Posted on December 2, 2021 6:20 pm | Asked by Brent Goodman

I want to forward TCPDump to Wireshark as described in; however, I think VRF is preventing packets from reaching the remote host that is running Wireshark.

To give some background, we have applied a VRF to the switch’s management port (m1). As a consequence, we have to use the VRF instance name when transferring files from the switch to a remote host as follows: “copy running-config t vrf MGT”. In the case of tcpdump-to-wireshark failing to work, my suspicion is that, from bash, tcpdump is prevented from forwarding packets to the remote host since there is no route to the remote host in the default VRF. In the following example from the article cited above, is there a way to forward tcpdump to Wireshark on a remote host via the management VRF, as with the above “copy” command example?

Forward-tcpdump-to-wireshark example

On the Arista switch:

tcpdump -s 0 -U -n -w - -i <interface> | nc <computer-ip> <port>

netcat -l -p <port> | wireshark -k -S -i -

The <port> is any open port that you choose to send the traffic over; for example, you could use port 5555.


Posted by Keerthi Bharathi
Answered on December 6, 2021 6:26 am

Hello Brent,

On the Arista switch, you could do the following to forward tcpdump to Wireshark via VRF:

1. Change the VRF context to management before entering bash. In this way netcat will be run in the management VRF.

From my lab switch:

Switch#cli vrf management
[admin@Switch ~]$ tcpdump -s 0 -U -n -w - -i ma1 | nc <computer-ip> 5555
tcpdump: listening on ma1, link-type EN10MB (Ethernet), capture size 262144 bytes

2. Use the netns exec command:

From my lab switch:

[admin@Switch ~]$ tcpdump -s 0 -U -n -w - -i ma1 | sudo ip netns exec ns-management nc <computer-ip> 5555
tcpdump: listening on ma1, link-type EN10MB (Ethernet), capture size 262144 bytes

Note: To check what namespaces are present on the device, you could do the following:

[admin@Switch ~]$ sudo ip netns list

Running netcat -l -p 5555 | wireshark -k -S -i - on my laptop shows the packets.

Alternatively, as mentioned in the link, using the single-step command on your Mac/Linux is easier and you wouldn't need to add the VRF.

For reference the command is:

ssh <username>@<switch> "bash tcpdump -s 0 -Un -w - -i <interface>" | wireshark -k -i - 

Hope this helps.
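As an added example (not part of the original question or answer), the following POSIX shell helper wraps the second method from the answer above: it maps the VRF name to the namespace EOS creates for it, confirms that namespace is actually present in `ip netns list` output before starting the capture, and only then runs the tcpdump-to-netcat pipeline inside it. The `ns-<vrf>` naming is taken from the `ns-management` example in the answer and is assumed to hold for other VRFs; the namespace list used in the self-check is a constructed sample, and `<computer-ip>` is a placeholder for the host running Wireshark.

```shell
#!/bin/sh
# Added helper, not from the original post: forward a tcpdump capture from
# an Arista switch through a VRF's network namespace to a remote Wireshark.

# Map an EOS VRF name to its Linux network namespace. The answer shows
# VRF "management" -> "ns-management"; the "ns-<vrf>" pattern for other
# VRFs is an assumption.
vrf_to_netns() {
    printf 'ns-%s\n' "$1"
}

# Return 0 if namespace $1 appears in the `ip netns list` output passed as $2.
# The output is passed in as text so this can be checked without root or a
# switch. `ip netns list` prints one name per line, optionally followed by
# " (id: N)", so only the first field is compared.
netns_present() {
    printf '%s\n' "$2" | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Build the exact pipeline the answer runs on the switch:
# tcpdump writes pcap to stdout, netcat inside the VRF's namespace ships it.
# Arguments: vrf iface host port. Fails if the port is not numeric.
build_forward_cmd() {
    vrf="$1"; iface="$2"; host="$3"; port="$4"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    ns=$(vrf_to_netns "$vrf")
    printf 'tcpdump -s 0 -U -n -w - -i %s | sudo ip netns exec %s nc %s %s\n' \
        "$iface" "$ns" "$host" "$port"
}

# Validate, then run the capture. Must be run on the switch from bash.
# Arguments: vrf iface host port, e.g. forward_capture management ma1 <computer-ip> 5555
forward_capture() {
    ns=$(vrf_to_netns "$1")
    if ! netns_present "$ns" "$(sudo ip netns list)"; then
        echo "namespace $ns not found; is VRF '$1' configured on this switch?" >&2
        return 1
    fi
    cmd=$(build_forward_cmd "$@") || return 1
    echo "running: $cmd" >&2
    tcpdump -s 0 -U -n -w - -i "$2" | sudo ip netns exec "$ns" nc "$3" "$4"
}
```

Source the file from bash on the switch and call `forward_capture management ma1 <computer-ip> 5555` while `netcat -l -p 5555 | wireshark -k -S -i -` is already listening on the remote host; the namespace check turns a silent "no packets arrive" failure into an explicit error when the VRF name is wrong.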

