tcpdump filters

Useful flags:

From the manual:

-l: Line-buffered output. Also useful when piping tcpdump into grep etc., so the data can be read while it is being captured.
-e: Print the link-layer (layer 2) header, i.e. the MAC addresses.
-n: Do not do name lookups. It can be -nn or -nnn to disable IP, port and MAC lookups.
-t: Do not print a timestamp on each line, for more human-readable output.
-tt: Print the timestamp.
-ttt: Print the delta between the current and the previous line.
-ttttt: Print the delta between the current and the first line.
-vvv: Extremely verbose. It can be -v, -vv or -vvv depending on the required level of detail.
--immediate-mode: Capture in "immediate mode". In this mode, packets are delivered to tcpdump as soon as they arrive, rather than being buffered for efficiency. This is the default when printing packets rather than saving them to a savefile, if the packets are being printed to a terminal rather than to a file or pipe.
-A: Print each packet (minus its link-level header) in ASCII. Handy for capturing web pages. For example: tcpdump -nn -A -s1500 -l | grep "User-Agent:"

Adding -A to the command line will have the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands. Another option that shows both hexadecimal output and ASCII is the -X option.

  • Filter TCP flags: You can filter by pointing at the byte number of a field according to its position in the header, like tcp[13]=8 (both SYN and ACK bits). Some well-known fields are predefined for TCP (more details in the manual).

Filter                         Description
tcp[tcpflags] == tcp-rst       Just connection resets
tcp[tcpflags] == tcp-syn       Just SYNs
tcp[tcpflags] == tcp-ack       Just acknowledgements
tcp[tcpflags] == tcp-fin       Just FINs

Example: tcpdump "host 10.222.2.201 and not (port 22 or port 80) and tcp[tcpflags] == tcp-rst"
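As an added example (not part of the original notes), a small Python helper that maps TCP flag names to the value the tcp[13] byte carries and back, so a byte-offset filter can be checked before it is typed into tcpdump; the "at least these flags" form using a bitmask goes beyond the exact-match table above.

```python
# Added example: helpers for the tcp[13] byte-offset style of flag filtering.
# Bit values of the TCP flags byte (header offset 13), low bit first.
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04,
    "psh": 0x08, "ack": 0x10, "urg": 0x20,
}


def flags_to_mask(flags):
    """Combine flag names into the value tcp[13] holds when exactly they are set."""
    mask = 0
    for name in flags:
        mask |= TCP_FLAG_BITS[name.lower()]   # KeyError on an unknown flag name
    return mask


def mask_to_flags(value):
    """Decode a tcp[13] byte into the flag names that are set, low bit first.

    Useful to sanity-check a hand-written numeric filter before capturing."""
    return [name.upper() for name, bit in TCP_FLAG_BITS.items() if value & bit]


def flag_filter(flags, exact=True):
    """Build the BPF expression for the given flags.

    exact=True  -> only packets with exactly these flags (tcp[13] == N),
                   the same match as 'tcp[tcpflags] == tcp-syn' in the table.
    exact=False -> packets with at least these flags, whatever else is set
                   (tcp[13] & N == N), e.g. SYN/ACK as well as a pure SYN.
    """
    mask = flags_to_mask(flags)
    if exact:
        return f"tcp[13] == {mask}"
    return f"tcp[13] & {mask} == {mask}"


if __name__ == "__main__":
    print(flag_filter(["syn"]))               # tcp[13] == 2
    print(flag_filter(["syn", "ack"]))        # tcp[13] == 18
    print(flag_filter(["rst"], exact=False))  # tcp[13] & 4 == 4
    print(mask_to_flags(8))                   # ['PSH']
```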

  • Filter ARP:

You need to define which field you would like to filter on and its value.

For a request or reply filter, you must use the opcode field, which occupies bytes 6-7 of the ARP header.

request filter: You may choose fields 6 and 7 with an offset value, but field 7 alone is enough for filtering on the value, which is 1 for a request and 2 for a reply.

example: tcpdump -i eth0 -e 'arp and arp[7]=1' -n

reply filter:

example: tcpdump -i eth0 -e 'arp and arp[7]=2' -n

filter for sender IP:

example (sender IP 10.11.12.13):

tcpdump -i eth0 -e 'arp[14]=10 and arp[15]=11 and arp[16]=12 and arp[17]=13' -nnn -vvvv

filter for target IP:

example (target IP 10.11.12.13):

tcpdump -i eth0 -e 'arp[24]=10 and arp[25]=11 and arp[26]=12 and arp[27]=13' -nnn -vvvv
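As an added example (not part of the original notes), a Python helper that generates the per-byte ARP sender/target filters above from a dotted IPv4 address, validates the address first, and can also combine them with the opcode test. The single 4-byte comparison form (arp[14:4] = 0x...) goes beyond the notes; it uses the standard proto[offset:size] BPF syntax.

```python
# Added example: build ARP byte-offset filters for tcpdump from an IPv4 address.
import ipaddress

# Byte offsets inside an Ethernet/IPv4 ARP packet (RFC 826 layout):
#   0-1 hw type, 2-3 proto type, 4 hw len, 5 proto len, 6-7 opcode,
#   8-13 sender MAC, 14-17 sender IP, 18-23 target MAC, 24-27 target IP
ARP_FIELD_OFFSET = {"sender": 14, "target": 24}
ARP_OPCODE = {"request": 1, "reply": 2}


def arp_ip_filter(field, ip, packed=False):
    """Return a tcpdump filter matching an ARP sender or target IPv4 address.

    packed=False -> 'arp[14]=10 and arp[15]=11 ...' (the form used in the notes)
    packed=True  -> 'arp[14:4] = 0x0a0b0c0d' (same match as one 4-byte compare)
    """
    base = ARP_FIELD_OFFSET[field]
    octets = ipaddress.IPv4Address(ip).packed   # raises ValueError on bad input
    if packed:
        return f"arp[{base}:4] = 0x{octets.hex()}"
    return " and ".join(f"arp[{base + i}]={b}" for i, b in enumerate(octets))


def arp_filter(opcode=None, sender=None, target=None, packed=False):
    """Combine opcode and address terms into one expression.

    e.g. arp_filter("request", target="10.11.12.13") matches 'who has 10.11.12.13'.
    """
    terms = ["arp"]
    if opcode:
        terms.append(f"arp[7]={ARP_OPCODE[opcode]}")   # low byte of the opcode
    if sender:
        terms.append(arp_ip_filter("sender", sender, packed))
    if target:
        terms.append(arp_ip_filter("target", target, packed))
    return " and ".join(terms)


if __name__ == "__main__":
    print(arp_ip_filter("sender", "10.11.12.13"))
    print(arp_ip_filter("target", "10.11.12.13", packed=True))
    print(arp_filter("request", target="10.11.12.13"))
```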

  • Filter ICMP:

sudo tcpdump -i ens3 -l 'icmp[icmptype] == icmp-echo'

Good examples:

https://hackertarget.com/tcpdump-examples/

IOSXR – ASR9K BGP BFD bundle-interface

A BFD session for a BGP neighbor that is routed over a bundle interface cannot be established without the command below:

bfd multipath include location 0/0/CPU0

Before that, the following error can be seen for the BFD session in show bfd session detail:

BFD_MP_DOWNLOAD_NO_LC.

A BFD session must be tied to a specific location, i.e. a line card. With a bundle configured and without that command, BFD cannot bind an interface for the session, as IOS XR uses the LC for BFD sessions.

Below is a nice explanation of the behaviour by Xander Thuijs:

This I think is maybe nicely explained with this: Implementation of various BFD flavours over bundle interfaces in IOS XR was carried out in 3 phases:

  1. IPv4 BFD session over individual bundle sub-interfaces. This feature was called “BFD over VLAN over bundle”.
  2. IOS XR releases 4.0.1 and beyond: “BFD Over Bundle (BoB)” feature was introduced.
  3. IOS XR releases 4.3.0 and beyond: full support for IPv4 and IPv6 BFD sessions over bundle interfaces and sub-interfaces. For disambiguation from the BoB feature, this implementation is called BLB, and sessions are often referred to as native BFD sessions over bundle interfaces and/or sub-interfaces. BFD multipath must be enabled for any of these BFD flavours to work.

Due to the introduction of BLB (bfd over logical bundle) in XR43 this was necessary, I agree that you may have been misled by the nomenclature of that multipath location keyword which suggests multihop, but it was meant to also include multipath as in multiple members of a bundle.

https://community.cisco.com/t5/xr-os-and-platforms/bfd-on-asr9k-cluster/td-p/2477664

Silent Host, vEOS

If you have silent hosts on your EVPN fabric, that may be a problem for some of the applications.

With a silent host, the first request towards the host can generally be lost. If you use an application that discovers hosts on the network, like nmap etc., it may report fewer hosts on the network than expected. And when you run a second discovery right after the first one, it may report many more hosts than the first.

By using the arp aging timeout command under the SVI with a value lower than the default, like 180 or 240 seconds, the switch will send ARP requests for the host to refresh its ARP entries. This seems to be internal knowledge; it may be defined in an RFC, I have not had time to check.

Entries are refreshed and expired at a random time that is in the range of 80%-100% of the cache expiry time.
The refresh is tried 3 times at an interval of 2% of the configured timeout.

Arista switches refresh their ARP timers when the control plane (CPU) receives an ARP packet from the host, or any other control-plane related traffic from the host, such as an ICMP packet for the default gateway. Check the value of the host-side ARP timeout and do not go below it.