https://community.cisco.com/t5/network-security/tcpdump-with-nac/m-p/1145098#M774183 <P>How can I use TCPdump with the CAS? When specifying a physical interface while using TCPdump, it only picks up broadcast traffic. For example tcpdump -vv -nn -i eth1. Is there special options to look at all traffic through the CAS in my L3 deployment. Do I need to use the fake interfaces?</P> Fri, 21 Feb 2020 11:21:54 GMT hillegas 2020-02-21T11:21:54Z https://community.cisco.com/t5/network-security/tcpdump-with-nac/m-p/1145098#M774183 <P>How can I use TCPdump with the CAS? When specifying a physical interface while using TCPdump, it only picks up broadcast traffic. For example tcpdump -vv -nn -i eth1. Is there special options to look at all traffic through the CAS in my L3 deployment. Do I need to use the fake interfaces?</P> Fri, 21 Feb 2020 11:21:54 GMT https://community.cisco.com/t5/network-security/tcpdump-with-nac/m-p/1145098#M774183 hillegas 2020-02-21T11:21:54Z https://community.cisco.com/t5/network-security/tcpdump-with-nac/m-p/1145099#M774188 <HTML><HEAD></HEAD><BODY><P>I use eth0 and fake0 dumps together. 1 is the inbound and one seems to represent an outbound. It may also be that it represents the internal routing within the cas.</P><P>However, to me it was easier to get a real picture by spanning the switch ports connected to the cas off to a wireshark device. Then perform the capture on the wireshark device.</P><P>Keep in mind if you are spanning from a remote switch your capture will not include vlan tags so if possible consider spanning to a port on the same switch connected to the CAS.</P></BODY></HTML> Thu, 19 Mar 2009 13:38:48 GMT https://community.cisco.com/t5/network-security/tcpdump-with-nac/m-p/1145099#M774188 greg.washburn 2009-03-19T13:38:48Z