# Logging Network Traffic

The built-in tcpdump payload from switch position 1 will save standard pcap files to a loot folder on a USB flash drive. This payload doesn’t require any configuration to use, other than having a properly formatted USB flash drive.

The USB flash drive must be formatted in either the **NTFS** (Windows, Mac OSX) or **EXT4** (Linux) file system. This is of particular importance since most USB drives come formatted with a FAT32 or exFAT file system.

1. Plug a USB drive formatted in NTFS or EXT4 into the USB host port on the right side of the Packet Squirrel.
2. Flip the switch to position 1 to select the built-in tcpdump payload. Position 1 is on the far left, closest to the Micro USB power port.
3. Plug the device you want to capture packets from into the Ethernet In port. It’s the Ethernet port on the left side above the Micro USB power port. This could be a computer, a network printer, an IP camera, or similar.
4. Plug the network into the Ethernet Out port. That’s the one on the side with the USB type A female port.
5. Power on the Packet Squirrel with a Micro USB cable and any ordinary USB power source, such as a smartphone charger, a computer’s USB port, or a USB battery bank.
6. Wait 40 seconds while the Packet Squirrel boots up, indicated by a flashing green LED. Once booted, tcpdump will begin saving pcap files containing the packets between the two Ethernet links to a loot folder on the inserted USB disk, indicated by a single flashing yellow LED.
7. When you’re ready to stop capturing packets, press the button atop the Packet Squirrel. The LED will flash red to indicate that the file has completed writing to the USB flash drive. It is now safe to unplug the Packet Squirrel, remove the USB flash drive, and inspect the stored pcap file with a protocol analyzer such as Wireshark.

The `tcpdump` payload will write a pcap file to a connected USB disk until the disk is full. A full disk will be indicated by a solid green LED.

If the Packet Squirrel is powered off before pressing the button, the file may be corrupt or unreadable.

If the Packet Squirrel is unable to read the USB disk (for example, if the disk has not been formatted as NTFS or EXT4), the payload will fail, indicated by a blinking red LED.
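
To check whether a capture survived a power loss before the button was pressed, the following added example (not part of the Hak5 documentation or payload) walks a pcap file record by record and reports where intact data ends. It assumes the file is in the classic pcap format rather than pcapng; the function names and the sample capture are constructed for illustration.

```python
import struct
import sys

# Classic pcap magic numbers as stored on disk, mapped to struct byte order.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def result(status, packets, good_bytes):
    return {"status": status, "packets": packets, "good_bytes": good_bytes}

def check_pcap(data):
    """Walk every record; report complete packets and where intact data ends."""
    if len(data) < 24:                       # global header is 24 bytes
        return result("no-header", 0, 0)
    order = MAGICS.get(data[:4])
    if order is None:
        return result("bad-magic", 0, 0)
    # Snapshot length from the header; fall back to 262144 if it is zero.
    snaplen = struct.unpack(order + "I", data[16:20])[0] or 262144
    offset, packets = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:          # partial 16-byte record header
            return result("truncated", packets, offset)
        incl_len = struct.unpack(order + "I", data[offset + 8:offset + 12])[0]
        if incl_len > snaplen:               # implausible captured length
            return result("corrupt", packets, offset)
        if offset + 16 + incl_len > len(data):   # packet body cut short
            return result("truncated", packets, offset)
        offset += 16 + incl_len
        packets += 1
    return result("ok", packets, offset)

def build_sample():
    """Constructed capture: global header plus two 60-byte dummy frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    record = struct.pack("<IIII", 1700000000, 0, 60, 60) + bytes(60)
    return header + record + record

if __name__ == "__main__":
    # With no argument, check the constructed sample cut short by 10 bytes.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()                 # whole file is read into memory
    else:
        data = build_sample()[:-10]
    print(check_pcap(data))
```

`good_bytes` is the offset just past the last complete record, so a working copy of a truncated capture can be cut at that point before analysis.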


