DUMPCALLS(1)   DUMPCALLS(1)

dumpcalls - Dump system calls to a file.

Options
dumpcalls [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --log-level=<log level> ] [ --log-file=<path to file> ] [ --include-capture-processes=<TRUE or FALSE> ] [ --include-switch-calls=<TRUE or FALSE> ]

dumpcalls is an extcap tool that allows one to capture system calls on a Linux system.

--help

Print program arguments. This will also list the configuration arguments for each plugin.

--version

Print the program version.

--extcap-interfaces

List the available interfaces.

--extcap-interface=<interface>

Use the specified interface.

--extcap-dlts

List the DLTs of the specified interface.

--extcap-config

List the configuration options of the specified interface.

--extcap-capture-filter=<capture filter>

The capture filter. Must be a valid Sysdig / Falco filter.

--capture

Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo.

--fifo=<path to file or pipe>

Save captured packets to a file or send them through a pipe.

--log-level

Set the log level.

--log-file

Set a log file to log messages to, in addition to the console.

--include-capture-processes

Include system calls for capture processes (dumpcalls, dumpcap, and Stratoshark) if TRUE. Defaults to FALSE.

--include-switch-calls

Include "switch" calls if TRUE. Defaults to FALSE.

To see program arguments:

dumpcalls --help

To see program version:

dumpcalls --version

To see interfaces:

dumpcalls --extcap-interfaces

Only one interface (dumpcalls) is supported.

Example output

interface {value=dumpcalls}{display=Falco plugin}

To see interface DLTs:

dumpcalls --extcap-interface=cloudtrail --extcap-dlts

Example output

dlt {number=147}{name=cloudtrail}{display=USER0}

To see interface configuration options:

dumpcalls --extcap-interface=cloudtrail --extcap-config

Example output

arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}
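
The interface, dlt and arg lines in the example output above all use the same {key=value} layout. The following Python sketch is an added example, not part of dumpcalls or the Stratoshark distribution: it parses those lines so that a capture script can confirm every required option is present before it starts. The function names are hypothetical, and the sample lines are copied from the example output on this page.

```python
import re

# One {key=value} pair; values in the sample output never contain braces.
PAIR = re.compile(r"\{([^=}]+)=([^}]*)\}")

def parse_sentence(line):
    """Split one extcap line into (kind, fields), e.g. ('arg', {...})."""
    line = line.strip()
    kind, _, rest = line.partition(" ")
    fields = dict(PAIR.findall(rest))
    # Reject lines with text outside the braces (truncated or merged output).
    if not fields or PAIR.sub("", rest).strip():
        raise ValueError(f"malformed extcap sentence: {line!r}")
    return kind, fields

def parse_output(text):
    """Parse multi-line extcap output, skipping blank lines."""
    return [parse_sentence(l) for l in text.splitlines() if l.strip()]

def required_args(sentences):
    """Return the 'call' names of args marked required=true."""
    return [f["call"] for kind, f in sentences
            if kind == "arg" and f.get("required", "false").lower() == "true"]

def missing_required(sentences, argv):
    """List required options that do not appear in a planned command line."""
    given = {a.split("=", 1)[0] for a in argv if a.startswith("--")}
    return [c for c in required_args(sentences) if c not in given]

# Sample lines copied from the example output on this page.
SAMPLE = """\
interface {value=dumpcalls}{display=Falco plugin}
dlt {number=147}{name=cloudtrail}{display=USER0}
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
"""

if __name__ == "__main__":
    parsed = parse_output(SAMPLE)
    print(required_args(parsed))
    print(missing_required(parsed, ["--capture", "--fifo=/tmp/cloudtrail.pcap"]))
```
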

To capture AWS CloudTrail events from an S3 bucket:

dumpcalls --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture

or:

dumpcalls --capture --extcap-interface cloudtrail --fifo ~/cloudtrail.pcap --plugin-source s3://my-cloudtrail-bucket/AWSLogs/o-abc12345/123456789012/ --cloudtrail-s3downloadconcurrency 32 --cloudtrail-s3interval 5d-2d --cloudtrail-aws-region eu-west-1

Note

CTRL + C should be used to stop the capture in order to ensure clean termination.

stratoshark(1), strato(1), dumpcap(1), extcap(4)

dumpcalls is part of the Stratoshark distribution. The latest version of Stratoshark can be found at https://www.wireshark.org.

HTML versions of the Wireshark project man pages are available at https://www.wireshark.org/docs/man-pages.

Original Author
Gerald Combs <gerald[AT]wireshark.org>

2026-06-10