Packet captures
Cloudflare supports two types of packet captures (PCAPs): full and sample. A packet capture records raw network traffic data so you can inspect it offline in tools like Wireshark. Full packet captures are the default.
Use sample packet captures when you want to inspect recent traffic quickly. Packet captures query historical traffic that has already passed through Cloudflare's network — not new traffic — so they complete immediately after you start them.
You can view sample captures in the Cloudflare dashboard. They only include the first 160 bytes of each packet, which is useful for capturing packet headers but will not provide detailed packet data. Cloudflare collects this data across all of its data centers and assembles it into a PCAP file, giving you a global view of traffic across the network.
Use full packet captures instead if you need complete packet payloads, or if the traffic you want to capture occurs infrequently.
Full packet captures actively monitor Cloudflare's network for new traffic that matches filters you configure. Unlike sample captures, they capture packets that arrive after the capture starts, not historical data.
Full captures include the complete packet data, not just headers. The matching packet data is saved directly to a cloud storage bucket that you own and configure. You cannot view it in the Cloudflare dashboard. You can download the resulting PCAP file and analyze it in Wireshark or another packet capture tool.
Before starting a full packet capture, make sure you have a cloud storage bucket set up and configured. Refer to the articles in this section for setup instructions.