Capturing TCP traffic from the command line interface

You can start and stop the capture of TCP traffic. You can also see if the tracing task is running.

About this task

Use the packet_tracing command of the tools command group with one of the following options:
start
Starts capturing traffic data after prompting you to make the following choices:
Interface
Select the type of network interface through which the traffic that you want to capture travels.
All
If you want to capture the data that travels through both management and application interfaces, enter index 1.
M.1
The management interface. The local management interface (LMI) of the virtual appliance runs on this interface. If you want to capture only the data that travels through this interface, enter index 2.
P.1
The application interface. The administration console and the Identity Manager Service Center run on this interface. If you want to capture only the data that travels through this interface, enter index 3.
Filter type
Select a filter to restrict the type of internet traffic that is to be captured.
No Filter
Captures all traffic. Enter index 1.
Host Filter
Captures only the traffic to and from a selected computer. Enter index 2. Enter also the host ID of the partner computer in FQDN, IPv4, or IPv6 format at the following Enter host prompt.
TCP Only
Captures only the traffic coming through the TCP interface. Enter index 3.
UDP Only
Captures only the traffic coming through the UDP interface. Enter index 4.
Enter file label
Enter a string of your choice that begins the name of the files where the captured data is recorded. The complete file name is compounded by the following elements:
  • The string that you entered.
  • A value that corresponds to the interface you selected (any, eth0, or eth2).
  • The timestamp that records the start time.

The file extension is pcap and is followed by a digit from 0 to 9. The maximum file size is set to 10 MB and the file roll over number is 10.

stop
Stops the current packet tracing process.
Attention: If you started the process from the command line, the Ctrl+C key sequence also stops it. Do not press these keys while the process is running. To start over, enter the tools>packet_tracing>start commands again.
status
Reports whether a packet tracing process is running.

Each start and stop operation generates a system event in the event log of the virtual appliance.

Start packet tracing from the virtual appliance command line if you know that you might have to restart the virtual appliance during the tracing session.

Procedure

  1. From the command line interface, log on to the Identity Manager virtual appliance.
  2. To start capturing traffic data, enter the tools>packet_tracing>start commands at the prompt.
    1. Enter an index number for the interface.
    2. Enter an index number for the filter and, if you chose the host filter, the host name or address.
    3. Enter the file label.
    Tracing begins and the following message is displayed (the filename value is an example):
    The network packet tracing has been started.
    
    The network tracing will be captured in
    tcpdumpexample_any_20171114-153057.pcap (0 to 9)
    
    You can download the support package to get the file.

    The process might create several 10 MB files before you stop it. After file 9 reaches 10 MB, the capture starts over at file 0 and overwrites the older files in turn, so at most the most recent 100 MB of traffic is kept. Stop the capture soon after you reproduce the problem so that the relevant packets are not overwritten.

  3. To stop capturing, enter the tools>packet_tracing>stop commands at the prompt. Enter YES to confirm.
    Tracing is ended.
    Create and then download the file by using the command line interface.
    1. Create the file. Use the support>create command.
    2. Download the file. Use the support>download command.

      The downloaded support.zip file includes all the currently stored pcap files in the /var/log/packet_tracing subdirectory. These files contain raw packet data, including any credentials or session tokens that crossed the interface unencrypted, so handle the support package as sensitive.

  4. To find whether packet tracing is running, enter the tools>packet_tracing>status commands at the prompt.
    The command returns either
    Packet tracing is running
    or
    Packet tracing is not running
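The roll-over behaviour described above means that after the tenth file fills, pcap0 holds newer traffic than pcap9, so the numeric suffix is not a reliable ordering. The following Python script is an added example and not code from the IBM documentation or the appliance: it opens a downloaded support.zip, reads the pcap headers of each file under /var/log/packet_tracing, and orders the files by the timestamp of their first packet, skipping a half-written trailing record in the file that was being written when the capture stopped. It assumes the member path and the label_interface_timestamp.pcapN file-name pattern described in this topic and the standard libpcap file format; the support package it parses is constructed inside the script.

```python
# Added example, not part of the IBM documentation or the appliance itself.
# Assumes: pcap members live under var/log/packet_tracing/ in support.zip and
# follow the <label>_<interface>_<YYYYMMDD-HHMMSS>.pcap<N> pattern from the page.
import io
import re
import struct
import zipfile

NAME_RE = re.compile(
    r"(?P<label>[^/]+)_(?P<iface>any|eth0|eth2)_(?P<start>\d{8}-\d{6})\.pcap(?P<idx>\d)$"
)

# pcap magic number -> (struct byte order, divisor for the fractional timestamp field)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}


def pcap_span(data):
    """Return (first_ts, last_ts, packet_count) for one pcap blob, or None if it has no packets.
    A trailing half-written record (the file the capture was writing at 'stop') is skipped."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a pcap file")
    order, divisor = MAGICS[data[:4]]
    off, first, last, count = 24, None, None, 0
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break  # truncated record at end of file
        ts = sec + frac / divisor
        first = ts if first is None else first
        last = ts
        count += 1
        off += 16 + incl_len
    return None if count == 0 else (first, last, count)


def order_ring(zip_bytes, subdir="var/log/packet_tracing/"):
    """Return [(member, index, first_ts, last_ts, packets)] for the rotated pcap files in a
    support package, sorted by capture time. After the ring wraps (pcap9 -> pcap0), the
    numeric index no longer reflects chronological order, so sort on packet timestamps."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            m = NAME_RE.search(name)
            if subdir not in name or not m:
                continue
            span = pcap_span(zf.read(name))
            if span is None:
                continue  # ring slot with no packets yet
            rows.append((name, int(m["idx"]), span[0], span[1], span[2]))
    return sorted(rows, key=lambda r: r[2])


def ring_wrapped(rows):
    """True when chronological order differs from index order, i.e. pcap0 was overwritten."""
    return [r[1] for r in rows] != sorted(r[1] for r in rows)


# ---- constructed sample data (not a real appliance capture) ----
def make_pcap(timestamps, nanos=False):
    """Minimal pcap (LINKTYPE_ETHERNET = 1) with one 4-byte dummy frame per timestamp."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        sec = int(ts)
        frac = round((ts - sec) * (1_000_000_000 if nanos else 1_000_000))
        out += struct.pack("<IIII", sec, frac, 4, 4) + b"\xde\xad\xbe\xef"
    return out


def sample_support_zip():
    """A 10-slot ring that rolled over 12 times: slots 2-9 hold the first lap, slots 0 and 1
    were overwritten on the second lap, and slot 1 (newest) ends in a half-written record."""
    base = 1510673457  # 2017-11-14 15:30:57 UTC, the start time in the page's example name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for idx in range(10):
            lap = idx if idx >= 2 else idx + 10
            t0 = base + lap * 60
            data = make_pcap([t0, t0 + 0.5, t0 + 59.0], nanos=(idx == 5))
            if idx == 1:
                data += struct.pack("<IIII", t0 + 59, 0, 4, 4) + b"\xde"  # cut mid-record
            zf.writestr(f"var/log/packet_tracing/tcpdumpexample_any_20171114-153057.pcap{idx}", data)
    return buf.getvalue()


if __name__ == "__main__":
    rows = order_ring(sample_support_zip())
    print("ring wrapped:", ring_wrapped(rows))
    for member, idx, first, last, n in rows:
        print(f"pcap{idx}: {n:2d} packets  {first:.3f} .. {last:.3f}  {member.rsplit('/', 1)[-1]}")
```

Running the script prints the constructed ring in chronological order (pcap2 through pcap9, then pcap0 and pcap1). Pass the bytes of a real support.zip to order_ring() to do the same with an actual capture; once you know the order, open the files in that sequence in your packet analyzer, or merge them with mergecap, which orders packets by timestamp.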