Using TShark Filter for Packet Capture on Vyatta 5600

Vyatta 5600 provides Tshark as the packet capture tool. To capture only the traffic you are interested in and leave out unnecessary noisy traffic, use a capture filter when you perform the packet capture. Here I show a few real-world examples of tshark capture filters, which I hope will save you a bit of time.

  • Capture packets based on source or destination IP

tshark -f "host 10.42.131.120" -i dp0p224p1 -w /tmp/capture.pcap

  • Capture packets based on Protocol/Port

tshark -f "tcp port 1401" -i dp0p224p1 -w /tmp/capture.pcap

tshark -f "udp port 53" -i dp0p224p1 -w /tmp/capture.pcap

  • Capture packets based on IP and Protocol/Port

tshark -f "tcp port 1401 and host 10.15.72.34" -i dp0p224p1 -w /tmp/capture.pcap

  • Capture packets based on multiple IPs and Protocol/Port (the parentheses are required: without them BPF reads the filter as "(tcp port 1401 and host 10.15.72.34) or host 10.15.72.36", so all traffic to or from the second host is captured, not just port 1401)

tshark -f "tcp port 1401 and (host 10.15.72.34 or host 10.15.72.36)" -i dp0p224p1 -w /tmp/capture.pcap

You can use tshark to read your packet capture:

  • tshark -r capture.pcap

Note1: dp0p224p1 is the interface on which we capture the traffic.

Note2: In some cases (GRE tunnel traffic, VXLAN traffic), the host filters above may not match what you expect, because the capture filter only matches the source/destination IP of the outer tunnel header, not the addresses of the encapsulated packet.

Another way to control the size of the capture file is to stop the packet capture after a specific number of packets has been captured.

  • Capture 50000 packets and save them to a trace file called 1000test.pcap

tshark -c 50000 -i dp0p192p1 -w /tmp/1000test.pcap

or

tshark -f "host 10.42.131.120" -c 50000 -i dp0p192p1 -w /tmp/1000test.pcap
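The multiple-IP filter and the packet-count limit above are easy to get subtly wrong by hand, so here is an added helper script (my own example, not part of the original post or of Vyatta's tooling) that builds the BPF filter with the parentheses in the right place and prints the resulting tshark command for review before you run it. The interface name, hosts and port are constructed sample values.

```shell
#!/bin/sh
# Added example: compose a tshark capture filter so that the port
# restriction applies to every listed host. Without the parentheses, BPF
# parses "tcp port 1401 and host A or host B" as
# "(tcp port 1401 and host A) or host B", which also captures all
# traffic for host B. Sample interface/hosts/port are constructed.

# build_filter PROTO PORT [HOST ...]
# Prints e.g. "tcp port 1401 and (host 10.15.72.34 or host 10.15.72.36)".
build_filter() {
    proto=$1; port=$2; shift 2
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="host $h"
        else
            hosts="$hosts or host $h"
        fi
    done
    case $# in
        0) printf '%s port %s\n' "$proto" "$port" ;;
        1) printf '%s port %s and %s\n' "$proto" "$port" "$hosts" ;;
        *) printf '%s port %s and (%s)\n' "$proto" "$port" "$hosts" ;;
    esac
}

# capture_cmd IFACE OUTFILE MAXPKTS FILTER
# Prints the tshark command line (dry run) so the filter can be checked
# before capturing. MAXPKTS=0 means no packet-count limit (-c omitted).
capture_cmd() {
    iface=$1; out=$2; max=$3; filter=$4
    if [ "$max" -gt 0 ]; then
        printf 'tshark -f "%s" -c %s -i %s -w %s\n' "$filter" "$max" "$iface" "$out"
    else
        printf 'tshark -f "%s" -i %s -w %s\n' "$filter" "$iface" "$out"
    fi
}

# Demo: two hosts on TCP 1401, stop after 50000 packets on dp0p224p1.
f=$(build_filter tcp 1401 10.15.72.34 10.15.72.36)
capture_cmd dp0p224p1 /tmp/capture.pcap 50000 "$f"
```

Once the printed command looks right, paste it into the Vyatta shell to start the capture.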
