Posted on July 3, 2017 10:56 pm
 |  Asked by Alex samad
 |  13313 views
RESOLVED
0
0
Print Friendly, PDF & Email

Hi

 

I thought tcpdump from the CLI would show me all the packets thats are coming and going on a interface, seems like it doesn’t.

 

Is there a way to get it to show me all the packets ?

 

 

0
Posted by John Tiso
Answered on July 3, 2017 11:05 pm

To mirror packets from the data plane (basically monitor an interface other than the management interface) you need 3 things:
1. A platform that supports advanced mirroring to the CPU.
2. Configure a mirror to CPU – this is configured like a normal mirror except destination is cpu (these sessions are rate limited):
monitor session session-cpu destination cpu
3. DANZ licensing. If you don’t have a DANZ license it will still work, you will just be out of compliance.

1
Posted by gad
Answered on July 3, 2017 11:19 pm

tcpdump is a linux tool that only knows about kernal interfaces. The front-panel interfaces on an Arista switch are controlled by the ASIC, and as such you will only see packets sourced from or destined to the switch if you use tcpdump on a front-panel interface. 

There are a couple of ways around this depending on your switch. First, you could use sflow and make the destination localhost, but this will not necessarily show all the packets as sflow takes a sampling of traffic. 

Some Arista switches support a feature called Advanced Mirroring or Mirror to EOS that allows you to mirror to the CPU after which you can use tcpdump to sniff the mirror0 interface (or mirror1/2/3 depending on how many you have running) which will provide what you want. Note that there is a limit of about 100Mbps when doing this, but advanced mirroring also allows you to apply ACLs to the mirror session as well as truncating packets, so the limitation is easily overcome. 

The switches that support this according to the 4.18.1F release notes are the 7500R, 7500E, 7280R, 7280E, and 7150 platforms. 

 

0
Posted by Upasana Dangi
Answered on July 3, 2017 11:20 pm

Hi Alex,

Running tcpdump on an interface/SVI only shows the traffic destined to the switch itself to be processed by the control plane. In order to capture the data plane traffic, we could try the following:

1. Port mirroring

Mirroring traffic to a port destined towards a collector/monitoring device 

https://www.arista.com/en/um-eos/eos-section-16-4-configuring-ports#ww1133898

2. Advanced mirroring to the CPU

On the 7150/7500E/7500R/7280E/7280R, we can run port mirroring on an interface and send one copy of the dataplane traffic to the CPU where the tcpdump utility can be used

https://www.arista.com/en/um-eos/eos-section-16-4-configuring-ports#ww1133898

[Section: 16.4.1.3 Filtered Mirroring to CPU]

3. Sflow

https://www.arista.com/en/um-eos/eos-section-44-1-sflow-conceptual-overview#ww1152186

0
Posted by Harshita Rastogi
Answered on July 4, 2017 1:55 am

Hello Alex,

tcpdump basically shows all the packets that are sent to the CPU.We do not see hardware switched packets in tcpdump. 

We have a feature where you can mirror all the traffic coming on the interface to CPU.  The command would be 

monitor session <session-name> destination cpu

This feature is supported on 7150S, 7280E and 7280R after a particular EOS version.

0
Posted by Andrey Nushtaev
Answered on July 4, 2017 1:02 pm

For platforms that don’t support mirroring to CPU (7050/7050X/7060X) you can mirror traffic to stateless GRE tunnel pointing to any Linux machine where you can decode traffic with Wireshark. There is one limitation though – you can mirror only ingress traffic to GRE tunnel, but if your traffic is between two Arista boxes you can mirror it from both points and receive egress traffic also.

Filters can be used to limit undesired traffic to be mirrored.

Marked as spam

Can this be the local linux machine ?

(Alex samad at July 6, 2017 12:45 am)
0
Posted by Alex samad
Answered on July 6, 2017 12:45 am

Thanks every one

Marked as spam

Post your Answer

You must be logged in to post an answer.