[j-nsp] tcpdump
Paul Goyette
pgoyette at juniper.net
Mon Jan 21 13:32:56 EST 2008
First, put all your command line switches (i.e., -w <file>) BEFORE
the list of packet-match-criteria. Instead of

'tcpdump -c 1000 -nvi ge-0/3/0.694 host 10.66.94.35 -w /var/tmp/test.log'

use

'tcpdump -c 1000 -nvi ge-0/3/0.694 -w /var/tmp/test.log host 10.66.94.35'

Second, tcpdump cannot capture transit traffic. You need to use
a firewall filter with the sample action.
Paul Goyette
Juniper Networks Customer Service
JTAC Senior Escalation Engineer
PGP Key ID 0x53BA7731 Fingerprint:
FA29 0E3B 35AF E8AE 6651
0786 F758 55DE 53BA 7731
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net
> [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> Thompson, Jerrold
> Sent: Monday, January 21, 2008 10:26 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] tcpdump
> Importance: High
>
>
> Hi,
>
> I'm trying to capture unicast traffic from a subinterface on an m10i
> router running 8.0 code.
>
> Started out with a "start shell user root" and then ran a
>
> 'tcpdump -c 1000 -nvi ge-0/3/0.694 -w /var/tmp/test.log'
>
> And it kind of worked, but only caught slow path traffic destined to the
> cpu exactly like a monitor command.
>
> Can anybody tell me how to catch the unicast traffic with an IP host
> filter? I've tried:
>
> 'tcpdump -c 1000 -nvi ge-0/3/0 host 10.66.94.35 -w /var/tmp/test.log'
> 'tcpdump -c 1000 -nvi ge-0/3/0 ip host 10.66.94.35 -w /var/tmp/test.log'
> 'tcpdump -c 1000 -nvi ge-0/3/0.694 host 10.66.94.35 -w /var/tmp/test.log'
> 'tcpdump -c 1000 -nvi ge-0/3/0.694 ip host 10.66.94.35 -w /var/tmp/test.log'
> 'tcpdump -c 1000 -nvi ge-0/3/0 'host 10.66.94.35' -w /var/tmp/test.log'
> 'tcpdump -c 1000 -nvi ge-0/3/0.694 'host 10.66.94.35' -w /var/tmp/test.log'
> 'tcpdump -c 1000 -i ge-0/3/0 'host 10.66.94.35' -w /var/tmp/test.log'
> 'tcpdump -c 1000 -i ge-0/3/0.694 'host 10.66.94.35' -w /var/tmp/test.log'
>
> And kept getting a 'syntax' error.
>
> Here is a 'show interface terse of 0/3/0'
>
> ge-0/3/0                up    up
> ge-0/3/0.676            up    up   inet     10.66.76.2/24
> ge-0/3/0.677            up    up   inet     10.66.77.1/24
>                                             10.66.77.2/24
> ge-0/3/0.690            up    up   inet     10.66.90.1/24
>                                             10.66.90.2/24
> ge-0/3/0.694            up    up   inet     10.66.94.1/24
>                                             10.66.94.2/24
> ge-0/3/0.695            up    up   inet     10.66.95.2/24
> ge-0/3/0.697            up    up   inet     10.66.97.2/24
> ge-0/3/0.698            up    up   inet     10.66.98.1/24
>                                             10.66.98.2/24
> ge-0/3/0.699            up    up   inet     10.66.99.2/24
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
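
Why the first ordering in the reply fails, as an added example that is not part of the original thread: a shell model of option parsing that stops at the first non-option word, so `-w /var/tmp/test.log` ends up inside the filter expression. The function names, the variable names and the assumption that the router's tcpdump parses its arguments this way (POSIX/BSD getopt behaviour) belong to this example, not to the posts.

```shell
#!/bin/sh
# Added illustration: models a getopt() loop that stops at the first
# non-option word (POSIX/BSD behaviour; an assumption about the router's
# tcpdump build). Everything after that word becomes the filter expression.
# The option string is limited to the switches used in this thread.

split_tcpdump_args() {
    TCPDUMP_WFILE=""    # value given to -w, if it was parsed as an option
    TCPDUMP_EXPR=""     # words handed to the filter compiler
    TCPDUMP_STRAY=""    # first option-looking word stranded in the filter
    OPTIND=1
    while getopts "c:i:w:nv" opt "$@"; do
        case "$opt" in
            w) TCPDUMP_WFILE=$OPTARG ;;
            c|i|n|v) ;;
            *) return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    TCPDUMP_EXPR="$*"
    for word in "$@"; do
        case "$word" in
            -?*) TCPDUMP_STRAY=$word; break ;;
        esac
    done
    return 0
}

report() {
    split_tcpdump_args "$@" || return 2
    echo "write file : ${TCPDUMP_WFILE:-<none>}"
    echo "filter expr: $TCPDUMP_EXPR"
    if [ -n "$TCPDUMP_STRAY" ]; then
        echo "problem    : '$TCPDUMP_STRAY' is inside the filter; move it before the match criteria"
    fi
}

# The two orderings from the reply above.
report -c 1000 -nvi ge-0/3/0.694 host 10.66.94.35 -w /var/tmp/test.log
report -c 1000 -nvi ge-0/3/0.694 -w /var/tmp/test.log host 10.66.94.35
```

A GNU getopt build reorders arguments by default, which is why the same command line can be accepted on a Linux host and rejected elsewhere.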