Chapter 25. tcpdump and Advanced Mirroring
tcpdump is an open source packet-capture and analyzer tool that’s been around since the late 1980s. tcpdump is useful because it allows pretty powerful packet capture sessions from the command line. Even better, you can use it from either Bash or the command-line interface (CLI). Let’s take a look. First I show you how it works from within Bash, and then I’ll show you what it’s like from within EOS.
tcpdump will capture only packets destined to or sourced from the CPU. It will not capture data-plane traffic because the CPU couldn’t possibly keep up with it all. Well, that’s the case on most switches. On some Arista switches you can actually see front-panel interface traffic with tcpdump! See the end of this chapter for how to use Advanced Mirroring.
tcpdump in Linux
If you have Linux experience and already know how to use tcpdump, you might feel more at home using it from Bash. Plus, you’ll find that sometimes you need to use it from Bash. To do so, just drop into Bash, and have at it:
Arista-Z#bash
Arista Networks EOS shell

[admin@Arista-Z ~]$ tcpdump -h
tcpdump version 4.9.2
libpcap version 1.8.1
OpenSSL 1.0.2k-fips  26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOPpqStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ ...
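Because tcpdump on a switch shows only what reaches the CPU, the first thing most operators want from a Bash capture is a quick answer to "what is hitting my control plane, and from where?" The following script is an added example (not from the book or from Arista) that summarises tcpdump's default one-line `-nn` text output by destination service and by source address; the sample lines are constructed, and the regexes assume the default (non `-v`) IPv4/ARP line format.

```python
"""Summarise tcpdump -nn text output: which services on the switch CPU are
being hit, and by which sources. Sample lines are constructed."""
import re
from collections import Counter

IPV4 = r"\d+(?:\.\d+){3}"
# TCP/UDP line: "<ts> IP src.sport > dst.dport: ..."
IP_PORTS = re.compile(rf"^\S+ IP (?P<src>{IPV4})\.(?P<sport>\d+) > "
                      rf"(?P<dst>{IPV4})\.(?P<dport>\d+): (?P<rest>.*)$")
# Line without ports (ICMP etc.): "<ts> IP src > dst: ICMP ..."
IP_NOPORTS = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): (?P<rest>.*)$")
ARP = re.compile(r"^\S+ ARP, (?P<rest>.*)$")

# Constructed sample capture, as tcpdump -nn would print it on the CPU port.
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.51000 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
12:00:00.000200 IP 10.0.0.5.51001 > 10.0.0.1.22: Flags [S], seq 2, win 64240, length 0
12:00:00.000300 IP 10.0.0.5.51002 > 10.0.0.1.22: Flags [S], seq 3, win 64240, length 0
12:00:00.000400 IP 10.0.0.7.40000 > 10.0.0.1.161: C="public" GetRequest(28) .1.3.6.1.2.1.1.1.0
12:00:00.000500 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:00.000600 ARP, Request who-has 10.0.0.1 tell 10.0.0.11, length 28
"""

def parse_line(line):
    """Return (src, service) for one line, or None if the line is unrecognised.
    service is 'port N' for TCP/UDP, 'icmp', 'ip-other' or 'arp'."""
    if m := IP_PORTS.match(line):
        return m["src"], "port " + m["dport"]
    if m := IP_NOPORTS.match(line):
        return m["src"], "icmp" if m["rest"].startswith("ICMP") else "ip-other"
    if m := ARP.match(line):
        who = re.search(rf"tell ({IPV4})", m["rest"])   # sender of an ARP request
        return (who.group(1) if who else None), "arp"
    return None

def summarise(lines):
    """Count packets per destination service and per source; returns two Counters."""
    by_service, by_src = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        src, service = parsed
        by_service[service] += 1
        if src:
            by_src[src] += 1
    return by_service, by_src

if __name__ == "__main__":
    services, sources = summarise(SAMPLE.splitlines())
    print("by service:", services.most_common())
    print("by source: ", sources.most_common())
```

Pipe a live capture through it with `tcpdump -nn -l | python3 summarise.py` (reading stdin instead of SAMPLE) to watch which control-plane services and sources dominate.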