Welcome to the Network Engineering Domain
Pape O. Fall's Blog

Nexus 9000 – TCPDUMP

With the evolution of SDN and network programmability, NX-OS has come a long way, integrating Linux-based tools to support:

  • Bash shell
  • Python shell
  • API access
  • Linux containers for custom applications

The Bash shell can be extremely powerful if you’re proficient in it. Today I want to show you a few commands, including running tcpdump captures from the Bash shell.

We will be working with the following setup today.

Here, we have daisy-chained three N9Ks and each N9K has a loopback address per the diagram above.

Let me show you right off the bat how much authority the dev-ops role has compared to the network-admin role. Both roles are predefined on the switch.

N9K1# show role name dev-ops

Role: dev-ops
  Description: Predefined system role for devops access. This role
  cannot be modified.
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  6       permit  command                         conf t ; username *     
  5       permit  command                         attach module *         
  4       permit  command                         slot *                  
  3       permit  command                         bcm module *            
  2       permit  command                         run bash *              
  1       permit  command                         python *
N9K1# show role name network-admin

Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write
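The dev-ops role above permits "run bash *" and "python *", and further down the post shows that the resulting shell runs as root, so any role that grants those commands is root on the switch regardless of what else it restricts. The following script is an added example (mine, not part of the post and not an NX-OS tool): it audits "show role" output in exactly the format shown above and flags the rules that hand out a root shell, plus the "conf t ; username" rule, which lets a role create or modify local accounts. The sample input is the two role listings from the post plus a third, constructed read-only role for contrast.

```sh
#!/bin/sh
# Added example: flag NX-OS roles whose "permit command" rules grant a root
# shell ("run bash", "python") or account management ("conf t ; username").
# Input format is the "show role name <role>" output shown in the post.
# SAMPLE_ROLES is constructed: the first two roles are copied from the post,
# "netops-readonly" is an invented, harmless role used for contrast.

SAMPLE_ROLES='Role: dev-ops
  Description: Predefined system role for devops access. This role
  cannot be modified.
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  6       permit  command                         conf t ; username *
  5       permit  command                         attach module *
  4       permit  command                         slot *
  3       permit  command                         bcm module *
  2       permit  command                         run bash *
  1       permit  command                         python *
Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read-write
Role: netops-readonly
  Description: constructed example of a role with no shell access
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  1       permit  read'

# shell_capable_roles: read "show role" text on stdin and print
# "<role>: <entity>" for every rule that is root-equivalent.
# network-admin is intentionally not flagged: "permit read-write" is the
# designed admin role, the point is to catch other roles that reach root.
shell_capable_roles() {
  awk '
    /^Role: / { role = $2; next }
    $2 == "permit" && $3 == "command" {
      # the Entity column is everything after "<rule> permit command"
      entity = $0
      sub(/^[ \t]*[0-9]+[ \t]+permit[ \t]+command[ \t]+/, "", entity)
      sub(/[ \t]+$/, "", entity)
      if (entity ~ /^(run bash|python|conf t ; username)/)
        print role ": " entity
    }'
}

# shell_capable_count: number of flagged rules (0 means nothing to review).
shell_capable_count() {
  shell_capable_roles | awk 'END { print NR }'
}

# Demo on the constructed sample; the three dev-ops rules are reported.
printf '%s\n' "$SAMPLE_ROLES" | shell_capable_roles
```

On a real switch, feed the script the full "show role" output instead of the sample; any role other than network-admin that shows up in the report should be treated as an administrator account when reviewing who holds it.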

Very well. The first thing we need to do on the switch is enable the Bash shell feature with the following command.

N9K2# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N9K2(config)# feature bash-shell

Then we’ll need to run Bash via the following command.

N9K2(config)# run bash 
bash-4.2$ 

From here we can run Linux commands, such as checking which user we are logged in as or the IP addresses configured on the interfaces. Note that the shell runs as root. Let’s see what it looks like.

bash-4.2# whoami
root
bash-4.2# 
bash-4.2# ifconfig Eth1-1
Eth1-1    Link encap:Ethernet  HWaddr 50:00:00:02:00:07  
          inet addr:12.1.1.2  Bcast:12.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22291 errors:0 dropped:1118 overruns:0 frame:0
          TX packets:21740 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:1782315 (1.6 MiB)  TX bytes:2052782 (1.9 MiB)

We can also enter the Python interpreter by issuing the command “python”.

bash-4.2# python
Python 2.7.2 (default, Mar  9 2015, 15:52:40) 
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>                                 
>>> print "This is a RouteLeak Post"
This is a RouteLeak Post
>>> exit()
bash-4.2#

The following command shows the system memory statistics.

bash-4.2# cat /proc/meminfo 
MemTotal:        8160556 kB
MemFree:         3976384 kB
Buffers:          105100 kB
Cached:          2261472 kB
SwapCached:            0 kB
Active:          1672992 kB
Inactive:        1942984 kB
Active(anon):    1288524 kB
Inactive(anon):  1170640 kB
Active(file):     384468 kB
Inactive(file):   772344 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                16 kB
Writeback:             0 kB
AnonPages:       1249380 kB
Mapped:           355276 kB
Shmem:           1209784 kB
Slab:             189916 kB
SReclaimable:      60488 kB
SUnreclaim:       129428 kB
KernelStack:        4496 kB
PageTables:        39132 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:     4080276 kB
Committed_AS:   15524496 kB
VmallocTotal:   34359738367 kB
VmallocUsed:      205924 kB
VmallocChunk:   34359477368 kB
HardwareCorrupted:     0 kB
DirectMap4k:       15872 kB
DirectMap2M:     8370176 kB
bash-4.2#

Let’s now see how we can run some tcpdump captures. I’ll SSH from N9K3 to N9K1 and see what we get on N9K2, which sits in the middle of the chain. Note that I’m running EIGRP across this network, so we will most likely see control-plane traffic as well.

Capture Packets from a Specific Interface

Here we can see the SSH traffic from N9K3 to N9K1, including the TCP three-way handshake (SYN, SYN-ACK, ACK), which proves that the traffic is bidirectional. We can also see the EIGRP hello messages. This is a powerful troubleshooting tool.

Note that the “-i” argument tells tcpdump to capture on the specified interface. Let’s see more options.

bash-4.2# tcpdump -i Eth1-2   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:01:20.102577 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [S], seq 1038436184, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 305303 ecr 0], length 0
03:01:20.110604 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [S.], seq 3036020708, ack 1038436185, win 16768, options [mss 536,nop,nop,TS val 303179 ecr 305303], length 0
03:01:20.121883 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 305303 ecr 303179], length 0
03:01:20.130863 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 305303 ecr 303179], length 26
03:01:20.243528 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1:32, ack 27, win 16742, options [nop,nop,TS val 303180 ecr 305303], length 31
03:01:20.252382 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], seq 27:551, ack 32, win 16768, options [nop,nop,TS val 305304 ecr 303180], length 524
03:01:20.252753 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 551:931, ack 32, win 16768, options [nop,nop,TS val 305304 ecr 303180], length 380
03:01:20.277776 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 32:424, ack 551, win 16244, options [nop,nop,TS val 303180 ecr 305304], length 392
03:01:20.382800 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [.], ack 931, win 16768, options [nop,nop,TS val 303181 ecr 305304], length 0
03:01:20.399410 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 931:1011, ack 424, win 16768, options [nop,nop,TS val 305305 ecr 303180], length 80
03:01:20.429566 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 424:824, ack 1011, win 16768, options [nop,nop,TS val 303182 ecr 305305], length 400
03:01:20.450165 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1011:1027, ack 824, win 16768, options [nop,nop,TS val 305306 ecr 303182], length 16
03:01:20.571640 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [.], ack 1027, win 16768, options [nop,nop,TS val 303183 ecr 305306], length 0
03:01:20.581508 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1027:1079, ack 824, win 16768, options [nop,nop,TS val 305307 ecr 303183], length 52
03:01:20.593222 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 824:876, ack 1079, win 16768, options [nop,nop,TS val 303183 ecr 305307], length 52
03:01:20.605354 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1079:1147, ack 876, win 16768, options [nop,nop,TS val 305308 ecr 303183], length 68
03:01:20.623116 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 876:1028, ack 1147, win 16768, options [nop,nop,TS val 303184 ecr 305308], length 152
03:01:20.633636 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1147:1247, ack 1028, win 16768, options [nop,nop,TS val 305308 ecr 303184], length 100
03:01:20.646960 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1028:1096, ack 1247, win 16768, options [nop,nop,TS val 303184 ecr 305308], length 68
03:01:20.758076 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 305309 ecr 303184], length 0
03:01:21.061715 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:01:23.012370 IP 23.1.1.2 > 224.0.0.10: EIGRP Hello, length: 40
03:01:23.127986 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1247:1331, ack 1096, win 16768, options [nop,nop,TS val 305332 ecr 303184], length 84
03:01:23.173127 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1096:1148, ack 1331, win 16768, options [nop,nop,TS val 303209 ecr 305332], length 52
03:01:23.184437 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1331:1415, ack 1148, win 16768, options [nop,nop,TS val 305332 ecr 303209], length 84
03:01:23.199359 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1148:1184, ack 1415, win 16768, options [nop,nop,TS val 303209 ecr 305332], length 36
03:01:23.223719 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1415:1551, ack 1184, win 16768, options [nop,nop,TS val 305333 ecr 303209], length 136
03:01:23.237886 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1184:1236, ack 1551, win 16768, options [nop,nop,TS val 303209 ecr 305333], length 52
03:01:23.248454 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1551:1943, ack 1236, win 16768, options [nop,nop,TS val 305333 ecr 303209], length 392
03:01:23.261001 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1236:1360, ack 1943, win 16768, options [nop,nop,TS val 303209 ecr 305333], length 124
03:01:23.266448 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 1360:1412, ack 1943, win 16768, options [nop,nop,TS val 303209 ecr 305333], length 52
03:01:23.375846 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 1412, win 16768, options [nop,nop,TS val 305334 ecr 303209], length 0
03:01:23.773652 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [.], seq 1412:1936, ack 1943, win 16768, options [nop,nop,TS val 303214 ecr 305334], length 524
03:01:23.773756 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [.], seq 1936:2460, ack 1943, win 16768, options [nop,nop,TS val 303214 ecr 305334], length 524
03:01:23.773779 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [.], seq 2460:2984, ack 1943, win 16768, options [nop,nop,TS val 303214 ecr 305334], length 524
03:01:23.773800 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 2984:3128, ack 1943, win 16768, options [nop,nop,TS val 303214 ecr 305334], length 144
03:01:23.875113 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 2984, win 16768, options [nop,nop,TS val 305338 ecr 303214], length 0
03:01:23.891058 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 3128, win 16768, options [nop,nop,TS val 305339 ecr 303214], length 0
03:01:23.916123 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [P.], seq 3128:3180, ack 1943, win 16768, options [nop,nop,TS val 303216 ecr 305339], length 52
03:01:24.025585 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 3180, win 16768, options [nop,nop,TS val 305341 ecr 303216], length 0
03:01:25.503786 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
^C
41 packets captured
41 packets received by filter
0 packets dropped by kernel
bash-4.2#

Capture a Limited Number of Packets

Here the “-c 6” argument stops the capture after 6 packets.

bash-4.2# tcpdump -c 6 -i Eth1-2   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:07:26.384493 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:07:27.651315 IP 23.1.1.3.59755 > 12.1.1.1.ssh: Flags [S], seq 1131142731, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 308888 ecr 0], length 0
03:07:27.670892 IP 12.1.1.1.ssh > 23.1.1.3.59755: Flags [S.], seq 3540316226, ack 1131142732, win 16768, options [mss 536,nop,nop,TS val 306763 ecr 308888], length 0
03:07:27.684352 IP 23.1.1.3.59755 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 308889 ecr 306763], length 0
03:07:27.693622 IP 23.1.1.3.59755 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 308889 ecr 306763], length 26
03:07:27.783747 IP 12.1.1.1.ssh > 23.1.1.3.59755: Flags [P.], seq 1:32, ack 27, win 16742, options [nop,nop,TS val 306764 ecr 308889], length 31
6 packets captured
6 packets received by filter
0 packets dropped by kernel

Show Available Interfaces

Here the “-D” argument lists the interfaces tcpdump can capture on.

bash-4.2# tcpdump -D
1.ps-eobc
2.ps-inb
3.veobc
4.tap-inb
5.ps-diag
6.sflow
7.pmn
8.Lo0
9.ps-sup-eth1
10.Eth1-1
11.Eth1-2
12.Eth1-3
13.Eth1-4
14.Eth1-5
15.Eth1-6
16.Eth1-7
17.eth2
18.eth3
19.eth4
20.eth5
21.eth6
22.eth7
23.eth8
24.any (Pseudo-device that captures on all interfaces)
25.lo

Capture and Save Capture as a pcap File

Here the “-w” argument writes the captured packets to a file in pcap format instead of decoding them on the terminal.

bash-4.2# tcpdump -w routeleak.pcap -i Eth1-2
tcpdump: listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
^C51 packets captured
51 packets received by filter
0 packets dropped by kernel
bash-4.2#

Read PCAP File

Here the “-r” argument reads and decodes the packets saved in routeleak.pcap.

bash-4.2# tcpdump -r routeleak.pcap 
reading from file routeleak.pcap, link-type EN10MB (Ethernet)
03:18:14.030612 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:18:14.636635 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [S], seq 1294388881, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 315198 ecr 0], length 0
03:18:14.640347 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [S.], seq 2455402593, ack 1294388882, win 16768, options [mss 536,nop,nop,TS val 313075 ecr 315198], length 0
03:18:14.642699 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 315199 ecr 313075], length 0
03:18:14.643994 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 315199 ecr 313075], length 26
03:18:14.689275 IP 23.1.1.2 > 224.0.0.10: EIGRP Hello, length: 40
03:18:14.714286 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1:32, ack 27, win 16742, options [nop,nop,TS val 313076 ecr 315199], length 31
03:18:14.718448 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], seq 27:551, ack 32, win 16768, options [nop,nop,TS val 315199 ecr 313076], length 524
03:18:14.718624 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 551:931, ack 32, win 16768, options [nop,nop,TS val 315199 ecr 313076], length 380
03:18:14.722292 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 32:424, ack 551, win 16244, options [nop,nop,TS val 313076 ecr 315199], length 392
03:18:14.827989 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [.], ack 931, win 16768, options [nop,nop,TS val 313077 ecr 315199], length 0
03:18:14.830501 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 931:1011, ack 424, win 16768, options [nop,nop,TS val 315200 ecr 313076], length 80
03:18:14.842121 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 424:824, ack 1011, win 16768, options [nop,nop,TS val 313077 ecr 315200], length 400
03:18:14.851933 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1011:1027, ack 824, win 16768, options [nop,nop,TS val 315201 ecr 313077], length 16
03:18:14.962113 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [.], ack 1027, win 16768, options [nop,nop,TS val 313078 ecr 315201], length 0
03:18:14.964916 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1027:1079, ack 824, win 16768, options [nop,nop,TS val 315202 ecr 313078], length 52
03:18:14.977827 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 824:876, ack 1079, win 16768, options [nop,nop,TS val 313078 ecr 315202], length 52
03:18:14.979986 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1079:1147, ack 876, win 16768, options [nop,nop,TS val 315202 ecr 313078], length 68
03:18:14.991010 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 876:1028, ack 1147, win 16768, options [nop,nop,TS val 313078 ecr 315202], length 152
03:18:14.995734 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1147:1247, ack 1028, win 16768, options [nop,nop,TS val 315202 ecr 313078], length 100
03:18:15.001740 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1028:1096, ack 1247, win 16768, options [nop,nop,TS val 313078 ecr 315202], length 68
03:18:15.134580 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 315203 ecr 313078], length 0
03:18:18.206618 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1247:1331, ack 1096, win 16768, options [nop,nop,TS val 315233 ecr 313078], length 84
03:18:18.227503 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1096:1148, ack 1331, win 16768, options [nop,nop,TS val 313110 ecr 315233], length 52
03:18:18.235354 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1331:1415, ack 1148, win 16768, options [nop,nop,TS val 315233 ecr 313110], length 84
03:18:18.240117 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1148:1184, ack 1415, win 16768, options [nop,nop,TS val 313110 ecr 315233], length 36
03:18:18.243018 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1415:1551, ack 1184, win 16768, options [nop,nop,TS val 315234 ecr 313110], length 136
03:18:18.246982 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1184:1236, ack 1551, win 16768, options [nop,nop,TS val 313110 ecr 315234], length 52
03:18:18.250965 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [P.], seq 1551:1943, ack 1236, win 16768, options [nop,nop,TS val 315234 ecr 313110], length 392
03:18:18.256604 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1236:1360, ack 1943, win 16768, options [nop,nop,TS val 313110 ecr 315234], length 124
03:18:18.259358 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 1360:1412, ack 1943, win 16768, options [nop,nop,TS val 313110 ecr 315234], length 52
03:18:18.368109 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 1412, win 16768, options [nop,nop,TS val 315235 ecr 313110], length 0
03:18:18.504320 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:18:18.741992 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [.], seq 1412:1936, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 524
03:18:18.746902 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [.], seq 1936:2460, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 524
03:18:18.749880 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2460:2504, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 44
03:18:18.761270 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2504:2556, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 52
03:18:18.761534 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2556:2640, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 84
03:18:18.762135 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2640:2724, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 84
03:18:18.762984 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2724:2840, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.763801 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2840:2956, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.764702 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 2956:3072, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.765546 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 3072:3188, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.766424 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 3188:3304, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.767292 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 3304:3420, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.768096 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 3420:3536, ack 1943, win 16768, options [nop,nop,TS val 313115 ecr 315235], length 116
03:18:18.768770 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 2460, win 16768, options [nop,nop,TS val 315238 ecr 313115], length 0
03:18:18.808496 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 3536, win 16768, options [nop,nop,TS val 315239 ecr 313115], length 0
03:18:18.916995 IP 12.1.1.1.ssh > 23.1.1.3.60196: Flags [P.], seq 3536:3588, ack 1943, win 16768, options [nop,nop,TS val 313116 ecr 315239], length 52
03:18:19.025147 IP 23.1.1.3.60196 > 12.1.1.1.ssh: Flags [.], ack 3588, win 16768, options [nop,nop,TS val 315241 ecr 313116], length 0
03:18:19.427295 IP 23.1.1.2 > 224.0.0.10: EIGRP Hello, length: 40
bash-4.2#

Capture only TCP Packets

Here the “tcp” filter expression restricts the capture to TCP traffic; note that the EIGRP hellos no longer appear.

bash-4.2# tcpdump -i Eth1-2 tcp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:23:00.129047 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [S], seq 1367673655, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 317983 ecr 0], length 0
03:23:00.142052 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [S.], seq 1915848311, ack 1367673656, win 16768, options [mss 536,nop,nop,TS val 315860 ecr 317983], length 0
03:23:00.149723 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 317983 ecr 315860], length 0
03:23:00.156012 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 317983 ecr 315860], length 26
03:23:00.241932 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 1:32, ack 27, win 16742, options [nop,nop,TS val 315861 ecr 317983], length 31
03:23:00.252104 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [.], seq 27:551, ack 32, win 16768, options [nop,nop,TS val 317984 ecr 315861], length 524
03:23:00.257969 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 551:931, ack 32, win 16768, options [nop,nop,TS val 317984 ecr 315861], length 380
03:23:00.278522 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 32:424, ack 551, win 16244, options [nop,nop,TS val 315861 ecr 317984], length 392
03:23:00.378251 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [.], ack 931, win 16768, options [nop,nop,TS val 315862 ecr 317984], length 0
03:23:00.384432 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 931:1011, ack 424, win 16768, options [nop,nop,TS val 317986 ecr 315861], length 80
03:23:00.402645 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 424:824, ack 1011, win 16768, options [nop,nop,TS val 315863 ecr 317986], length 400
03:23:00.417487 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 1011:1027, ack 824, win 16768, options [nop,nop,TS val 317986 ecr 315863], length 16
03:23:00.535247 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [.], ack 1027, win 16768, options [nop,nop,TS val 315864 ecr 317986], length 0
03:23:00.557454 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 1027:1079, ack 824, win 16768, options [nop,nop,TS val 317987 ecr 315864], length 52
03:23:00.571275 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 824:876, ack 1079, win 16768, options [nop,nop,TS val 315864 ecr 317987], length 52
03:23:00.579361 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 1079:1147, ack 876, win 16768, options [nop,nop,TS val 317988 ecr 315864], length 68
03:23:00.597793 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 876:1028, ack 1147, win 16768, options [nop,nop,TS val 315864 ecr 317988], length 152
03:23:00.612128 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [P.], seq 1147:1247, ack 1028, win 16768, options [nop,nop,TS val 317988 ecr 315864], length 100
03:23:00.626996 IP 12.1.1.1.ssh > 23.1.1.3.60284: Flags [P.], seq 1028:1096, ack 1247, win 16768, options [nop,nop,TS val 315865 ecr 317988], length 68
03:23:00.731460 IP 23.1.1.3.60284 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 317989 ecr 315865], length 0
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel

Capture only from Specific Ports

Here the “port” filter expression restricts the capture to traffic with the specified source or destination port. Since we’re testing with SSH, let’s capture port 22.

bash-4.2# tcpdump -i Eth1-2 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:27:58.452183 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [S], seq 1443147406, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 320893 ecr 0], length 0
03:27:58.466794 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [S.], seq 4232907950, ack 1443147407, win 16768, options [mss 536,nop,nop,TS val 318770 ecr 320893], length 0
03:27:58.480000 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 320894 ecr 318770], length 0
03:27:58.487239 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 320894 ecr 318770], length 26
03:27:58.599528 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [.], ack 27, win 16742, options [nop,nop,TS val 318771 ecr 320894], length 0
03:27:58.625617 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 1:32, ack 27, win 16742, options [nop,nop,TS val 318771 ecr 320894], length 31
03:27:58.638371 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [.], seq 27:551, ack 32, win 16768, options [nop,nop,TS val 320895 ecr 318771], length 524
03:27:58.639100 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 551:931, ack 32, win 16768, options [nop,nop,TS val 320895 ecr 318771], length 380
03:27:58.647473 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 32:424, ack 551, win 16244, options [nop,nop,TS val 318771 ecr 320895], length 392
03:27:58.748482 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [.], ack 931, win 16768, options [nop,nop,TS val 318772 ecr 320895], length 0
03:27:58.763803 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 931:1011, ack 424, win 16768, options [nop,nop,TS val 320896 ecr 318771], length 80
03:27:58.784069 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 424:824, ack 1011, win 16768, options [nop,nop,TS val 318773 ecr 320896], length 400
03:27:58.809078 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 1011:1027, ack 824, win 16768, options [nop,nop,TS val 320897 ecr 318773], length 16
03:27:58.936060 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [.], ack 1027, win 16768, options [nop,nop,TS val 318774 ecr 320897], length 0
03:27:58.989185 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 1027:1079, ack 824, win 16768, options [nop,nop,TS val 320898 ecr 318774], length 52
03:27:59.010312 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 824:876, ack 1079, win 16768, options [nop,nop,TS val 318775 ecr 320898], length 52
03:27:59.031038 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 1079:1147, ack 876, win 16768, options [nop,nop,TS val 320899 ecr 318775], length 68
03:27:59.046603 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 876:1028, ack 1147, win 16768, options [nop,nop,TS val 318775 ecr 320899], length 152
03:27:59.062177 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [P.], seq 1147:1247, ack 1028, win 16768, options [nop,nop,TS val 320899 ecr 318775], length 100
03:27:59.136056 IP 12.1.1.1.ssh > 23.1.1.3.60464: Flags [P.], seq 1028:1096, ack 1247, win 16768, options [nop,nop,TS val 318776 ecr 320899], length 68
03:27:59.251278 IP 23.1.1.3.60464 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 320901 ecr 318776], length 0
^C
21 packets captured
21 packets received by filter
0 packets dropped by kernel

Capture from Source IP

Here the “src” filter expression restricts the capture to traffic with the specified source IP. In our case, it’s going to be 23.1.1.3. Note that only the N9K3 side of the SSH conversation is shown, along with the EIGRP hellos that N9K3 sends.

bash-4.2# tcpdump -i Eth1-2 src 23.1.1.3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:30:18.636481 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [S], seq 1479480719, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 322259 ecr 0], length 0
03:30:18.649255 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [.], ack 3801004733, win 16768, options [nop,nop,TS val 322259 ecr 320136], length 0
03:30:18.656980 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 0:26, ack 1, win 16768, options [nop,nop,TS val 322259 ecr 320136], length 26
03:30:18.717820 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:30:18.767307 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [.], seq 26:550, ack 32, win 16768, options [nop,nop,TS val 322260 ecr 320137], length 524
03:30:18.774976 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 550:930, ack 32, win 16768, options [nop,nop,TS val 322260 ecr 320137], length 380
03:30:18.883683 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 930:1010, ack 424, win 16768, options [nop,nop,TS val 322262 ecr 320137], length 80
03:30:18.904762 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 1010:1026, ack 824, win 16768, options [nop,nop,TS val 322262 ecr 320138], length 16
03:30:19.015095 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 1026:1078, ack 824, win 16768, options [nop,nop,TS val 322263 ecr 320140], length 52
03:30:19.032396 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 1078:1146, ack 876, win 16768, options [nop,nop,TS val 322263 ecr 320140], length 68
03:30:19.048960 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [P.], seq 1146:1246, ack 1028, win 16768, options [nop,nop,TS val 322263 ecr 320140], length 100
03:30:19.168147 IP 23.1.1.3.60640 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 322264 ecr 320140], length 0
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel

Capture from Destination IP

Here the “dst” filter expression restricts the capture to traffic with the specified destination IP. In our case, it’s going to be 12.1.1.1.

bash-4.2# tcpdump -i Eth1-2 dst 12.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Eth1-2, link-type EN10MB (Ethernet), capture size 65535 bytes
03:32:04.187492 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [S], seq 1506005022, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 323289 ecr 0], length 0
03:32:04.201134 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [.], ack 2395134095, win 16768, options [nop,nop,TS val 323289 ecr 321165], length 0
03:32:04.201834 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 0:26, ack 1, win 16768, options [nop,nop,TS val 323289 ecr 321165], length 26
03:32:04.301680 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [.], seq 26:550, ack 32, win 16768, options [nop,nop,TS val 323290 ecr 321166], length 524
03:32:04.309300 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 550:930, ack 32, win 16768, options [nop,nop,TS val 323290 ecr 321166], length 380
03:32:04.425367 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 930:1010, ack 424, win 16768, options [nop,nop,TS val 323291 ecr 321166], length 80
03:32:04.458312 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 1010:1026, ack 824, win 16768, options [nop,nop,TS val 323291 ecr 321167], length 16
03:32:04.574624 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 1026:1078, ack 824, win 16768, options [nop,nop,TS val 323292 ecr 321169], length 52
03:32:04.588415 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 1078:1146, ack 876, win 16768, options [nop,nop,TS val 323292 ecr 321169], length 68
03:32:04.608973 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [P.], seq 1146:1246, ack 1028, win 16768, options [nop,nop,TS val 323293 ecr 321169], length 100
03:32:04.735280 IP 23.1.1.3.60672 > 12.1.1.1.ssh: Flags [.], ack 1096, win 16768, options [nop,nop,TS val 323294 ecr 321169], length 0
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
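The filter sections above show what “tcp”, “port”, “src” and “dst” keep, and the first capture is read by eye to confirm the three-way handshake. The following script is an added example (mine, not from the post) that does both offline against tcpdump’s one-line text output in the format shown above: it emulates those four filter primitives on already-captured lines and reports, per client flow, whether SYN, SYN-ACK and the final ACK were all seen. It assumes IPv4 and the default decode; “ssh” is mapped to 22 because tcpdump prints service names unless run with -nn. The sample lines are constructed: the first six are copied from the post’s output, the last two are an invented flow (client port 59700) whose SYN is retransmitted and never answered.

```sh
#!/bin/sh
# Added example: offline analysis of tcpdump text lines (post's format).
# SAMPLE_CAPTURE is constructed: lines 1-6 are from the post, lines 7-8 are
# an invented flow whose SYN is retransmitted and never answered.
SAMPLE_CAPTURE='03:01:20.102577 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [S], seq 1038436184, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 305303 ecr 0], length 0
03:01:20.110604 IP 12.1.1.1.ssh > 23.1.1.3.59662: Flags [S.], seq 3036020708, ack 1038436185, win 16768, options [mss 536,nop,nop,TS val 303179 ecr 305303], length 0
03:01:20.121883 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [.], ack 1, win 16768, options [nop,nop,TS val 305303 ecr 303179], length 0
03:01:20.130863 IP 23.1.1.3.59662 > 12.1.1.1.ssh: Flags [P.], seq 1:27, ack 1, win 16768, options [nop,nop,TS val 305303 ecr 303179], length 26
03:01:21.061715 IP 23.1.1.3 > 224.0.0.10: EIGRP Hello, length: 40
03:01:23.012370 IP 23.1.1.2 > 224.0.0.10: EIGRP Hello, length: 40
03:01:30.500000 IP 23.1.1.3.59700 > 12.1.1.1.ssh: Flags [S], seq 2222222222, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 305400 ecr 0], length 0
03:01:31.500000 IP 23.1.1.3.59700 > 12.1.1.1.ssh: Flags [S], seq 2222222222, win 16384, options [mss 536,nop,wscale 0,nop,nop,TS val 305500 ecr 0], length 0'

sample_capture() { printf '%s\n' "$SAMPLE_CAPTURE"; }
count_lines() { awk 'END { print NR }'; }

# tcpdump_filter KIND [ARG]: keep the stdin lines that the tcpdump filter
# "tcp", "port ARG", "src ARG" or "dst ARG" would have captured.
# Fields: $3 = source endpoint, $5 = destination endpoint (trailing colon),
# $6 = "Flags" for TCP lines. IPv4 only: "a.b.c.d.port" has five dot parts.
tcpdump_filter() {
  awk -v kind="$1" -v arg="$2" '
    function ep_host(s,   n, p) { n = split(s, p, "."); return (n == 5) ? (p[1] "." p[2] "." p[3] "." p[4]) : s }
    function ep_port(s,   n, p) { n = split(s, p, "."); return (n == 5) ? p[5] : "" }
    {
      src = $3; dst = $5; sub(/:$/, "", dst)
      sp = ep_port(src); dp = ep_port(dst)
      if (sp == "ssh") sp = "22"      # tcpdump resolved the service name
      if (dp == "ssh") dp = "22"
      keep = 0
      if (kind == "tcp")       keep = ($6 == "Flags")
      else if (kind == "port") keep = (sp == arg || dp == arg)
      else if (kind == "src")  keep = (ep_host(src) == arg)
      else if (kind == "dst")  keep = (ep_host(dst) == arg)
      if (keep) print
    }'
}

# tcp_handshakes: one line per client flow, "client > server STATE", where
# STATE is complete (SYN, SYN-ACK and final ACK all seen), no-syn-ack (server
# never answered, or its direction was filtered out as in the "src" capture
# above) or no-final-ack. Relies on tcpdump printing the final ACK as "ack 1".
tcp_handshakes() {
  awk '
    $6 != "Flags" { next }
    {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = $7; sub(/,$/, "", flags)
      if (flags == "[S]")       syn[src " > " dst] = 1
      else if (flags == "[S.]") synack[dst " > " src] = 1
      else if (flags == "[.]" && $8 == "ack" && $9 == "1,") ack[src " > " dst] = 1
    }
    END {
      for (k in syn) {
        if (k in synack && k in ack) state = "complete"
        else if (k in synack)        state = "no-final-ack"
        else                         state = "no-syn-ack"
        print k " " state
      }
    }' | sort
}

# eigrp_hellos: hello count per sending neighbour, to confirm which routers
# on the segment are actually talking.
eigrp_hellos() {
  awk '$6 == "EIGRP" && $7 == "Hello," { n[$3]++ } END { for (s in n) print s, n[s] }' | sort
}

# Demo: "dst" drops the EIGRP hellos that "src" keeps, and the second flow
# is reported as no-syn-ack.
sample_capture | tcpdump_filter dst 12.1.1.1
sample_capture | tcp_handshakes
sample_capture | eigrp_hellos
```

To use it on a real capture, save the text with "tcpdump -nn -i Eth1-2 > capture.txt" and pipe the file into the functions; -nn keeps ports numeric so the ssh mapping is not needed. A flow reported as no-syn-ack in a capture that was not direction-filtered means the far end never replied, which is exactly the "is it reaching the switch" question the post closes on.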

As you can see, this is a powerful tool that we can leverage for troubleshooting. It tells us right off the bat whether a specific traffic flow is reaching or transiting the switch.

That’s all I wanted to show you today.

Comments

  1. Yuichiro Suzuki says:

    Thank you for your good information!!!
    I understand how to use tcpdump on Nexus9k platform.
    Cisco’s website is complicated, so it is hard to access the information I need.
    I was able to solve a problem by using tcpdump!
    Thanks!!!

  2. Pape says:

    I’m glad this has been useful!

  3. Basavaprabhu Badami says:

    You made life easy mate!!!
    Thank you very much for your effort…

    Good Job!

A Little About Myself

Hello I'm Pape. My friends call me Pop. I'm CCIE #48357. I enjoy my field and love to share it with others. I love to write so I'm sharing my blog with you.
