tcpdump is a very useful tool for capturing traffic destined for the leaf, spine or APIC, i.e. within the fabric.
The same method also captures traffic that reaches the switch CPU (ping to/from the switch, ARP for the pervasive gateway, NTP, SNMP). Note that on a leaf or spine tcpdump only sees packets punted to the CPU, not transit data-plane traffic.
LEAF/SPINE
Interface to be used:
1) For inband traffic use kpm_inb
2) For OOB traffic use eth0
Note: ARP on kpm_inb is only seen in one direction
Adding the filter expression icmp captures only ping packets.
3) leaf# tcpdump -D (lists the available interfaces to capture on)
1.eth0 For OOB traffic
2.inband_lo
3.inband_hi
4.mgmt0
5.psdev0
6.kpm_inb for most inband traffic
7.kpm_mgmt
8.tahoe0
9.psdev2
10.any (Pseudo-device that captures on all interfaces)
11.lo
4) leaf# tcpdump -i eth0
5) leaf# tcpdump -i eth0 icmp (the filter expression follows the options directly; tcpdump has no -f filter flag, its -f only prints foreign IPv4 addresses numerically)
6) leaf# tcpdump -i kpm_inb
7) leaf# tcpdump -i kpm_inb icmp
8) Writing output to a file
leaf# tcpdump -i kpm_inb -w /tmp/capture.pcap icmp
9) Reading output from a capture file
leaf# tcpdump -r /tmp/capture.pcap
10) Reading the output without resolving names, displaying only IPs, using "-n"
leaf1# tcpdump -n -r /tmp/capture.pcap
11) tcpdump filters
The filter can be applied either when collecting the packet capture or when reading the capture file.
Examples:
host 192.168.1.10
dst host 33.33.33.1 and src host 172.16.4.3
net 10.0.0.0/24
port 53
ether host 00:50:56:63:e1:99
12) Adding a host filter
leaf# tcpdump -i any icmp and src host 192.168.3.254
leaf# tcpdump -i any icmp and dst host 192.168.3.254
13) Adding a src/dst host filter on a specific interface
leaf# tcpdump -i eth0 icmp and src host 192.168.3.254
leaf# tcpdump -i eth0 icmp and dst host 192.168.3.254
leaf# tcpdump -i kpm_inb icmp and src host 192.168.3.254
leaf# tcpdump -i kpm_inb icmp and dst host 192.168.3.254
14) Adding the verbose option
leaf# tcpdump -vv -i kpm_inb icmp and host 192.168.3.254
15) tcpdump on the knet or tahoe0 interface
The knet interface on Gen-1 hardware and the tahoe0 interface on Gen-2 hardware show all packets, but each packet carries an internal header, so the output is not fully readable.
On Gen-2 hardware you can use tcpdump2, a script on top of tcpdump that decodes the internal header.
leaf1# tcpdump2 -i tahoe0 host 1.1.1.1
16) tcpdump on the basis of port
leaf# tcpdump -i eth0 -vv port 162 (SNMP traps)
leaf# tcpdump -i any port 179 (BGP)
Tcpdump on APIC
Requires root access on the APIC.
Command syntax:
[root@apic1 ~]# tcpdump -h (help)
[root@apic1 ~]# tcpdump -D (lists the available interfaces to capture on)
1.bond0 > Traffic from APIC-to-APIC and APIC-to-switches (inband)
2.oobmgmt > Packets entering/leaving via the APIC out-of-band management interface.
3.bond0.3932
4.lxcbr0
5.ifb0
6.docker0
7.tep0
8.bond0.101
9.nflog (Linux netfilter log (NFLOG) interface)
10.eth1-1
11.eth1-2
12.bond1
13.tep1
14.teplo-1
15.usbmon1 (USB bus number 1)
16.eth2-1
17.eth2-2
18.tep2
19.usbmon2 (USB bus number 2)
20.tep3
21.tep4
22.tep5
23.tep6
24.tep7
25.veth3866601
26.any (Pseudo-device that captures on all interfaces)
27.lo [Loopback]
tcpdump on oobmgmt, with an optional icmp filter
1) tcpdump on oobmgmt
[root@apic1 ~]# tcpdump -i oobmgmt
[root@apic1 ~]# tcpdump -i oobmgmt icmp
2) tcpdump on port
[root@apic1 ~]# tcpdump -i oobmgmt port 22
3) tcpdump on bond0, with a host filter
[root@apic1 ~]# tcpdump -i bond0 host spine1
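The commands above are easy to mistype on a switch under load, so here is an added shell example (not part of the original notes, and not Cisco tooling) that wraps them: it picks an interface index out of a `tcpdump -D` listing, builds a capture command that writes a bounded ring of pcap files instead of one ever-growing file, builds the matching `-n -r` read command, and counts the top source addresses in decoded output. The helper names (`iface_index`, `capture_cmd`, `read_cmd`, `top_talkers`), the sample `-D` listing and the sample packet lines are all constructed for this example; the tcpdump options used (`-i`, `-n`, `-s`, `-C`, `-W`, `-w`, `-r`) are standard tcpdump options.

```shell
#!/bin/sh
# Added example, not from the original notes. All helper names and sample
# data below are constructed; interface names follow the page (kpm_inb, eth0,
# oobmgmt, bond0).

# Constructed `tcpdump -D` listing, modelled on the leaf and APIC listings on
# the page. Note the dotted sub-interface "bond0.3932" next to "bond0".
SAMPLE_LISTING='1.eth0 For OOB traffic
2.bond0
3.bond0.3932
4.kpm_inb for most inband traffic
5.any (Pseudo-device that captures on all interfaces)
6.lo'

# Constructed lines in the shape `tcpdump -n` prints for ICMP on kpm_inb.
SAMPLE_TEXT='12:00:01.000001 IP 192.168.3.254 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000200 IP 10.0.0.1 > 192.168.3.254: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 192.168.3.254 > 10.0.0.1: ICMP echo request, id 1, seq 2, length 64'

# iface_index NAME: read a `tcpdump -D` listing on stdin and print the numeric
# index of interface NAME (tcpdump accepts that number for -i as well).
# Exits non-zero when the name is not in the listing.
iface_index() {
    awk -v want="$1" '
        {
            n = index($1, ".")            # split "4.kpm_inb" at the first dot only,
            if (n == 0) next              # so "3.bond0.3932" never matches "bond0"
            if (substr($1, n + 1) == want) { print substr($1, 1, n - 1); found = 1 }
        }
        END { exit !found }'
}

# capture_cmd IFACE OUTFILE [FILTER WORDS...]: print a capture command that
# keeps full packets (-s 0), skips name resolution (-n) and rotates through
# five 10 MB files (-C 10 -W 5) so a forgotten capture cannot fill /tmp.
capture_cmd() {
    _if="$1"; _out="$2"; shift 2
    _cmd="tcpdump -i $_if -n -s 0 -C 10 -W 5 -w $_out"
    if [ $# -gt 0 ]; then _cmd="$_cmd $*"; fi
    printf '%s\n' "$_cmd"
}

# read_cmd FILE [FILTER WORDS...]: print the matching read-back command; the
# same BPF filter syntax applies when reading a file as when capturing.
read_cmd() {
    _file="$1"; shift
    _cmd="tcpdump -n -r $_file"
    if [ $# -gt 0 ]; then _cmd="$_cmd $*"; fi
    printf '%s\n' "$_cmd"
}

# top_talkers: read `tcpdump -n` text on stdin and print "count source" per
# IPv4 source, busiest first. Useful for seeing who is hitting the switch CPU.
# For TCP/UDP lines the source field includes the port (host.port).
top_talkers() {
    awk '$2 == "IP" { count[$3]++ }
         END { for (s in count) print count[s], s }' | sort -rn -k1,1
}

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_LISTING" | iface_index kpm_inb
capture_cmd kpm_inb /tmp/capture.pcap icmp and host 192.168.3.254
read_cmd /tmp/capture.pcap icmp
printf '%s\n' "$SAMPLE_TEXT" | top_talkers
```

The ring-buffer flags are the important design choice: `-w` alone, as on the page, is fine for a short troubleshooting session, but a capture left running on a leaf writes until the filesystem is full, and `-C`/`-W` cap it at a known size.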