tcpdump

Use the tcpdump command to capture TCP or IP packets received or transmitted over a network on a specific interface, for network debugging and traffic analysis. The packet data is printed on the console or saved to a file for later analysis or transfer. The following (args) options are automatically included in the device:
"-A", "-b", "-e", "-K", "-#", "-p", "-q", "-S", "-t", "-tt", "-ttt", "-tttt", "-ttttt", "-u", "-v", "-vv", "-vvv", "-x", "-xx", "-X", "-XX", "-B", "-c", "-E", "-j", "-M", "-Q", "-T", "-s", "-C"
Capturing packets using the tcpdump command is currently not supported on sub-interfaces or SVIs for ION device software versions 6.1.x, 6.2.x, and 6.3.x. However, traffic flows of interest on such interfaces can be captured on the parent interface with the help of the available (args) options.
  • For capturing the packets:
    tcpdump interface args=" " show
  • For saving packets capture to a file:
    tcpdump interface args=" " show | save filename
  • For viewing and exporting a .pcap file:
    file view sample.pcap

Command

tcpdump (interface name or number <args= " " | show | save file=filename>)

Options

interface    Enter the interface to listen on.
show         Displays TCP packet information.
save file    Enter the name of the file in which the tcpdump is saved.

Command Notes

Role             Super, Read Only
Related Commands
Introduced in    Release 4.4.1

Example

tcpdump filtering on host IP 8.8.8.8, protocol = icmp, and display Ethernet frame info (-e):

    tcpdump controller1 args=" -e host 8.8.8.8 and icmp" show
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:06:13.488774 00:50:56:92:30:be > 00:50:56:92:8b:1a, ethertype IPv4 (0x0800), length 98: 192.168.30.10 > 8.8.8.8: ICMP echo request, id 12410, seq 0, length 64
    14:06:13.539514 3e:2d:5f:3a:be:bd > 00:50:56:92:30:be, ethertype IPv4 (0x0800),length

    tcpdump controller1 args="-vvv" show
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    06:04:09.589948 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 46
    06:04:09.589953 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 179.19.44.2 (ff:ff:ff:ff:ff:ff) tell 179.19.44.7, length 78

    tcpdump controller1 args="-c 5" save file=tcpdump_capture.pcap
    Saving... Press CTR+C to stop.
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    5 packets captured
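
Because capture on the releases noted above is limited to the parent interface, sub-interface traffic has to be picked out of the parent capture afterwards. The following is an added example, not part of the original documentation: it parses saved -e output and groups frames by 802.1Q VLAN ID. It assumes sub-interface frames appear VLAN-tagged on the parent interface; the sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not from the page): -e output from a parent interface.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
14:06:13.488774 00:50:56:92:30:be > 00:50:56:92:8b:1a, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4 (0x0800), 192.168.30.10 > 8.8.8.8: ICMP echo request, id 12410, seq 0, length 64
14:06:13.539514 00:50:56:92:8b:1a > 00:50:56:92:30:be, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4 (0x0800), 8.8.8.8 > 192.168.30.10: ICMP echo reply, id 12410, seq 0, length 64
14:06:14.001200 00:50:56:92:30:be > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 200, p 0, ethertype ARP (0x0806), Request who-has 10.2.0.1 tell 10.2.0.7, length 46
14:06:14.250000 00:50:56:92:30:be > 00:50:56:92:8b:1a, ethertype IPv4 (0x0800), length 98: 192.168.1.5 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
14:06:15.000001 3e:2d:5f:3a:be:bd > 00:50:56:92:30:be, ethertype IPv4 (0x0800),length
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>{MAC}) > (?P<dst>{MAC}), "
    r"ethertype (?P<etype>[^,(]+?) \(0x[0-9a-f]{4}\), length (?P<length>\d+): (?P<rest>.*)$")
TAG = re.compile(  # 802.1Q header as printed by -e; the inner hex ethertype is optional
    r"^vlan (?P<vid>\d+), p \d+(?:, DEI)?, "
    r"ethertype (?P<inner>[^,(]+?)(?: \(0x[0-9a-f]{4}\))?, (?P<payload>.*)$")

def parse_frame(line):
    """Return a dict for one -e frame line, or None for banners and truncated lines."""
    m = FRAME.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["length"] = int(f["length"])
    rest = f.pop("rest")
    tag = TAG.match(rest) if f["etype"] == "802.1Q" else None
    if tag:  # tagged frame: report the inner protocol and the VLAN it belongs to
        f.update(vlan=int(tag["vid"]), etype=tag["inner"], payload=tag["payload"])
    else:    # untagged (native) traffic on the parent interface
        f.update(vlan=None, payload=rest)
    return f

def parse_capture(text):
    return [f for f in map(parse_frame, text.splitlines()) if f]

def frames_per_vlan(frames):
    return Counter(f["vlan"] for f in frames)

def for_subinterface(frames, vlan_id):
    return [f for f in frames if f["vlan"] == vlan_id]

if __name__ == "__main__":
    frames = parse_capture(SAMPLE)
    print(dict(frames_per_vlan(frames)))
    print(*for_subinterface(frames, 100), sep="\n")
```

Lines that do not parse, such as the banner or a frame cut off mid-line, are skipped rather than counted as untagged traffic.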