Using tcpdump for troubleshooting

The tcpdump utility is built into Linux.  Because Arista EOS is built on a Linux (Fedora 12) foundation, the utility comes bundled with every Arista switch.  In short, tcpdump is a software-based packet sniffer that ships with Linux and is a highly useful tool for troubleshooting network issues.

Any traffic to or from the control plane of the switch is visible when running the tcpdump utility on the switch.  This does not include data-plane traffic transiting the switch; to capture that traffic, Arista switches support Monitor / SPAN ports, which copy traffic to a sniffer or other suitable capture device for analysis.

With tcpdump one can readily analyze important traffic such as Spanning Tree, routing protocols and any other traffic that is destined to the switch itself (SVI or management IP address), the switch CPU (EOS extensions) or other control-plane protocols.

1.  The first step is to access the BASH shell:

Lab-Switch#bash
Arista Networks EOS shell
[admin@Lab-Switch ~]$

Once in ‘enable’ mode, all that is required is to type ‘bash’ and you will be presented with a bash shell prompt.  At this point you are in a bash shell, and any commands you type run directly within Linux rather than within the EOS CLI.

2.  The next step is to find the appropriate interface that you wish to monitor:

The Linux ‘ifconfig’ command can be used to see the available interfaces as the Linux kernel views them.

[admin@p1-bismuth ~]$ ifconfig

cpu         Link encap:Ethernet  HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST  MTU:9216  Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:372 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1140 (1.1 KiB)  TX bytes:26802 (26.1 KiB)
et1         Link encap:Ethernet  HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST  MTU:9216  Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:47891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:240 (240.0 b)  TX bytes:3683975 (3.5 MiB)
et2         Link encap:Ethernet  HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST  MTU:9216  Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:1125577 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:180 (180.0 b)  TX bytes:86586365 (82.5 MiB)
et3         Link encap:Ethernet  HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST  MTU:9216  Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:447950 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:360 (360.0 b)  TX bytes:34459456 (32.8 MiB)
<Output Truncated>

et24         Link encap:Ethernet  HWaddr 02:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST  MTU:9216  Metric:1
RX packets:79677 errors:0 dropped:0 overruns:0 frame:0
TX packets:79695 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:19042803 (18.1 MiB)  TX bytes:17373510 (16.5 MiB)
<Output Truncated>

ma1         Link encap:Ethernet  HWaddr 00:1C:73:0B:1D:13
UP BROADCAST MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Interrupt:31 Base address:0x2000
ma2        Link encap:Ethernet  HWaddr 00:1C:73:0B:1D:14
UP BROADCAST MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Interrupt:30 Base address:0x6000
vlan1026  Link encap:Ethernet  HWaddr 00:1C:73:0B:1D:15
inet addr:172.22.26.1  Bcast:255.255.255.255  Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST  MTU:9212  Metric:1
RX packets:1614852 errors:0 dropped:0 overruns:0 frame:0
TX packets:386542 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:721138049 (687.7 MiB)  TX bytes:42279526 (40.3 MiB)
[admin@Lab-Switch ~]$

The list of interfaces reflects each of the physical interfaces in the switch as well as the virtual interfaces.  Any VLAN that has been assigned an IP address (SVI) shows up as a vlanX interface.  The management interfaces show up as ma1, ma2, etc.  The interface name shown in the leftmost column is the Linux interface name that we will use with the tcpdump utility.

3. Simple example of running tcpdump on a VLAN interface:

[admin@Lab-Switch ~]$ sudo tcpdump -i vlan1026
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1026, link-type EN10MB (Ethernet), capture size 65535 bytes

It’s important to note that the tcpdump utility must run as root (the superuser).  As a result the command must be preceded by ‘sudo’, which runs the command that follows it as the user root.  As of EOS 4.6, the tcpdump command is actually invoked via a script that inserts ‘sudo’, so in more recent EOS releases tcpdump can be run without preceding it with ‘sudo’.

The ‘-i’ flag indicates that the value following it is the interface on which you wish to run tcpdump.  The ‘-v’ and ‘-vv’ flags provide progressively more detailed output.  (Ex: [admin@Lab-Switch ~]$ sudo tcpdump -i vlan1026 -v -vv).

4.  Once you know the Linux name associated with a given interface, you can also call the tcpdump command directly from inside EOS without the need to drop into a BASH shell first.

(Ex: Lab-Switch#bash sudo tcpdump -i et12 -v -vv).

5.  Another common option is filtering for more specific traffic, for example traffic to a specific destination port number.

(Ex: Lab-Switch#bash sudo tcpdump -n dst port 23 -i et12 -v -vv)

6.  It’s common to redirect the output of a tcpdump command to a file, where it can be viewed and analyzed more readily than in a terminal window’s capture buffer.

(Ex: admin@Lab-Switch sudo tcpdump -n dst port 80 -i vlan1026 -v > /tmp/dump.txt)

Note: It’s important to ensure that the filesystem has space available, and it’s always a good idea to remove capture files when done so that space isn’t needlessly consumed, which could eventually lead to a space shortage (the ‘df’, or disk free, command is an easy way to view available space).

7.  The tcpdump command has many options that allow the user to tailor the output.  For a complete listing of the available options refer to the tcpdump manual page (Ex: bash man tcpdump).
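Steps 2 through 7 above, tied together as an added example that is not part of the original post and not Arista's own tooling: a POSIX shell wrapper, meant to be run from the EOS bash shell, that pulls interface names out of the legacy ifconfig output shown earlier, checks free space with df before writing under /tmp, and bounds the capture with a packet count so that a capture started on the control plane cannot quietly fill the switch's filesystem. The interface name et12, the path /tmp/telnet.pcap, the 50 MiB threshold and the dst port 23 filter are assumed values; the tcpdump options it uses (-n, -i, -c, -w, -r) are standard. Unlike the post's text redirection, it writes a pcap with -w, which tcpdump -r and Wireshark can read back.

```shell
#!/bin/sh
# Added example, not from the original post: a small wrapper around tcpdump
# for bounded control-plane captures from the EOS bash shell. Interface
# names, file paths and the free-space threshold are assumptions.

# Minimum free space required on the capture filesystem, in KiB (assumed).
MIN_FREE_KB=51200

# Step 2: extract interface names from legacy ifconfig output (the format
# shown in the post), where each interface block starts with a line such as
# "et1   Link encap:Ethernet ...". Reads ifconfig output on stdin.
iface_names_from_ifconfig() {
    awk '/Link encap/ { print $1 }'
}

# Parse the "Available" column (KiB) from POSIX 'df -P -k' output on stdin.
# -P keeps each filesystem on one line, so line 2 is the filesystem asked for.
avail_kb_from_df() {
    awk 'NR == 2 { print $4 }'
}

# Free KiB on the filesystem holding directory $1 (0 if df fails).
avail_kb() {
    free=$(df -P -k "$1" 2>/dev/null | avail_kb_from_df)
    echo "${free:-0}"
}

# True when $1 KiB is enough to start a capture.
space_ok() {
    [ "$1" -ge "$MIN_FREE_KB" ]
}

# Render the capture command line: interface, output file, packet cap,
# then the capture filter (e.g. dst port 23).
#   -n  no name lookups, so the sniffer itself generates no DNS traffic
#   -c  stop after N packets, so a forgotten session cannot fill the disk
#   -w  write pcap (readable with tcpdump -r or Wireshark) instead of text
tcpdump_cmd() {
    iface=$1; outfile=$2; count=$3; shift 3
    printf 'sudo tcpdump -n -i %s -c %s -w %s %s\n' \
        "$iface" "$count" "$outfile" "$*"
}

# Steps 3 to 6: capture to a file, but only after the space check passes.
capture() {
    iface=$1; outfile=$2; count=$3; shift 3
    dir=$(dirname "$outfile")
    free=$(avail_kb "$dir")
    if ! space_ok "$free"; then
        echo "only ${free} KiB free under ${dir}; not starting capture" >&2
        return 1
    fi
    echo "running: $(tcpdump_cmd "$iface" "$outfile" "$count" "$@")"
    sudo tcpdump -n -i "$iface" -c "$count" -w "$outfile" "$@"
}

# Read a capture back with full decode; -n again to avoid name lookups.
review() {
    sudo tcpdump -n -r "$1" -vv
}

# Usage from the EOS bash shell (assumed interface, path and filter):
#   sh capture.sh capture et12 /tmp/telnet.pcap 200 dst port 23
#   sh capture.sh review /tmp/telnet.pcap
#   rm /tmp/telnet.pcap        # free the space when done (step 6 note)
case "${1:-}" in
    capture) shift; capture "$@" ;;
    review)  shift; review "$@" ;;
esac
```

The packet cap is the important design choice: a capture left running on a busy SVI grows without limit, and on a switch the capture filesystem is shared with logging and image storage, so the wrapper refuses to start when df reports less than the threshold and always stops itself after the requested number of packets.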

The tcpdump utility is powerful and supports some complex filtering options.  The examples given here are just starting points; experiment and find the options that are most useful for your needs!
