tcpdump vni-0/2
tcpdump vni-0/2 filter icmp
tcpdump vni-0/2 filter "host 8.8.8.8"
tcpdump vni-0/2 filter "port 4790"
tcpdump vni-0/0 filter "host 172.16.95.95 and greater 180"
tcpdump vni-0/0 filter "host 172.16.95.95 and less 200"
tcpdump vni-0/0 filter "host 172.16.95.95 and greater 1000 and less 1200"
To capture traffic for a specific host and port in both directions (RX/TX) on vni-0/x
tcpdump vni-0/200 filter " port 4790 and host 172.16.95.95"
tcpdump vni-0/200 timeout 5
To capture traffic for port 67 or 68 in both directions on vni-0/x and dump output as verbose.
tcpdump vni-0/200 filter "'port 67 or 68 -v'"
To capture traffic from a specific subnet
tcpdump vni-0/200 filter "'net 10.10.10.0/24'"
To capture traffic for port 80 or 8080 in both directions on vni-0/x and save the pcaps to a file.
tcpdump vni-0/200 filter "'port 80 or 8080 -v -w http.pcap'"
To capture all the fragmented packets on vni-0/x.
tcpdump vni-0/x filter "''((ip[6:2] > 0) and (not ip[6] = 64))' -vv'"
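What the byte tests in the fragment filter above select, as an added example (not Versa code): ip[6:2] is the 16-bit IPv4 flags/fragment-offset field and ip[6] = 64 is the "DF only" value 0x40. The headers are constructed samples, and mask_filter is the standard pcap-filter form ip[6:2] & 0x3fff != 0, shown for comparison and assumed (not verified here) to be accepted by the Versa CLI.

```python
import struct

def ipv4_header(flags_frag: int) -> bytes:
    """Constructed 20-byte IPv4 header; only bytes 6-7 (flags + offset) vary."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 40, 0x1234, flags_frag, 64, 1, 0,
                       bytes([172, 16, 95, 95]), bytes([8, 8, 8, 8]))

def page_filter(hdr: bytes) -> bool:
    """(ip[6:2] > 0) and (not ip[6] = 64), the expression used on this page."""
    field = struct.unpack_from("!H", hdr, 6)[0]   # ip[6:2], network byte order
    return field > 0 and hdr[6] != 64             # hdr[6] is ip[6]

def mask_filter(hdr: bytes) -> bool:
    """ip[6:2] & 0x3fff != 0: MF bit set or a non-zero fragment offset."""
    field = struct.unpack_from("!H", hdr, 6)[0]
    return (field & 0x3FFF) != 0

# Constructed flags/offset values. Bit 0x8000 is reserved, 0x4000 is DF,
# 0x2000 is MF, and the low 13 bits are the offset in 8-byte units
# (185 * 8 = 1480 bytes, the usual second-fragment offset on a 1500-byte MTU).
SAMPLES = {
    "no flags, offset 0": 0x0000,
    "DF only": 0x4000,
    "first fragment (MF, offset 0)": 0x2000,
    "middle fragment (MF, offset 185)": 0x20B9,
    "last fragment (offset 185)": 0x00B9,
    "reserved bit only": 0x8000,
}

def compare() -> dict:
    """Return {case: (page_filter result, mask_filter result)}."""
    return {name: (page_filter(ipv4_header(v)), mask_filter(ipv4_header(v)))
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (page, mask) in compare().items():
        print(f"{name:34} page={page!s:5} mask={mask}")
```

Both expressions match all three kinds of fragment and skip unfragmented packets with or without DF; they differ only when the reserved bit is set, which the page's expression also captures.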
To capture IP packets inside PPPoE encapsulation, in case the WAN link is PPPoE. The host IP is that of the inner IP packet.
tcpdump vni-0/0 filter "'pppoes and ip and host 10.242.242.29'"
To run tcpdump in the background, use the command below.
Assuming vni-0/6 is the interface of concern, execute the following on the CLI. Enable this as a priority so that valid captures are available during the next crash.
admin@Branch-3-HA1-cli> request diagnostics tcpdump start interface vni-0/6 filter "-W 10 -C 100" timeout 864000
status success
result Started capturing on vni-0/0
handle 9510
file /var/tmp/versa-pcaps/103-20221129-212425.pcap
This creates the pcap files in the /var/tmp/versa-pcaps directory. The files rotate after every 100 MB of data, and 10 such files are maintained.
[admin@Lab: ~] $ cd /var/tmp/versa-pcaps/
[admin@Lab: versa-pcaps] $ ll
total 542M
-rw-r--r-- 1 admin versa 96M Dec 3 12:24 120-20211203-122145.pcap0
-rw-r--r-- 1 admin versa 96M Dec 3 12:24 120-20211203-122145.pcap1
-rw-r--r-- 1 admin versa 96M Dec 3 12:24 120-20211203-122145.pcap2
The timeout of 864000 causes the tcpdump to terminate on its own after 10 days. It also terminates if there is a vsmd crash.
You can check whether the tcpdump is running, as shown below, using the handle id returned in the output above.
[admin@Lab: versa-pcaps] $ ps -aux | grep 9510
root 9510 0.0 0.5 76792 24012 ? S 20:20 0:00 /usr/bin/python /opt/versa/scripts/tcpdump.py vni-0/0 FILTER='-W 10 -C 1 -w /var/tmp/versa-pcaps/101-20221117-202030.pcap ' TIMEOUT='1000000000'
admin 5166 0.0 0.0 12000 2256 pts/6 S+ 20:34 0:00 grep --color=auto 4906
[admin@Lab: versa-pcaps] $
A means of performing a "rolling" tcpdump is as below
Example LAN packet capture:
=======================
admin@Branch-cli> tcpdump vni-0/1 filter " -s 0 -W 5 -C 10 -w LAN"
The above will create a rotating buffer of 5 files [-W 5] and tcpdump should switch to another file once the current file reaches 10,000,000 bytes, about 10MB (-C works in units of 1,000,000 bytes, so -C 10 = 10,000,000 bytes).
The prefix of the files will be LAN (-w LAN), and a one-digit integer will be appended to each. So your default directory [home/admin] will have 5 files rotating with constant capture data:
LAN0
LAN1
LAN2
LAN3
LAN4
Each will be approximately 10,000,000 bytes, but will probably be slightly larger (depending on the space remaining and the size of the last packet received).
If you want a larger rolling data set, set -W to a higher count (for example, -W 50).