Orf Gelbrich
Cisco Employee

tcpdump is a native Linux tool for troubleshooting IP traffic.

This package is not installed by default on the UCSD appliance.

This package can be installed using yum (yum install tcpdump).

(Prerequisite: the UCSD appliance must be able to resolve external DNS names and reach the internet, since yum downloads the package from a public mirror.)

Here is the install:

[root@localhost tmp]# yum install tcpdump

Loaded plugins: fastestmirror

Determining fastest mirrors

* addons: mirror.steadfast.net

* base: pubmirrors.dal.corespace.com

* extras: mirror.us.oneandone.net

* updates: dallas.tx.mirror.xygenhosting.com

addons                                                                                                  | 1.9 kB     00:00   

base                                                                                                    | 1.1 kB     00:00   

extras                                                                                                  | 2.1 kB     00:00   

updates                                                                                                 | 1.9 kB     00:00   

updates/primary_db                                                                                      | 518 kB     00:00   

Setting up Install Process

Resolving Dependencies

--> Running transaction check

---> Package tcpdump.x86_64 14:3.9.4-15.el5 set to be updated

--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================

Package                      Arch                        Version                              Repository                 Size

===============================================================================================================================

Installing:

tcpdump                      x86_64                      14:3.9.4-15.el5                      base                      456 k

Transaction Summary

===============================================================================================================================

Install      1 Package(s)       

Update       0 Package(s)       

Remove       0 Package(s)       

Total download size: 456 k

Is this ok [y/N]: y

Downloading Packages:

tcpdump-3.9.4-15.el5.x86_64.rpm                                                                               | 456 kB     00:00   

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

  Installing     : tcpdump                                                                                                       1/1

Installed:

  tcpdump.x86_64 14:3.9.4-15.el5                                                                                                   

Complete!

The manual page for tcpdump can be viewed by typing:

     man tcpdump

Running tcpdump with no arguments (show everything going on eth0):

[root@localhost tmp]# tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

18:26:12.552602 IP 172.17.32.135.ssh > 192.168.32.110.54221: P 1632689526:1632689638(112) ack 1251125419 win 151 <nop,nop,timestamp 1035954528 651295310>

Looking for traffic from a specific host:

[root@localhost tmp]# tcpdump -nn src host 172.17.32.110

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

18:32:54.015905 IP 172.17.32.110.61537 > 172.17.32.111.443: P 1430747147:1430747221(74) ack 1798473513 win 256

18:32:54.015971 IP 172.17.32.110.61537 > 172.17.32.111.443: P 74:164(90) ack 1 win 256

18:32:54.026873 IP 172.17.32.110.61537 > 172.17.32.111.443: . ack 816 win 253

18:32:58.882358 arp who-has 172.17.32.111 (00:25:b5:01:a0:6f) tell 172.17.32.110

Looking for CDP packets:

[root@localhost tmp]# tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes

18:35:42.695736 CDPv2, ttl: 180s, checksum: 692 (unverified), length 230

  Device-ID (0x01), length: 30 bytes: 'VSM100V-1(8618679311377563319)'

  Address (0x02), length: 13 bytes: IPv4 (1) 172.17.32.6

  Port-ID (0x03), length: 5 bytes: 'mgmt0'

  Capability (0x04), length: 4 bytes: (0x00000209): Router, L2 Switch

  Version String (0x05), length: 69 bytes:

    Cisco Nexus Operating System (NX-OS) Software, Version 5.2(1)SK1(1.1)

  Platform (0x06), length: 10 bytes: 'Nexus1000V'

  AVVID trust bitmap (0x12), length: 1 byte: 0x00

  AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00

  Duplex (0x0b), length: 1 byte: full

  MTU (0x11), length: 4 bytes: 1500 bytes

  System Name (0x14), length: 9 bytes: 'VSM100V-1'

  System Object ID (not decoded) (0x15), length: 14 bytes:

    0x0000:  060c 2b06 0104 0109 0c03 0103 8648

  Management Addresses (0x16), length: 13 bytes: IPv4 (1) 172.17.32.6

1 packets captured

4 packets received by filter

0 packets dropped by kernel
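Why offset 20? CDP is not sent as an Ethernet II frame with an EtherType; it travels in an 802.3 frame (6-byte destination, 6-byte source, 2-byte length) followed by a 3-byte LLC header (AA AA 03) and a 5-byte SNAP header (Cisco OUI 00:00:0C, then the 2-byte protocol ID, 0x2000 for CDP), so the protocol ID sits at bytes 20 and 21 of the frame. The -s 1500 in the command raises the snapshot length from the default 96 bytes seen in the earlier runs so the whole CDP TLV list is captured for decoding. The Python below is an added example, not part of the original post: it reproduces the ether[offset:size] primitive on constructed frames, shows the filter used above matching a CDP frame, and shows one edge case of that short filter: an IPv4 frame whose flags/fragment-offset field is 0x2000 (More Fragments set, offset 0, i.e. a first fragment) also matches, because in an Ethernet II + IPv4 frame bytes 20 and 21 are exactly that field. A stricter predicate that also checks the LLC/SNAP bytes is included. All MAC addresses, IP headers and the CDP payload are constructed; checksums are left at zero.

```python
import struct

# Python equivalent of the BPF primitive ether[offset:size] (size 1, 2 or 4).
# A load past the end of the frame raises IndexError; run_filter() turns that
# into "no match", which is how BPF treats such loads.
def ether(frame: bytes, offset: int, size: int = 1) -> int:
    if size not in (1, 2, 4):
        raise ValueError("BPF allows only 1-, 2- or 4-byte accesses")
    if offset + size > len(frame):
        raise IndexError("access beyond end of frame")
    return int.from_bytes(frame[offset:offset + size], "big")


def run_filter(pred, frame: bytes) -> bool:
    """Apply a predicate the way BPF does: an out-of-range load rejects the packet."""
    try:
        return bool(pred(frame))
    except IndexError:
        return False


def is_cdp_loose(frame: bytes) -> bool:
    """The filter from the post: 'ether[20:2] == 0x2000'."""
    return ether(frame, 20, 2) == 0x2000


def is_cdp_strict(frame: bytes) -> bool:
    """Also require an 802.3 length field and the LLC/SNAP bytes that carry CDP."""
    return (ether(frame, 12, 2) <= 1500          # 802.3 length, not an EtherType
            and ether(frame, 14, 2) == 0xAAAA   # LLC DSAP/SSAP = SNAP
            and ether(frame, 16) == 0x03        # LLC control: unnumbered information
            and ether(frame, 17, 2) == 0x0000
            and ether(frame, 19) == 0x0C        # Cisco OUI 00:00:0C (3 bytes, split)
            and ether(frame, 20, 2) == 0x2000)  # SNAP protocol ID: CDP


# --- constructed frames -----------------------------------------------------
CDP_MULTICAST = bytes.fromhex("01000ccccccc")     # well-known CDP destination
SRC_MAC = bytes.fromhex("020000000001")           # constructed, locally administered


def build_cdp_frame(payload: bytes = b"\x02\xb4\x00\x00") -> bytes:
    """802.3 + LLC/SNAP frame carrying a minimal CDPv2 header (version 2, TTL 180s)."""
    llc_snap = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + struct.pack("!H", 0x2000)
    body = llc_snap + payload
    return CDP_MULTICAST + SRC_MAC + struct.pack("!H", len(body)) + body


def build_ipv4_frame(flags_frag: int, src_port: int = 61537, dst_port: int = 443) -> bytes:
    """Ethernet II + IPv4 + TCP frame; flags_frag is IPv4 header bytes 6-7."""
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 256, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr), 0x1234, flags_frag,
                         64, 6, 0, bytes([172, 17, 32, 110]), bytes([172, 17, 32, 111]))
    return SRC_MAC + bytes.fromhex("020000000002") + struct.pack("!H", 0x0800) + ip_hdr + tcp_hdr


if __name__ == "__main__":
    frames = {
        "cdp": build_cdp_frame(),
        "tcp (DF set)": build_ipv4_frame(0x4000),
        "ipv4 first fragment (MF set)": build_ipv4_frame(0x2000),
    }
    for name, f in frames.items():
        print(f"{name:30s} loose={run_filter(is_cdp_loose, f)!s:5s} strict={run_filter(is_cdp_strict, f)}")
```

The stricter predicate translates directly into tcpdump syntax (my suggestion, not from the post): 'ether[12:2] <= 1500 and ether[14:2] = 0xaaaa and ether[16] = 3 and ether[17:2] = 0 and ether[19] = 0x0c and ether[20:2] = 0x2000'. BPF accesses are limited to 1, 2 or 4 bytes, which is why the 3-byte OUI is split into a 2-byte and a 1-byte compare. Filtering on the CDP multicast destination, ether dst 01:00:0c:cc:cc:cc, is another common choice.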

Looking for a source host and port:

tcpdump -nn src host 1.2.3.4 and 'tcp port 3389'
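The two host/port filters above (src host 172.17.32.110, and src host 1.2.3.4 and 'tcp port 3389') select packets at capture time. When the tcpdump -nn text has already been saved, the same selection can be applied afterwards. The following Python script is an added example, not part of the original post or of UCSD: it parses lines in the format printed above (numeric hosts and ports, as -nn produces them) into records, applies the text-side equivalent of src host A and tcp port N (N may be the source or the destination port, as in the BPF expression), and counts flows per source/destination/port. The sample input is constructed from the lines of the src host 172.17.32.110 run above; the ARP line is not an IP line and is skipped.

```python
import re
from collections import Counter
from typing import Optional

# One line of `tcpdump -nn` output for IPv4 traffic, in the style shown above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[A-Za-z.]+)"
)

# Constructed sample: the lines from the `src host 172.17.32.110` run above,
# including the ARP line that an IP-only parser must skip.
SAMPLE = """\
18:32:54.015905 IP 172.17.32.110.61537 > 172.17.32.111.443: P 1430747147:1430747221(74) ack 1798473513 win 256
18:32:54.015971 IP 172.17.32.110.61537 > 172.17.32.111.443: P 74:164(90) ack 1 win 256
18:32:54.026873 IP 172.17.32.110.61537 > 172.17.32.111.443: . ack 816 win 253
18:32:58.882358 arp who-has 172.17.32.111 (00:25:b5:01:a0:6f) tell 172.17.32.110
"""


def parse_line(line: str) -> Optional[dict]:
    """Return a record for an IP line, or None for lines this parser does not handle (ARP, CDP, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_capture(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def match_src_host_and_port(records: list, src_host: str, port: int) -> list:
    """Text-side equivalent of the BPF filter `src host A and tcp port N`."""
    return [r for r in records
            if r["src"] == src_host and port in (r["sport"], r["dport"])]


def count_flows(records: list) -> Counter:
    """Packets per (source host, destination host, destination port)."""
    return Counter((r["src"], r["dst"], r["dport"]) for r in records)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    for r in match_src_host_and_port(recs, "172.17.32.110", 443):
        print(r["ts"], r["src"], r["sport"], "->", r["dst"], r["dport"], "flags", r["flags"])
    for (src, dst, dport), n in count_flows(recs).most_common():
        print(f"{src} -> {dst}:{dport}  {n} packets")
```

The regex deliberately requires numeric hosts and ports: a line captured without -nn, such as the 172.17.32.135.ssh line in the first run above, does not parse, which is a practical reason to always capture with -nn when the output will be processed later.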
