tcpdump
Use the tcpdump command to capture packets (TCP, UDP, ICMP or other IP traffic) received or sent on a specific interface of the ION device, for network debugging and traffic analysis. Captured packets are either printed to the console or saved to a .pcap file for later analysis or for transfer off the device. The following tcpdump options are supported in the args string:
"-A", "-b", "-e", "-K", "-#", "-p", "-q", "-S", "-t", "-tt", "-ttt", "-tttt", "-ttttt", "-u", "-v", "-vv", "-vvv", "-x", "-xx", "-X", "-XX", "-B", "-c", "-E", "-j", "-M", "-Q", "-T", "-s", "-C"
Options not on this list are not accepted in args. In particular, tcpdump's own -w is not available; use the command's save file= form to write a capture to disk. Because the default capture size records full packet payloads, consider -s to limit the snap length and -c to bound the number of packets when the capture will be exported or shared.
Capturing packets with the tcpdump command is not supported on sub-interfaces or SVIs on ION device software versions 6.1.x, 6.2.x, and 6.3.x. Traffic of interest on such an interface can instead be captured on its parent interface and narrowed with a capture filter in args (for example, tcpdump's vlan <id> filter primitive selects frames tagged with one VLAN).
- To capture packets and print them to the console: tcpdump <interface> args="<options and filter>" show
- To save a capture to a file: tcpdump <interface> args="<options and filter>" save file=<filename>
- To view or export a saved .pcap file: file view <filename>, for example file view sample.pcap
Command
tcpdump <interface name or number> [args="<options and filter>"] show | save file=<filename>
Options
interface | The interface to listen on, given by name or number.
args | Optional quoted string containing tcpdump options from the list above, followed by a capture filter expression (for example, host 8.8.8.8 and icmp).
show | Prints the captured packets to the console.
save file | Writes the capture to a .pcap file with the given name.
Command Notes
Role | Super, Read Only
Related Commands | —
Introduced in | Release 4.4.1
Example
Filter on host 8.8.8.8 and ICMP, and display Ethernet frame information (-e):

tcpdump controller1 args="-e host 8.8.8.8 and icmp" show
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:06:13.488774 00:50:56:92:30:be > 00:50:56:92:8b:1a, ethertype IPv4 (0x0800), length 98: 192.168.30.10 > 8.8.8.8: ICMP echo request, id 12410, seq 0, length 64
14:06:13.539514 3e:2d:5f:3a:be:bd > 00:50:56:92:30:be, ethertype IPv4 (0x0800), length

Note that the interface is given by its ION name (controller1) while tcpdump reports the underlying Linux interface it listens on (eth0).

Capture with full protocol decode (-vvv):

tcpdump controller1 args="-vvv" show
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:04:09.589948 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 46
06:04:09.589953 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 78

Capture five packets (-c 5) and save them to a .pcap file; without -c the capture runs until you press Ctrl+C:

tcpdump controller1 args="-c 5" save file=tcpdump_capture.pcap
Saving... Press Ctrl+C to stop.
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
5 packets captured
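The file written by the save form above is meant to be exported and analyzed off the device. The following added example (not part of the Prisma SD-WAN documentation or the ION software) shows what such a file contains: it builds a small classic-format .pcap in memory from constructed frames that reproduce the ICMP exchange in the first example (the request as printed there, plus a constructed reply), then parses the file back and renders each record the way tcpdump -e prints it, verifying the IPv4 header checksum of every frame. It assumes the device writes the classic little-endian pcap format with Ethernet link type, which is what the "link-type EN10MB" and the .pcap extension suggest; a pcapng file would be rejected by the magic check. Function names, the timestamps and the reply frame are the example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # magic of a classic (non-pcapng) capture with microsecond timestamps
LINKTYPE_ETHERNET = 1     # DLT_EN10MB, the link type tcpdump reports on the ION device
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
ICMP_TYPES = {8: "echo request", 0: "echo reply"}

def mac_bytes(text): return bytes(int(p, 16) for p in text.split(":"))
def ip_bytes(text): return bytes(int(p) for p in text.split("."))
def fmt_mac(raw): return ":".join("%02x" % b for b in raw)
def fmt_ip(raw): return ".".join(str(b) for b in raw)

def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (used by IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq, payload_len=56):
    """Ethernet + IPv4 + ICMP echo frame with valid checksums (constructed test data)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + bytes(range(payload_len))
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, 64, 1, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + ip_hdr + icmp

def build_pcap(records, snaplen=65535):
    """Serialize (seconds, microseconds, frame) records as a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured
    return out

def iter_pcap(data):
    """Yield (seconds, microseconds, original_length, captured_bytes) for each record."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # the same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % offset)
        yield sec, usec, orig_len, data[offset:offset + incl_len]
        offset += incl_len

def ipv4_header_ok(frame):
    """True when the IPv4 header checksum verifies; a corrupted or truncated capture fails this."""
    ihl = (frame[14] & 0x0F) * 4
    return inet_checksum(frame[14:14 + ihl]) == 0

def describe_frame(sec, usec, orig_len, frame):
    """Render one record the way tcpdump -e prints it (time of day, MACs, ethertype, IP/ICMP)."""
    hours, rem = divmod(sec % 86400, 3600)
    minutes, seconds = divmod(rem, 60)
    (etype,) = struct.unpack("!H", frame[12:14])
    line = "%02d:%02d:%02d.%06d %s > %s, ethertype %s (0x%04x), length %d" % (
        hours, minutes, seconds, usec, fmt_mac(frame[6:12]), fmt_mac(frame[:6]),
        ETHERTYPE_NAMES.get(etype, "unknown"), etype, orig_len)
    if etype != 0x0800:
        return line
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src_ip, dst_ip = fmt_ip(frame[26:30]), fmt_ip(frame[30:34])
    if proto != 1:
        return "%s: %s > %s: IP proto %d" % (line, src_ip, dst_ip, proto)
    icmp = frame[14 + ihl:]
    typ, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    kind = ICMP_TYPES.get(typ, "type %d code %d" % (typ, code))
    return "%s: %s > %s: ICMP %s, id %d, seq %d, length %d" % (line, src_ip, dst_ip, kind, ident, seq, len(icmp))

def summarize_pcap(data):
    return [describe_frame(*record) for record in iter_pcap(data)]

# Constructed sample capture (not taken from a device): the echo request printed in the first
# example above plus a constructed reply; 50773 s after midnight is 14:06:13, matching that output.
SAMPLE_PCAP = build_pcap([
    (50773, 488774, build_icmp_echo_frame("00:50:56:92:30:be", "00:50:56:92:8b:1a",
                                          "192.168.30.10", "8.8.8.8", 8, 12410, 0)),
    (50773, 539514, build_icmp_echo_frame("3e:2d:5f:3a:be:bd", "00:50:56:92:30:be",
                                          "8.8.8.8", "192.168.30.10", 0, 12410, 0)),
])

if __name__ == "__main__":
    for line in summarize_pcap(SAMPLE_PCAP):
        print(line)
```

To use it on a real export, read the file that file view produced and pass its bytes to summarize_pcap; the checksum check is worth running first on any capture that travelled through several hands, since a parser that trusts incl_len without bounds checking is a common source of crashes in tools that consume untrusted .pcap files.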