Perform Packet Capture on QUAD Node

cdnadmin · ‎01-24-2014

This document was generated from CDN thread

Created by: James Maudlin on 20-05-2011 09:50:55 AM
WebEx Social nodes run a customized version of CentOS, which is the
community-supported version of Red Hat Enterprise Linux (RHEL). All of
the VOS-related products (CUCM, Unity Connect, etc) run on RHEL, but at
the end of the day, most commands you can do as root on one you can do
as root on the other.

One such command is tcpdump, which allows you to take packet captures
on the WebEx Social node itself. Here is a sample of how to run that command:
<ol>
<li>
ssh to the WebEx Social node you want to perform the capture on.</li>
<li>
Login as root.</li>
<li>
When you are ready to start the capture, type "tcpdump -w
<filename.cap> -s 0", where "<filename.cap> is the name of
the file you want to create. The "-s 0" tells tcpdump to capture the
entire packet. If you fail to add this argument, you will end up with
only the first 64 bytes of each packet, which is generally not very
useful.</li>
<li>
The capture begins once you run this command.</li>
<li>
When you are done capturing packets, type crtl-c to end the tcpdump.</li>
<li>
Use SFTP or other means to get the capture off of the WebEx Social node. If you
followed the instructions above, it would be in the /root directory.
Otherwise, it will write to the directory you are currently in when you
run the tcpdump command.</li>
</ol>

The command above captures all packets, but you can also limit what
gets captured based on things like what port the traffic is using. For
example, to capture just web traffic, you can run the following:

<code>tcpdump -w mycapture.cap -s 0 port 80</code>

This will only capture traffic to/from TCP port 80 on that box.

If the traffic is light - e.g.: this is a new deployment - it is
suggested that you not employ filters, just in case you find some other
interesting traffic that passes by.

Once you have this packet capture, you can use a tool like Wireshark to analyze the output.