Example Uses of TCPdump

Introduction to TCPdump


Capture All Packets for a Specific Host

[admin@DeskRouter: /]$ tcpdump -i eth0.1 host 172.16.4.122

Verify That Packets Are Being Port-Forwarded Correctly

Port forwarding has been configured and the Windows PC has been set up to accept RDP connections. Everything appears to be configured correctly, but you are unable to reach the end device. TCPdump can help determine whether the router is forwarding packets correctly.

To capture the traffic, specify an interface. Since the name of an interface can change from one device to the next, use the devices command to display a list of interfaces.

[administrator@AER1600-d59: /]$ devices
Device UID       Type       Iface        SubIface     Zone ID  Network Info
wan              ethernet   eth0.1       None         3        state: disabled, ip: fe80::230:44ff:fe1f:dd59
4aa26359         mdm        pmip399      pmip399      3        state: connected, ip: 173.1**.2*.1*/30, 2***:1:9616:****
4ad02a62         mdm        pmip398      pmip398      3        state: available
lan              ethernet   eth0.2       None         0        network: Primary LAN, ip: fe80::2830:44ff:fe1f:dd59
wireless0_1      wlan       eth2         None         0        network: Primary LAN, ip: fe80::230:44ff:fe1f:dd5b
primarylan       ethernet   primarylan3  None         4        ip: 192.168.16.1/20
guestlan         ethernet   guestlan4    None         5        ip: 192.168.10.1/24, fe80::f8ef:3cff:fe84:df13, 2600:1:9616:26f5::1/64

Because the question is whether forwarded packets reach the LAN, capture on a LAN-side interface. The host's IP address is known and falls within the primarylan range (192.168.16.1/20), but the physical port or radio the host is attached to is not, so capture on primarylan3, the network-level interface, which sees the host's traffic whichever physical interface it arrives on. Running tcpdump with no filter would flood the CLI with packets and make the output hard to read, so filter on the forwarded port. The -n flag stops tcpdump from resolving addresses to names, which would otherwise slow the capture and add DNS traffic of its own:

[administrator@AER1600-d59: /]$ tcpdump -n -i primarylan3 port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on primarylan3, link-type EN10MB (Ethernet), capture size 262144 bytes
16:15:32.461607 IP 216.64.128.1.61732 > 192.168.23.38.3389: Flags [.], ack 979876388, win 63276, length 0
16:15:32.764281 IP 216.64.128.1.61732 > 192.168.23.38.3389: Flags [.], ack 51, win 257, length 0

Every packet in the capture travels from the remote client (216.64.128.1) toward 192.168.23.38 on port 3389, and nothing comes back from the PC. The router is therefore forwarding the packets onto the LAN as configured, and the router's configuration can be ruled out; troubleshooting should focus on the PC side (host firewall, RDP listener, or the host not being on the expected network). The converse also holds: if no packets for port 3389 appear on the LAN interface at all while the remote client is connecting, the problem lies on the router or WAN side, such as the forwarding rule, the zone firewall, or the upstream carrier blocking the port.
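The check above (forwarded packets seen, no replies from the host) can be made mechanical. The following POSIX sh/awk helper is an added example, not part of the NCOS article or the product: it assumes tcpdump's default one-line format with -n (numeric addresses, "IP src.port > dst.port:") and is meant to run on a Linux host against saved or piped tcpdump output, since the router CLI itself is not a general shell. The function and variable names are illustrative, and the second capture is constructed to show the healthy case.

```shell
#!/bin/sh
# Added example (not from the NCOS article): classify a port-forward
# capture by counting packets toward HOST:PORT and replies from it.
# Assumes tcpdump was run with -n and default timestamps, so that
# field 2 is "IP", field 3 is "src.port" and field 5 is "dst.port:".

# Build the filter expression used in the article, narrowed to the host.
build_filter() {
    host="$1"; port="$2"
    printf 'host %s and tcp port %s' "$host" "$port"
}

# Read tcpdump lines on stdin; print "VERDICT inbound replies".
classify_capture() {
    host="$1"; port="$2"
    awk -v h="$host" -v p="$port" '
        BEGIN { inbound = 0; replies = 0 }
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # tcpdump prints addr.port; the port is the last dotted field
            n = split(src, a, "."); sp = a[n]
            sh = substr(src, 1, length(src) - length(sp) - 1)
            n = split(dst, b, "."); dp = b[n]
            dh = substr(dst, 1, length(dst) - length(dp) - 1)
            if (dh == h && dp == p) inbound++
            if (sh == h && sp == p) replies++
        }
        END {
            if (inbound == 0)      v = "NO_FORWARDED_TRAFFIC"
            else if (replies == 0) v = "FORWARDED_NO_REPLY"
            else                   v = "FORWARDED_AND_ANSWERED"
            print v, inbound, replies
        }'
}

# Capture lines as shown in the article (router forwards, PC silent).
ARTICLE_CAPTURE='16:15:32.461607 IP 216.64.128.1.61732 > 192.168.23.38.3389: Flags [.], ack 979876388, win 63276, length 0
16:15:32.764281 IP 216.64.128.1.61732 > 192.168.23.38.3389: Flags [.], ack 51, win 257, length 0'

# Constructed healthy case: SYN in, SYN-ACK back from the PC.
HEALTHY_CAPTURE='16:20:01.000100 IP 216.64.128.1.61800 > 192.168.23.38.3389: Flags [S], seq 1, win 64240, length 0
16:20:01.000400 IP 192.168.23.38.3389 > 216.64.128.1.61800: Flags [S.], seq 100, ack 2, win 65535, length 0'

# Stand-alone run: show the filter and both verdicts.
echo "filter: $(build_filter 192.168.23.38 3389)"
printf '%s\n' "$ARTICLE_CAPTURE" | classify_capture 192.168.23.38 3389
printf '%s\n' "$HEALTHY_CAPTURE" | classify_capture 192.168.23.38 3389
```

To use it on a live capture, run tcpdump with -n on the LAN interface and pipe its standard output into classify_capture, or save the output to a file first; "FORWARDED_NO_REPLY" is the situation in the article, "NO_FORWARDED_TRAFFIC" points at the router or WAN side instead.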