There may be times when the Security Analytics appliance has captured raw packet data, but the index data is corrupted and a PCAP cannot be downloaded from the UI. Using dump_slot_pcap, you can export the captured data directly into raw PCAP files. This method creates PCAP files that are roughly 64 MB in size each. There is no way to apply filters to this export: it exports ALL data within the time range specified.
Security Analytics version 8.x
dump_slot_pcap -d /home/slotpcaps \
$(walk_space_table_journal \
| tr -d '()' \
| awk -v bt=$(date +%s -d 'May 09 13:32:00') \
-v et=$(date +%s -d 'May 09 13:42:00') \
'$9 <= et && $16 >= bt {printf("/pfs/create/*/slot_%s\n", $2)}')
The above example creates PCAP files for all capture data between 13:32 and 13:42 on May 09 (10 minutes of data). Depending on how much data falls within the range you specified, this can take quite some time to complete. There is no progress indicator. Once it has finished, you are automatically returned to the # prompt. If it is taking a long time, you can log in via another SSH session and monitor the files being created in the /home/slotpcaps directory.
Run ls -al /home/slotpcaps to confirm that the PCAP files were created successfully.
The files are named by slot number, as seen below.
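Because the export has no filter and no progress indicator, it helps to preview which slots the time window selects, and roughly how much disk space they will need, before running dump_slot_pcap. The script below is an added example and is not part of the original article or the product; it reproduces the slot-selection logic of the command above as a dry run. It assumes, as that awk filter implies, that walk_space_table_journal prints one parenthesised record per slot with the slot id in field 2, the slot's first-packet epoch in field 9 and its last-packet epoch in field 16; the journal lines it reads are constructed to that layout.

```shell
# Dry run of the slot selection used by the dump_slot_pcap command above.
# Added example, not from the original article. ASSUMPTION: field 2 = slot id,
# field 9 = slot start epoch, field 16 = slot end epoch (as the awk filter implies).

# select_slots BEGIN_EPOCH END_EPOCH < journal
# Emit one slot path per line for every slot whose [start,end] overlaps the window.
# A slot is kept when it starts no later than the window end ($9 <= et) and ends
# no earlier than the window start ($16 >= bt); both boundaries are inclusive, so
# a slot that merely straddles either edge of the window is exported in full.
select_slots() {
  tr -d '()' | awk -v bt="$1" -v et="$2" \
    '$9 <= et && $16 >= bt { printf("/pfs/create/*/slot_%s\n", $2) }'
}

# count_slots BEGIN_EPOCH END_EPOCH < journal : number of slots that would be exported
count_slots() {
  select_slots "$1" "$2" | wc -l | tr -d ' '
}

# estimate_mb BEGIN_EPOCH END_EPOCH < journal : rough output size at ~64 MB per slot
estimate_mb() {
  echo $(( $(count_slots "$1" "$2") * 64 ))
}

# Constructed journal (NOT real walk_space_table_journal output): fields 3-8 and
# 10-15 are filler "x"; only fields 2, 9 and 16 are read by the filter.
SAMPLE_JOURNAL='(slot 504066 x x x x x x 100 x x x x x x 900)
(slot 504067 x x x x x x 800 x x x x x x 1100)
(slot 504068 x x x x x x 1100 x x x x x x 1500)
(slot 504069 x x x x x x 1550 x x x x x x 1900)
(slot 504070 x x x x x x 1700 x x x x x x 2000)'

# Window 1000..1600: slot 504066 ends before it and 504070 starts after it;
# the other three overlap it and would be passed to dump_slot_pcap.
printf '%s\n' "$SAMPLE_JOURNAL" | select_slots 1000 1600
printf 'estimated output: ~%s MB\n' \
  "$(printf '%s\n' "$SAMPLE_JOURNAL" | estimate_mb 1000 1600)"
```

On a live appliance, replace the constructed journal with `walk_space_table_journal` and the epochs with the same `date +%s -d` expressions used in the real command; the paths it prints are exactly the arguments dump_slot_pcap would receive.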
ls -al
total 1061392
drwxr-xr-x 2 root root 4096 Jun 10 14:24 .
drwxr-xr-x. 33 root root 4096 Jun 10 14:04 ..
-rw-r--r-- 1 root root 63780636 Jun 10 14:24 slot_504067.pcap
-rw-r--r-- 1 root root 63867223 Jun 10 14:24 slot_504068.pcap
-rw-r--r-- 1 root root 63929027 Jun 10 14:24 slot_504069.pcap
-rw-r--r-- 1 root root 64327630 Jun 10 14:24 slot_504070.pcap
-rw-r--r-- 1 root root 64621278 Jun 10 14:24 slot_504071.pcap
-rw-r--r-- 1 root root 64688469 Jun 10 14:24 slot_504072.pcap