DUMPCALLS(1)                                                      DUMPCALLS(1)

NAME
    dumpcalls - Dump system calls to a file.

SYNOPSIS
    Options
    dumpcalls [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface= ] [ --extcap-config ] [ --extcap-capture-filter= ] [ --capture ] [ --fifo= ] [ --log-level= ] [ --log-file= ] [ --include-capture-processes= ] [ --include-switch-calls= ]

DESCRIPTION
    dumpcalls is an extcap tool that allows one to capture system calls on a Linux system.

OPTIONS
    --help
        Print program arguments. This will also list the configuration arguments for each plugin.

    --version
        Print the program version.

    --extcap-interfaces
        List the available interfaces.

    --extcap-interface=
        Use the specified interface.

    --extcap-dlts
        List the DLTs of the specified interface.

    --extcap-config
        List the configuration options of specified interface.

    --extcap-capture-filter=
        The capture filter. Must be a valid Sysdig / Falco filter.

    --capture
        Start capturing from the source specified by --plugin-source via the specified interface and write raw packet data to the location specified by --fifo.

    --fifo=
        Save captured packet to file or send it through pipe.

    --log-level
        Set the log level

    --log-file
        Set a log file to log messages in addition to the console

    --include-capture-processes
        Include system calls for capture processes (dumpcalls, dumpcap, and Stratoshark) if TRUE. Defaults to FALSE.

    --include-switch-calls
        Include "switch" calls if TRUE. Defaults to FALSE.

EXAMPLES
    To see program arguments:

        dumpcalls --help

    To see program version:

        dumpcalls --version

    To see interfaces:

        dumpcalls --extcap-interfaces

    Only one interface (dumpcalls) is supported.

    Example output

        interface {value=dumpcalls}{display=Falco plugin}

    To see interface DLTs:

        dumpcalls --extcap-interface=cloudtrail --extcap-dlts

    Example output

        dlt {number=147}{name=cloudtrail}{display=USER0}

    To see interface configuration options:

        dumpcalls --extcap-interface=cloudtrail --extcap-config

    Example output

        arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{tooltip=The plugin data source. This us usually a URL.}{placeholder=Enter a source URL}{required=true}{group=Capture}
        arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{tooltip=Controls the number of background goroutines used to download S3 files (Default: 1)}{group=Capture}
        arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{tooltip=If true then the plugin will delete sqs messages from the queue immediately after receiving them (Default: true)}{group=Capture}
        arg {number=3}{call=cloudtrail-useasync}{display=useAsync}{type=boolean}{default=true}{tooltip=If true then async extraction optimization is enabled (Default: true)}{group=Capture}

    To capture AWS CloudTrail events from an S3 bucket:

        dumpcalls --extcap-interface=cloudtrail --fifo=/tmp/cloudtrail.pcap --plugin-source=s3://aws-cloudtrail-logs.../CloudTrail/us-east-2/... --capture

    or:

        dumpcalls --capture --extcap-interface cloudtrail --fifo ~/cloudtrail.pcap --plugin-source s3://my-cloudtrail-bucket/AWSLogs/o-abc12345/123456789012/ --cloudtrail-s3downloadconcurrency 32 --cloudtrail-s3interval 5d-2d --cloudtrail-aws-region eu-west-1

    Note
        CTRL + C should be used to stop the capture in order to ensure clean termination.

SEE ALSO
    stratoshark(1), strato(1), dumpcap(1), extcap(4)

NOTES
    dumpcalls is part of the Stratoshark distribution. The latest version of Stratoshark can be found at .

    HTML versions of the Wireshark project man pages are available at .

AUTHORS
    Original Author
        Gerald Combs

2026-06-10                                                        DUMPCALLS(1)
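
The `--extcap-config` output shown under EXAMPLES is a list of `{key=value}` sentences, and a capture wrapper can parse it to confirm that every argument marked `required=true` is present before it runs `--capture`. The following is an added example, not code from the Stratoshark project; the function names are hypothetical, the sample is constructed from the example output above with tooltips omitted, and it assumes values never contain `}`.

```python
import re

# Constructed sample: the --extcap-config sentences from EXAMPLES, tooltips omitted.
SAMPLE = """\
arg {number=0}{call=--plugin-source}{display=Plugin source}{type=string}{required=true}{group=Capture}
arg {number=1}{call=cloudtrail-s3downloadconcurrency}{display=s3DownloadConcurrency}{type=integer}{default=1}{group=Capture}
arg {number=2}{call=cloudtrail-sqsdelete}{display=sqsDelete}{type=boolean}{default=true}{group=Capture}
"""

PAIR = re.compile(r"\{(\w+)=([^}]*)\}")  # assumption: no '}' inside a value


def parse_sentence(line):
    """Split 'kind {k=v}{k=v}...' into (kind, fields); reject leftover text."""
    kind, _, rest = line.strip().partition(" ")
    if not kind or PAIR.sub("", rest).strip():
        raise ValueError(f"malformed extcap sentence: {line!r}")
    return kind, dict(PAIR.findall(rest))


def typed_default(fields):
    """Convert the 'default' string according to the declared 'type'."""
    raw = fields.get("default")
    if raw is None:
        return None
    if fields.get("type") == "integer":
        return int(raw)
    if fields.get("type") == "boolean":
        return raw.lower() == "true"
    return raw


def parse_config(text):
    """Return the 'arg' sentences, ordered by number, with typed defaults."""
    args = []
    for line in filter(str.strip, text.splitlines()):
        kind, fields = parse_sentence(line)
        if kind == "arg":
            fields["default"] = typed_default(fields)
            args.append(fields)
    return sorted(args, key=lambda a: int(a["number"]))


def missing_required(args, argv):
    """List required calls absent from argv ('--opt=value' or '--opt value')."""
    # 'call' appears with and without leading dashes in the output, so strip them.
    have = {t.split("=", 1)[0].lstrip("-") for t in argv if t.startswith("--")}
    return [a["call"] for a in args
            if a.get("required") == "true" and a["call"].lstrip("-") not in have]
```
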