tcpdump is the standard native Linux command-line tool for capturing and troubleshooting IP traffic.
The package is not installed by default on the UCSD appliance, but it can be installed with yum (yum install tcpdump).
Prerequisite: UCSD must be able to resolve external DNS names and reach the yum mirrors on the internet so that yum can fetch the package.
Here is the install:
[root@localhost tmp]# yum install tcpdump
Loaded plugins: fastestmirror
Determining fastest mirrors
* addons: mirror.steadfast.net
* base: pubmirrors.dal.corespace.com
* extras: mirror.us.oneandone.net
* updates: dallas.tx.mirror.xygenhosting.com
addons | 1.9 kB 00:00
base | 1.1 kB 00:00
extras | 2.1 kB 00:00
updates | 1.9 kB 00:00
updates/primary_db | 518 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package tcpdump.x86_64 14:3.9.4-15.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
===============================================================================================================================
 Package              Arch            Version                   Repository       Size
===============================================================================================================================
Installing:
 tcpdump              x86_64          14:3.9.4-15.el5           base             456 k
Transaction Summary
===============================================================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 456 k
Is this ok [y/N]: y
Downloading Packages:
tcpdump-3.9.4-15.el5.x86_64.rpm | 456 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : tcpdump 1/1
Installed:
tcpdump.x86_64 14:3.9.4-15.el5
Complete!
The manual page for tcpdump can be obtained by typing
man tcpdump
Running tcpdump with no arguments captures everything on the first interface (eth0 here). Note the "capture size 96 bytes": this tcpdump release truncates every packet to 96 bytes, which is enough for the headers but not for the payload, so add -s 0 (full packets) whenever the payload matters. The SSH session used to run tcpdump also shows up in its own capture, as the first line shows; add 'not port 22' to the filter to hide it:
[root@localhost tmp]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:26:12.552602 IP 172.17.32.135.ssh > 192.168.32.110.54221: P 1632689526:1632689638(112) ack 1251125419 win 151 <nop,nop,timestamp 1035954528 651295310>
Looking for traffic sent by a specific host. -nn prints addresses and ports as numbers instead of looking up names, which keeps the capture fast and avoids generating DNS queries of its own. Note that 'src host' also matches the sender address of ARP requests, as the last line below shows; add 'and not arp' to see IP packets only:
[root@localhost tmp]# tcpdump -nn src host 172.17.32.110
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:32:54.015905 IP 172.17.32.110.61537 > 172.17.32.111.443: P 1430747147:1430747221(74) ack 1798473513 win 256
18:32:54.015971 IP 172.17.32.110.61537 > 172.17.32.111.443: P 74:164(90) ack 1 win 256
18:32:54.026873 IP 172.17.32.110.61537 > 172.17.32.111.443: . ack 816 win 253
18:32:58.882358 arp who-has 172.17.32.111 (00:25:b5:01:a0:6f) tell 172.17.32.110
Looking for CDP packets. The filter 'ether[20:2] == 0x2000' matches the 2-byte SNAP protocol ID at byte offset 20 of the Ethernet frame, which Cisco sets to 0x2000 for CDP; -s 1500 raises the capture size from the 96-byte default so the whole CDP payload is decoded, -v prints the individual TLVs, and -c 1 stops after the first matching frame. Everything decoded below (device name, management IP, platform, NX-OS version, port) is sent in clear to every host on the segment, which is why CDP is a standard reconnaissance source and is normally disabled on ports facing untrusted hosts:
[root@localhost tmp]# tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:35:42.695736 CDPv2, ttl: 180s, checksum: 692 (unverified), length 230
Device-ID (0x01), length: 30 bytes: 'VSM100V-1(8618679311377563319)'
Address (0x02), length: 13 bytes: IPv4 (1) 172.17.32.6
Port-ID (0x03), length: 5 bytes: 'mgmt0'
Capability (0x04), length: 4 bytes: (0x00000209): Router, L2 Switch
Version String (0x05), length: 69 bytes:
Cisco Nexus Operating System (NX-OS) Software, Version 5.2(1)SK1(1.1)
Platform (0x06), length: 10 bytes: 'Nexus1000V'
AVVID trust bitmap (0x12), length: 1 byte: 0x00
AVVID untrusted ports CoS (0x13), length: 1 byte: 0x00
Duplex (0x0b), length: 1 byte: full
MTU (0x11), length: 4 bytes: 1500 bytes
System Name (0x14), length: 9 bytes: 'VSM100V-1'
System Object ID (not decoded) (0x15), length: 14 bytes:
0x0000: 060c 2b06 0104 0109 0c03 0103 8648
Management Addresses (0x16), length: 13 bytes: IPv4 (1) 172.17.32.6
1 packets captured
4 packets received by filter
0 packets dropped by kernel
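The offset in the CDP filter is easy to get wrong, so here is an added example (not from the original page) that walks the first bytes of a CDP frame and evaluates what tcpdump's ether[20:2] would read. The frame hex is constructed from the CDP frame layout for this example (the MAC addresses are made up; the VTP frame is the same header with VTP's SNAP protocol ID), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: shows why the filter
# 'ether[20:2] == 0x2000' selects CDP. tcpdump's ether[N:2] reads two bytes
# at byte offset N from the start of the Ethernet frame, and in a CDP frame
# offset 20 is the SNAP protocol ID, which Cisco sets to 0x2000 for CDP.
#
# CONSTRUCTED hex for the first 24 bytes of a CDP frame (layout only; the
# addresses are made up for this example, not taken from a real capture):
#   offset  0-5   dst MAC   01:00:0c:cc:cc:cc  Cisco multicast used by CDP/VTP/DTP
#   offset  6-11  src MAC   00:25:b5:01:a0:6f
#   offset 12-13  802.3 length field         00 ee = 238 (8 bytes LLC/SNAP + 230 CDP)
#   offset 14-16  LLC DSAP/SSAP/Ctrl         aa aa 03  (SNAP encapsulation)
#   offset 17-19  SNAP OUI                   00 00 0c  (Cisco)
#   offset 20-21  SNAP protocol ID           20 00     (CDP)
#   offset 22-23  CDP version, TTL           02 b4     (CDPv2, 180 s)
CDP_FRAME_HEX="01000ccccccc0025b501a06f00eeaaaa0300000c200002b4"
# Same header with the SNAP protocol ID of VTP (0x2003) in place of CDP's.
VTP_FRAME_HEX="01000ccccccc0025b501a06f00eeaaaa0300000c20030000"

# ether_u16 FRAME_HEX OFFSET: print the 16-bit value at byte OFFSET as 0xNNNN,
# i.e. what tcpdump's ether[OFFSET:2] evaluates to for this frame.
ether_u16() {
    start=$(( $2 * 2 + 1 ))        # cut counts characters from 1; 2 hex chars per byte
    end=$(( start + 3 ))
    printf '0x%s\n' "$(printf '%s' "$1" | cut -c "${start}-${end}")"
}

# is_cdp_frame FRAME_HEX: succeed only when the SNAP protocol ID is CDP's.
is_cdp_frame() {
    [ "$(ether_u16 "$1" 20)" = "0x2000" ]
}

# cisco_snap_proto FRAME_HEX: name the Cisco protocol carried, using Cisco's
# SNAP protocol IDs (CDP 0x2000, VTP 0x2003, DTP 0x2004; only 0x2000 is
# on the page, the other two are assumptions stated here).
cisco_snap_proto() {
    case $(ether_u16 "$1" 20) in
        0x2000) echo CDP ;;
        0x2003) echo VTP ;;
        0x2004) echo DTP ;;
        *)      echo unknown ;;
    esac
}

# Walk the header so the offsets in the table above can be checked by eye.
dump_offsets() {
    for off in 12 14 17 20 22; do
        printf 'ether[%d:2] = %s\n' "$off" "$(ether_u16 "$1" "$off")"
    done
}

dump_offsets "$CDP_FRAME_HEX"
echo "CDP frame carries: $(cisco_snap_proto "$CDP_FRAME_HEX")"
echo "VTP frame carries: $(cisco_snap_proto "$VTP_FRAME_HEX")"
```

A more readable alternative is 'ether dst 01:00:0c:cc:cc:cc', but that address is shared with VTP and DTP, so the protocol-ID check is the one that selects CDP alone.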
Looking for traffic from one source host to one TCP port (3389, RDP, in this example). The whole filter expression is quoted so the shell passes it to tcpdump unchanged:
tcpdump -nn 'src host 1.2.3.4 and tcp port 3389'