Additional tcpdump commands

There are several tcpdump commands that you can use to gather additional information about PCA processing.

Extended tcpdump Details

To get the expanded details for tcpdump, run man tcpdump on the PCA server or get it from the http://www.tcpdump.org/ website. The short form is:

tcpdump -ni NIC -s0 -w dumpfile filter_string

where

  • NIC is the sniffer/capture NIC's device name. To see a list of NIC device names, use the ifconfig command or the Interface page of the PCA's Web UI, which is located by default at http://<PCA>:8080/interface.php or https://<PCA>:8443/interface. <PCA> is the host name or IP address of the PCA.
  • dumpfile is the name of the file to which the dump is written.
  • filter string is the IP/port expression that you want to capture.

If you want to run a test to validate, remove the -w option and its argument; output is then printed to the console.

Test capture sniffer ports for traffic

To use tcpdump to determine if capture sniffer ports are receiving traffic:

tcpdump -ni eth1 | more

To look for specific traffic:

tcpdump -ni bge0 host <IP address> and port <IP port number> | more

Where <IP address> and <IP port number> might be 10.10.10.2 and 80, for
example.

Manual Capture of tcpdump to a File

The manual method of using tcpdump to capture HTTP(S) traffic to a dump file is the following:

tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port \(80 or 443\)
tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port '('80 or 443')'
tcpdump -ni bge0 -s0 -w dumpfile net xxx.xxx.xxx.0/24 and port 80

Using existing tcpdump file to extract specific traffic to another dump file:

tcpdump -nr <dumpfile> -s0 -w <new_file_name> host <ip address> and \
port <port number>

Display tcpdump Extra Header

If tcpdump is unable to filter any traffic, whereas running tcpdump unfiltered does show traffic, then the problem may be due to an extra Ethernet header being added, which is typically a VLAN header: 802.1Q VLAN. Use the tcpdump -e option to see this extra header information, which should look like the following:

. . . ethertype 802.1Q, length 64: vlan 128, p 0, ethertype IPv4,
IP 192.168.128.42.8001 > 192.168.128.90.20700:

Port Filtering

Trying to filter using tcpdump fails. An example is to filter on a known port number, such as the following:

tcpdump -ni eth2 port 8001

If tcpdump is unable to provide a filtered output, then the passive capture software is not able to do so either.

If it is VLAN-type traffic, use the vlan expression operator as part of the filter expression:

tcpdump -ni eth2 vlan and port 8001

Other examples of filtering with VLAN packets:

tcpdump -nr tst.dmp 'ether[12:2] = 0x8100'
tcpdump -nr tst.dmp vlan and ip and port 8001

To show both types of traffic:

tcpdump -nr tst.dmp ip or vlan

Display client side traffic only for specific IP address

The following command only displays traffic from the client side, which are requests made from browser to web server from the specified IP address.

tcpdump -nieth1 src host ipAddr and port #nmbr

Display All Client-Side Traffic

The following command displays all client side traffic that attempts to connection on the specified port number. All requests from all clients on the specified port are reported.

tcpdump -nieth1 dst port #nmbr

Display only SYN and FIN Packets

The following command only displays the SYN and FIN packets in the tst.dmp file. This command can be used to verify that in addition to both directions of traffic being present, the PCA is also seeing the successful start and stop of the tcp connections.

Valid output that is expected for each connection would be a SYN packet in each direction at the start of the connection and a FIN packet in each direction at the end of the connection.

tcpdump -nr tst.dmp 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

Using tcpdump to determine if traffic is not bidirectional

Execute the following or similar tcpdump command:

tcpdump -ni <NIC> -s0 host 192.168.149.201 and port 443

Where:

  • -s0 - do not truncate large packets. Without this option, unidirectional traffic recording does not occur.
  • <NIC> - the device name of one of the PCA's capture NIC's.

The command should generate output similar to the following:

16:10:37.271214 IP 12.130.155.248.4863 > 192.168.149.201.https:
S 4007169894:4007169894(0) win 64512 <mss 1460,nop,nop,sackOK>

There are columns for each line representing a packet:

  • timestamp
  • network protocol
  • source IP address.IP port
  • destination IP address.IP port
  • TCP flags
  • selected information about the packet

The preceding example is a TCP/IP connection handshake packet showing the client-to-server initial SYN handshake.

There should be a second packet with the two IP.port columns reversed to indicate the server to client SYN handshake packet. If there is no second packet, then the SPAN port is not providing bidirectional traffic to the PCA's capture NIC.