juniper EX系列交换机tcpdump命令

SUMMARY:

This article provides information for administrators on how to use the TCPdump utility, based on certain filtering, to capture 'control plane' traffic on EX switches.

SYMPTOMS:

  • TCPdump is a very powerful command line interface packet sniffer.


  • This utility shows the contents of the packets on network interface, which match the boolean expression.


  • The output of the TCPdump shows the total number of packets being received by the filter and total number of packets dropped by the kernel, if any.


  • The default packet capture size is 96 bytes.  

CAUSE:

SOLUTION:

Usage:

tcpdump [-abdeflnNOpqStUvxX] [-c count] [ -F file ]
[ -i interface ] [ -r file ] [ -s snaplen ]
[ -T type ] [ -w file ] [ expression ]
[ -Jt resolve_tmo ]

TCPDUMP syntax:

SyntaxProtocolDirectionHost (s)ValueLogical OperationsOther Expressions
ExampleTcpDst10.1.1.180AndTcp dst 10.2.2.2 8888

Protocol:


Values: ether, ip, arp, rarp, decnet, tcp, and udp. If no protocol is specified, all the protocols are used.

Direction:

Values: src, dst, src and dst, src, or dst. If no source or destination is specified, the src or dst keyword is applied. For example, host 10.2.2.2 is equivalent to src or dst host 10.2.2.2.

Host(s):

Values: net, port, host, and portrange. If no host is specified, the host keyword is used. For example, src 10.1.1.1 is equivalent to src host 10.1.1.1.

Logical Operators:

  • Values: not (!) , and (&&) , or.


  • Negation ("not") has highest precedence.


  • Alternation ("or") and concatenation ("and") have equal precedence and associate left to right.


  • For example, not tcp port 3128 and tcp port 23.


TCPDUMP examples:

  • tcpdump: This provides the output for all the protocols with source or destination.


  • tcpdump -v: This provides the verbose output for all the protocols with source or destination.


  • tcpdump -vv: This provides the detailed output for all the protocols with source or destination.


  • tcpdump -i <interface name>: This will provide the output for specific interface.


  • tcpdump - c <number of packets> (for example, tcpdump –c 20): TCPDUMP will stop after the required number of packets.


  • tcpdump –F <file-name> (for example, tcpdump –F arpcap. Where the arpcap file contains the ARP keyword for capture): This will make tcpdump use the capture parameters from the specified file. You can also define the port number in the file to capture; for example,  port 80.


  • tcpdump udp: This will capture the UDP traffic.


  • tcpdump port http:This will capture traffic for TCP port 80. Use this filter to capture traffic from different ports.


  • tcpdump –w capture.pcap: This will capture the output in a file; instead of directly on the screen. This file can be opened in Wireshark.


  • tcpdump –r capture.log: This will allow the user to read the capture file with tcpdump. You can use Wireshark or any other packet capture to read outputs.


  • tcpdump src 192.168.1.100 and dst 192.168.1.200 and port ftp:This will display the FTP packets, which are coming from source 192.168.1.100 to destination 192.168.1.200.


  • tcpdump src net 192.168.1.0/24 and dst net 192.168.1.0/24 and port http: This will display the HTTP packet, which is coming from network 192.168.1.0 to destination 192.168.2.0.


  • tcpdump –s snaplen E.g. tcpdump –s 1500: This will define the length in bytes of the packet to capture. By default, tcpdump only captures the first 96 bytes.


  • tcpdump –T type (for example, tcpdump –T rcp): This will Force packets, which are selected by the expression, to be interpreted as the specified type.


  • tcpdump -Jt <resolve timout> (for example, tcpdump -Jt 2): This will define the address resolution timeout in seconds.


  • tcpdump –e: This will display the Layer 2 headers of the packet.


采集自:https://kb.juniper.net/InfoCenter/index?page=content&id=KB23313

添加新评论 »