Allied Telesis Support Portal

How to Use TCPDump on AlliedWare Plus

How do I use TCPDump on AlliedWare Plus devices?

Introduction

The TCPDump utility can be used to analyze packets. It can be run manually from the CLI to capture all packets, or with filters to capture specific packets. Data can be viewed in real time in a console session, or saved to the device's flash in PCAP format to be downloaded and viewed with Wireshark. What follows are some basic example commands applicable in many situations. A more comprehensive list of TCPDump commands can be found at:

http://www.tcpdump.org/tcpdump_man.html
https://danielmiessler.com/study/tcpdump/#gs.null

Using TCPDump

When issuing TCPDump commands, capture output is immediately sent to the CLI of your console session (or Telnet or SSH), unless you opt to send the output to a file (explained later). When a capture is running, the CTRL + C break command stops the capture. When a capture is stopped, make sure it is valid by verifying in the summary stats that packets were actually captured.

NOTE: It is important to keep in mind that running TCPDump on an AlliedWare Plus switch will only show the packets that get copied or forwarded to the CPU of that switch. It will not show hardware-switched packets. To get a view of the packets on the wire, a port has to be mirrored to a different port and that other port connected to a PC that is running Wireshark to capture the traffic and create a PCAP file.

awplus#tcpdump -n -v -i vlan201
15:42:59.602499 IP (tos 0x0, ttl 123, id 43060, offset 0, flags [DF], proto TCP (6), length 40) 10.52.16.42.1799 > 10.52.201.31.23: ., cksum 0xe54a (correct), ack 1260396085 win 1023
.
.
.
15:43:00.682426 IP (tos 0x10, ttl 64, id 52056, offset 0, flags [DF], proto TCP (6), length 383) 10.52.201.31.23 > 10.52.16.42.1799: P 8997:9340(343) ack 1 win 229

55 packets captured
58 packets received by filter
0 packets dropped by kernel
awplus#
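
The three summary lines printed when a capture stops are what tell you whether the capture is usable: zero packets captured means the filter matched nothing, and a non-zero kernel drop count means the capture is incomplete. The following Python snippet is an added example, not part of the original article and not an AlliedWare Plus feature: it parses those lines from saved CLI output and classifies the capture. The sample session text is constructed for the example.

```python
import re

# Constructed sample: the tail of a tcpdump session as it appears on the CLI
# (not copied from a real device).
SAMPLE_GOOD = """\
15:43:00.682426 IP (tos 0x10, ttl 64, id 52056, offset 0, flags [DF], proto TCP (6), length 383) 10.52.201.31.23 > 10.52.16.42.1799: P 8997:9340(343) ack 1 win 229

55 packets captured
58 packets received by filter
0 packets dropped by kernel
awplus#
"""

# Constructed sample: the filter matched nothing, so there is no evidence here.
SAMPLE_EMPTY = """\
0 packets captured
0 packets received by filter
0 packets dropped by kernel
awplus#
"""

# Constructed sample: the CPU could not keep up and the kernel dropped packets.
SAMPLE_LOSSY = """\
12 packets captured
40 packets received by filter
7 packets dropped by kernel
awplus#
"""

# tcpdump prints "1 packet captured" in the singular, hence "packets?".
_SUMMARY_RE = re.compile(
    r"^(?P<count>\d+) packets? (?P<kind>captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)

_KINDS = {
    "captured": "captured",
    "received by filter": "received",
    "dropped by kernel": "dropped",
}


def parse_summary(text):
    """Return {'captured': n, 'received': n, 'dropped': n} from the closing stats.

    Raises ValueError when any of the three lines is missing, which is what a
    session log looks like if it was cut off before the capture was stopped.
    """
    found = {}
    for match in _SUMMARY_RE.finditer(text):
        found[_KINDS[match.group("kind")]] = int(match.group("count"))
    missing = set(_KINDS.values()) - set(found)
    if missing:
        raise ValueError("summary incomplete, missing: " + ", ".join(sorted(missing)))
    return found


def assess_capture(text):
    """Classify a capture as 'ok', 'empty' (nothing matched the filter) or
    'lossy' (the kernel dropped packets, so the capture is incomplete)."""
    stats = parse_summary(text)
    if stats["captured"] == 0:
        return "empty"
    if stats["dropped"] > 0:
        return "lossy"
    return "ok"
```

A "received by filter" count higher than "captured" is normal: packets received after the last one was written out (for example while CTRL + C was being processed) are counted but not stored.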

Send the output to the monitor so the information can be viewed:

awplus#terminal monitor


To break out of the session perform the following tasks:

1. CTRL + C [this will break out of the capture and cancel it]
2. awplus#terminal no monitor


View all interfaces visible to the TCPDump utility:

awplus#tcpdump -D
1.eth0
2.vlan1
3.vlan201
4.any (Pseudo-device that captures on all interfaces)
5.lo


Capture all packets on all interfaces:

awplus#tcpdump -i any


Capture packets traversing a specific interface:

awplus#tcpdump -i vlan201


Capture packets traversing a specific interface and sourced from or destined to a specific IP address:

awplus#tcpdump -i vlan201 src 10.51.201.21
awplus#tcpdump -i vlan201 dst 10.52.201.21


Capture packets traversing a specific interface and sourced from or destined to a specific IP subnet:

awplus#tcpdump -i vlan201 dst net 4.2.2.0/29
awplus#tcpdump -i vlan201 src net 4.2.2.0/29


Capture packets belonging to a specific service and traversing a specific interface:

awplus#tcpdump -i vlan201 port 3389
awplus#tcpdump -i vlan201 dst port 3389
awplus#tcpdump -i vlan201 src port 1025


Combine multiple filters using the "and" parameter:

awplus#tcpdump -i vlan201 dst port 3389 and dst 4.2.2.4


By default, TCPDump sends basic output to the console session in real time. The -v, -vv and -vvv (verbose) parameters each add progressively more detail to this output.

awplus#tcpdump -i vlan10 port 3389 -v


Or, you can capture all packet detail and send it to a file rather than viewing it in the CLI. Save the file in .pcap format so it can be downloaded from flash and viewed with Wireshark. A "dir" will show the newly created PCAP file written to flash.

awplus#tcpdump -i vlan201 port 3389 -w [file name].pcap

awplus#tcpdump -n -v -i vlan201 -w Test_1.pcap
16:04:15 S2-X908 IMISH[21694]: tcpdump -n -v -i vlan201 -w Test_1.pcap
Got 10
13 packets captured
15 packets received by filter
0 packets dropped by kernel

awplus#dir
16:04:26 S2-X908 IMISH[21694]: dir
     1040 -rw- Nov 19 2020 16:04:21  Test_1.pcap
     1688 -rw- May 18 2020 13:41:28  S2-X908_base.cfg
     1688 -rw- May 18 2020 13:18:02  ai3g-x908-amf-master-rstp.cfg
 19238557 -rwx Oct 10 2013 20:52:05  SBx908-5.4.3-2.5.rel
 19055109 -rw- Jan 21 2013 21:39:59  SBx908-5.4.2-3.10.rel
awplus#
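
Before a downloaded capture is loaded into Wireshark, it is worth checking that the file is a complete pcap: a file copied off flash while tcpdump was still writing, or cut short by a failed transfer, ends in a partial record. The following Python snippet is an added example, not part of the original article and not an AlliedWare Plus tool: it parses the classic pcap format that "tcpdump -w" produces (24-byte global header, then 16-byte record headers each followed by the captured bytes), validates each record against the snap length, and reports truncation instead of failing so the intact records can still be used. The sample file it builds is constructed filler, not a real capture.

```python
import struct

# pcap magic numbers. The first four bytes are read as a little-endian integer;
# the value tells us the writer's byte order and whether the timestamp fraction
# is in microseconds or nanoseconds.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanoseconds
}


def parse_pcap(data):
    """Parse a classic pcap (not pcapng) byte string as written by tcpdump -w.

    Returns the snap length, link type, the packet records, and a 'truncated'
    flag that is set when the file ends in the middle of a record.
    """
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    endian, ts_div = _MAGICS[magic]
    ver_major, ver_minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if (ver_major, ver_minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (ver_major, ver_minor))

    packets = []
    truncated = False
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            truncated = True          # partial record header at end of file
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            # tcpdump never stores more than the snap length or more than the
            # original frame; a record claiming otherwise means the file is corrupt.
            raise ValueError("corrupt record header at offset %d" % off)
        off += 16
        if off + incl_len > len(data):
            truncated = True          # partial frame data at end of file
            break
        packets.append({
            "ts": ts_sec + ts_frac / ts_div,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return {"snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def build_sample_pcap(truncate=False):
    """Constructed sample for this example: little-endian microsecond pcap,
    link type 1 (Ethernet), two frames of filler bytes rather than real traffic."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    frames = [b"\x00" * 60, b"\x11" * 98]
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1605801855 + i, 602499, len(frame), len(frame)) + frame
    data = header + body
    if truncate:
        data = data[:-10]   # cut the last frame short, as an interrupted download would
    return data
```

If the check reports truncation, re-run the capture and wait for the summary stats before copying the file off flash; the records before the cut are still valid and Wireshark will open them, but the last packet is lost.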

TCPDump common flags

Below are some commonly used flags:

-i Listen on <interface>, e.g. “-i igb0”
-n Do not perform reverse DNS resolution on IP addresses
-w Save capture in pcap format to <filename>, e.g. “-w /tmp/wan.pcap”
-s Snap length: amount of data to be captured from each frame
-c Exit after receiving a specific number of packets
-p Do not put the interface in promiscuous mode
-v Verbose output
-e Print link-layer header on each line


TCPDump Logical Operators

&& or and   Combines filtering options. [AND operator]
|| or or    Either condition can match. [OR operator]
! or not    Negates the condition. [NOT operator]
<           Less than.  [LESS operator]


Simple Filtering Examples:

Find Traffic by IP:

awplus#tcpdump -n -v host 1.1.1.1


Filtering by Source IP:

awplus#tcpdump -n -v src 1.1.1.1


Filtering by Destination IP:

awplus#tcpdump -n -v dst 1.0.0.1


Filtering by Network:

awplus#tcpdump -n -v net 1.2.3.0/24


Filtering by Interface:

awplus#tcpdump -n -v -i eth1


Filtering by Port Number

awplus#tcpdump -n -v port 3389


Filtering by Port Range:

awplus#tcpdump -n -v portrange 21-23


Filtering by Protocol:

awplus#tcpdump -n -v icmp


Complex Filtering Examples:

Filtering by Source and destination IP:

awplus#tcpdump -n -v src 1.1.1.1 and dst 2.2.2.2


Filtering by Source IP and Destination port:

awplus#tcpdump -n -v src 1.1.1.1 and dst port 3389


Filtering from one network to two specific destination networks (the parentheses are required: "and" and "or" have equal precedence in TCPDump filters and are evaluated left to right, so without them the second destination network would match regardless of source):

awplus#tcpdump -n -v 'src net 192.168.0.0/16 and (dst net 10.0.0.0/8 or dst net 172.16.0.0/16)'


Non ICMP Traffic Going to a Specific IP:

awplus#tcpdump -n -v dst 192.168.0.2 and src 1.1.1.1 and not icmp


Traffic From a Host That Isn’t on a Specific Port:

awplus#tcpdump -n -v src 1.1.1.1 and not dst port 22


Isolate TCP RST flags:

awplus#tcpdump 'tcp[13] & 4 != 0'


Isolate TCP ACK flags:

awplus#tcpdump 'tcp[13] & 16 != 0'


Isolate TCP SYN flags:

awplus#tcpdump 'tcp[13] & 2 != 0'


Isolate TCP FIN flags:

awplus#tcpdump 'tcp[13] & 1 != 0'
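
The four filters above all index byte 13 of the TCP header, which holds the flag bits (FIN 1, SYN 2, RST 4, PSH 8, ACK 16, URG 32). Because the offset is relative to the start of the TCP header, the test is unaffected by IP options or VLAN tags. Note that "& mask != 0" matches any segment with that bit set, so the SYN filter also captures SYN-ACK replies; to see only connection attempts, use tcp[13] == 2 instead. The following Python snippet is an added example, not part of the original article: it builds constructed TCP headers and evaluates the same byte-13 tests that the filters perform, so the difference between the two forms can be seen on sample data.

```python
import struct

# TCP flag bits as they sit in byte 13 of the TCP header, which is the byte
# the filter expression tcp[13] reads.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header without options (sample data for this
    example; checksum and urgent pointer are left at zero)."""
    offset_and_flags = (5 << 12) | flags      # data offset 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_byte(header, index):
    """Equivalent of the filter primitive tcp[index]: one unsigned byte of the header."""
    return header[index]


def matches_any(header, mask):
    """Equivalent of  tcp[13] & mask != 0 : true when ANY bit in mask is set."""
    return (tcp_byte(header, 13) & mask) != 0


def matches_exactly(header, value):
    """Equivalent of  tcp[13] == value : true only when the flag byte is exactly value."""
    return tcp_byte(header, 13) == value


def flag_names(header):
    """Decode byte 13 into flag names, in FIN..CWR order."""
    byte = tcp_byte(header, 13)
    return [name for name, bit in TCP_FLAGS.items() if byte & bit]


# Constructed sample segments: a handshake, a data segment, and two teardowns.
SAMPLES = {
    "syn":     build_tcp_header(49152, 3389, TCP_FLAGS["SYN"]),
    "syn_ack": build_tcp_header(3389, 49152, TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]),
    "psh_ack": build_tcp_header(49152, 3389, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"]),
    "fin_ack": build_tcp_header(49152, 3389, TCP_FLAGS["FIN"] | TCP_FLAGS["ACK"]),
    "rst_ack": build_tcp_header(3389, 49152, TCP_FLAGS["RST"] | TCP_FLAGS["ACK"]),
}


def select(mask):
    """Names of the sample segments that  tcp[13] & mask != 0  would capture."""
    return [name for name, hdr in SAMPLES.items() if matches_any(hdr, mask)]
```

Running select(2) returns both the SYN and the SYN-ACK sample, while matches_exactly(SAMPLES["syn_ack"], 2) is false: that is the practical difference between the "& 2 != 0" filter on the page and "tcp[13] == 2" when you want to count connection attempts only.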


Capture any packets from or to port range x to y:

awplus#tcpdump -n -v dst portrange x-y
awplus#tcpdump -n -v src portrange x-y


Capture any packets with dst ip x.x.x.x and dst ports x, z:

awplus#tcpdump -n -v 'dst host x.x.x.x and (dst port x or dst port z)'