'\" t
.\"     Title: dumpcalls
.\"    Author: [see the "AUTHOR(S)" section]
.\" Generator: Asciidoctor 2.0.26
.\"      Date: 2026-06-10
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "DUMPCALLS" "1" "2026-06-10" "\ \&" "\ \&"
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
.  mso www.tmac
.  am URL
.    ad l
.  .
.  am MTO
.    ad l
.  .
.  LINKSTYLE blue R < >
.\}
.SH "NAME"
dumpcalls \- Dump system calls to a file.
.SH "SYNOPSIS"
.sp
.B Options
.br
\fBdumpcalls\fP
[\~\fB\-\-help\fP\~]
[\~\fB\-\-version\fP\~]
[\~\fB\-\-extcap\-interfaces\fP\~]
[\~\fB\-\-extcap\-dlts\fP\~]
[\~\fB\-\-extcap\-interface\fP=\~]
[\~\fB\-\-extcap\-config\fP\~]
[\~\fB\-\-extcap\-capture\-filter\fP=\~]
[\~\fB\-\-capture\fP\~]
[\~\fB\-\-fifo\fP=\~]
[\~\fB\-\-log\-level\fP=\~]
[\~\fB\-\-log\-file\fP=\~]
[\~\fB\-\-include\-capture\-processes\fP=\~]
[\~\fB\-\-include\-switch\-calls\fP=\~]
.SH "DESCRIPTION"
.sp
\fBdumpcalls\fP is an extcap tool that allows one to capture system calls on a Linux system.
.SH "OPTIONS"
.sp
\-\-help
.RS 4
Print program arguments.
This will also list the configuration arguments for each plugin.
.RE
.sp
\-\-version
.RS 4
Print the program version.
.RE
.sp
\-\-extcap\-interfaces
.RS 4
List the available interfaces.
.RE
.sp
\-\-extcap\-interface=
.RS 4
Use the specified interface.
.RE
.sp
\-\-extcap\-dlts
.RS 4
List the DLTs of the specified interface.
.RE
.sp
\-\-extcap\-config
.RS 4
List the configuration options of the specified interface.
.RE
.sp
\-\-extcap\-capture\-filter=
.RS 4
The capture filter.
Must be a valid Sysdig / Falco filter.
.RE
.sp
\-\-capture
.RS 4
Start capturing from the source specified by \-\-plugin\-source via the specified interface and write raw packet data to the location specified by \-\-fifo.
.RE
.sp
\-\-fifo=
.RS 4
Save captured packets to a file or send them through a pipe.
.RE
.sp
\-\-log\-level
.RS 4
Set the log level.
.RE
.sp
\-\-log\-file
.RS 4
Set a log file to log messages in addition to the console.
.RE
.sp
\-\-include\-capture\-processes
.RS 4
Include system calls for capture processes (dumpcalls, dumpcap, and Stratoshark) if TRUE.
Defaults to FALSE.
.RE
.sp
\-\-include\-switch\-calls
.RS 4
Include "switch" calls if TRUE.
Defaults to FALSE.
.RE
.SH "EXAMPLES"
.sp
To see program arguments:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-help
.fam
.fi
.if n .RE
.sp
To see program version:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-version
.fam
.fi
.if n .RE
.sp
To see interfaces:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-extcap\-interfaces
.fam
.fi
.if n .RE
.sp
Only one interface (dumpcalls) is supported.
.sp
.B Example output
.br
.sp
.if n .RS 4
.nf
.fam C
interface {value=dumpcalls}{display=Falco plugin}
.fam
.fi
.if n .RE
.sp
To see interface DLTs:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-extcap\-interface=cloudtrail \-\-extcap\-dlts
.fam
.fi
.if n .RE
.sp
.B Example output
.br
.sp
.if n .RS 4
.nf
.fam C
dlt {number=147}{name=cloudtrail}{display=USER0}
.fam
.fi
.if n .RE
.sp
To see interface configuration options:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-extcap\-interface=cloudtrail \-\-extcap\-config
.fam
.fi
.if n .RE
.sp
.B Example output
.br
.sp
.if n .RS 4
.nf
.fam C
arg {number=0}{call=\-\-plugin\-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL…}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail\-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
arg {number=2}{call=cloudtrail\-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
arg {number=3}{call=cloudtrail\-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}
.fam
.fi
.if n .RE
.sp
To capture AWS CloudTrail events from an S3 bucket:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-extcap\-interface=cloudtrail \-\-fifo=/tmp/cloudtrail.pcap \-\-plugin\-source=s3://aws\-cloudtrail\-logs.../CloudTrail/us\-east\-2/... \-\-capture
.fam
.fi
.if n .RE
.sp
or:
.sp
.if n .RS 4
.nf
.fam C
dumpcalls \-\-capture \-\-extcap\-interface cloudtrail \-\-fifo ~/cloudtrail.pcap \-\-plugin\-source s3://my\-cloudtrail\-bucket/AWSLogs/o\-abc12345/123456789012/ \-\-cloudtrail\-s3downloadconcurrency 32 \-\-cloudtrail\-s3interval 5d\-2d \-\-cloudtrail\-aws\-region eu\-west\-1
.fam
.fi
.if n .RE
.if n .sp
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
.B Note
.ps -1
.br
.sp
\f(CRCTRL\0+\0C\fP should be used to stop the capture in order to ensure clean termination.
.sp .5v
.RE
.SH "SEE ALSO"
.sp
stratoshark(1), strato(1), dumpcap(1), extcap(4)
.SH "NOTES"
.sp
\fBdumpcalls\fP is part of the \fBStratoshark\fP distribution.
The latest version of \fBStratoshark\fP can be found at \c
.URL "https://www.wireshark.org" "" "."
.sp
HTML versions of the Wireshark project man pages are available at
.URL "https://www.wireshark.org/docs/man\-pages" "" "."
.SH "AUTHORS"
.sp
.B Original Author
.br
Gerald Combs