The nfdump command is one of the methods to capture and filter specific traffic on a particular NAM Probe.
Capturing and filtering traffic on a specific NAM Probe with nfdump has the following traits:
- It allows you to capture traffic regardless of the NAM Probe sampling mode, while the other capturing methods refuse to capture when sampling is in effect.
- It lessens the performance impact of the capture, limiting the strain to the NAM Probe on which the command was run.
With nfdump, you can start a number of simultaneous captures. Each capture is assigned a unique filter ID, so you can indicate which capture to stop or remove.
The nfdump command is an rcon command executed from the rcon console or from the system command prompt. For information on executing rcon commands, see RTM console (rcon).
The nfdump syntax is:
nfdump [action] [parameters]
[action] can be one of start, status, stop or remove, described below.
To show the nfdump manpages (help), run
nfdump start + [parameters]
Begins capturing traffic based on the additional parameters provided on the command line. The parameters are:
- (optionally) noabort: force capturing to begin even if NAM Probe sampling is in effect. Without it, the capture is not started while sampling is active.
- A filter pattern in pcap format, expressed as a quoted string (refer to the tcpdump manpages for examples).
- A capture file size limit, expressed in bytes or with a suffix for kilobytes (k), megabytes (M) or gigabytes (G). Capturing stops when the limit is reached.
- A capture duration, expressed in seconds.
The following example indicates that this NAM Probe will capture and filter the traffic from the host located at 10.1.1.1, that the capture file cannot be larger than 10k, that the capture will be active for 200 seconds, and that the capture will occur regardless of the NAM Probe sampling mode.
>$ nfdump start noabort "host 10.1.1.1" 10k 200 noabort
You can also filter on a port. For example, to capture only traffic on port 137, use this filter pattern:
>$ nfdump start "port 137"
Use operators to combine and group your filter primitives:
- Negation (not)
For example, capture and filter the traffic between the host 10.1.1.1 and any host except 10.4.4.4:
>$ nfdump start "host 10.1.1.1 and not 10.4.4.4"
- Concatenation (and)
For example, capture and filter the traffic on port 137 between the host 10.3.3.3 and any other host:
>$ nfdump start "host 10.3.3.3 and port 137"
- Alternation (or)
For example, capture and filter the traffic involving the host located either at 10.1.1.1 or at 10.4.4.4:
>$ nfdump start "host 10.1.1.1 or 10.4.4.4"
You can also combine the operators and use parentheses to group them into more complex filters, for example:
Select traffic between 10.1.1.1 and either 10.2.2.2 or 10.4.4.4:
>$ nfdump start "host 10.1.1.1 and (10.2.2.2 or 10.4.4.4)"
Select traffic for the host 10.1.1.1 on port 20 or port 21:
>$ nfdump start "host 10.1.1.1 and (port 20 or port 21)"
Select traffic between the host 10.1.1.1 and the host 10.2.2.2 in which one endpoint uses port 20 or 21 and the other uses port 80. Note that every term is joined with and, so a packet must satisfy all of them at once; to capture "10.1.1.1 on port 20 or 21" and "10.2.2.2 on port 80" as two independent cases, group each case in parentheses and join the groups with or:
>$ nfdump start "host 10.1.1.1 and (port 20 or port 21) and host 10.2.2.2 and port 80"
For more information on filter patterns see the official pcap documentation (http://www.tcpdump.org/manpages/pcap-filter.7.html).
When you indicate a host in the filter pattern, the nfdump utility, unlike the tcpdump system utility, matches on the innermost IP header. As a result, VLAN-tagged traffic for that host is captured as well, without the vlan qualifier that tcpdump would require.
Because every capture is assigned its own unique filter ID, you can run multiple captures at the same time. Use the nfdump status command to list the currently active captures.
The default location for the capture files is /var/spool/adlex/spc/. Note that each capture results in a number of pcap files, one per CPU worker thread. To learn more, see Merging capture files below.
nfdump status
Displays the status of all filters (captures), active and finished:
>$ nfdump status
OK, There are 3 filters
OK, Filter 32 "host 10.1.1.1"; 0 packets captured; 0/10240 bytes (captured/limit); time limit: 1481890113; standard; saving; active;
OK, Filter 33 "host 10.1.1.2"; 0 packets captured; 0/10240 bytes (captured/limit); time limit: 1481890123; standard; saving; finished;
OK, Filter 34 "host 10.1.1.3"; 0 packets captured; 0/10240 bytes (captured/limit); time limit: 1481890138; standard; saving; active;
Each filter line lists the filter ID, the filter pattern, the packets and bytes captured against the size limit, the time limit, and whether the filter is active or finished. Only active filters can be stopped and only finished filters can be removed.
nfdump stop + [parameters]
Stops capturing traffic based on the additional parameter provided on the command line, which is either the ID of a specific filter to stop, or all to stop all active filters.
Use nfdump status to find out which filters are active.
>$ nfdump stop 33
OK, filter 33 stopped
The capture with filter ID 33 has been stopped.
>$ nfdump stop all
OK, all out of 4 filters stopped
All four active filters have been stopped.
nfdump remove + [parameters]
Removes finished captures based on the additional parameter provided on the command line, which is either the ID of a specific filter to remove, or all to remove all finished filters.
Only filters with the status finished can be removed; an active filter must be stopped first. Use nfdump status to find out which filters have finished capturing.
>$ nfdump remove 33
OK, filter 33 removed
The capture with filter ID 33 has been removed.
>$ nfdump remove all
OK, all out of 4 removed
All four finished filters have been removed.
Merging capture files
The result of an nfdump traffic capture is a number of pcap files, one per CPU worker thread involved in the capture. Each pcap file name contains the unique filter ID assigned to the capture.
To start your diagnostics, merge the capture files of one filter into a single convenient file. While you can use various third-party tools to perform the merge, we recommend mergecap. The mergecap application is part of the open source Wireshark software installed with your NAM Probe.
To merge multiple pcap files into one, run mergecap with the input files and the output file as parameters from the location of the saved pcap files (by default /var/spool/adlex/spc/):
[root@AMD ~]# mergecap -v spc.pcap.id.0000000043.*.pcap -w merged_output_file.pcap
-v prints verbose status to the screen
* in the input file name matches all the per-thread capture files that share the filter ID (here 43)
-w indicates the merged output file name
For more information on mergecap, see the mergecap documentation (https://www.wireshark.org/docs/man-pages/mergecap.html).
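The status, stop/remove and merge steps above lend themselves to scripting from the system command prompt. The following helpers are an added example, not code from the NAM Probe documentation or product: they parse status text in the format shown for nfdump status, separate active filters from finished ones, and build the mergecap command for one filter ID. The status text is constructed sample input embedded in the script, so nothing here talks to a probe; the 10-digit zero padding of the filter ID in the pcap file names is assumed from the spc.pcap.id.0000000043.*.pcap example above, and the merged file name is the script's own choice.

```shell
#!/bin/sh
# Added example, not part of the NAM Probe documentation or of the product:
# helpers that parse the "nfdump status" output format shown on this page and
# build the mergecap command for one filter ID. NFDUMP_STATUS_SAMPLE is
# constructed input in the shape of the page's example; no probe is contacted.

NFDUMP_STATUS_SAMPLE='OK, There are 3 filters
OK, Filter 32 "host 10.1.1.1"; 0 packets captured; 0/10240 bytes (captured/limit); time limit: 1481890113; standard; saving; active;
OK, Filter 33 "host 10.1.1.2"; 0 packets captured; 0/10240 bytes (captured/limit); time limit: 1481890123; standard; saving; finished;
OK, Filter 34 "host 10.1.1.3 and port 137"; 12 packets captured; 1536/10240 bytes (captured/limit); time limit: 1481890138; standard; saving; active;'

# filters_with_state <active|finished>: read status text on stdin and print the
# IDs of the filters whose last ";"-separated field equals the requested state.
# Only active filters can be stopped and only finished ones removed, so this is
# the list to feed to "nfdump stop" or "nfdump remove".
filters_with_state() {
    awk -v want="$1" '
        /^OK, Filter [0-9]+ / {
            line = $0
            sub(/;[ \t]*$/, "", line)        # drop the trailing ";"
            n = split(line, f, "; *")        # f[n] is the state field
            if (f[n] == want) print $3       # $3 is the ID in "OK, Filter 32 ..."
        }'
}

# filter_pattern <id>: print the pcap filter string of one filter, unquoted.
filter_pattern() {
    awk -v id="$1" '
        $1 == "OK," && $2 == "Filter" && $3 == id {
            if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# filter_bytes <id>: print the "captured/limit" byte counts of one filter, so a
# capture that ended early can be recognised as having hit its size limit.
filter_bytes() {
    awk -v id="$1" '
        $1 == "OK," && $2 == "Filter" && $3 == id {
            for (i = 2; i <= NF; i++) if ($i == "bytes") print $(i - 1)
        }'
}

# mergecap_cmd <id> [dir]: print the mergecap command that merges the per-thread
# pcap files of one filter. The file names zero-pad the filter ID to 10 digits
# (width assumed from the page's spc.pcap.id.0000000043.*.pcap example); the
# directory defaults to the page's /var/spool/adlex/spc.
mergecap_cmd() {
    dir=${2:-/var/spool/adlex/spc}
    printf 'mergecap -v %s/spc.pcap.id.%010d.*.pcap -w %s/merged_filter_%d.pcap\n' \
        "$dir" "$1" "$dir" "$1"
}

# Demo: list the housekeeping commands the sample status calls for.
printf '%s\n' "$NFDUMP_STATUS_SAMPLE" | filters_with_state active | while read -r id; do
    printf 'active   %s  "%s"  %s bytes  -> nfdump stop %s\n' "$id" \
        "$(printf '%s\n' "$NFDUMP_STATUS_SAMPLE" | filter_pattern "$id")" \
        "$(printf '%s\n' "$NFDUMP_STATUS_SAMPLE" | filter_bytes "$id")" "$id"
done
printf '%s\n' "$NFDUMP_STATUS_SAMPLE" | filters_with_state finished | while read -r id; do
    printf 'finished %s  -> %s ; nfdump remove %s\n' "$id" "$(mergecap_cmd "$id")" "$id"
done
```

On a real probe, replace the embedded sample with the output of the status command (for example `nfdump status | filters_with_state finished` from the system prompt) and run the printed mergecap line from the capture directory; remove a filter only after its files have been merged, since remove is the step that disposes of the finished capture.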