Allied Telesis Support Portal

How to Use TCPDump on AW+

How do I use TCPDump on AlliedWare Plus devices?

The TCPDump utility can be used to analyze packets.  It can be run manually in the CLI to capture all packets, or used with filters to capture specific packets.  Data can be viewed in real time via a console session, or saved to the device's flash in .pcap format to be downloaded and viewed with Wireshark.  The basic commands below apply in many situations.  A more comprehensive list of TCPDump commands can be found at:

http://www.tcpdump.org/tcpdump_man.html
https://danielmiessler.com/study/tcpdump/#gs.null


When issuing TCPDump commands, capture output is immediately sent to the CLI of your console session (or telnet or SSH), unless you opt to send the output to a file (explained later).  When a capture is running, the CTRL C break command stops the capture.  After stopping a capture, make sure it is valid by verifying in the summary stats that packets were actually captured.
 
awplus#tcpdump -i vlan10 port 3389 -v
tcpdump: listening on vlan10, link-type EN10MB (Ethernet), capture size 65535 bytes
[CTRL C]
0 packets captured
0 packets received by filter
0 packets dropped by kernel

**************************************************************************************************

View all interfaces visible to the TCPDump utility:
 
awplus#tcpdump -D
1.nfqueue (Linux netfilter queue (NFQUEUE) interface)
2.vlan1
3.vlan2
4.vlan5
5.vlan10
6.vlan4093
7.vlan4094
8.any (Pseudo-device that captures on all interfaces)
9.lo

Capture all packets on all interfaces:
 
awplus#tcpdump -i any

Capture packets traversing a specific interface:
 
awplus#tcpdump -i vlan10

Capture packets traversing a specific interface and sourced from or destined to a specific IP address:
 
awplus#tcpdump -i vlan10 src 10.28.1.21

awplus#tcpdump -i vlan10 dst 10.28.1.21

Capture packets traversing a specific interface and sourced from or destined to a specific IP subnet:
 
awplus#tcpdump -i vlan10 dst net 4.2.2.0/29

awplus#tcpdump -i vlan10 src net 4.2.2.0/29

Capture packets belonging to a specific service and traversing a specific interface:
 
awplus#tcpdump -i vlan10 port 3389

awplus#tcpdump -i vlan10 dst port 3389

awplus#tcpdump -i vlan10 src port 1025

Combine multiple filters using the "and" parameter:
 
awplus#tcpdump -i vlan10 dst port 3389 and dst 4.2.2.4

By default, TCPDump sends basic debug output to the console session in real time.  You can show progressively more detail in this output by using the -v, -vv or -vvv (verbose) parameters.
 
awplus#tcpdump -i vlan10 port 3389 -v

Alternatively, you can capture all packet detail and send it to a file rather than viewing it in the CLI.  Save the file in .pcap format to be downloaded and viewed with Wireshark.
 
awplus#tcpdump -i vlan10 port 3389 -w [file name].pcap
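
Once the .pcap file has been downloaded from the device, the same validity check (were packets actually captured, and do any use the filtered port?) can be done offline before opening Wireshark.  The Python script below is an added example, not part of the Allied Telesis article; its function names and the sample capture bytes are constructed for illustration, and it assumes a classic pcap file holding untagged Ethernet/IPv4 frames.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond variants) -> byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def tcp_udp_ports(frame):
    """(src, dst) ports of an untagged Ethernet/IPv4 TCP or UDP frame, else ()."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return ()
    ihl = (frame[14] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[23] not in (6, 17) or frag_offset or len(frame) < 14 + ihl + 4:
        return ()  # not TCP/UDP, or a later fragment that carries no ports
    return struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])

def summarize_pcap(data, port=3389):
    """Return (linktype, snaplen, total_packets, packets_using_port)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (truncated or wrong magic)")
    order = MAGICS[data[:4]]
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    total = matched = 0
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # final record cut short, e.g. an interrupted download
        total += 1
        if linktype == 1 and port in tcp_udp_ports(frame):  # 1 = EN10MB
            matched += 1
        off += 16 + incl_len
    return linktype, snaplen, total, matched

def sample_capture():
    """Constructed input: a TCP SYN 10.28.1.21:1025 -> 4.2.2.4:3389 and an ARP frame."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 28, 1, 21]), bytes([4, 2, 2, 4]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 3389, 0, 0, 0x50, 0x02, 65535, 0, 0)
    frames = [bytes(12) + b"\x08\x00" + ip + tcp, bytes(12) + b"\x08\x06" + bytes(28)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                             for f in frames)

if __name__ == "__main__":
    linktype, snaplen, total, matched = summarize_pcap(sample_capture())
    print(f"link-type {linktype}, snaplen {snaplen}: {total} packets, "
          f"{matched} on port 3389")
```

A file that contains only the 24-byte header reports 0 packets, which is the offline equivalent of the "0 packets captured" summary shown earlier.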

 