4/06/2018

Tips on EOS tcpdump

Since Arista EOS is built on a Linux kernel, it inherits tcpdump, the powerful packet-capture debugging tool. Here are some tips on how to use it in EOS.

Reference (most of the content is from): Using tcpdump for troubleshooting @ Arista.com. This is a refresh of an old blog post.

1. Use "bash ifconfig" to find out the kernel interface names

bn303.jhm.mlagA.profA0.w.16:01:14#bash ifconfig | grep mtu
et10_10_1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9214
et10_10_2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9214
....
vlan200: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
vlan201: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

2. Dump packets on a VLAN interface

bn303.jhm.mlagA.profA0.w.16:02:34#bash tcpdump -i vlan200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan200, link-type EN10MB (Ethernet), capture size 262144 bytes
16:11:35.518187 de:ad:be:ef:ba:11 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 86: 2000:22:0:c8::fd > ff02::1: ICMP6, neighbor advertisement, tgt is 2000:22:0:c8::fd, length 32

3. Dump packets on an Ethernet interface with more detail (-v, -vv)

bn303.jhm.mlagA.profA0.w.16:11:41#bash tcpdump -i et10_10_1 -v -vv
tcpdump: listening on et10_10_1, link-type EN10MB (Ethernet), capture size 262144 bytes
16:12:58.382825 28:99:3a:10:3b:90 (oui Arista Networks) > 01:80:c2:00:00:0e (oui Unknown), ethertype LLDP (0x88cc), length 324: LLDP, length 310
Chassis ID TLV (1), length 7
  Subtype MAC address (4): 44:4c:a8:a5:11:40 (oui Arista Networks)
  0x0000:  0444 4ca8 a511 40
Port ID TLV (2), length 16
  Subtype Interface Name (5): Ethernet10/10/1
  0x0000:  0545 7468 6572 6e65 7431 302f 3130 2f31

4. Run tcpdump directly from the EOS CLI (the interface is given in CLI form and mapped to the kernel name)

bn303.jhm.mlagA.profA0.w.15:35:13#tcpdump int eth3/1/1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on et3_1_1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:54:45.654907 44:4c:a8:97:8c:52 > 01:80:c2:00:00:02, ethertype Slow Protocols (0x8809), length 124: LACPv1, length 110

bn303.jhm.mlagA.profA0.w.15:56:37#tcpdump int vlan 2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 262144 bytes
15:57:05.393026 de:ad:be:ef:ba:11 > Broadcast, ethertype ARP (0x0806), length 56: Reply 22.0.2.253 is-at de:ad:be:ef:ba:11, length 42
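The captures above show the mapping between the EOS CLI names (Ethernet10/10/1, eth3/1/1, vlan 2) and the kernel names tcpdump listens on (et10_10_1, et3_1_1, vlan2). As an added example that is not code from the original post or from Arista EOS, here is a small Python helper that does that mapping in both directions, parses the "ifconfig | grep mtu" output from section 1, and assembles a tcpdump argument list. The Ethernet -> et and Vlan -> vlan rules come from the captures on this page; Management1/1 -> ma1_1 is an assumption based on the ma1_1 interface used in the MLAG example below.

```python
"""Map EOS CLI interface names to the Linux names tcpdump expects, and back.

Added example, not code from the original post or from Arista EOS.
Ethernet -> et and Vlan -> vlan follow the captures on this page;
Management -> ma is an assumption based on the ma1_1 interface used in the
MLAG example.
"""
import re
import shlex

# Constructed sample: the `bash ifconfig | grep mtu` output from section 1, re-typed.
IFCONFIG_SAMPLE = """\
et10_10_1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9214
et10_10_2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9214
vlan200: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
vlan201: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
"""

# (full CLI word, kernel prefix); order matters for abbreviation matching.
PREFIXES = [("ethernet", "et"), ("vlan", "vlan"), ("management", "ma")]


def kernel_ifname(cli_name):
    """'Ethernet10/10/1', 'eth3/1/1' or 'vlan 2' -> 'et10_10_1', 'et3_1_1', 'vlan2'.

    Any unambiguous CLI abbreviation is accepted; '/' in the slot/port/lane
    number becomes '_' in the kernel name."""
    m = re.match(r"^\s*([A-Za-z]+)\s*([0-9/]+)\s*$", cli_name)
    if not m:
        raise ValueError("unrecognised interface name: %r" % cli_name)
    word, number = m.group(1).lower(), m.group(2)
    for full, short in PREFIXES:
        if full.startswith(word):
            return short + number.replace("/", "_")
    raise ValueError("unknown interface type: %r" % cli_name)


def cli_ifname(kernel_name):
    """Inverse mapping: 'et10_10_1' -> 'Ethernet10/10/1', 'ma1_1' -> 'Management1/1'."""
    m = re.match(r"^(vlan|et|ma)([0-9_]+)$", kernel_name)
    if not m:
        raise ValueError("unrecognised kernel interface name: %r" % kernel_name)
    full = {"et": "Ethernet", "vlan": "Vlan", "ma": "Management"}[m.group(1)]
    return full + m.group(2).replace("_", "/")


def parse_ifconfig_mtu(text):
    """Turn `ifconfig | grep mtu` lines into {kernel_name: mtu}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+):.*\bmtu (\d+)", line)
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def tcpdump_argv(cli_name, bpf_filter="", options=("-n", "-e", "-vv")):
    """Build the argv for a capture on a CLI-named interface.

    The BPF filter is split into separate tokens the way the shell would, e.g.
    'udp port 4432' (with the 'port' keyword, see section 6) -> ['udp', 'port', '4432']."""
    return ["tcpdump", *options, "-i", kernel_ifname(cli_name), *shlex.split(bpf_filter)]


if __name__ == "__main__":
    for name, mtu in parse_ifconfig_mtu(IFCONFIG_SAMPLE).items():
        print("%-10s %-18s mtu %d" % (name, cli_ifname(name), mtu))
    print(" ".join(tcpdump_argv("eth3/1/1", "udp port 4432")))
```

Run it as a script to see the name/MTU table and the assembled command line; the functions can also be imported by a larger capture script that takes CLI-style interface names from an operator.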

5. Dump OSPF packets

# bash tcpdump -ni vlan1224 proto ospf

yo411.15:24:18#bash tcpdump -ni vlan1224 proto ospf
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1224, link-type EN10MB (Ethernet), capture size 262144 bytes
15:24:31.110294 00:1c:73:c6:b0:0d > 01:00:5e:00:00:05, ethertype IPv4 (0x0800), length 82: 110.2.13.10 > 224.0.0.5: OSPFv2, Hello, length 48
15:24:35.394905 00:1c:73:44:58:d0 > 01:00:5e:00:00:05, ethertype IPv4 (0x0800), length 82: 110.2.13.2 > 224.0.0.5: OSPFv2, Hello, length 48

6. Dump MLAG UDP keepalives (heartbeats). Note that the BPF filter needs the "port" keyword: "udp 4432" is a syntax error, "udp port 4432" works.

[admin@bn302 ~]$ tcpdump -i ma1_1 udp 4432 -vv -X
tcpdump: syntax error in filter expression: syntax error
[admin@bn302 ~]$ tcpdump -i ma1_1 udp port 4432 -vv -X
tcpdump: listening on ma1_1, link-type EN10MB (Ethernet), capture size 262144 bytes
15:03:22.707628 44:4c:a8:34:cc:d0 (oui Arista Networks) > 00:1c:73:ac:36:09 (oui Arista Networks), ethertype IPv4 (0x0800), length 121: (tos 0xe0, ttl 255, id 41931, offset 0, flags [DF], proto UDP (17), length 107)
    bn302-1.sjc.aristanetworks.com.4432 > bn303.sjc.aristanetworks.com.4432: UDP, length 79
0x0000:  45e0 006b a3cb 4000 ff11 715a ac1e 871e  E..k..@...qZ....
0x0010:  ac1e 8620 1150 1150 0057 65e4 0224 7688  .....P.P.We..$v.
0x0020:  ecb6 2000 7564 7048 6561 7274 6265 6174  ....udpHeartbeat
0x0030:  80c0 8000 0000 0100 0000 08ff f000 0000  ................
0x0040:  0000 00ff f000 0000 0000 0040 b24f ef05  ...........@.O..
0x0050:  4984 c84d 0100 0869 6e61 6374 6976 654d  I..M...inactiveM
0x0060:  0200 0800 0001 7900 0000 02              ......y....
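The -X hex dump is the raw IP packet, so it can be decoded independently of tcpdump's own summary line. As an added example that is not code from the original post or from Arista EOS, the Python below re-types the heartbeat capture above as a constant, rebuilds the bytes from the "0xNNNN:" lines (ignoring the summary lines and the ASCII column), decodes the IPv4 and UDP headers, verifies the IPv4 header checksum, and cross-checks every field tcpdump printed (tos 0xe0, ttl 255, id 41931, DF, proto 17, length 107, UDP length 79) against the bytes. The checksum and length checks are what catch a re-typed or truncated dump when a capture is pasted into a ticket.

```python
"""Decode a `tcpdump -vv -X` hex dump back into bytes and cross-check the
IPv4/UDP header fields against the summary line tcpdump printed.

Added example, not code from the original post or from Arista EOS. The sample
below is the MLAG heartbeat capture from section 6, re-typed as a constant."""
import ipaddress
import re
import struct

SAMPLE = """\
15:03:22.707628 44:4c:a8:34:cc:d0 (oui Arista Networks) > 00:1c:73:ac:36:09 (oui Arista Networks), ethertype IPv4 (0x0800), length 121: (tos 0xe0, ttl 255, id 41931, offset 0, flags [DF], proto UDP (17), length 107)
    bn302-1.sjc.aristanetworks.com.4432 > bn303.sjc.aristanetworks.com.4432: UDP, length 79
0x0000:  45e0 006b a3cb 4000 ff11 715a ac1e 871e  E..k..@...qZ....
0x0010:  ac1e 8620 1150 1150 0057 65e4 0224 7688  .....P.P.We..$v.
0x0020:  ecb6 2000 7564 7048 6561 7274 6265 6174  ....udpHeartbeat
0x0030:  80c0 8000 0000 0100 0000 08ff f000 0000  ................
0x0040:  0000 00ff f000 0000 0000 0040 b24f ef05  ...........@.O..
0x0050:  4984 c84d 0100 0869 6e61 6374 6976 654d  I..M...inactiveM
0x0060:  0200 0800 0001 7900 0000 02              ......y....
"""

# One '0xNNNN:' line: the offset, then 2- or 4-digit hex groups up to the ASCII column.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2,4} ?)+)")
SUMMARY = re.compile(r"\(tos 0x([0-9a-f]+), ttl (\d+), id (\d+), offset (\d+), "
                     r"flags \[([^\]]*)\], proto UDP \(17\), length (\d+)\)")
UDP_SUMMARY = re.compile(r"UDP, length (\d+)")


def hexdump_to_bytes(text):
    """Collect the hex columns of every dump line into the raw IP packet."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def ipv4_checksum_ok(header):
    """True when the one's-complement sum over the header (checksum included) is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) == 0


def decode_ipv4_udp(pkt):
    """Parse the IPv4 header and, for proto 17, the UDP header that follows it."""
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "header_checksum_ok": ipv4_checksum_ok(pkt[:ihl]),
        "captured_length": len(pkt),
    }
    if proto == 17:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_length=ulen,
                    payload_length=ulen - 8, payload=pkt[ihl + 8:ihl + ulen])
    return info


def parse_summary(text):
    """Pull the same fields out of the text tcpdump printed above the hex dump."""
    m, u = SUMMARY.search(text), UDP_SUMMARY.search(text)
    if not (m and u):
        raise ValueError("no IPv4/UDP summary line found")
    return {"tos": int(m.group(1), 16), "ttl": int(m.group(2)), "id": int(m.group(3)),
            "frag_offset": int(m.group(4)), "df": "DF" in m.group(5), "proto": 17,
            "total_length": int(m.group(6)), "payload_length": int(u.group(1))}


def summary_matches(text):
    """True when every field in tcpdump's summary agrees with the raw bytes."""
    decoded = decode_ipv4_udp(hexdump_to_bytes(text))
    return all(decoded[k] == v for k, v in parse_summary(text).items())


if __name__ == "__main__":
    pkt = hexdump_to_bytes(SAMPLE)
    info = decode_ipv4_udp(pkt)
    for key in ("src", "dst", "sport", "dport", "total_length", "udp_length",
                "payload_length", "header_checksum_ok"):
        print("%-18s %s" % (key, info[key]))
    print("payload starts with:", info["payload"][:24])
    print("summary matches bytes:", summary_matches(SAMPLE))
```

The IPv4 total length (107) equals the number of bytes recovered from the dump, and the UDP length field (87) minus the 8-byte UDP header gives the 79 bytes tcpdump reports; if either disagrees, the pasted dump is incomplete.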

7. Other useful options and samples

-n disables name resolution, -e prints the link-level (Ethernet) header, -vv increases verbosity, and "-i any" captures on all interfaces at once:

bash tcpdump -nevvi et1 ether dst host 01:80:c2:00:00:0e
bash tcpdump -nevvi any host 10.1.1.1

Write the capture to a file with -w (here filtered to IPv6 traffic) and read it back later with -r:

[admin@wa466 ~]$ tcpdump -vv ip6 -i et56_1 -w /mnt/flash/bgp.cap

tcpdump: listening on et56_1, link-type EN10MB (Ethernet), capture size 262144 bytes
2 packets captured
...

[admin@wa466 ~]$ tcpdump -vvv -r /mnt/flash/bgp.cap -n | more
reading from file /mnt/flash/v6.bgp.cap, link-type EN10MB (Ethernet)
22:17:32.070318 44:4c:a8:97:72:b7 > 00:12:01:00:00:01, ethertype IPv6 (0x86dd), length 94: (hlim 255, next-header TCP (6) payload length: 40) 2000:88:88::1.48744 > 2000:88:88::2.bgp: Flags [S], seq 4088296625, win 28800, options [mss 1440,sackOK,TS val 3863837 ecr 0,nop,wscale 7], length 0
22:17:32.070466 00:12:01:00:00:01 > 44:4c:a8:97:72:b7, ethertype IPv6 (0x86dd), length 94: (class 0xc0, hlim 64, next-header TCP (6) payload length: 40) 2000:88:88::2.bgp > 2000:88:88::1.48744: Flags [S.], seq 3002335018, ack 4088296626, win 14280, options [mss 1440,sackOK,TS val 8967227 ecr 3863837,nop,wscale 9], length 0
22:17:32.070489 44:4c:a8:97:72:b7 > 00:12:01:00:00:01, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header TCP (6) payload length: 32) 2000:88:88::1.48744 > 2000:88:88::2.bgp: Flags [.], seq 1, ack 1, win 225, options [nop,nop,TS val 3863837 ecr 8967227], length 0
22:17:32.070661 44:4c:a8:97:72:b7 > 00:12:01:00:00:01, ethertype IPv6 (0x86dd), length 141: (class 0xc0, hlim 255, next-header TCP (6) payload length: 87) 2000:88:88::1.48744 > 2000:88:88::2.bgp: Flags [P.], seq 1:56, ack 1, win 225, options [nop,nop,TS val 3863837 ecr 8967227], length 55: BGP
Open Message (1), length: 55
  Version 4, my AS 23456, Holdtime 180s, ID 5.5.5.5
  Optional parameters, length: 26
    Option Capabilities Advertisement (2), length: 24
      Multiprotocol Extensions (1), length: 4
        AFI IPv6 (2), SAFI Unicast (1)
        0x0000:  0002 0001
      Route Refresh (2), length: 0
      Graceful Restart (64), length: 2
        Restart Flags: [none], Restart Time 300s
        0x0000:  012c
      32-Bit AS Number (65), length: 4
        4 Byte AS 4264492530
        0x0000:  fe2e fdf2
      Multiple Paths (69), length: 4
        AFI IPv6 (2), SAFI Unicast (1), Send/Receive: Receive
        0x0000:  0002 0101

