Date created: Wednesday, June 28, 2023 2:21:51 PM. Last modified: Friday, January 12, 2024 5:45:08 PM

tcpdump

Control-Plane

Running tcpdump directly on an interface captures control-plane traffic to/from that interface. This example shows an asymmetric routing problem: the ICMP echo requests are captured but the echo replies are missing:

r1#tcpdump interface Ethernet 28/1 verbose packet-count 10 filter icmp

tcpdump: listening on et28_1, link-type EN10MB (Ethernet), snapshot length 262144 bytes

16:09:41.782428 c4:ca:2b:11:11:11 > c4:ca:2b:22:22:22, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 64, id 22230, offset 0, flags [none], proto ICMP (1), length 100)
10.0.0.4 > 192.168.1.1: ICMP echo request, id 30, seq 1, length 80

16:09:42.806276 c4:ca:2b:11:11:11 > c4:ca:2b:22:22:22, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 64, id 22321, offset 0, flags [none], proto ICMP (1), length 100)
10.0.0.4 > 192.168.1.1: ICMP echo request, id 30, seq 2, length 80
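
As an added example (not part of the original page): the missing replies in a capture like the one above can be picked out mechanically by pairing each echo request with a reply on the reversed address pair and the same id/seq. The function names and the sample capture are constructed for illustration; the parser assumes tcpdump's text output as shown above.

```shell
#!/bin/sh
# Added example: list ICMP echo requests in tcpdump text output with no matching reply.
# Output format (one line per unanswered request): "src dst id seq"
unanswered_echo_requests() {
    awk '
    {
        # Locate the "ICMP echo request|reply" tokens; works whether the
        # addresses sit on their own line (verbose) or after a link header.
        for (i = 4; i <= NF - 6; i++) {
            if ($i != "ICMP" || $(i+1) != "echo") continue
            kind = $(i+2); sub(/,$/, "", kind)
            if (kind != "request" && kind != "reply") continue
            src = $(i-3)
            dst = $(i-1); sub(/:$/, "", dst)
            id  = $(i+4); sub(/,$/, "", id)
            seq = $(i+6); sub(/,$/, "", seq)
            if (kind == "request") {
                key = src " " dst " " id " " seq
                if (!(key in seen)) { seen[key] = 1; order[++n] = key }
            } else {
                # A reply travels dst -> src of the request it answers.
                answered[dst " " src " " id " " seq] = 1
            }
            break
        }
    }
    END {
        for (j = 1; j <= n; j++)
            if (!(order[j] in answered)) print order[j]
    }'
}

# Constructed sample in the verbose format shown above: seq 1 is answered, seq 2 is not.
sample_capture() {
    cat <<'EOF'
16:09:41.782428 c4:ca:2b:11:11:11 > c4:ca:2b:22:22:22, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 64, id 22230, offset 0, flags [none], proto ICMP (1), length 100)
    10.0.0.4 > 192.168.1.1: ICMP echo request, id 30, seq 1, length 80
16:09:41.783102 c4:ca:2b:22:22:22 > c4:ca:2b:11:11:11, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 63, id 5120, offset 0, flags [none], proto ICMP (1), length 100)
    192.168.1.1 > 10.0.0.4: ICMP echo reply, id 30, seq 1, length 80
16:09:42.806276 c4:ca:2b:11:11:11 > c4:ca:2b:22:22:22, ethertype IPv4 (0x0800), length 114: (tos 0x0, ttl 64, id 22321, offset 0, flags [none], proto ICMP (1), length 100)
    10.0.0.4 > 192.168.1.1: ICMP echo request, id 30, seq 2, length 80
EOF
}

# From bash on the switch, a bounded live capture can be piped in the same way:
#   tcpdump -nn -v -c 20 -i et28_1 icmp | unanswered_echo_requests
sample_capture | unanswered_echo_requests
```

The results are printed only once the input ends, so a live capture needs a packet count (`-c`) or a manual stop.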

 

One can capture all control-plane traffic by capturing on the interface "txfwd":

bash tcpdump -nnlASX -s 0 -vvv -e -i txfwd

 

Forwarding-Plane

To capture forwarding-plane traffic, set up a mirror session which mirrors to the destination "cpu". This creates a "mirrorX" interface in Linux. Multiple mirror sessions can run simultaneously, each with the destination interface "cpu", and each mirror session creates a new "mirrorX" interface. Then drop into bash and run tcpdump on the relevant "mirrorX" interface:

 

r4#configure
r4(config)#monitor session j1 source po1 rx
r4(config)#monitor session j1 destination cpu
r4(config)#end
r4#show monitor session j1

Session j1
------------------------
Sources:
Rx Only Interfaces: Po1
Destination Ports:
Cpu : active (mirror0)

r4#bash

Arista Networks EOS shell

[user@r4 ~]$ tcpdump -nlASX -s 0 -vvv -e -i mirror0 icmp
tcpdump: listening on mirror0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
