Traffic captures and how they work

You can capture network traffic data for network troubleshooting purposes. This data helps you to analyze network traffic to and from the engines.

It is also often useful to have this data available when contacting Forcepoint support.

Traffic capture creates a .zip file that contains a tcpdump CAP file, which can be opened with standard packet-analysis (“sniffer”) tools such as tcpdump, WinDump, or Wireshark. You can select whether the capture records full packets or only the IP headers. Capturing only the headers keeps packet payloads, which may contain sensitive data, out of the file, but the application-layer content is then not available for analysis. You can also include a free-form description and information about your configuration and trace files in the traffic capture .zip file.

The traffic capture .zip file is saved on the Management Server or in a directory on your local workstation, so the data can be archived and analyzed later.
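The following is an added example (not Forcepoint code) that shows what such an archive contains and how the header-only option changes the result. It builds a small pcap from two constructed TCP frames, packs it into a .zip the way a traffic capture is packaged, then unpacks and parses it to report the flows seen and how many records were truncated. The member names capture.cap and description.txt, the sample addresses, and the snaplen values are assumptions; the real archive layout may differ.

```python
import io
import struct
import zipfile

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}


def _ipv4_tcp_frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left zero; this is
    constructed sample traffic, not data from a real capture."""
    eth = bytes.fromhex("000000000002") + bytes.fromhex("000000000001") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames, snaplen):
    """Serialise frames into a classic little-endian pcap file, truncating each
    record to snaplen as tcpdump -s does. A snaplen covering the whole frame is a
    full-packet capture; 54 bytes (Ethernet + IPv4 + TCP) is a headers-only capture."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(data), len(frame)))
        out.append(data)
    return b"".join(out)


def parse_pcap(data):
    """Parse a pcap file and return one dict per record with the IP and TCP/UDP
    header fields plus whether the record was truncated (captured < original)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    records, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rec = {"captured": incl_len, "original": orig_len, "truncated": incl_len < orig_len}
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":  # IPv4 over Ethernet
            ihl = (pkt[14] & 0x0F) * 4
            proto = pkt[23]
            rec.update(src=".".join(map(str, pkt[26:30])), dst=".".join(map(str, pkt[30:34])),
                       proto=PROTO_NAMES.get(proto, str(proto)))
            l4 = 14 + ihl
            if proto in (6, 17) and len(pkt) >= l4 + 4:
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", pkt, l4)
        records.append(rec)
    return records


def build_capture_zip(pcap_bytes, description):
    """Pack the pcap and a free-form description into a zip archive
    (member names are assumptions, not the product's actual layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("capture.cap", pcap_bytes)
        zf.writestr("description.txt", description)
    return buf.getvalue()


def summarize_capture_zip(zip_bytes):
    """Open the archive, parse the first .cap/.pcap member and return a
    per-flow packet count plus the number of truncated records."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = next(n for n in zf.namelist() if n.lower().endswith((".cap", ".pcap")))
        records = parse_pcap(zf.read(name))
    flows = {}
    for r in records:
        if "src" in r:
            key = (r["src"], r.get("sport"), r["dst"], r.get("dport"), r["proto"])
            flows[key] = flows.get(key, 0) + 1
    return {"file": name, "packets": len(records), "flows": flows,
            "truncated": sum(r["truncated"] for r in records)}


# Constructed sample traffic: an HTTP request and reply passing the engine.
SAMPLE_FRAMES = [
    _ipv4_tcp_frame("10.0.0.5", "192.0.2.10", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
    _ipv4_tcp_frame("192.0.2.10", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for label, snaplen in (("full packets", 65535), ("headers only", 54)):
        archive = build_capture_zip(build_pcap(SAMPLE_FRAMES, snaplen), "test capture")
        print(label, summarize_capture_zip(archive))
```

The same summary of flows comes out of both archives; only the truncated count differs, which is the practical meaning of the header-only option: addresses and ports survive, payloads do not. A real capture file can be inspected the same way with `tcpdump -nn -r capture.cap` or by opening it in Wireshark.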

Traffic captures can only be taken on nodes that are online and have a policy uploaded.

Note: You must have permissions to send Advanced Commands to be able to take traffic captures.

You can stop or cancel a traffic capture at any point once it has been started.
  • If you stop a traffic capture, all captured tcpdump data is compressed and sent to the Management Server or to your local workstation.
  • If you cancel a traffic capture, all captured tcpdump data is deleted.