Enable Mode Commands : System Administration Commands : tcpdump
  
tcpdump
Executes the tcpdump utility. You can quickly diagnose problems and take traces for Riverbed Support.
Syntax
tcpdump [<options>] [<filter-string>]
Parameters
<options>
The tcpdump command takes the standard Linux options:
-a - Attempt to convert network and broadcast addresses to names.
-c - Exit after receiving count packets.
-d - Dump the compiled packet-matching code in a human readable form to standard output and stop.
-dd - Dump packet-matching code as a C program fragment.
-ddd - Dump packet-matching code as decimal numbers (preceded with a count).
-e - Print the link-level header on each dump line.
-E - Use the given algorithm and secret for decrypting IPsec ESP packets. Because the secret is passed on the command line, it is visible in the process list and in the command history; do not use production keys this way.
-f - Print foreign internet addresses numerically rather than symbolically.
-F - Use file as input for the filter expression. An additional expression given on the command line is ignored.
-i - Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface.
-n - Do not convert addresses, such as host addresses and port numbers to names.
-N - Do not print domain name qualification of hostnames. For example, if you specify this flag, then tcpdump will print nic instead of nic.ddn.mil.
-m - Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
-q - Quiet output. Print less protocol information so output lines are shorter.
-r - Read packets from a file created with the -w option instead of capturing on an interface.
-S - Print absolute, not relative, TCP sequence numbers.
-v - (Slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verifying the IP and ICMP header checksum.
-w - Write the raw packets to a file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is -.
-x - Print each packet without its link level header in hexadecimal format. The smaller of the entire packet or the snaplen (-s) bytes will be printed.
-X - When printing hex, print ASCII too. Thus if -x is also set, the packet is printed in hex/ASCII. This option is useful for analyzing new or undocumented protocols.
For detailed information, see the Linux man page.
Usage
The tcpdump command takes the standard Linux options; for detailed information, see the Linux man page. When taking traces for Riverbed Support, take separate tcpdumps on the LAN and WAN interfaces of the in-path pair (lanX_Y and wanX_Y), not on the logical inpathX_Y interface, so that each side of the optimized connection is captured on its own.
The most common options are:
-n - Do not resolve addresses via DNS.
-i <interface> - Capture on <interface>. Use lanX_Y and wanX_Y, not inpathX_Y.
-e - Display layer 2 headers, MAC addresses, and VLAN tags.
-s <bytes> - Capture up to <bytes> bytes per packet. The default is 96 bytes, which is not enough for the deep packet inspection Riverbed Support needs; use -s 0 to capture full frames.
-w <file> - Store the trace in <file> (needed when taking traces for offline analysis).
Common Packet Filters
•  src host <ip> - Source IP address is <ip>.
•  dst host <ip> - Destination IP address is <ip>.
•  host <ip> - Either source or destination is <ip>.
•  Same for src port, dst port, and port.
•  Multiple filters can be connected with the logical operators and, or, and not. Use parentheses to override operator precedence. If you run tcpdump from a Linux shell rather than the RiOS CLI, quote the filter expression so that the shell does not interpret the parentheses. For example:
tcpdump -i lan0_0 not port 22
tcpdump -i lan0_0 host 1.1.1.1 and port 2222
tcpdump -i wan0_0 host 3.3.3.3 and (port 4444 or port 5555)
Suppose two SteelHeads are having a problem optimizing a connection:
Client IP = 10.10.10.10
Client-side SteelHead IP = 10.10.10.20
Server IP = 11.11.11.11
Server-side SteelHead IP = 11.11.11.21
Take traces on all LAN/WAN interfaces on both SteelHeads to diagnose. On the LAN side only the client-server pair is visible; on the WAN side, also capture the inner connection between the two SteelHeads:
C-SH# tcpdump -n -i lan0_0 host 10.10.10.10 and host 11.11.11.11
C-SH# tcpdump -n -i wan0_0 (host 10.10.10.10 and host 11.11.11.11) or (host 10.10.10.20 and host 11.11.11.21)
S-SH# tcpdump -n -i lan0_0 host 10.10.10.10 and host 11.11.11.11
S-SH# tcpdump -n -i wan0_0 (host 10.10.10.10 and host 11.11.11.11) or (host 10.10.10.20 and host 11.11.11.21)
Keep the tcpdump running and establish a connection.
If the problem is not obvious, use -w to capture to files and examine them in a tool like Wireshark. Large traces often contain only a small subset of traffic that is of interest. To reduce a trace without recapturing, run tcpdump over the saved file with a narrower filter: the -r <file> option reads packets from a file instead of capturing on an interface, and -w writes the matching packets to a new file.
tcpdump -n -r my_trace.cap -w my_filtered_trace.cap host 5.5.5.5 and port 2323
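The two-SteelHead procedure above and the post-filtering step are collected here as an added shell example; it is not part of the RiOS documentation and not Riverbed's code. It assumes a Linux host with tcpdump in PATH (not the RiOS CLI, where quoting is not needed), the interface names lan0_0 and wan0_0, and the constructed addresses from the text. It also generalizes the VLAN idiom used later on this page into a helper that wraps any filter so it matches both tagged and untagged frames.

```shell
#!/bin/sh
# Added example (not from the RiOS documentation): build the tcpdump filter
# expressions for a two-SteelHead optimization problem, capture full frames
# on the LAN and WAN interfaces, and post-filter a saved trace.
# Assumptions: Linux shell with tcpdump in PATH; interface names lan0_0 and
# wan0_0; the IP addresses below are the constructed ones from the text.

# Filter for a LAN-side interface: only the client<->server pair is visible.
lan_filter() {
    # $1 = client IP, $2 = server IP
    printf 'host %s and host %s' "$1" "$2"
}

# Filter for a WAN-side interface: the original client<->server pair plus
# the inner connection between the two SteelHeads.
wan_filter() {
    # $1 = client IP, $2 = server IP, $3 = client-side SH IP, $4 = server-side SH IP
    printf '(host %s and host %s) or (host %s and host %s)' "$1" "$2" "$3" "$4"
}

# Wrap a filter so it matches both untagged and 802.1Q-tagged frames. The
# 'vlan' keyword shifts the header offsets for every test after it, so the
# untagged clause must come first and the tagged clause second.
with_vlan() {
    printf '(%s) or (vlan and (%s))' "$1" "$1"
}

# Full-frame capture (-s 0) with layer-2 headers (-e) to a file. The filter is
# passed as one quoted argument: in a shell, unquoted parentheses start a
# subshell instead of being part of the expression.
capture() {
    # $1 = interface, $2 = output file, $3 = filter expression
    tcpdump -n -e -s 0 -i "$1" -w "$2" "$3"
}

# Reduce a large trace to the flow of interest without recapturing.
postfilter() {
    # $1 = input pcap, $2 = output pcap, $3 = filter expression
    tcpdump -n -r "$1" -w "$2" "$3"
}

CLIENT=10.10.10.10; CSH_IP=10.10.10.20; SERVER=11.11.11.11; SSH_IP=11.11.11.21

# Usage: sh capture_sh.sh run [seconds]   (requires root for tcpdump)
if [ "${1:-}" = run ]; then
    # On the client-side SteelHead: one trace per physical interface, both
    # running while the problem is reproduced.
    capture lan0_0 csh_lan.cap "$(lan_filter "$CLIENT" "$SERVER")" &
    p1=$!
    capture wan0_0 csh_wan.cap \
        "$(with_vlan "$(wan_filter "$CLIENT" "$SERVER" "$CSH_IP" "$SSH_IP")")" &
    p2=$!
    sleep "${2:-60}"          # reproduce the problem during this window
    kill "$p1" "$p2"; wait
    # Pull only the inner SteelHead-to-SteelHead connection out of the WAN trace.
    postfilter csh_wan.cap csh_wan_inner.cap "host $CSH_IP and host $SSH_IP"
fi
```

Run the same script on the server-side SteelHead with the LAN and WAN roles unchanged; the filters are symmetric because both addresses of each pair appear in every expression. The `with_vlan` wrapper is only needed on interfaces that carry tagged frames, and its clause order is not cosmetic: placing `vlan` first would make the untagged test fail on tagged frames.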
The following example captures both VLAN-tagged and untagged traffic on port 7850 and ARP packets. The untagged clause must come before the vlan keyword, because vlan shifts the header offsets for every test that follows it:
tcpdump -i lan0_0 ((port 7850 or arp) or (vlan and (port 7850 or arp)))
Example
amnesiac # tcpdump
tcpdump: listening on primary
18:59:13.682568 amnesiac.domain.com.ssh > dhcp-22.domain.com.3277: P 3290808290:3290808342(52) ack 3412262693 win 5840 (DF) [dscp 0x10]
18:59:13.692513 amnesiac.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1 win 5840 (DF) [dscp 0x10]
18:59:13.702482 amnesiac.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1 win 5840 (DF) [dscp 0x10]
Product
SCC, Interceptor, SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c, Mobile Controller
Related Commands
RiOS TCP Dump Commands