Packet capture files are stored in libpcap format in the /var/tmp directory. You can specify user or administrator privileges for the files.
Packet capture files can be opened and analyzed offline with tcpdump or any packet analyzer that recognizes the libpcap format. You can also use FTP or the Session Control Protocol (SCP) to transfer the packet capture files to an external device.
Note: Disable packet capture before opening the file for analysis or transferring the file to an external device with FTP or SCP. Disabling packet capture ensures that the internal file buffer is flushed and all the captured packets are written to the file. To disable packet capture on an interface, see Disabling Packet Capture.
For more details about analyzing packet capture files, see Verifying Captured Packets.
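A capture file copied before packet capture was disabled can end in a partially written record. The following added example (not part of the original documentation) walks the 24-byte libpcap global header and the 16-byte per-packet record headers and reports whether the file ends on a record boundary. The function names and the sample capture bytes are constructed for illustration.

```python
import struct

# On-disk magic bytes -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def check_pcap(data: bytes) -> dict:
    """Count complete packet records and report any truncated tail."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte libpcap global header")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a libpcap file (unknown magic number)")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    offset, packets = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            break  # record header itself is cut short
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        if offset + 16 + incl_len > len(data):
            break  # packet bytes were not fully written
        offset += 16 + incl_len
        packets += 1
    return {
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "trailing_bytes": len(data) - offset,  # bytes of an incomplete record
        "complete": offset == len(data),
    }

def sample_capture() -> bytes:
    """Constructed sample: Ethernet link type, two dummy packets (60 and 42 bytes)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    def record(payload: bytes) -> bytes:
        return struct.pack("<IIII", 1700000000, 0, len(payload), len(payload)) + payload
    return header + record(b"\x00" * 60) + record(b"\x11" * 42)

if __name__ == "__main__":
    full = sample_capture()
    print(check_pcap(full))        # both records complete
    print(check_pcap(full[:-10]))  # simulates a copy taken before the buffer was flushed
```

A result with `complete` set to `False` means the last record is partial, which is what a copy taken while capture is still enabled can look like.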