Unexpected behaviour of rcon-tcpdump when working with filter-expressions (Version 12.4.5)

michael_schoet1
Participant

Hi all,

I'm struggling with tcpdump in rcon.

Doing tcpdump 100000 "/tmp/tcp.txt" I see e.g. host 10.253.170.12 in the txt file.

Because of the huge amount of data I would then like to drill down with

tcpdump 100000 "/tmp/tcp.txt" "host 10.253.170.12"

but no packets are saved, even though there is a lot of communication with this server address.

Can someone help?

Thanks,

Michael


raffaele_talari
Inactive

Hi Michael,

do you have VLAN tags in your traffic?

If so, try using the following commands:

Capturing traffic with VLAN tags for a specific host:
tcpdump 0 "/tmp/vlan_host.cap" "vlan and host 1.1.1.1"

Capturing traffic with regular Ethernet frames or VLAN tagged frames for a specific host:
tcpdump 0 "/tmp/vlan_host.cap" "(host 1.1.1.1) or (vlan and host 1.1.1.1)"

Ciao, Raff

Erik_Soderquist
Dynatrace Pro

This is usually the result of VLAN encapsulation and how the filters work with VLANs.

tcpdump 100000 "/tmp/tcp.pcap" "(host 10.253.170.12) or (vlan and host 10.253.170.12)"

Should capture packets for that host unencapsulated or inside one layer of VLAN encapsulation.

Please note that the order is important in this scenario because of how the vlan tag is processed. "(host) or (vlan and host)" is *NOT* the same as "(vlan and host) or (host)" in capture filters.

-- Erik
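Added example (not from this thread, and not Dynatrace's rcon or libpcap code): a small Python model of why the order matters in Raff's and Erik's filters. It mirrors libpcap's documented rule that the first `vlan` keyword in an expression shifts the decoding offsets for the remainder of the expression, and runs the four filters discussed above over three constructed frames (untagged, 802.1Q-tagged, and an unrelated tagged one). The frame builder, the tuple expression trees and the IPv4-only `host` matching are simplifications I assumed for the example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
ETHERTYPE_8021Q = b"\x81\x00"
ETH_HDR_LEN = 14       # dst MAC + src MAC + EtherType
VLAN_TAG_LEN = 4       # 802.1Q TPID + TCI


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample frame: Ethernet header, optional single 802.1Q tag,
    and a minimal 20-byte IPv4 header with no payload. MAC addresses are dummies."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        frame += ETHERTYPE_8021Q + struct.pack("!H", vlan_id & 0x0FFF)
    frame += ETHERTYPE_IPV4
    frame += struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 6, 0,   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto=TCP, checksum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return frame


def compile_filter(expr, state=None):
    """Turn an expression tree into a predicate over raw frames.

    Trees look like ("host", "10.253.170.12"), ("vlan",), ("and", a, b), ("or", a, b).
    state["link_len"] is the link-header length assumed when reading the IP header.
    As in libpcap, the first `vlan` keyword met in textual order adds 4 to that length
    for every primitive compiled after it, even inside another parenthesised branch;
    the offset is fixed at compile time, not when a packet is inspected.
    """
    if state is None:
        state = {"link_len": ETH_HDR_LEN}
    op = expr[0]

    if op == "host":
        target = ipaddress.IPv4Address(expr[1]).packed
        link_len = state["link_len"]   # frozen for this primitive

        def match_host(frame):
            if len(frame) < link_len + 20:
                return False
            if frame[link_len - 2:link_len] != ETHERTYPE_IPV4:   # no IPv4 at the assumed offset
                return False
            src = frame[link_len + 12:link_len + 16]
            dst = frame[link_len + 16:link_len + 20]
            return target in (src, dst)
        return match_host

    if op == "vlan":
        link_len = state["link_len"]
        state["link_len"] += VLAN_TAG_LEN   # shifts everything compiled after this point

        def match_vlan(frame):
            return frame[link_len - 2:link_len] == ETHERTYPE_8021Q
        return match_vlan

    if op in ("and", "or"):
        left = compile_filter(expr[1], state)    # left-to-right = textual order
        right = compile_filter(expr[2], state)
        if op == "and":
            return lambda frame: left(frame) and right(frame)
        return lambda frame: left(frame) or right(frame)

    raise ValueError(f"unknown operator {op!r}")


HOST = "10.253.170.12"

# Constructed traffic: an untagged frame from the host, a tagged frame to it,
# and a tagged frame between unrelated addresses.
SAMPLE_FRAMES = [
    build_frame(HOST, "10.1.2.3"),
    build_frame("10.1.2.3", HOST, vlan_id=100),
    build_frame("10.9.9.9", "10.8.8.8", vlan_id=100),
]

FILTER_HOST_ONLY = ("host", HOST)                              # the original attempt
FILTER_VLAN_HOST = ("and", ("vlan",), ("host", HOST))           # "vlan and host"
FILTER_RECOMMENDED = ("or", ("host", HOST), FILTER_VLAN_HOST)   # "(host) or (vlan and host)"
FILTER_WRONG_ORDER = ("or", FILTER_VLAN_HOST, ("host", HOST))   # "(vlan and host) or (host)"


def apply_filter(expr, frames=SAMPLE_FRAMES):
    """Compile `expr` fresh and return one True/False per frame."""
    predicate = compile_filter(expr)
    return [predicate(frame) for frame in frames]


if __name__ == "__main__":
    for name, expr in [("host only", FILTER_HOST_ONLY),
                       ("vlan and host", FILTER_VLAN_HOST),
                       ("(host) or (vlan and host)", FILTER_RECOMMENDED),
                       ("(vlan and host) or (host)", FILTER_WRONG_ORDER)]:
        print(f"{name:28s} -> {apply_filter(expr)}")
```

The plain `host` filter sees only the untagged frame, the recommended `(host) or (vlan and host)` sees both, and the reversed order drops the untagged frame because its second `host` is compiled with the shifted offset. On a machine with tcpdump installed the same effect can be checked without capturing anything: `tcpdump -d 'EXPRESSION'` prints the compiled BPF program, and the load offsets for the two orderings differ.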

michael_schoet1
Participant

Hi, with the suggested options it is working! Thank you!