SYNOPSIS

dumpcalls [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --log-level=<log level> ] [ --log-file=<path to file> ] [ --include-capture-processes=<TRUE or FALSE> ] [ --include-switch-calls=<TRUE or FALSE> ]

DESCRIPTION

dumpcalls is an extcap tool that allows one to capture system calls on a Linux system.

OPTIONS

--help

Print program arguments. This will also list the configuration arguments for each plugin.

--version

Print the program version.

--extcap-interfaces

List the available interfaces.

--extcap-interface=<interface>

Use the specified interface.

--extcap-dlts

List the DLTs of the specified interface.

--extcap-config

List the configuration options of specified interface.

--extcap-capture-filter=<capture filter>

The capture filter. Must be a valid Sysdig / Falco filter.

--capture

Start capturing system calls via the specified interface and write the captured events to the location specified by --fifo.

--fifo=<path to file or pipe>

Save captured events to a file or send them through a pipe. When run by Stratoshark or dumpcap, this is the pipe the front end reads from.

--log-level=<log level>

Set the log level.

--log-file=<path to file>

Set a log file to which messages are written in addition to the console.

--include-capture-processes

Include system calls for capture processes (dumpcalls, dumpcap, and Stratoshark) if TRUE. Defaults to FALSE.

--include-switch-calls

Include "switch" (scheduler context switch) events if TRUE. These are not system calls, are emitted on every context switch, and can dominate a capture, so they are excluded by default. Defaults to FALSE.

EXAMPLES

To see program arguments:

dumpcalls --help

To see program version:

dumpcalls --version

To see interfaces:

dumpcalls --extcap-interfaces

Only one interface (dumpcalls) is supported.

Example output
interface {value=dumpcalls}{display=Falco plugin}

To see interface DLTs:

dumpcalls --extcap-interface=dumpcalls --extcap-dlts

To see interface configuration options:

dumpcalls --extcap-interface=dumpcalls --extcap-config

To capture all system calls to a file:

dumpcalls --extcap-interface=dumpcalls --fifo=/tmp/syscalls.pcapng --capture

or, to capture only the system calls of processes named "bash" (the capture filter uses Sysdig / Falco syntax), including the capture processes themselves and scheduler "switch" events, and to log debug messages to a file:

dumpcalls --capture --extcap-interface dumpcalls --fifo ~/syscalls.pcapng --extcap-capture-filter 'proc.name=bash' --include-capture-processes TRUE --include-switch-calls TRUE --log-level debug --log-file ~/dumpcalls.log
Note
CTRL+C should be used to stop the capture in order to ensure clean termination.
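The following Python is an added illustration, not code from dumpcalls or Stratoshark, of how an extcap front end consumes the interface, dlt and arg sentences printed by --extcap-interfaces, --extcap-dlts and --extcap-config: it parses the brace-delimited fields, checks that every argument marked required=true was supplied and that boolean arguments are TRUE or FALSE, and assembles the --capture command line. The sample sentences are constructed for the example (the arg lines, and the required=true marker on one of them, are assumptions made to exercise the checks, not the real dumpcalls output).

```python
import re
import shlex

# Constructed sample of the three sentence kinds an extcap front end reads
# (from --extcap-interfaces, --extcap-dlts and --extcap-config). The arg
# lines are an illustration only; the real dumpcalls --extcap-config output
# may differ, and required=true is set on one argument just to exercise the check.
SAMPLE_OUTPUT = """\
interface {value=dumpcalls}{display=Falco plugin}
dlt {number=147}{name=dumpcalls}{display=USER0}
arg {number=0}{call=--include-capture-processes}{display=Include capture processes}{type=boolean}{default=false}{group=Capture}
arg {number=1}{call=--include-switch-calls}{display=Include switch calls}{type=boolean}{default=false}{group=Capture}
arg {number=2}{call=--log-level}{display=Log level}{type=string}{required=true}{group=Logging}
"""

# "<kind> {k=v}{k=v}..." with no nested braces inside a value.
SENTENCE_RE = re.compile(r"^(?P<kind>[a-z]+)\s+(?P<fields>(?:\{[^{}]*\})+)\s*$")
# A single {key=value} field; the value may itself contain '='.
FIELD_RE = re.compile(r"\{([^=}]+)=([^}]*)\}")


def parse_extcap_lines(text):
    """Return [(kind, {key: value}), ...] for every non-blank extcap sentence."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SENTENCE_RE.match(line)
        if not m:
            raise ValueError(f"not an extcap sentence: {line!r}")
        records.append((m.group("kind"), dict(FIELD_RE.findall(m.group("fields")))))
    return records


def config_args(records):
    """The arg records keyed by their --call name, in {number=...} order."""
    args = sorted((f for kind, f in records if kind == "arg"),
                  key=lambda f: int(f["number"]))
    return {f["call"]: f for f in args}


def build_capture_command(records, fifo, capture_filter=None, values=None):
    """Assemble the command line a front end would run for --capture.

    values maps --call names to user-supplied strings. A missing required
    argument, an unknown argument, or a boolean that is not TRUE/FALSE raises.
    """
    pending = dict(values or {})
    ifaces = [f["value"] for kind, f in records if kind == "interface"]
    if len(ifaces) != 1:
        raise ValueError(f"expected exactly one interface, got {ifaces}")
    cmd = ["dumpcalls", "--capture", f"--extcap-interface={ifaces[0]}", f"--fifo={fifo}"]
    if capture_filter:
        cmd.append(f"--extcap-capture-filter={capture_filter}")
    for call, spec in config_args(records).items():
        if call not in pending:
            if spec.get("required") == "true":
                raise ValueError(f"missing required argument {call}")
            continue
        value = str(pending.pop(call))
        if spec.get("type") == "boolean":
            value = value.upper()
            if value not in ("TRUE", "FALSE"):
                raise ValueError(f"{call} must be TRUE or FALSE, got {value!r}")
        cmd.append(f"{call}={value}")
    if pending:
        raise ValueError(f"unknown arguments: {sorted(pending)}")
    return cmd


if __name__ == "__main__":
    recs = parse_extcap_lines(SAMPLE_OUTPUT)
    for kind, fields in recs:
        print(kind, fields)
    # Print the command a front end would run for a filtered capture.
    print(shlex.join(build_capture_command(
        recs, "/tmp/syscalls.pcapng", "proc.name=bash",
        {"--log-level": "info", "--include-switch-calls": "true"})))
```

Rejecting unknown argument names and malformed booleans before the capture starts matters because the front end otherwise discovers the problem only when the extcap process exits and the fifo closes.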

SEE ALSO

stratoshark(1), strato(1), dumpcap(1), extcap(4)

NOTES

dumpcalls is part of the Stratoshark distribution. The latest version of Stratoshark can be found at https://www.wireshark.org.

HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages.

AUTHORS

Original Author

Gerald Combs <gerald[AT]wireshark.org>