Capturing Trace Files for IDS Signature Matches

When the IDS feature is enabled in a Modular Sensor's profile, the sensor detects malicious activity in network traffic based on matches of known signatures from third-party threat intelligence rule sets. You specify which rule sets to use in the Modular Sensor Profile.

To assist your troubleshooting, Stellar Cyber Modular Sensors can also capture trace files in PCAP format for the network flows on which an IDS signature match was detected. You can copy saved trace files from the sensor for further analysis in third-party tools.

The following sections describe how to enable and configure IDS PCAP capture.

System Requirements for IDS PCAP Capture

The IDS PCAP feature has the following system requirements:

  • Only supported on virtual Modular Sensors installed in Ubuntu 22.04.

  • Minimum sensor software version of 6.0.0.

  • IDS feature must be enabled in Modular Sensor profile.

  • Sensor must have a minimum data partition of 74 GB to ensure space for saved PCAP files.

    If your sensor does not have the minimum space in its data partition, the CLI will report an error message in response to the set ids pcap enable command. As a workaround, you can reinstall the sensor with the requisite disk space provisioned and try again.

CLI Commands for IDS PCAP Capture

The sections below describe the CLI commands used to manage the IDS PCAP capture feature.

set ids pcap

You use the set ids pcap command to configure and enable the IDS PCAP feature. The full syntax is as follows:

Command: set ids pcap ?

Shows the arguments and syntax for the set ids pcap command. For example:

Sensor> set ids pcap ?
set ids pcap {enable/disable} / total_size {num}

Argument: enable/disable

Use these arguments to enable or disable the IDS PCAP feature. Note that disabling the feature does not reset the configuration of the feature; it just turns it off. You can use the unset ids pcap command to reset the feature's configuration to the default settings.

Argument: total_size {num}

Use this argument to specify the maximum disk space to be used for all PCAP files.

  • Use set ids pcap total_size ? to see the permissible range for your sensor. For example:

    Sensor> set ids pcap total_size ?
    set ids pcap total_size(GB) {num}[1, 10], default is 5

  • The permissible range starts at 1 GB.

  • The maximum disk space is the disk space available above what is required for the sensor itself (10 GB in this example).

  • The default value is half of the maximum (5 GB in this example).

You can always redeploy the sensor with more disk space if you require more than is allowed according to set ids pcap total_size ?.

unset ids pcap

You use the unset ids pcap command to clear all IDS PCAP configuration settings on the sensor. The change takes effect in real time without restarting the IDS service.

show ids

The show ids command reports the configuration of the IDS PCAP feature and, if enabled, lists the PCAP files currently stored on the sensor. The sample output below shows the command both when the feature is disabled and when it is enabled.

IDS PCAP Status: Disabled

In this example, the IDS PCAP feature is disabled and there are no PCAP files stored on the sensor.

Sensor> show ids
PCAP: disabled

No pcap files

IDS PCAP Status: Enabled

In this example, the IDS PCAP feature is enabled. You can also see that a maximum of 50 PCAP files can be stored, given the setting for the total_size option (5 GB in this example) and the hardcoded PCAP file size of 100 MB.

Sensor> show ids
PCAP: enabled
Each pcap file max size: 100mb
Max pcap file number: 50
File Name: 1744823631.pcap Date: (2025-04-15 17:13:51)
File Name: pcap.log.1744823601 Date: (2025-04-15 17:13:21)
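When an analyst pastes show ids output into a ticket or a collection script, it helps to parse it rather than read it by eye. The following added example (not Stellar Cyber code) parses the output format shown above, derives the total_size the file ceiling implies from the fixed 100 MB file size, and flags when the store is close to the rotation limit; the sample text is constructed from the page's example and the 80% warning threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the page's "show ids" example; not a real capture.
SAMPLE_SHOW_IDS = """\
Sensor> show ids
PCAP: enabled
Each pcap file max size: 100mb
Max pcap file number: 50
File Name: 1744823631.pcap Date: (2025-04-15 17:13:51)
File Name: pcap.log.1744823601 Date: (2025-04-15 17:13:21)
"""

FILE_RE = re.compile(r"^File Name: (\S+) Date: \((.+?)\)$")
MAX_SIZE_RE = re.compile(r"^Each pcap file max size: (\d+)mb$", re.IGNORECASE)
MAX_NUM_RE = re.compile(r"^Max pcap file number: (\d+)$")


def parse_show_ids(text):
    """Turn 'show ids' output into a dict of status, per-file limits and stored files."""
    result = {"enabled": False, "file_max_mb": None, "file_max_count": None, "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "PCAP: enabled":
            result["enabled"] = True
        elif line == "PCAP: disabled":
            result["enabled"] = False
        elif (m := MAX_SIZE_RE.match(line)):
            result["file_max_mb"] = int(m.group(1))
        elif (m := MAX_NUM_RE.match(line)):
            result["file_max_count"] = int(m.group(1))
        elif (m := FILE_RE.match(line)):
            stamp = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            result["files"].append({"name": m.group(1), "date": stamp})
    return result


def capacity_report(parsed, warn_fraction=0.8):
    """Summarise store usage; 'newest' is the file you would hand to copy captured_pcap."""
    count, ceiling = len(parsed["files"]), parsed["file_max_count"]
    used = (count / ceiling) if ceiling else 0.0
    # 50 files x 100 MB = 5 GB (decimal), matching the page's total_size of 5.
    implied_gb = (ceiling * parsed["file_max_mb"] / 1000) if ceiling else None
    newest = max(parsed["files"], key=lambda f: f["date"])["name"] if parsed["files"] else None
    return {"enabled": parsed["enabled"], "stored": count, "ceiling": ceiling,
            "fraction_used": used, "implied_total_size_gb": implied_gb,
            "newest": newest, "near_rotation": bool(ceiling) and used >= warn_fraction}
```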

copy captured_pcap

The copy captured_pcap command lets you copy a specified trace file to an external host for further analysis. The syntax is as follows:

copy captured_pcap <pcap filename> scp://user@server[:/path]

  1. Start by using the show ids command to see the filenames for the PCAPs available for copying. For example:

    Sensor> show ids
    PCAP: enabled
    Each pcap file max size: 100mb
    Max pcap file number: 50
    File Name: 1744823631.pcap Date: (2025-04-15 17:13:51)
    File Name: pcap.log.1744823601 Date: (2025-04-15 17:13:21)
  2. Let's copy 1744823631.pcap to the host at 10.16.11.123:

    Sensor> copy captured_pcap 1744823631.pcap scp://root@10.16.11.123:/home/aella
    root@10.16.11.123's password:
    1744823631.pcap  

Substitute your own filenames and destination hosts for those shown in the example above to copy your own PCAP files to external hosts.

show maltrace

In addition to the show ids command, the existing show maltrace command has also been updated to include information on the status of the IDS PCAP feature.

About PCAP File Rotation

Stored PCAP files are rotated out of storage every hour or whenever the maximum total_size for storage configured with the set ids pcap command is reached.