Running TCPDump on an Arista switch is a powerful feature that can help with troubleshooting, security investigations, and much more. Watching a packet capture live in TCPDump alone can be tricky, however, because you cannot use display filters, trace a packet through a conversation, or use the many other tools that Wireshark provides. In this article, we will go over how to forward a live TCPDump session to a local host computer running Wireshark.
Please refer to this article to learn the basics of TCPDump on an Arista switch.
All Arista platforms.
There are two ways we can go about forwarding TCPDump to our local computer. The first is a single command that uses ssh from our local machine to start the TCPDump and forward the packets back to our machine over the ssh session. The second is a two-step process in which we start the TCPDump on the Arista switch and send the packets over netcat, then accept the forwarded packets on our local computer and pipe them into Wireshark. You can use the one-step method if your account enters enable mode automatically at login. If you have to enter enable manually when you log in, you will need to use the two-step method.
C:\Users\AristaUser>ssh username@<switch> "bash tcpdump -s 0 -n -w - -U -i <interface> not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
Make sure you go back to the command prompt and enter your password.
ssh <username>@<switch> "bash tcpdump -s 0 -Un -w - -i <interface>" | wireshark -k -i -
On the Arista switch
tcpdump -s 0 -U -n -w - -i <interface> | nc <computer-ip> <port>
On the local computer (start this listener before running the tcpdump command on the switch, or the netcat connection from the switch will be refused)
netcat -l -p <port> | wireshark -k -S -i -
<port> is any open port that you choose to send the traffic over, for example, you could use port
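The netcat listener in the second step accepts a cleartext stream from any host that connects and trusts whatever arrives, so here is an added example (not from the article) of a hardened replacement for that step in Python: it accepts one connection, only from the switch's IP, verifies that the stream begins with the pcap global header that tcpdump -w - emits, and then relays it into Wireshark's stdin. The script, its relay() function and the constructed header layout are assumptions of this example; the Wireshark flags -k -S -i - are the ones used above.

```python
import socket
import struct
import subprocess
import sys

# pcap global header (24 bytes): magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_HEADER_LEN = 24
PCAP_MAGICS = {                      # magic bytes -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<",        # little-endian, microsecond timestamps (tcpdump default)
    b"\xa1\xb2\xc3\xd4": ">",        # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",        # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",        # big-endian, nanosecond timestamps
}

def parse_pcap_header(header: bytes) -> dict:
    """Check that `header` is a pcap global header as `tcpdump -w -` writes it."""
    if len(header) < PCAP_HEADER_LEN:
        raise ValueError("short read: %d bytes" % len(header))
    endian = PCAP_MAGICS.get(header[:4])
    if endian is None:
        raise ValueError("not a pcap stream, bad magic %s" % header[:4].hex())
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", header[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    return {"endian": endian, "snaplen": snaplen, "linktype": linktype}

def peer_allowed(peer_ip: str, switch_ip: str) -> bool:
    """Only the switch we started tcpdump on may feed the capture."""
    return peer_ip == switch_ip

def relay(port: int, switch_ip: str, wireshark_cmd=("wireshark", "-k", "-S", "-i", "-")):
    """Listen once, vet the peer and the stream, then pipe it into Wireshark (hypothetical helper)."""
    with socket.create_server(("", port)) as srv:
        conn, (peer_ip, _) = srv.accept()
        if not peer_allowed(peer_ip, switch_ip):
            conn.close()
            raise SystemExit("rejected connection from %s" % peer_ip)
        with conn:
            header = conn.recv(PCAP_HEADER_LEN, socket.MSG_WAITALL)
            parse_pcap_header(header)  # refuse anything that is not tcpdump -w - output
            # bufsize=0 keeps the pipe unbuffered so packets show up live, like tcpdump -U
            ws = subprocess.Popen(wireshark_cmd, stdin=subprocess.PIPE, bufsize=0)
            ws.stdin.write(header)
            while chunk := conn.recv(65536):
                ws.stdin.write(chunk)
            ws.stdin.close()
            ws.wait()

if __name__ == "__main__":  # usage: python listener.py <port> <switch-ip>
    relay(int(sys.argv[1]), sys.argv[2])
```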