Cisco Application and Content Networking Software (ACNS) 4.2.1
introduced the tcpdump command. This command enables
you to gather a sniffer trace on the Content Engine, Content Router, or Content
Distribution Manager for the purpose of troubleshooting, when asked to gather
the data by the
Technical Support. This utility is very similar to the Linux/Unix
Readers of this document should have knowledge of these topics:
The information in this document is based on the software and hardware
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
For more information on document conventions, refer to the
Technical Tips Conventions.
The CLI on ACNS now allows the administrator (must be user admin) to
capture packets from the Ethernet. On the Content Engine 500 series, the
interface names are eth0 and eth1. On all ACNS platforms, it is recommended
that you specify a path/filename in the local1 directory.
You can do a straight packet header dump to the screen if you issue the
tcpdump command on the CLI. Press
Ctrl-C in order to stop the dump.
The tcpdump command has these
—Writes the raw
packet capture output to a file.
—Captures the first
<count> bytes of each packet.
—Allows you to
specify a specific interface to use for capturing the packets.
—Limits the capture to
This is a sample command:
tcpdump -w /local1/dump.pcap -i eth0 -s 1500 -c 10000
This command captures the first 1500 bytes of the next 10,000 packets
from interface Ethernet 0, and puts the output in a file named
dump.pcap in the local1 directory on the Content
Note: Ensure that you specify option –s to set the packet
snaplength. The default value captures only 64 bytes, and this saves only
packet headers into the capture file. For troubleshooting of redirected packets
or higher level traffic (HTTP, authentication, and so forth), a copy of
complete packets is needed.
You can also run tcpdump and filter on a
particular IP address:
Add host 10.255.1.34 to the end of the
Note: Replace 10.255.1.34 with the IP address that the
client is using.
Also, use 1600 as the size in order to catch bad packets that can be
larger than 1500 bytes.
Here is an example:
tcpdump -w /local/mydump -s 1600 -c10000 host 10.255.2.34
After the TCP dump has been collected, you need to move the file from
the Content Engine to a PC so that it can be viewed by a sniffer
ftp <ip address of the CE>
!--- Log in with the admin username and password.
get <name of the file>
!--- Using the previous example, it is dump.pcap.
Ethereal is the recommended software application for reading the TCP
dump, due to the extent of its features and their use with content networking,
including the ability to decode packets that are encapsulated into a GRE
tunnel, used by WCCP redirection. Refer to the
Note: In most cases, redirected packets captured by the
tcpdump facility available with the ACNS CLI differ
from the data received on the interface. Due to internal implementation and
handling of redirected packets, the destination IP address and TCP port number
are modified to reflect the device IP address and the port number 8999.