Sending TCPDUMP output to external servers
Run tcpdump on the switch to troubleshoot control-plane traffic (e.g. STP, OSPF, BGP, NTP) that is directed to the switch CPU, without impacting forwarding performance, then get the output off the box to an email, SSH (scp) or TFTP server. Only traffic punted to the CPU is visible to tcpdump on the switch; transit traffic forwarded in hardware is not.
- Email server
- SSH server
- TFTP server
- DNS Resolution
- Arista switch already configured to send email (covered in a separate article)
Arista Networks EOS supports TLS and SMTP authentication for outbound email. This protects the first hop only, not the message end-to-end. If you send an email from a switch with TLS and AUTH enabled, you can reasonably expect the message to reach your SMTP server over an encrypted, authenticated session. You cannot assume that the SMTP server stores or relays the message securely, and the recipient may be reading mail over an unencrypted IMAP or POP session. Consider whether each method in this article meets your specific security requirements, and consult your organization's security practices and guidelines: tcpdump data can be sensitive (routing adjacencies, authentication exchanges, management traffic). If email is to be used, encrypt the pcap file before sending it.
For this example a server is connected to switched interface Ethernet 12 on an Arista 7050T-64. The server's IP address is 10.10.10.5 and it is pinging its default gateway, 10.10.10.1, which is the switch's VLAN 10 SVI. We will capture on that SVI (interface vlan10).
To do this we drop into the bash shell, invoke tcpdump on interface vlan10, pipe the output to the "email" command with a subject line of "tcpdump output", and send it to email@example.com as an attached text file.
The switch is configured to send email using SMTP authentication and Transport Layer Security (TLS).
```
7050-02#bash
Arista Networks EOS shell
[admin@7050-02 ~]$ tcpdump -i vlan10 -c 20 | email -s "tcpdump output" firstname.lastname@example.org
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
20 packets captured
20 packets received by filter
0 packets dropped by kernel
[admin@7050-02 ~]$
```
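The transcript above captures everything on vlan10 and stops after 20 packets. When the goal is control-plane troubleshooting, a tight BPF filter plus a packet count and a small snaplen keep the CPU cost and the size of the capture bounded. The following POSIX shell helper is an added example, not part of the Arista article or EOS itself: it maps protocol names to standard tcpdump BPF primitives and builds a bounded `tcpdump` command line. The interface name, output path and the protocol list (it goes beyond the article's STP/OSPF/BGP/NTP by adding LACP) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Arista article or EOS). Builds a bounded
# tcpdump invocation for control-plane protocols. Assumptions: interface
# name, output path and protocol list are illustrative; the BPF primitives
# are standard tcpdump syntax.
set -eu

# bpf_for <proto> -> prints the BPF expression for one control-plane protocol,
# returns 1 for a protocol it does not know.
bpf_for() {
    case "$1" in
        stp)  printf '%s' 'stp' ;;                  # 802.1D BPDUs (tcpdump keyword)
        ospf) printf '%s' 'ip proto 89' ;;          # OSPF runs directly over IP
        bgp)  printf '%s' 'tcp port 179' ;;
        ntp)  printf '%s' 'udp port 123' ;;
        lacp) printf '%s' 'ether proto 0x8809' ;;   # Slow Protocols ethertype (assumed addition)
        *)    printf 'unknown protocol: %s\n' "$1" >&2; return 1 ;;
    esac
}

# cp_filter <proto>... -> ORs the expressions, e.g. "(ip proto 89) or (tcp port 179)"
cp_filter() {
    out=""
    for p in "$@"; do
        e=$(bpf_for "$p") || return 1
        if [ -z "$out" ]; then out="($e)"; else out="$out or ($e)"; fi
    done
    printf '%s' "$out"
}

# capture_cmd <iface> <count> <outfile> <proto>... -> prints the tcpdump command.
# -c bounds how long the CPU spends in the capture; -s 256 keeps headers and the
# start of each payload (raise it if you need full BGP UPDATEs); -n stops the
# switch from doing DNS lookups while capturing; -U flushes each packet to the
# file so a capture that is interrupted is still readable.
capture_cmd() {
    iface=$1; count=$2; outfile=$3; shift 3
    f=$(cp_filter "$@") || return 1
    printf "tcpdump -n -U -i %s -c %s -s 256 -w %s '%s'" "$iface" "$count" "$outfile" "$f"
}

# Example: the article's vlan10 gateway SVI, 20 packets of OSPF and BGP only.
# /mnt/flash is where EOS exposes flash: (assumed path for illustration).
capture_cmd vlan10 20 /mnt/flash/cp.pcap ospf bgp
echo
```

Run the printed command from the EOS bash shell; the resulting pcap can then be copied off the switch with any of the methods below.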
For this example we use the EOS command line directly. We capture a fixed number of packets to a file, then copy the file to a workstation with secure copy (scp) from the OpenSSH suite. Secure transport methods are strongly encouraged. The file is written in pcap format, ready to be read by tcpdump or Wireshark. Note that in the transcript below the capture is written to /tmp/tcpdump.cap while the copy reads flash:tcpdump.cap; point both commands at the same location (flash: is the switch's persistent storage, /tmp is not) and delete the capture from the switch once it has been copied off.
```
7050-02#tcpdump interface Vlan 10 packet-count 20 file /tmp/tcpdump.cap
tcpdump: listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
20 packets captured
20 packets received by filter
0 packets dropped by kernel
7050-02#
7050-02#copy flash:tcpdump.cap scp:email@example.com/Users/foo/Downloads/tcpdump.cap
Password:
tcpdump.cap                                   100% 2206     2.2KB/s   00:00
Copy completed successfully.
7050-02#
```
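The email section above recommends encrypting the pcap before it leaves the switch, and scp protects the file only while it is in flight. The following POSIX shell helper is an added example, not from the Arista article or EOS: it encrypts a capture file at rest with a passphrase read from a file (so it never appears in `ps` or shell history) and records a SHA-256 digest that the receiver can check after transport. It assumes `openssl` is available in the shell where it runs; the file names and the constructed sample bytes are placeholders, not a real capture.

```shell
#!/bin/sh
# Added example (not from the Arista article or EOS). Encrypts a capture file
# before it is emailed or copied off the switch, and produces a digest for the
# receiver to verify. Assumption: openssl is present on the capturing host.
set -eu

# sha256 <file> -> prints the hex digest. openssl's label differs by version
# ("SHA256(f)= x" vs "SHA2-256(f)= x"), so take the last field.
sha256() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# encrypt_capture <pcap> <passfile> -> writes <pcap>.enc, prints its path.
# PBKDF2 with a random salt derives the key from the passphrase; the
# passphrase comes from a file (keep it mode 0600), not from argv.
encrypt_capture() {
    pcap=$1; passfile=$2; out="$1.enc"
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$pcap" -out "$out" -pass "file:$passfile"
    printf '%s' "$out"
}

# decrypt_capture <enc> <passfile> <out> -> restores the original pcap
decrypt_capture() {
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$3" -pass "file:$2"
}

# manifest <file> -> "digest  filename", to be sent by a separate channel
manifest() {
    printf '%s  %s\n' "$(sha256 "$1")" "$(basename "$1")"
}

# verify_manifest <file> <expected_hex> -> 0 if the digest matches, 1 otherwise
verify_manifest() {
    [ "$(sha256 "$1")" = "$2" ]
}

# Demo with a constructed file standing in for /tmp/tcpdump.cap (not a real pcap)
demo() {
    dir=$(mktemp -d)
    printf 'constructed capture bytes\n' > "$dir/tcpdump.cap"
    ( umask 077; printf 'correct horse battery staple\n' > "$dir/pass" )
    enc=$(encrypt_capture "$dir/tcpdump.cap" "$dir/pass")
    manifest "$enc"            # ship this line separately from the .enc file
    decrypt_capture "$enc" "$dir/pass" "$dir/roundtrip.cap"
    cmp -s "$dir/tcpdump.cap" "$dir/roundtrip.cap" && echo "round trip ok"
    rm -rf "$dir"
}

demo
```

Send the `.enc` file by email or scp and the manifest line by another channel (a ticket, a chat message); the receiver runs `verify_manifest` before decrypting. The passphrase has to reach the receiver separately as well, which is the usual limitation of symmetric file encryption.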
TFTP is an inherently insecure cleartext protocol with no authentication: anyone on the path can read or alter the capture in transit. Consult your security organization and follow your specific security rules before using this method.
For this example we again use the EOS command line directly. The syntax is nearly identical to the scp example.
NOTE: If you are using the built-in TFTP server on OS X you may need to create an empty file with the same name as the file being uploaded. If you receive the error "errno 107: Transport endpoint is not connected", this is the likely cause.
```
7050-02#copy flash:tcpdump.cap tftp://192.168.8.14/tcpdump.cap
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2206    0     0  100  2206      0   180k --:--:-- --:--:-- --:--:--  180k
100  2206    0     0  100  2206      0   177k --:--:-- --:--:-- --:--:--  177k
Copy completed successfully.
```