TCPDUMP on an Arista switch and redirect or send output via email, SCP and TFTP


Sending TCPDUMP output to external servers

Objective

Perform tcpdump on the switch to help troubleshoot control-plane traffic (e.g. STP, OSPF, BGP, NTP) directed to the CPU of the switch, without impacting performance. Then redirect the output to an email, TFTP or FTP server.

Prerequisites

Email example

Security Considerations

Arista Networks EOS supports TLS and SMTP Authentication for email. It is important to understand that these protect the message on its way to the SMTP server, but do not guarantee security end-to-end. For example, if you send an email from a switch with TLS and AUTH enabled you can have a reasonable expectation that the message will reach the SMTP server securely. However, you cannot have a reasonable expectation that the SMTP server stores or relays the message securely. Additionally, the receiver may be using an IMAP client that is not configured for encrypted IMAP. For this reason, you should consider whether a given method in this article meets your specific security requirements. Consult your organization’s security practices and guidelines, as tcpdump data can be sensitive. If email is to be used, encrypting the pcap file before sending is prudent.

For this example we have a server connected to switched interface ethernet 12 on an Arista 7050T-64 switch. The server’s IP address is 10.10.10.5 and is pinging its default gateway 10.10.10.1. We will capture packets on the default gateway SVI interface.

In order to do this we will drop into the bash shell, invoke tcpdump on interface vlan10, pipe the output to the “email” command with a subject line of “tcpdump output” and send it to foo@aristanetworks.com as an attached text file.

Our switch is configured to send email using SMTP Authentication and Transport Layer Security (TLS) for additional security.

7050-02#bash

Arista Networks EOS shell

[admin@7050-02 ~]$ tcpdump -i vlan10 -c 20 | email -s "tcpdump output" foo@aristanetworks.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
20 packets captured
20 packets received by filter
0 packets dropped by kernel

[admin@7050-02 ~]$

SCP example

For this example, we will use the EOS command line directly. We will capture a specific number of packets to a file. Then we will copy the file to a workstation using secure copy (scp) from the OpenSSH suite. Secure transport methods are highly encouraged. The file will be in pcap format, ready to be read by tcpdump or Wireshark.

7050-02#tcpdump interface Vlan 10 packet-count 20 file /tmp/tcpdump.cap
tcpdump: listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
20 packets captured
20 packets received by filter
0 packets dropped by kernel
7050-02#

7050-02#copy flash:tcpdump.cap scp:foo@192.168.0.10/Users/foo/Downloads/tcpdump.cap
Password:
tcpdump.cap                                                                                          100% 2206     2.2KB/s   00:00
Copy completed successfully.
7050-02#

TFTP example

Security Considerations

Please understand that TFTP is inherently an insecure cleartext protocol. Consult your security organization and adhere to your specific security rules while using this method.

For this example, we will use the EOS command line directly. The syntax is nearly identical to the SCP example.

NOTE: If you are using the built-in TFTP server on OS X you may need to create an empty file with the same name as the file being uploaded. If you receive the error “errno 107: Transport endpoint is not connected”, this is likely the reason.

7050-02#copy flash:tcpdump.cap tftp://192.168.8.14/tcpdump.cap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2206    0     0  100  2206      0   180k --:--:-- --:--:-- --:--:--  180k
100  2206    0     0  100  2206      0   177k --:--:-- --:--:-- --:--:--  177k
Copy completed successfully.
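The email section above recommends encrypting the pcap before it leaves the switch, and the TFTP section notes that the transfer is cleartext with no integrity check. The following bash functions are an added example (not part of the Arista article or EOS) showing both: hash and encrypt the capture in the EOS bash shell, mail it as base64 text, and re-check the hash on the receiving workstation. Assumptions: tcpdump, sha256sum, base64 and an OpenSSL 1.1.1+ binary (for -pbkdf2) are available in the EOS bash shell, and the EOS "email" command accepts the message body on stdin with -s <subject> exactly as in the session above.

```shell
#!/bin/bash
# Added example, not from the original article. Hypothetical helper functions.

# Capture COUNT packets on IFACE into a pcap file (run from the EOS bash shell).
capture_pcap() {            # usage: capture_pcap vlan10 20 /tmp/tcpdump.cap
  tcpdump -i "$1" -c "$2" -w "$3"
}

# Write a SHA-256 sidecar and an AES-256-CBC copy (key derived with PBKDF2).
# The passphrase is read from PASSFILE (keep it mode 0600) rather than the
# command line, so it does not show up in the process list.
seal_pcap() {               # usage: seal_pcap /tmp/tcpdump.cap /tmp/pass.txt
  local pcap="$1" passfile="$2"
  sha256sum "$pcap" > "$pcap.sha256" || return 1
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$pcap" -out "$pcap.enc" \
    -pass "file:$passfile" || return 1
  printf '%s\n' "$pcap.enc"          # prints the encrypted file's path
}

# Reverse of seal_pcap, run on the workstation; non-zero exit on bad key/data.
open_pcap() {               # usage: open_pcap tcpdump.cap.enc pass.txt out.cap
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$3" -pass "file:$2"
}

# Recompute the hash after an SCP or TFTP transfer and compare with the sidecar.
# Returns 0 when the file is intact, 1 when it was truncated or altered.
verify_pcap() {             # usage: verify_pcap tcpdump.cap tcpdump.cap.sha256
  local expected actual
  expected=$(cut -d' ' -f1 "$2")
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Mail the encrypted capture as base64 text on stdin, never the raw pcap.
send_encrypted() {          # usage: send_encrypted /tmp/tcpdump.cap.enc foo@example.com
  base64 "$1" | email -s "tcpdump output (encrypted)" "$2"
}
```

On the workstation, run verify_pcap first and only then open_pcap; a hash mismatch after a TFTP copy means the file was truncated or modified in transit.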