nfdump command

The nfdump command is one of the methods to capture and filter the specific traffic on a particular NAM Probe.

Capturing and filtering the traffic on a specific NAM Probe has the following traits:

  • It allows you to capture traffic regardless of the NAM Probe sampling mode, whereas the other capture methods cannot capture while sampling is in effect.
  • It lessens the performance impact of the capture by limiting the load to the NAM Probe on which the command is run.

With nfdump, you can start a number of simultaneous captures. Each capture is assigned a unique filter ID, so you can indicate which one to stop or remove.

The nfdump command is an rcon command executed from the rcon console or system command prompt. For information on executing rcon commands, see RTM console (rcon).

Running nfdump

The basic nfdump syntax is:

nfdump [action] [parameters]

where [action] can be:

Merging capture files

The result of an nfdump traffic capture is a set of pcap files, one per CPU worker thread involved in the capture. Each pcap filename contains the unique filter ID assigned to that capture.

To start your diagnostics, merge the capture files into one convenient file. While various third-party tools can perform the merge, we recommend mergecap. The mergecap application is part of the open source Wireshark software installed with your NAM Probe.

To merge multiple pcap files into one with mergecap, run it from the directory where the pcap files are saved (/var/spool/adlex/spc/), passing the input files and the output file as parameters:

[root@AMD ~]# mergecap -v spc.pcap.id.0000000043.*.pcap -w merged_output_file.pcap

where:

  • -v prints verbose status to the screen
  • * in the input filename matches all capture files (one per worker thread) with filter ID 43
  • -w specifies the merged output filename
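The merge above, wrapped in a small shell helper as an added example (not part of the NAM Probe documentation or its tooling). It assumes the filter ID is zero-padded to 10 digits in the filename, as in spc.pcap.id.0000000043.*.pcap above, and that mergecap is on PATH; the spool directory is the one named on this page.

```shell
#!/bin/sh
# Added example: merge the per-worker pcap files left by one nfdump capture.
# Assumption: the filter ID appears zero-padded to 10 digits in the filename
# (spc.pcap.id.0000000043.*.pcap for filter ID 43).

SPOOL_DIR="${SPOOL_DIR:-/var/spool/adlex/spc}"   # path from the page

# Print the glob matching every worker-thread pcap for one filter ID.
nfdump_pcap_glob() {
    # $1: numeric filter ID as reported by nfdump (e.g. 43)
    printf 'spc.pcap.id.%010d.*.pcap\n' "$1"
}

# Count the capture files for a filter ID in a directory. An unmatched
# glob is left unexpanded by the shell, so verify the first expansion exists.
nfdump_pcap_count() {
    dir=$1; id=$2
    pattern=$(nfdump_pcap_glob "$id")
    set -- "$dir"/$pattern
    [ -e "$1" ] || { echo 0; return; }
    echo "$#"
}

# Merge all worker pcaps for a filter ID into $3 (default merged_<id>.pcap).
# Returns 1 if no captures exist, 2 if the output name would itself match
# the capture glob (a re-run would feed the merged file back into mergecap),
# 3 if mergecap is not installed.
nfdump_merge() {
    dir=$1; id=$2; out=${3:-"$dir/merged_$id.pcap"}
    pattern=$(nfdump_pcap_glob "$id")
    case "$(basename "$out")" in
        spc.pcap.id.*.pcap)
            echo "output name matches the capture glob, refusing: $out" >&2
            return 2 ;;
    esac
    if [ "$(nfdump_pcap_count "$dir" "$id")" -eq 0 ]; then
        echo "no capture files for filter ID $id in $dir" >&2
        return 1
    fi
    command -v mergecap >/dev/null 2>&1 || {
        echo "mergecap not found; it ships with Wireshark" >&2
        return 3
    }
    set -- "$dir"/$pattern
    mergecap -v "$@" -w "$out"
}
```

Call it as `nfdump_merge "$SPOOL_DIR" 43 "$HOME/merged_output_file.pcap"` to reproduce the command shown above with the output kept outside the glob.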

For more information on mergecap, see the mergecap documentation (https://www.wireshark.org/docs/man-pages/mergecap.html).