Multi-blade capture (tcpdump –mcap -view)

Use this command to see TCP/IP and other packets sent and received by the 61000/41000 Security System. This release includes these 61000/41000 Security System-specific enhancements to the standard tcpdump utility:

• tcpdump –mcap - Gets packets from specified SGMs and saves them to a capture file.
• tcpdump –view Shows packets in the specified capture file, including the SGM ID from the packet captured packet.

Syntax

tcpdump [-b <sgm_ids>] -mcap -w <capture_path> [<tcpdump_ops>]

tcpdump -view -r <capture_path> [<tcpdump_ops>]

Note - To stop the capture and save the data to the capture file, enter ctl-c at the prompt.

-b <sgm_ids>

Example - Capture all SGMs

> tcpdump –mcap –w /tmp/capture

Capturing packets…

Write "stop" and press enter to stop the packets capture process.

1_01:

tcpdump: listening on eth1-Mgmt4, link-type EN10MB (Ethernet), capture size 96 bytes

stop	

Received user request to stop the packets capture process.

Copying captured packets from all SGMs...

Merging captured packets from SGMs to /tmp/capture...

Done.

Example - Capture packets from specified SGMs and interfaces

> tcpdump –b 1_1,1_3,2_1 –mcap –w /tmp/capture –nnni eth1-Mgmt4

Example - Show captured packets from file

> tcpdump -view -r /tmp/capture

Reading from file /tmp/capture, link-type EN10MB (Ethernet)

 [1_3] 14:11:57.971587 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

 [2_3] 14:12:07.625171 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

 [2_3] 14:12:09.974195 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 37

 [2_1] 14:12:09.989745 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45

 [2_3] 14:12:10.022995 IP 0.0.0.0.cp-cluster > 172.23.9.0.cp-cluster: UDP, length 32