This document describes the use of the tcpdump CLI command in order to capture the desired packets from a Cisco Prime Infrastructure (PI) server.
Use the tcpdump Command
This section provides examples that illustrate the way in which the tcpdump command is used.
nms-pi/admin# tech dumptcp ?
<0-3> Gigabit Ethernet interface number
The output of the show interface command provides precise information about the interface name and number that is currently in use.
nms-pi/admin# tech dumptcp 0 ?
count Specify a max package count, default is continuous (no limit)
<cr> Carriage return.
nms-pi/admin# tech dumptcp 0 | ?
Output modifier commands:
begin Begin with line that matches
count Count the number of lines in the output
end End with line that matches
exclude Exclude lines that match
include Include lines that match
last Display last few lines of the output
nms-pi/admin# tech dumptcp 0 > test-capture.pcap
Copy the Captured Files to an Outside Location
Here are two examples that illustrate the manner in which captured files are copied to a location that is outside of the server:
Capture Packets as a Root User
If you desire more granular captures, log into the CLI as a root user after you have logged in as an admin user.
test$ ssh email@example.com
Enter root password :
Starting root bash shell ...
ade # su -
Example Root User Captures
Here are three examples of captures that are taken by a root user:
- In this example, all of the packets that are destined to port 162 on the PI server are captured:
[root@nms-pi~]# tcpdump -i eth0 -s0 -n dst port 162
- In this example, all of the packets that are destined to port 9991 are captured and written to a file called test.pcap in the /localdisk/ftp/ directory:
[root@nms-pi~]# tcpdump -w /localdisk/ftp/test.pcap -s0 -n dst port 9991
- In this example, any packets with a source IP address of 126.96.36.199 are captured:
[root@nms-pi~]# tcpdump -n src host 188.8.131.52