The nfdump command is one of the methods to capture and filter specific traffic on a particular AMD. For more information on capture methods, see Selecting a traffic capture method.
Capturing and filtering traffic on a specific AMD has the following traits:
It allows you to capture traffic regardless of the AMD sampling mode, while the other capture methods do not allow capturing when sampling is in effect. For more information on sampling, see AMD sampling.
It lessens the performance impact of such a capture, limiting the strain to the AMD on which the command was used.
nfdump is an rcon command that is executed from the rcon console or system command prompt. For more information on executing rcon commands, see RCON commands.
With nfdump, you can start a number of simultaneous captures. We assign a unique filter ID to each capture, so that you can indicate which to stop or remove.
You can quickly refer to nfdump manpages with
nfdump syntax is:
nfdump action can be:
nfdump start + [parameters]
Begins capturing traffic based on the additional parameters provided on the command line. The parameters are:
- (optionally) Force capturing to begin even if AMD sampling is in effect.
- A filter pattern in pcap format, expressed as a quoted string (refer to the tcpdump manpages for examples).
- A capture file size limit expressed in bytes, kilobytes (k), megabytes (M) or gigabytes (G).
- A capture duration expressed in seconds.
The following example indicates that this AMD will capture and filter the traffic from the host located at 10.1.1.1, the capture file cannot be larger than 10k, the capture will be active for 200 seconds, and the capture will occur regardless of the AMD sampling mode.
You can specify the port of your traffic filter. For example, to filter traffic on port 137, use this filter pattern:
Use operators to combine and group your filters:
For example, capture and filter the traffic between 10.1.1.1 and any host except
For example, capture and filter the traffic that is observed on port
10.3.3.3, and any other host.
For example, capture and filter the traffic that is observed on the host located either at
You can also combine the operators to create more complex filters, for example:
- Select traffic between 10.1.1.1 and either
- Select traffic for the host 10.1.1.1 on ports
- Select traffic for the host 10.1.1.1 and on 21, and traffic for the host 10.2.2.2 on port
For more information on filter patterns see the official pcap documentation (http://www.tcpdump.org/manpages/pcap-filter.7.html).
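The following is an added example, not part of the original page and not nfdump code: a small evaluator for the subset of pcap filter syntax used above (host and port primitives joined with and/or/not and parentheses), run over constructed packets so the effect of each operator and of operator precedence is visible. The hosts and ports in the sample packets are hypothetical; nfdump itself applies the real BPF matcher on the AMD.

```python
"""Evaluator for the host/port/and/or/not subset of pcap filter syntax.
Added illustration only; not nfdump or libpcap code."""
import re
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Matcher = Callable[[Packet], bool]

# Tokens: parentheses, the C-style operators pcap also accepts, and words/addresses.
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9.]+")


class FilterParser:
    """Recursive descent with pcap-filter precedence: 'not' binds tightest,
    then 'and', then 'or'.  Parentheses override that order."""

    def __init__(self, expr: str) -> None:
        self.toks = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Matcher:
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self) -> Matcher:
        left = self.and_expr()
        while self.peek() in ("or", "||"):
            self.take()
            left = self._either(left, self.and_expr())
        return left

    def and_expr(self) -> Matcher:
        left = self.unary()
        while self.peek() in ("and", "&&"):
            self.take()
            left = self._both(left, self.unary())
        return left

    def unary(self) -> Matcher:
        tok = self.take()
        if tok in ("not", "!"):
            inner = self.unary()
            return lambda p: not inner(p)
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == "host":                      # 'host X' matches either endpoint
            addr = self.take()
            return lambda p: addr in (p["src"], p["dst"])
        if tok == "port":                      # 'port N' matches either port
            num = int(self.take())
            return lambda p: num in (p["sport"], p["dport"])
        raise ValueError(f"unsupported primitive {tok!r}")

    @staticmethod
    def _both(a: Matcher, b: Matcher) -> Matcher:
        return lambda p: a(p) and b(p)

    @staticmethod
    def _either(a: Matcher, b: Matcher) -> Matcher:
        return lambda p: a(p) or b(p)


def compile_filter(expr: str) -> Matcher:
    return FilterParser(expr).parse()


# Constructed sample traffic (hypothetical hosts and ports, not captured data).
PACKETS: List[Packet] = [
    {"id": 1, "src": "10.1.1.1", "dst": "10.2.2.2", "sport": 40000, "dport": 21},
    {"id": 2, "src": "10.1.1.1", "dst": "10.3.3.3", "sport": 40001, "dport": 137},
    {"id": 3, "src": "10.3.3.3", "dst": "10.2.2.2", "sport": 40002, "dport": 80},
    {"id": 4, "src": "10.2.2.2", "dst": "10.4.4.4", "sport": 40003, "dport": 21},
]


def matching_ids(expr: str, packets: List[Packet] = PACKETS) -> List[int]:
    """Return the ids of the packets a filter pattern would select."""
    match = compile_filter(expr)
    return [p["id"] for p in packets if match(p)]


if __name__ == "__main__":
    for expr in ("host 10.1.1.1", "port 137",
                 "host 10.1.1.1 and not host 10.3.3.3",
                 "host 10.1.1.1 and (port 21 or port 137)",
                 "host 10.1.1.1 and port 21 or host 10.2.2.2 and port 80"):
        print(f"{expr!r:62} -> {matching_ids(expr)}")
```

The last pattern in the usage block is the one to watch: because `and` binds tighter than `or`, it selects the 10.1.1.1/21 traffic and the 10.2.2.2/80 traffic as two separate groups; add parentheses whenever the intended grouping differs from that default.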
When indicating a host in the filter pattern, the nfdump utility, unlike the tcpdump system utility, captures and filters based on the innermost IP header, which in turn includes any VLAN-tagged traffic that may occur.
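To make the "innermost IP header" point concrete, here is an added example (not nfdump code, and not a description of how tcpdump is implemented) that walks an Ethernet frame past any number of 802.1Q tags before decoding the IPv4 addresses and ports, so that `host`/`port` matching gives the same answer for tagged and untagged frames. The frames are constructed in the block; MAC addresses, VLAN IDs and IP addresses are hypothetical.

```python
"""Locate the innermost IPv4 header of an Ethernet frame through VLAN tags.
Added illustration only; frames are constructed, not captured."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Sequence

ETHERTYPE_IPV4 = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}   # 802.1Q, 802.1ad (QinQ), legacy QinQ
MAC_HEADER_LEN = 12                     # destination MAC + source MAC


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                vlan_ids: Sequence[int] = ()) -> bytes:
    """Constructed frame: MACs, zero or more VLAN tags, minimal IPv4 + UDP."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    # Each tag occupies the ethertype slot: TPID, then TCI (VLAN ID in low 12 bits).
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vlan_ids)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return macs + tags + struct.pack("!H", ETHERTYPE_IPV4) + ipv4 + udp


def innermost_ipv4(frame: bytes) -> Optional[Dict[str, object]]:
    """Skip every VLAN tag, then decode the IPv4 header and the L4 port pair."""
    off = MAC_HEADER_LEN
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    vlans: List[int] = []
    while ethertype in VLAN_TPIDS:          # tag body: 2-byte TCI + next ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[off] & 0x0F) * 4           # header length in bytes
    proto = frame[off + 9]
    src = str(IPv4Address(frame[off + 12:off + 16]))
    dst = str(IPv4Address(frame[off + 16:off + 20]))
    sport = dport = None
    if proto in (6, 17):                    # TCP and UDP both begin with the port pair
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return {"vlans": vlans, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport}


def fixed_offset_ipv4(frame: bytes) -> Optional[Dict[str, object]]:
    """Contrast case: a decoder that assumes IPv4 starts right after the 14-byte
    Ethernet header, and therefore never reaches the IP header of a tagged frame."""
    (ethertype,) = struct.unpack_from("!H", frame, MAC_HEADER_LEN)
    if ethertype != ETHERTYPE_IPV4:
        return None
    return innermost_ipv4(frame)


def host_matches(frame: bytes, addr: str) -> bool:
    """'host addr' evaluated on the innermost IP header."""
    hdr = innermost_ipv4(frame)
    return hdr is not None and addr in (hdr["src"], hdr["dst"])


if __name__ == "__main__":
    for tags in ((), (100,), (100, 200)):
        frame = build_frame("10.1.1.1", "10.2.2.2", 40000, 137, tags)
        print(tags, innermost_ipv4(frame), fixed_offset_ipv4(frame) is not None)
```

When a capture looks empty for a host that is known to be active, check whether that traffic arrives VLAN-tagged on the AMD interface: a fixed-offset decoder of the kind shown in `fixed_offset_ipv4` misses it, while the innermost-header view that nfdump uses does not.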
Because every capture is assigned its own unique filter ID, you can start multiple captures at the same time. Check the nfdump status command for the currently active captures.
The default location for the capture files is /var/spool/adlex/spc/. Note that each capture results in a number of pcap files, one per CPU worker thread. To learn more, see Merging capture files.
Displays status of all
Each listed filter shows the status of the parameters used for capturing and whether the filter is finished. Only active filters can be stopped, and only finished filters can be removed.
nfdump stop + [parameters]
Stops capturing traffic based on the additional parameters provided on the command line, where the parameters indicate a specific filter to be stopped or all active filters to be stopped (
Use nfdump status to find out which filters are active.
Capturing with filter ID number 33 has been stopped.
All four active filters have been stopped.
nfdump remove + [parameters]
Removes finished captures based on the additional parameters provided on the command line, where the parameters indicate a specific filter to be removed or all finished filters to be removed (
Only filters that have status finished can be removed. Use nfdump status to find out which filters have finished capturing.
Capturing with filter ID number 33 has been removed.
All four finished filters have been removed.
Merging capture files
The result of an nfdump traffic capture is a number of pcap files, one per CPU worker thread involved in the capture. The pcap filename contains the unique filter ID assigned to each capture. To start your diagnostics, merge the capture files into one convenient file. While you can use various third-party software to perform the merge, we recommend the use of mergecap. The mergecap application is part of the open source Wireshark software that is installed with your AMD. To merge multiple pcap files into one, run mergecap with the input files and the output file as parameters from the location of the saved pcap files (
-v indicates verbose status output to the screen, the input file uses a wildcard to include all captures with filter ID 43, and -w indicates the merged filename. For more information on mergecap parameters, see the official mergecap documentation (https://www.wireshark.org/docs/man-pages/mergecap.html).
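As an added example of what the merge step does (this is not mergecap or nfdump code), the block below reads classic pcap files, interleaves the packets of several per-thread files in timestamp order, which is mergecap's default behaviour, and writes one file. The per-thread file contents are constructed in memory; the glob pattern in `merge_capture_files` assumes a filename layout in which the filter ID appears in the name, which the page describes but does not spell out, and the output filename is a placeholder.

```python
"""Minimal chronological pcap merger for per-thread capture files.
Added illustration only; sample files are constructed, filenames assumed."""
import glob
import struct
from itertools import chain
from typing import List, Sequence, Tuple

Record = Tuple[int, int, bytes]              # (ts_sec, ts_usec, packet bytes)
MAGIC_LE, MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # magic as read little-endian
GLOBAL_FMT = "IHHiIII"                       # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_FMT = "IIII"                          # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records: Sequence[Record], snaplen: int = 65535, linktype: int = 1) -> bytes:
    """Serialise records as a little-endian classic pcap file (version 2.4)."""
    out = bytearray(struct.pack("<" + GLOBAL_FMT, MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in records:
        out += struct.pack("<" + RECORD_FMT, ts_sec, ts_usec, len(data), len(data)) + data
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, int, List[Record]]:
    """Return (linktype, snaplen, records); accepts either byte order."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == MAGIC_LE:
        endian = "<"
    elif magic == MAGIC_BE:
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic {magic:#x})")
    ghdr = struct.Struct(endian + GLOBAL_FMT)
    rhdr = struct.Struct(endian + RECORD_FMT)
    _, _, _, _, _, snaplen, linktype = ghdr.unpack_from(blob, 0)
    off, records = ghdr.size, []
    while off < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = rhdr.unpack_from(blob, off)
        off += rhdr.size
        data = blob[off:off + incl_len]
        if len(data) != incl_len:            # a thread file cut short mid-record
            raise ValueError("truncated packet record")
        off += incl_len
        records.append((ts_sec, ts_usec, data))
    return linktype, snaplen, records


def merge_pcaps(blobs: Sequence[bytes]) -> bytes:
    """Merge whole files in timestamp order; link types must agree."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types differ: {sorted(linktypes)}")
    snaplen = max(sl for _, sl, _ in parsed)
    # Stable sort keeps the original order for packets with identical timestamps.
    merged = sorted(chain.from_iterable(recs for _, _, recs in parsed),
                    key=lambda r: (r[0], r[1]))
    return write_pcap(merged, snaplen, linktypes.pop())


def merge_capture_files(pattern: str, out_path: str) -> int:
    """Merge all files matching a glob (e.g. '/var/spool/adlex/spc/*43*.pcap',
    name layout assumed) into out_path and return the packet count."""
    paths = sorted(glob.glob(pattern))
    if not paths:
        raise FileNotFoundError(f"no capture files match {pattern}")
    blobs = [open(p, "rb").read() for p in paths]
    merged = merge_pcaps(blobs)
    with open(out_path, "wb") as fh:
        fh.write(merged)
    return len(read_pcap(merged)[2])


def sample_thread_files() -> List[bytes]:
    """Two constructed per-thread files whose timestamps interleave."""
    thread0 = [(1000, 0, b"t0-a"), (1000, 500000, b"t0-b"), (1002, 0, b"t0-c")]
    thread1 = [(1000, 250000, b"t1-a"), (1001, 0, b"t1-b")]
    return [write_pcap(thread0), write_pcap(thread1)]


def sample_bigendian_file() -> bytes:
    """One constructed big-endian file with a single record."""
    return (struct.pack(">" + GLOBAL_FMT, MAGIC_LE, 2, 4, 0, 0, 65535, 1)
            + struct.pack(">" + RECORD_FMT, 5, 6, 3, 3) + b"abc")


if __name__ == "__main__":
    _, _, recs = read_pcap(merge_pcaps(sample_thread_files()))
    print([(s, us, d) for s, us, d in recs])
```

The ordering step is the reason to merge before diagnosing: with one file per worker thread, a request and its response can sit in different files, and only the chronological merge restores the conversation as it occurred on the wire.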