To explore the nature of the data you intend to work with, you will usually need a traffic capture file: a .pcap that the stub function of Zentral can ingest. Within Zentral this can be done with the Datumize Data Dumper (DDD), but a .pcap can also be generated directly on Windows or Linux. Once the .pcap exists, see the Zentral user guide for more in-depth information about working with stubs and pipelines.

Generate a .pcap in Windows

  1. Install Wireshark
  2. Run the following command as administrator, where "C:\Program Files\Wireshark\tshark" is the path to the tshark executable (it depends on where Wireshark is installed on the machine):
"C:\Program Files\Wireshark\tshark" -b "duration:60" -B 65535 -f "tcp" -ni 1 -w C:\Users\%username%\Desktop\output.pcap

Explanation:

  • -b duration:60 starts a new output file every 60 seconds.
  • -B 65535 sets the capture buffer size (for tshark the value is in MiB).
  • -ni 1 captures from interface number 1 without name resolution (-n); Windows numbers its interfaces, and tshark -D lists them.
  • -f "tcp" is the capture filter, written in BPF syntax, so only TCP traffic (which includes HTTP) is captured. An expression such as http.request.uri != "/services/hotelsendpoint", used to leave out URLs or services we do not want, is a Wireshark display filter, not a capture filter: -f rejects it, but it can be applied when the saved file is read later, e.g. tshark -r output.pcap -Y "http.request.uri != \"/services/hotelsendpoint\"".
  • -w C:\Users\%username%\Desktop\output.pcap sets the output file; with -b, tshark adds a sequence number and timestamp to each file name.

Generate a .pcap in Linux

  1. Install tcpdump if it is not already installed.
  2. Run the following command with sudo:
sudo tcpdump -U -nOB 65535 -i <device-name> tcp -G 60 -s 20480 -w %d_%m-%H_%M_%S.pcap

Explanation:

  • <device-name> is the interface to capture from; -i any captures from all interfaces.
  • tcp is the capture filter (BPF syntax): only TCP traffic is captured.
  • -G 60 rotates to a new file every 60 seconds; the strftime placeholders in the -w name (%d_%m-%H_%M_%S) give each file its own timestamp.
  • -s 20480 sets the snapshot length (maximum bytes saved per packet) to 20480.
  • -nOB 65535 is -n (no name resolution), -O (no BPF optimizer) and -B 65535 (capture buffer size, in KiB for tcpdump); -U writes each packet to the file as soon as it is captured.
  • -w <path_file.pcap> is the location and filename of the capture.

Press Ctrl+C to stop either of the above commands while it is running.
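As an added example (not Zentral or Datumize code), the following Python script shows the sanity check a practitioner would run on a capture produced by either command above before ingesting it as a stub. It parses the classic libpcap format that tcpdump and tshark -w write, reads the snapshot length back from the file header, lists the HTTP request URIs found in the TCP payloads, and applies the http.request.uri exclusion for /services/hotelsendpoint as a post-capture step, since a BPF capture filter cannot inspect HTTP. It assumes Ethernet/IPv4/TCP frames; the three sample packets, their addresses and ports are constructed here, and a record truncated by an interrupted capture makes it stop with an error rather than read garbage.

```python
"""Post-capture checks for a .pcap before ingesting it as a Zentral stub.
Added example, not Zentral or Datumize code. Assumes the classic libpcap format
(as written by tcpdump / tshark -w) and Ethernet/IPv4/TCP frames; the sample
packets below are constructed inline."""
import socket
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # 0xa1b2c3d4 stored little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def pcap_global_header(snaplen=20480, linktype=1):
    """24-byte libpcap file header, version 2.4, little-endian, LINKTYPE_ETHERNET=1."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(ts_sec, ts_usec, frame):
    """16-byte per-packet record header followed by the frame bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame

def build_tcp_frame(payload, src_ip="10.0.0.5", dst_ip="10.0.0.80", src_port=40000, dst_port=80):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left 0 (not verified here)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload

def _endianness(data):
    """Struct byte-order prefix from the magic number; rejects pcapng and non-pcap input."""
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(bytes(data[:4]))
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    return end

def pcap_snaplen(data):
    """Snapshot length recorded in the file header (tcpdump -s / tshark -s)."""
    return struct.unpack(_endianness(data) + "I", data[16:20])[0]

def iter_records(data):
    """Yield (record_header, frame) pairs; a record truncated by an interrupted capture raises."""
    end, off = _endianness(data), 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        incl_len = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet at offset %d" % off)
        yield data[off:off + 16], frame
        off += 16 + incl_len

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 20:
        return None
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:min(14 + total_len, len(frame))]  # drop Ethernet padding

def http_request_uri(payload):
    """URI from an HTTP/1.x request line at the start of the payload, else None."""
    if not payload or not payload.startswith(HTTP_METHODS):
        return None
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("ascii", "replace")

def request_uris(data):
    """All HTTP request URIs in the capture, in packet order."""
    uris = (http_request_uri(tcp_payload(frame) or b"") for _, frame in iter_records(data))
    return [u for u in uris if u is not None]

def filter_pcap(data, excluded_uri):
    """Copy of the capture without HTTP requests for excluded_uri; returns (pcap, kept, dropped).
    Post-capture equivalent of the display filter http.request.uri != excluded_uri,
    which a BPF capture filter (tcpdump expression / tshark -f) cannot express."""
    out, kept, dropped = [data[:24]], 0, 0
    for rec_hdr, frame in iter_records(data):
        if http_request_uri(tcp_payload(frame) or b"") == excluded_uri:
            dropped += 1
            continue
        out.append(rec_hdr + frame)
        kept += 1
    return b"".join(out), kept, dropped

def sample_pcap():
    """Constructed capture: a normal GET, a request to the excluded endpoint, a non-HTTP segment."""
    frames = [
        build_tcp_frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_tcp_frame(b"POST /services/hotelsendpoint HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_tcp_frame(b"\x16\x03\x01\x00\x05hello", dst_port=443),
    ]
    return pcap_global_header() + b"".join(pcap_record(1_700_000_000 + i, 0, f) for i, f in enumerate(frames))
```

On a real file, read it with open(path, "rb").read(), pass the bytes to filter_pcap(data, "/services/hotelsendpoint") and write the returned bytes to a new .pcap; request_uris on the result confirms the excluded endpoint is gone before the file goes into the stub. The parser only understands the classic pcap format, which is what both commands on this page produce; a pcapng file is rejected rather than misread.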


Using the .pcap in Zentral

To use the newly created capture as a stub, see the following page for more information: Testing a Pipeline