Using tcpdump for troubleshooting

 
 

tcpdump is a command-line packet sniffer (part of the Linux environment underlying EOS) that is used to assist in troubleshooting network problems.

Any traffic coming to or from the control plane of the switch is visible when running the tcpdump utility on the switch. This does not include data-plane traffic transiting the switch; to capture that type of traffic, Arista switches support Monitor/SPAN sessions, which copy traffic to a sniffer or other suitable capture device for analysis.

tcpdump allows users to instantly analyse important traffic such as Spanning Tree and routing protocols, as well as any other traffic destined to the switch itself (via an SVI or management IP address). To make full use of it, follow the directions below.

  1. The first step is to access the BASH shell:
Arista#bash
Arista Networks EOS shell
[admin@Arista ~]$

Once in enable mode, all that is required is to type bash and you will be presented with a bash shell prompt. At this point you have started a bash shell, and any commands you type are executed directly by Linux, not by the EOS CLI. Commands typed in the shell are not subject to the EOS CLI's command authorization, and sudo (used below) gives root on the switch, so the ability to run bash should be limited to trusted administrative roles.

2.  The next step is to find the appropriate interface that you wish to monitor.

The Linux ifconfig command can be used to see the interfaces available in the Linux kernel.

[admin@Arista ~]$ifconfig

cpu      Link encap:Ethernet   HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:9216 Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:372 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1140 (1.1 KiB) TX bytes:26802 (26.1 KiB)

et1      Link encap:Ethernet   HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:9216 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:47891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:240 (240.0 b) TX bytes:3683975 (3.5 MiB)

et2      Link encap:Ethernet   HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:9216 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:1125577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:180 (180.0 b) TX bytes:86586365 (82.5 MiB)
...

ma1      Link encap:Ethernet   HWaddr 00:1C:73:0B:1D:13
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:31 Base address:0x2000

ma2      Link encap:Ethernet   HWaddr 00:1C:73:0B:1D:14
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:30 Base address:0x6000

vlan1026      Link encap:Ethernet   HWaddr 00:1C:73:0B:1D:15
inet addr:172.22.26.1 Bcast:255.255.255.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:9212 Metric:1
RX packets:1614852 errors:0 dropped:0 overruns:0 frame:0
TX packets:386542 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:721138049 (687.7 MiB) TX bytes:42279526 (40.3 MiB)

The list of interfaces will reflect each of the physical interfaces on the switch (et1, et2, ...), as well as the virtual interfaces. Any VLAN which has been assigned an IP address (SVI) will show up as a VLAN interface. The management interfaces show up as ma1, ma2, etc. The interface name shown in the left-most column is the Linux interface name to use with the tcpdump utility.

3.  And here is an example of how to run tcpdump for a VLAN interface.

[admin@Arista ~]$sudo tcpdump -i vlan1026
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1026, link-type EN10MB (Ethernet), capture size 65535 bytes

It is important to note that the tcpdump utility must be run as root (hence the command is preceded by sudo). As of EOS 4.6, invoking tcpdump from the CLI goes through a wrapper script which inserts sudo automatically.

The -v, -vv and -vvv flags provide progressively more detailed protocol decoding; each additional v raises the verbosity.

[admin@Arista ~]$sudo tcpdump -i vlan1026 -vv

4.  Once you know the Linux name associated with a given interface, you can also call the tcpdump command directly from the EOS CLI, without dropping into a bash shell first.

Arista#bash sudo tcpdump -i et12 -vv

5.  Another common option is filtering for more specific traffic, for example a specific destination port number. Put the options before the filter expression: tcpdump on Linux tolerates options placed after the expression, but that is GNU getopt argument permutation rather than tcpdump syntax, and it does not work everywhere.

Arista#bash sudo tcpdump -n -i et12 -vv dst port 23

6.  It is also common to redirect the output from a tcpdump command to a file.

[admin@Arista ~]$sudo tcpdump -n -i vlan1026 -v dst port 80 > /tmp/dump.txt

A redirect like this saves only the decoded text. To keep the raw packets in pcap format for later analysis in Wireshark, write the file with the -w option instead of a redirect, and bound the capture with -c (packet count) or -s (snaplen) so it cannot run unattended.

Note: It is important to ensure that the filesystem has enough space available, and it is always a good idea to remove capture files from the switch once they have been analysed. This keeps space from being needlessly consumed (which could eventually lead to a space shortage), and it matters for another reason: a capture of cleartext protocols such as telnet or HTTP can contain credentials and session data, so the file should be treated as sensitive while it exists.

7.  The tcpdump command has many available options for tailoring the output. For a complete listing of the available options refer to the tcpdump manual page.

The tcpdump utility is powerful and supports some complex filtering options. The examples given here are just starting points, experiment and find the options that you find to be the most useful for your needs!

More tcpdump examples

1.  How do I see LLDP packets coming from an interface?

Arista(config)#bash tcpdump -nevvvi et1 ether dst host 01:80:c2:00:00:0e

2.  My server is port-channelled to my switch and the port-channel is not coming up. How do I troubleshoot the LACP packets coming from the server? LACP frames go to the slow-protocols destination address 01:80:c2:00:00:02 (EtherType 0x8809), not the LLDP address used above.

Arista(config)#bash tcpdump -nevvvi et1 ether dst host 01:80:c2:00:00:02

3.  I am trying to ping a switch, but it is not responding. How do I know whether it is receiving the ping packets or not?

Arista(config)#bash tcpdump -nevvvi ma1 icmp

4.  How do I troubleshoot packets arriving from a specific host?

Arista(config)#bash tcpdump -nevvvi any host 172.22.26.209

5.  How do I troubleshoot packets arriving on specific port and from a specific host?

Arista(config)#bash tcpdump -nevvvi any '((port 22) and (host 172.22.26.209))'

6.  How do I redirect tcpdump output to flash so that I can email it to someone?

Arista(config)#bash tcpdump -nevvvi any port 22 > /mnt/flash/tcpdump-test

This saves the decoded text. If the recipient wants to open the capture in Wireshark, write pcap with the -w option (giving a path under /mnt/flash) instead of redirecting the text. In either case, delete the file from flash once it has been sent.

7.  How do I troubleshoot OSPF LSA updates between neighbours?

Arista(config)#bash tcpdump -nevvvi et37 proto ospf
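The redirect in step 6 and the port 22 / flash example above both leave a growing text file on the switch and, with a default snaplen, keep full payloads in it. The script below is an added illustration of the safer form of that workflow; it is not code from the original article or from Arista. It composes a capture bounded by packet count and snaplen and written as pcap, checks free space before writing, and then post-processes the plain "tcpdump -nn" text format into per-flow packet counts and a list of sources that sent repeated SYNs to a port such as 22. The function names (flash_has_room, bounded_capture_cmd, summarize_capture, flag_syn_sources), the /mnt/flash path and 10 MiB threshold, and the sample capture lines embedded in the script are all constructed for this example; the parser handles IPv4 lines produced without -e or -v, since those options add fields in front of the addresses.

```sh
#!/bin/sh
# Added example, not code from the Arista article: bounded tcpdump captures and a
# post-processor for the plain "tcpdump -nn" text format. Every function name,
# path and threshold here is an assumption made for illustration.
set -u

# Is there at least $2 KiB free on the filesystem holding $1? Run this before
# writing a capture to /mnt/flash (assumed path) so a forgotten capture cannot
# fill the flash the switch boots from. df -P gives the POSIX two-line layout.
flash_has_room() {
    avail_kb=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge "$2" ]
}

# Compose a capture bounded three ways: -c caps the packet count, -s caps the
# bytes kept per packet (a small snaplen keeps headers but drops payload, so
# the file holds no telnet/HTTP credentials) and -w writes pcap instead of
# redirected text, so Wireshark can open it later.
# Usage: bounded_capture_cmd IFACE 'FILTER' COUNT SNAPLEN OUTFILE
bounded_capture_cmd() {
    printf "sudo tcpdump -nn -i %s -c %s -s %s -w %s '%s'\n" "$1" "$3" "$4" "$5" "$2"
}

# awk helpers shared by the two parsers below. A "tcpdump -nn" endpoint looks
# like 172.22.26.1.22 (IPv4 plus port) or 172.22.26.1 (no port, e.g. ICMP),
# with a trailing ":" on the destination side.
AWK_EP='
function ep_ip(ep,    n, a) { sub(/:$/, "", ep); n = split(ep, a, "."); return (n == 5) ? a[1] "." a[2] "." a[3] "." a[4] : ep }
function ep_port(ep,  n, a) { sub(/:$/, "", ep); n = split(ep, a, "."); return (n == 5) ? a[5] : "-" }
'

# Per-flow packet counts from a file of "tcpdump -nn" output (IPv4 only; -e or
# -v would add fields in front of the addresses and break the field positions).
# Each line is "TIME IP SRC.SPORT > DST.DPORT: ..."; output is
# "<count> <src> -> <dst>:<dport>", highest count first, "-" when no port.
summarize_capture() {
    awk "$AWK_EP"'
        $2 == "IP" && $4 == ">" { count[ep_ip($3) " -> " ep_ip($5) ":" ep_port($5)]++ }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Sources that sent at least $3 bare SYNs (Flags [S], not the [S.] reply) to
# destination port $2: a quick check for scanning or brute force against the
# management plane, e.g. repeated SSH connection attempts to an SVI or ma1.
flag_syn_sources() {
    awk -v port="$2" -v thr="$3" "$AWK_EP"'
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 ~ /^\[S\],?$/ && ep_port($5) == port {
            syn[ep_ip($3)]++
        }
        END { for (ip in syn) if (syn[ip] >= thr) printf "%s %d\n", ip, syn[ip] }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample of "tcpdump -nn" output: one host opening four SSH
# connections to the SVI address from the article, plus some other traffic.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
10:15:02.100001 IP 172.22.26.209.51234 > 172.22.26.1.22: Flags [S], seq 1001, win 64240, length 0
10:15:02.100200 IP 172.22.26.1.22 > 172.22.26.209.51234: Flags [S.], seq 2001, ack 1002, win 65160, length 0
10:15:02.300003 IP 172.22.26.209.51235 > 172.22.26.1.22: Flags [S], seq 1003, win 64240, length 0
10:15:02.500004 IP 172.22.26.209.51236 > 172.22.26.1.22: Flags [S], seq 1005, win 64240, length 0
10:15:02.700005 IP 172.22.26.209.51237 > 172.22.26.1.22: Flags [S], seq 1007, win 64240, length 0
10:15:03.000006 IP 172.22.26.50.40000 > 172.22.26.1.22: Flags [S], seq 3001, win 64240, length 0
10:15:03.200007 IP 172.22.26.50 > 172.22.26.1: ICMP echo request, id 7, seq 1, length 64
10:15:03.200300 IP 172.22.26.1 > 172.22.26.50: ICMP echo reply, id 7, seq 1, length 64
10:15:04.000008 IP 172.22.26.10.5353 > 172.22.26.1.161: SNMP, length 60
EOF

echo "== per-flow packet counts =="
summarize_capture "$SAMPLE"
echo "== sources with 3 or more SYNs to port 22 =="
flag_syn_sources "$SAMPLE" 22 3
echo "== bounded capture command for the step 5 filter =="
bounded_capture_cmd et12 'dst port 23' 500 128 "/mnt/flash/cap-$(date +%Y%m%d-%H%M%S).pcap"
flash_has_room /mnt/flash 10240 || echo "(no /mnt/flash with 10 MiB free on this host; skip the capture)"
```

To use the parsers on a real capture from the switch, run tcpdump with -nn (and without -e or -v) into a file as in step 6, then call summarize_capture or flag_syn_sources on that file; the SYN check is deliberately blind to SYN-ACKs so that the switch's own replies are not counted against it.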

More tcpdump command-line options

-i any        : Listen on all interfaces just to see if you’re seeing any traffic.
-n            : Don’t resolve hostnames.
-e            : Get the ethernet header as well.
-v, -vv, -vvv : Increase the amount of packet information you get back.
-nn           : Don’t resolve hostnames or port names.
-X            : Show the packet’s contents in both hex and ASCII.
-XX           : Same as -X, but also shows the ethernet header.
-c N          : Capture only N packets and then stop.
-S            : Print absolute sequence numbers.
-q            : Show less protocol information.
-E            : Decrypt IPsec ESP traffic given the SPI, destination address, algorithm and key (spi@ipaddr algo:secret); see the manual page.
-s            : Set the snaplength, i.e. the amount of data that is being captured (in bytes)
