Packet captures
Packet captures record network traffic flowing through Cloudflare's network so you can analyze individual packets for troubleshooting or security investigations. The output is contained within one or more files in PCAP format, which you can open in tools like Wireshark ↗.
There are two capture types:
- Sample captures query historical traffic data that has already passed through Cloudflare's network. They complete immediately and can be downloaded directly from the API, or from the Cloudflare dashboard.
- Full captures actively monitor for new traffic matching your filters and write the complete packet data to a cloud storage bucket you own. Before starting a full capture, you must first configure a bucket.
Currently, when a packet capture is requested, packets flowing through Cloudflare's global network via the Magic Transit system are captured. The default API field for this is "system": "magic-transit", both for the request and response.
Sample and full
time_limit: The minimum value is1second and maximum value is300seconds.packet_limit: The minimum value is1packet and maximum value is10000packets.
Full
byte_limit: The minimum value is1byte and maximum value is1000000000bytes (1 GB).
-
In the Cloudflare dashboard, go to the Network health page.
Go to Network health -
Go to the Diagnostics tab.
-
In Network packet captures, select Start a capture.
-
Choose the type of capture you want to perform, and select Next.
-
Fill out the required fields to begin the capture and then select Start.
The Network packet captures page displays a list of captures.
The PCAPs API needs both system and type to be specified to start a capture. A PCAP's system is the product or logical subsystem where packets are captured, and a PCAP's type is how the captured packets are built into a PCAP file.
Currently, you can only send one collect request per minute for sample PCAPs, and you can only have one running or pending full PCAP at a time.
Full PCAP
For full PCAP requests, refer to the required parameters listed at Create full PCAP requests. Note that full packet captures require two more parameters than sample packets.
The full PCAP request endpoint also contains optional fields you can use to limit the amount of packets captured. Both full and sample packet requests contain an optional filter_v1 parameter you can use to filter packets by IPv4 Source address, for example. For a full list of the filter options, refer to the API reference.
Leave filter_v1 empty to collect all packets without any filtering.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "filter_v1": {}, "time_limit": 300, "packet_limit": 10000, "byte_limit": 100000000, "type": "full", "colo": "ORD", "system": "magic-transit", "destination_conf": "${BUCKET}"}'While the collection is in progress, the response returns the status field as pending. You must wait for the PCAP collection to complete before downloading the file. When the PCAP is ready to download, the status changes to success.
{ "result": { "id": "7d7c88382f0b4d5daa9587aa45a1a877", "submitted": "2022-06-02T18:38:22.269047Z", "filter_v1": {}, "time_limit": 300, "status": "pending", "type": "full", "system": "magic-transit", "packet_limit": 10000, "byte_limit": 100000000, "colo": "ORD", "destination_conf": "gs://<bucket-name>" // Ensure you use a bucket that you created and registered in the Cloudflare dashboard }, "success": true, "errors": [], "messages": []}Sample PCAP
To create a sample PCAP request, send a JSON body with the required parameter listed at Create sample PCAP request.
Leave filter_v1 empty to collect all packets without any filtering.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>" \--header "Content-Type: application/json" \--data '{ "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 300, "packet_limit": 10000, "type": "simple", "system": "magic-transit"}'The response is a JSON body that contains the details of the job running to build the packet capture. The response contains a unique identifier for the packet capture request along with the details sent in the request.
{ "result": { "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b", "submitted": "2021-12-20T17:29:20.641845Z", "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 60, "status": "pending", "packets_remaining": 0, "type": "simple", "system": "magic-transit" }, "success": true, "errors": [], "messages": []}- In the Cloudflare dashboard, go to Network health ↗.
- Go to the Diagnostics tab.
- Locate your capture under Network packet captures.
To check the status of a running job, send a request to the endpoint and specify the PCAP identifier. The PCAP identifier is received in the response of a collect request as shown in the previous step.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id} \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>'The response will be similar to the one received when requesting a PCAP collection.
{ "result": { "id": "6d1f0aac13cd40e3900d29f5dd0e8a2b", "submitted": "2021-12-20T17:29:20.641845Z", "filter_v1": { "source_address": "1.2.3.4", "source_port": 123, "destination_address": "5.6.7.8", "destination_port": 80, "protocol": 6 }, "time_limit": 120, "status": "success", "packets_remaining": 0, "type": "simple", "system": "magic-transit" }, "success": true, "errors": [], "messages": []}The capture status displays one of the following options:
- Complete (API:
success): The capture is done and ready for download. - In progress (API:
pending): Packets have been captured but the PCAP file is still being assembled. - Failure: The capture failed. For full captures, verify that your bucket is correctly configured and that Cloudflare has write access to it. For sample captures, verify your filter configuration.
After your request finishes processing, you can download your packet captures.
- In the Cloudflare One ↗ dashboard, go to Network visibility > Diagnostics.
- In Packet captures, select Start a capture.
- Locate your packet capture you want to download, and select Download.
Packet captures are available to download when the Status displays Success.
Full captures can produce multiple PCAP files per capture because the capture can run across multiple machines at the data center. To merge these into a single file for analysis, refer to Wireshark's mergecap documentation ↗.
Full PCAPs
To obtain full PCAPs, download the files from the bucket specified in destination_conf after the PCAP's status is success. You may find multiple files named pcap_<pcap_id>.pcap per capture as captures can occur across multiple machines.
Sample PCAPs
Once the sample PCAP collection is complete, you can download the PCAP by specifying the PCAP identifier used earlier.
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps/{pcap_id}/download \--header 'X-Auth-Email: <EMAIL>' \--header 'X-Auth-Key: <API_KEY>' \--output download.pcap-
In the Cloudflare dashboard, go to the Network health page.
Go to Network health -
Go to the Diagnostics tab.
The list of packet captures associated with your account displays under Network packet captures.
To view a list of sent requests, use the following command:
curl https://api.cloudflare.com/client/v4/accounts/{account_id}/pcaps \--header "X-Auth-Email: <EMAIL>" \--header "X-Auth-Key: <API_KEY>"The response returns an array that includes up to 50 sent requests, which includes completed and ongoing requests.
{ "result": [ { "id": "43adab5adeca4dab9c51f4b7f70f2ec3", "submitted": "2021-12-15T03:04:09.277394Z", "filter_v1": {}, "time_limit": 120, "status": "success", "packets_remaining": 0, "type": "simple", "system": "magic-transit" } ], "success": true, "errors": [], "messages": []}