Automatically make PCAPdump or Logsnoop stop console output

Security Gateway Articles and How to's
Peter
Posts: 611
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Post by Peter » 24 Nov 2016, 09:29

This How-to applies to:
  • Clavister Security Gateway 10.x and up.
Description:

When using the PCAPDump or Logsnoop command in the CLI there may be scenarios where you only want a quick sample of what is happening on a specific interface, IP, network etc., without risking being spammed by excessive output.

If we use for instance the CLI command "pcapdump -start ge1 -out-nocap" and the interface in question is very active, the console may be flooded with data output. This can even cause network disturbances, as the firewall spends a large amount of CPU power sending all the packet data to the console.

Solution:

Both the PCAPDump and Logsnoop commands have options where you can specify how many packets or log rows should be displayed before the output stops automatically. This is very useful when you only want a quick sample of what is happening on the system, and it avoids forgetting that a capture is still running in the background.

PCAP Example:

pcapdump -start ge1 -out-nocap -count=10

With this command the packet dump to the console stops automatically once 10 packets have been captured on the ge1 interface. Please note that if no interface is specified, the limit applies per interface, i.e. 10 packets on each interface.

When the capture limit has been reached, the system will print out the following message on the console:
ge1: Packet capture stopped (packet count reached)

Logsnoop Example:

logsnoop -on -num=10

With this command the logsnoop output to the console stops automatically once 10 log entries have been printed.

When the log limit has been reached, the system will print out the following message on the console:
Log limit reached. Printed 10/10 logs. Switching log output off
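Because the risk this how-to warns about is a capture that was left running, a small check over the saved console output is handy. The Python below is an added example, not part of the how-to or of Clavister's tooling: it scans a console transcript for the two stop messages quoted above and reports which captures actually stopped. The transcript lines and interface names are constructed; the assumption that a capture started without an interface prints one stop line per interface is mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stop messages exactly as quoted in the how-to for -count (pcapdump) and -num (logsnoop).
PCAP_STOP_RE = re.compile(r"^(?P<iface>\S+): Packet capture stopped \(packet count reached\)$")
LOG_STOP_RE = re.compile(
    r"^Log limit reached\. Printed (?P<printed>\d+)/(?P<limit>\d+) logs\. Switching log output off$"
)


@dataclass
class CaptureStatus:
    kind: str                                   # "pcapdump" or "logsnoop"
    stopped_ifaces: List[str] = field(default_factory=list)  # pcapdump: interfaces that reported stopping
    printed: Optional[int] = None               # logsnoop: entries actually printed
    limit: Optional[int] = None                 # logsnoop: configured -num limit

    @property
    def stopped(self) -> bool:
        return bool(self.stopped_ifaces) if self.kind == "pcapdump" else self.limit is not None


def capture_status(transcript: str, kind: str) -> CaptureStatus:
    """Scan a console transcript and extract the stop message(s) for the given command kind."""
    if kind not in ("pcapdump", "logsnoop"):
        raise ValueError("kind must be 'pcapdump' or 'logsnoop'")
    status = CaptureStatus(kind=kind)
    for line in transcript.splitlines():
        line = line.strip()
        if kind == "pcapdump":
            m = PCAP_STOP_RE.match(line)
            if m:
                status.stopped_ifaces.append(m.group("iface"))
        else:
            m = LOG_STOP_RE.match(line)
            if m:
                status.printed, status.limit = int(m.group("printed")), int(m.group("limit"))
    return status


def still_running(transcript: str, expected_ifaces: List[str]) -> List[str]:
    """Interfaces (assumed one stop line each) for which no stop message was seen, i.e. captures to stop by hand."""
    seen = set(capture_status(transcript, "pcapdump").stopped_ifaces)
    return [i for i in expected_ifaces if i not in seen]


# Constructed sample transcript: packet lines are placeholders, not the real Clavister packet format.
SAMPLE_PCAP = "ge1: <packet 1>\nge1: <packet 2>\nge1: Packet capture stopped (packet count reached)\n"
SAMPLE_LOG = "<log entry 1>\nLog limit reached. Printed 10/10 logs. Switching log output off\n"
```

Run `still_running(SAMPLE_PCAP, ["ge1", "ge2"])` to see that ge2 never reported stopping and would still be dumping packets if it was part of the capture.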
