, the device captures all incoming packets on an interface.

display-filter disp-expression: Specifies an expression to match packets to be displayed, a case-sensitive string of 1 to 256 characters. If you do not specify a display filter expression, the device displays all captured packets.

limit-captured-frames limit: Stops capturing packets when the maximum number of captured packets is reached. The limit argument sets the maximum number of packets to capture. The value range is 0 to 2147483647, and the default value is 10. If you set the limit to 0, the maximum number of captured packets is unlimited.

limit-frame-size bytes: Sets the maximum number of bytes to capture for a packet. The value range is 64 to 8000 bytes, and the default value is 8000 bytes.

autostop filesize kilobytes: Stops capturing packets if the maximum packet file size is exceeded when file rotation is disabled. The kilobytes argument sets the maximum packet file size. The value range is 1 to 65536 kilobytes. If you do not set a limit, the packet file size is unlimited.

autostop duration seconds: Stops capturing packets when the capturing duration expires. The seconds argument sets the capturing duration. The value range is 1 to 2147483647 seconds. If you do not set a limit, the capturing duration is unlimited.

autostop files numbers: Stops capturing packets when the maximum number of file rotations is reached. The numbers argument sets the maximum number of file rotations. The value range is 2 to 64. The capture creates a file to store packet data when a rotation is triggered. The first rotation occurs when the capture starts. If you do not set a limit, the number of file rotations is unlimited.

capture-ring-buffer filesize kilobytes: Rotates the packet file when the maximum file size is reached. The kilobytes argument sets the maximum file size. The value range is 1 to 65536 kilobytes.

capture-ring-buffer duration seconds: Rotates the packet file when the rotation interval expires. The seconds argument sets the rotation interval. The value range is 1 to 2147483647 seconds.

capture-ring-buffer files numbers: Sets the maximum number of packet files for file rotation, in the range of 2 to 64. If this limit is reached before the capture stops, newly captured packets will overwrite the packet data in the oldest file.

write filepath: Specifies the full path of the packet file to store captured packet data. The path must be a case-sensitive string of up to 64 characters. The filename extension must be .pcap. For more information about setting a file path, see file system management in Fundamentals Configuration Guide.

raw: Displays packet contents in hexadecimal notation. If you do not specify this keyword, the capture displays packet data in a string format.

verbose: Displays detailed information about captured packets.

brief: Displays brief information about captured packets.

Usage guidelines

To use this command, you must install the packet capture feature image by using boot-loader commands. For more information about image installation, see software upgrade in Fundamentals Configuration Guide.

The device displays captured packet data in real time.

·          If you specify the write filepath option without specifying the raw, brief, or verbose keyword, this command displays the number of captured packets.

·          If you do not specify any one of the raw, brief, verbose, and write filepath parameters, this command displays brief information about captured packets.

After packet capture is enabled, you are not allowed to configure other commands from the CLI. To stop the capture while it is capturing packets, press Ctrl+C.

If file rotation is disabled, the capture creates a packet file with the file name specified by the write filepath option. If file rotation is enabled, the capture automatically creates a packet file for each rotation, and renames the file to include a sequence number and timestamp. The sequence number increases by 1 for each file rotation. For example, set the file name to a.pcap. For the first rotation, the capture will create a packet file named a_00001_20140211034151.pcap. For the second rotation, the capture will create a packet file named a_00002_20140211034207.pcap.

Use Table 1 when you configure the options for stopping the capture or rotating the file.

Table 1 Using the packet filter parameters

Purpose

Options

Remarks

Stop capturing

·         Stop based on the capturing duration:
autostop duration seconds

·         Stop based on the number of captured packets:
limit-captured-frames limit

·         Stop based on the number of file rotations:
autostop files numbers

·         Stop based on the file size if file rotation is disabled:
autostop filesize kilobytes

The packet capture stops if any one of the limits for the stop options is reached. The packet capture also stops if the file system's limit on the number of files has been reached.

The autostop filesize option does not stop the capture if file rotation is enabled by the autostop files, capture-ring-buffer files, or capture-ring-buffer filesize option.

Rotate files

·         Rotate based on the file size:
capture-ring-buffer filesize kilobytes

·         Rotate based on the rotation interval:
capture-ring-buffer duration seconds

·         Rotate based on the file size specified for the autostop filesize kilobytes option:
autostop files numbers
autostop filesize kilobytes
capture-ring-buffer files numbers

The capture rotates the packet file when any one of the limits for the rotation options is reached.

If you specify the autostop filesize option after the capture-ring-buffer filesize option, the capture rotates the file based on the file size specified for the autostop filesize option.

Examples

# Capture incoming packets on GigabitEthernet 1/0/1.

<Sysname> packet-capture interface gigabitethernet 1/0/1

Related commands

packet-capture read

packet-capture read

Use packet-capture read to display the contents in a packet file.

Syntax

packet-capture read filepath [ display-filter disp-expression ] [ raw | { brief | verbose } ] *

Views

User view

Predefined user roles

network-admin

Parameters

filepath: Specifies the full path of the packet file to store captured packet data. The path must be a case-sensitive string of up to 64 characters. The filename extension must be .pcap or .pcapng. For more information about setting a file path, see file system management in Fundamentals Configuration Guide.

display-filter disp-expression: Specifies an expression to match packets to be displayed, a case-sensitive string of 1 to 256 characters. If you do not specify a display filter expression, this command displays all file contents.

raw: Displays file contents in hexadecimal notation. If you do not specify this keyword, the capture displays packet data in a string format.

brief: Displays brief information about captured packets in the file.

verbose: Displays detailed information about captured packets in the file.

Usage guidelines

To use this command, you must install the packet capture feature image by using boot-loader commands. For more information about image installation, see software upgrade in Fundamentals Configuration Guide.

To stop displaying the file contents, press Ctrl+C.

The device stores captured packets in .pcap files but can read .pcap and .pcapng files.

If you do not specify the raw, brief, or verbose keyword, this command displays brief information about captured packets in the file.

Examples

# Display the contents in the file flash:/test/aaaa.pcap.

<Sysname> packet-capture read flash:/test/aaaa.pcap

Related commands

packet-capture interface