automateyournetwork/cml-packet-capture
workspace/skills/cml-packet-capture/SKILL.md
CML packet capture — start, stop, download pcaps from CML lab links, integrate with Packet Buddy for analysis. Use when capturing packets in a CML lab, troubleshooting BGP or OSPF with packet analysis, or downloading pcap files for Wireshark review.
$ install --global
skillsauthnpx skillsauth add automateyournetwork/netclaw cml-packet-captureInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:29 AM4.6s1 file scanned
SKILL.md
- name:
- cml-packet-capture
- description:
- CML packet capture — start, stop, download pcaps from CML lab links, integrate with Packet Buddy for analysis. Use when capturing packets in a CML lab, troubleshooting BGP or OSPF with packet analysis, or downloading pcap files for Wireshark review.
- version:
- 1.0.0
- license:
- Apache-2.0
- tags:
- [cml, pcap, capture, troubleshooting, wireshark]
CML Packet Capture
MCP Server
- Command:
cml-mcp(pip-installed, stdio transport) - Requires:
CML_URL,CML_USERNAME,CML_PASSWORDenvironment variables
Available Tools
Packet Capture Operations
| Tool | Parameters | What It Does |
|------|-----------|-------------|
| start_capture | lab_id/lab_title, link_id, max_packets?, pcap_filter? | Start capturing packets on a link |
| stop_capture | lab_id/lab_title, link_id | Stop an active capture |
| get_capture_status | lab_id/lab_title, link_id | Check capture status (running, packet count) |
| download_capture | lab_id/lab_title, link_id, file_path? | Download the captured pcap file |
| list_captures | lab_id/lab_title | List all active and completed captures in a lab |
Workflow: Capture and Analyze (Full Pipeline)
When a user says "capture traffic between R1 and R2 and analyze it":
- Find the link: Use
get_links(from cml-topology-builder) to find the link ID between R1 and R2 - Start capture:
start_capturewith optional filter (e.g., "icmp", "tcp port 179") - Generate traffic: Tell the user to generate traffic (or use
execute_commandto ping) - Stop capture:
stop_captureafter sufficient traffic is collected - Download pcap:
download_captureto save the pcap file locally - Analyze with Packet Buddy: Hand off to the packet-analysis skill:
pcap_summary— overviewpcap_protocol_hierarchy— protocol breakdownpcap_conversations— who talked to whompcap_expert_info— errors, retransmissionspcap_filter— drill into specific traffic
- Report findings: Summarize the analysis in plain English
Workflow: Targeted Protocol Capture
When troubleshooting a specific protocol:
BGP Troubleshooting
1. start_capture with pcap_filter="tcp port 179"
2. Wait for BGP events (or trigger with clear ip bgp)
3. stop_capture
4. download_capture
5. Analyze: Look for OPEN, KEEPALIVE, UPDATE, NOTIFICATION messages
6. Check for: hold timer expiry, capability mismatch, prefix limit exceeded
OSPF Troubleshooting
1. start_capture with pcap_filter="ospf"
2. Wait for OSPF events (or trigger with clear ip ospf process)
3. stop_capture
4. download_capture
5. Analyze: Look for Hello, DBD, LSR, LSU, LSAck packets
6. Check for: area mismatch, auth failure, MTU mismatch, dead timer expiry
ICMP / Connectivity
1. start_capture (no filter, or pcap_filter="icmp")
2. execute_command on source node: "ping {destination}"
3. stop_capture
4. download_capture
5. Analyze: Look for echo request/reply, unreachable, TTL exceeded
6. Check for: asymmetric routing, ACL drops, MTU issues
Spanning Tree
1. start_capture with pcap_filter="stp"
2. Wait for STP convergence or trigger topology change
3. stop_capture
4. download_capture
5. Analyze: BPDUs, topology change notifications, root bridge elections
Capture Filters
CML uses BPF (Berkeley Packet Filter) syntax for capture filters:
| Filter | Captures |
|--------|----------|
| icmp | ICMP (ping) traffic |
| tcp port 179 | BGP traffic |
| ospf | OSPF traffic |
| tcp port 22 | SSH traffic |
| udp port 53 | DNS traffic |
| arp | ARP requests/replies |
| stp | Spanning Tree BPDUs |
| tcp port 80 or tcp port 443 | HTTP/HTTPS traffic |
| host 10.0.0.1 | Traffic to/from specific host |
| net 10.0.0.0/24 | Traffic to/from specific subnet |
| vlan 100 | Traffic on VLAN 100 |
Workflow: Compare Before/After
When verifying a configuration change:
- Capture before: Start capture, collect baseline traffic
- Stop and download: Save as
before.pcap - Make the change: Apply configuration via cml-node-operations
- Capture after: Start new capture, collect post-change traffic
- Stop and download: Save as
after.pcap - Compare: Analyze both pcaps with Packet Buddy
- Report: Document the differences (e.g., "BGP converged in 3s after route-map change")
Integration with Packet Buddy
After downloading a pcap from CML, use these Packet Buddy tools for analysis:
| Step | Packet Buddy Tool | Purpose |
|------|-------------------|---------|
| 1 | pcap_summary | Big picture: packet count, duration, size |
| 2 | pcap_protocol_hierarchy | What protocols are present |
| 3 | pcap_conversations | Who is talking to whom |
| 4 | pcap_expert_info | Errors, warnings, retransmissions |
| 5 | pcap_filter | Focus on specific traffic |
| 6 | pcap_packet_detail | Deep dive into a single packet |
| 7 | pcap_dns_queries | DNS resolution analysis |
| 8 | pcap_http_requests | HTTP traffic analysis |
Important Rules
- Lab must be running — captures only work on links in a started lab
- One capture per link — stop an existing capture before starting a new one
- Use filters for busy links — unfiltered captures on high-traffic links can be large
- Set max_packets — prevent runaway captures; 10000 packets is usually enough
- Download before stopping — some CML versions clear the capture buffer on link state change
- File naming: Save pcaps with descriptive names like
r1-r2-bgp-capture.pcap - Record in GAIT — log captures and findings for audit trail
Related Skills
automateyournetwork/humanrail-escalation
testing
VerifiedTrustedCommunity
Human-in-the-loop escalation via HumanRail — route low-confidence agent decisions, pre-destructive operation approvals, and ambiguous incident tickets to real human engineers. Human answers are verified and returned as structured output. Workers are paid via Lightning Network. Use when the agent is uncertain, when a destructive change needs explicit human sign-off beyond a ServiceNow CR, or when an ambiguous ticket requires human triage before automated handling.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-node-operations
testing
VerifiedTrustedCommunity
Manage EVE-NG node lifecycle. Use when listing nodes, checking runtime state, creating or deleting nodes, starting or stopping nodes or whole labs, verifying node details, or wiping node NVRAM back to factory defaults.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-lab-management
development
VerifiedTrustedCommunity
Manage EVE-NG labs and platform inventory. Use when listing labs, checking lab metadata, creating or deleting labs, importing or exporting lab archives, checking EVE-NG health or auth, or verifying available node images before build work.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-console-ops
tools
VerifiedTrustedCommunity
Execute live CLI commands on running EVE-NG nodes over telnet console. Use when running show commands, making live config changes, verifying protocol state, testing connectivity, checking console readiness, or interacting with IOS, Junos, VPCS, EOS, or NX-OS nodes.
491SKILL.mdUpdated May 12, 2026