Vyatta 5600 provides tshark as its packet capture tool. To capture only the traffic you are interested in and leave out unnecessary noisy traffic, use a capture filter when you run the capture. Here are a few real-world examples of tshark capture filters, which I hope can save you a bit of time.
- Capture packet based on source or destination IP
tshark -f "host 10.42.131.120" -i dp0p224p1 -w /tmp/capture.pcap
- Capture packets based on Protocol/Port
tshark -f "tcp port 1401" -i dp0p224p1 -w /tmp/capture.pcap
tshark -f "udp port 53" -i dp0p224p1 -w /tmp/capture.pcap
- Capture packets based on IP and Protocol/Port
tshark -f "tcp port 1401 and host 10.15.72.34" -i dp0p224p1 -w /tmp/capture.pcap
- Capture packets based on multiple IPs and Protocol/Port (the parentheses are required: in a capture filter "and" binds tighter than "or", so without them the second host would be captured on every port)
tshark -f "tcp port 1401 and (host 10.15.72.34 or host 10.15.72.36)" -i dp0p224p1 -w /tmp/capture.pcap
You can use tshark to read your packet capture:
- tshark -r capture.pcap
Note1: dp0p224p1 is the interface on which we capture the traffic.
Note2: In some cases (GRE tunnel traffic, VXLAN traffic) the filters above may not work as expected, because a capture filter only matches the outer source/destination IP of the tunnel, not the addresses of the encapsulated packet.
Another way to control the size of the capture file is to stop the capture once a specific number of packets has been captured.
- Capture 50000 Packets and save them to a trace file called 1000test.pcap
tshark -c 50000 -i dp0p192p1 -w /tmp/1000test.pcap
or
tshark -f "host 10.42.131.120" -c 50000 -i dp0p192p1 -w /tmp/1000test.pcap
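As an added example that is not part of the original post, the small POSIX shell helper below assembles the "port plus one or more hosts" filter with explicit parentheses, so the "and"/"or" precedence pitfall from the multiple-IP case cannot creep in, and prints the bounded-capture command line with the packet count. The function names build_filter and capture_cmd are my own; the interface, host and port values are the ones used above.

```shell
#!/bin/sh
# Build a BPF capture filter of the form
#   "<proto> port <port> and (host A or host B ...)"
# The parentheses matter: in BPF "and" binds tighter than "or", so
# "tcp port 1401 and host A or host B" would also capture ALL traffic to/from B.
build_filter() {
    proto=$1; port=$2; shift 2
    hosts=""
    for h in "$@"; do
        if [ -z "$hosts" ]; then
            hosts="host $h"
        else
            hosts="$hosts or host $h"
        fi
    done
    if [ -z "$hosts" ]; then
        printf '%s port %s\n' "$proto" "$port"
    elif [ $# -eq 1 ]; then
        # a single host needs no grouping
        printf '%s port %s and %s\n' "$proto" "$port" "$hosts"
    else
        printf '%s port %s and (%s)\n' "$proto" "$port" "$hosts"
    fi
}

# Print (not run) the tshark command line for a bounded capture: stop after
# $count packets, or pass 0 to capture until interrupted.
capture_cmd() {
    iface=$1; out=$2; count=$3; filter=$4
    if [ "$count" -gt 0 ]; then
        printf 'tshark -i %s -f "%s" -c %s -w %s\n' "$iface" "$filter" "$count" "$out"
    else
        printf 'tshark -i %s -f "%s" -w %s\n' "$iface" "$filter" "$out"
    fi
}

# Example: the two-host case from the post, bounded to 50000 packets.
f=$(build_filter tcp 1401 10.15.72.34 10.15.72.36)
capture_cmd dp0p224p1 /tmp/capture.pcap 50000 "$f"
```

Paste the printed command into the Vyatta shell, or replace the final printf with an exec once the filter looks right.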