My AMD and CAS are working fine, but creating cap files does not work...
It did not while running 11.x and it does not now running 12.1.2, seems like that feature has never worked on this installation.
I've tried both from atscon and within rcon using tcpdump, same same...
Any clue?
RCON-based tcpdump uses different syntax than the tcpdump program you'd download via yum. Running the command rcmd tcpdump help will show some info on syntax:
For example, if you want a 10,000 packet capture filtered on a specific host, use syntax:
tcpdump 10000 "/tmp/tcpdump_example.pcap" "host 10.10.10.10"
Hope this helps.
This reply is from Bard Erik Jacobson. It came in via email and we post it here on his behalf:
Yes - I have used that syntax but still the dump on it ends up as zero byte ;)
In atscon I use " host 10.1.2.10", it starts but only produces a zero byte cap file.
I have other AMDs for other customers where this works fine.
I asked support as well, but they did not have any good suggestions.
So maybe you have VLANs or MPLSes in your network ... Try the following:
tcpdump 10000 "/tmp/tcpdump_example.pcap" "vlan and host 10.10.10.10"
tcpdump 10000 "/tmp/tcpdump_example.pcap" "mpls and host 10.10.10.10"
tcpdump 10000 "/tmp/tcpdump_example.pcap" "vlan and mpls and host 10.10.10.10"
Zero byte capture file could be due to the following:
Can you verify that the traffic you're looking for is indeed present on the AMD?
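Why a plain host filter can produce an empty capture on tagged traffic while adding vlan matches, as an added sketch that is not part of the original thread and is not Dynatrace code: it mimics libpcap-style filter offsets over constructed frames. It assumes the RCON filter follows libpcap semantics and that the 802.1Q tag is present in the captured bytes; the function names and the VLAN ID are illustrative.

```python
import socket
import struct

ETH_IPV4 = 0x0800   # EtherType for IPv4
ETH_VLAN = 0x8100   # 802.1Q tag protocol identifier (TPID)

def frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet + IPv4 header, optionally 802.1Q-tagged."""
    eth = bytes(12)  # destination and source MAC, zeroed for the sketch
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)  # 4-byte tag
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def match_host(pkt, ip, l2_len=14):
    """'host <ip>': EtherType sits at l2_len-2, IPv4 src/dst at l2_len+12/+16."""
    if len(pkt) < l2_len + 20:
        return False
    (etype,) = struct.unpack_from("!H", pkt, l2_len - 2)
    if etype != ETH_IPV4:
        return False  # on a tagged frame offset 12 holds 0x8100, so no match
    addr = socket.inet_aton(ip)
    return addr in (pkt[l2_len + 12:l2_len + 16], pkt[l2_len + 16:l2_len + 20])

def match_vlan_and_host(pkt, ip):
    """'vlan and host <ip>': require the TPID, then shift every offset by 4."""
    if len(pkt) < 14:
        return False
    (tpid,) = struct.unpack_from("!H", pkt, 12)
    return tpid == ETH_VLAN and match_host(pkt, ip, l2_len=18)

def compare(ip="10.10.10.10"):
    """Run both filters over one untagged and one tagged constructed frame."""
    untagged = frame(ip, "10.1.2.10")
    tagged = frame(ip, "10.1.2.10", vlan_id=100)
    return {
        "host / untagged": match_host(untagged, ip),
        "host / tagged": match_host(tagged, ip),
        "vlan and host / untagged": match_vlan_and_host(untagged, ip),
        "vlan and host / tagged": match_vlan_and_host(tagged, ip),
    }

if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:26} -> {'match' if hit else 'no match'}")
```

The same shift explains why "vlan and host" matches nothing on untagged traffic, so the filter has to follow the encapsulation actually seen on the monitored port.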
In rcon vlan did the trick thanks!
However, the system does not accept that syntax in the capture packets function within atscon. It's saying "Capture command executing error on AMD(s). Possible error in capture filter".