Focus

Prisma SD-WAN

tcpdump

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Activation & Onboarding
Administration
CloudBlades
Version
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
Deployment
Incidents & Alerts
Reference
Release Notes
Version
- 5.6
- 6.1
- 6.2
- 6.3
- 6.4
- 6.5
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed

ssh interface

tcpping

tcpdump

Use the tcpdump command to capture the TCP, or IP packets received or transferred over a network on a specific interface and used for network debugging and traffic analysis. The packet data is printed on a console or saved to a future analysis file or transfer. The following (args) options are automatically included in the device:

"-A", "b", "-e", "-K", "-#", "-p", "-q", "-S", "-t", "-tt", "-ttt", "-tttt", "-ttttt", "-u", "-v", "-vv", "-vvv", "-x", "-xx", "-X", "-XX" "-B", "-c", "-E", "-j", "-M", "-Q", "-T", "-s" "-C"

Capturing packets using the tcpdump command is currently not supported on sub-interfaces or SVIs for ION device software versions 6.1.x, 6.2.x, and 6.3.x. However, traffic flow of interest on such interfaces can be captured on parent interface, with the help of available (args) options.

Args options are not supported in releases 6.4.2 and 6.5.1, it will be reintroduced in the upcoming releases 6.4.3 and 6.5.2.

For capturing the packets:

tcpdump interface= -v -vv -x -xx srcv4= dstv4= srcv6= dstv6= host= port= srcport= dstport= protocol= show

tcpdump interface args=” “ show

For saving packets capture to a file:

tcpdump interface args=” “ save filename

tcpdump interface= -v -vv -x -xx srcv4= dstv4= srcv6= dstv6= host= port= srcport= dstport= protocol= save filename

For viewing and exporting a .pcap file:
```
file view sample.pcap
```

Command

tcpdump (interface name or number <args= " " | show | save file=filename>)

tcpdump (interface name or number-v  -vv  -x  -xx  srcv4=  dstv4=  srcv6=   dstv6=  host=   port=   srcport=  dstport=  protocol= show | save file=filename>)

Options

interface	Enter the interface to listen on.
show	Displays TCP packet information.
save file	Enter the name of the file in which the tcpdump is saved.

Command Notes

Role	Super, Read Only
Related Commands	—
Introduced in	Release 4.4.1

Example

tcpdump filtering on host IP 8.8.8.8, protocol = icmp, and display
				ethernetframe info (-e)
				tcpdump controller1 args=" -e host 8.8.8.8 and icmp" show tcpdump:verbose 
				output suppressed, use -v or -vv for full protocol decode
				listening on eth0, link-type EN10MB (Ethernet), capture size 65535
				bytes 14:06:13.488774 00:50:56:92:30:be > 00:50:56:92:8b:1a,
				ethertype IPv4 (0x0800), length 98: 192.168.30.10 > 8.8.8.8: ICMP
				echo request, id 12410, seq 0, length 64
				14:06:13.5395143e:2d:5f:3a:be:bd > 00:50:56:92:30:be,
				ethertype IPv4 (0x0800),length

tcpdump controller1 args="-vvv" show
				tcpdump: listening on eth0, link-type EN10MB (Ethernet), 
				capture size 262144 bytes
				06:04:09.589948 ARP, Ethernet (len 6), IPv4 (len 4), 
				Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 46
				06:04:09.589953 ARP, Ethernet (len 6), IPv4 (len 4),
				Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 78

tcpdump controller1 args="-c 5" save file=tcpdump_capture.pcap
				Saving...
				Press CTR+C to stop.
				tcpdump: listening on eth0, link-type EN10MB (Ethernet), 
				capture size 262144 bytes
				5 packets captured

tcpdump any args="src 11.11.11.5" show
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:36:29.529452 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:29.529467 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:29.529471 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 377, length 64
09:36:30.553375 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
09:36:30.553383 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
09:36:30.553385 IP 11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 378, length 64
^C
6 packets captured
9 packets received by filter
0 packets dropped by kernel

tcpdump any srcv4=11.11.11.5 -vv show
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:36:37.721372 IP (tos 0x0, ttl 63, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:37.721380 IP (tos 0x0, ttl 62, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:37.721381 IP (tos 0x0, ttl 62, id 60721, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 385, length 64
09:36:38.745249 IP (tos 0x0, ttl 63, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
09:36:38.745256 IP (tos 0x0, ttl 62, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
09:36:38.745258 IP (tos 0x0, ttl 62, id 60951, offset 0, flags [DF], proto ICMP (1), length 84)
    11.11.11.5 > 44.44.44.5: ICMP echo request, id 27, seq 386, length 64
^C
6 packets captured
9 packets received by filter
0 packets dropped by kernel

ssh interface

tcpping

Prisma SD-WAN Docs

tcpdump

Prisma SD-WAN Docs

tcpdump

Command

Options

Command Notes

Example

Activation & Onboarding

SASE

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices

Resources