Verifying Captured Packets
Purpose
Verify that the packet capture file is stored under the /var/tmp directory and the packets can be analyzed offline.
Action
Take the following actions:
- Disable packet capture. See Disabling Packet Capture.
- Perform these steps to transfer a packet capture file (for example, 126b.fe-0.0.1) to a server where you have installed packet analyzer tools (for example, tools-server), using FTP:
- From the CLI configuration mode, connect to tools-server using FTP:
user@host# run ftp tools-server
Connected to tools-server.mydomain.net
220 tools-server.mydomain.net FTP server (Version 6.00LS) ready
Name (tools-server:user): remoteuser
331 Password required for remoteuser.
Password:
230 User remoteuser logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
- Navigate to the directory where packet capture files are stored on the device:
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
- Copy the packet capture file that you want to analyze (for example, 126b.fe-0.0.1) to the server:
ftp> put 126b.fe-0.0.1
local: 126b.fe-0.0.1 remote: 126b.fe-0.0.1
200 PORT command successful.
150 Opening BINARY mode data connection for '126b.fe-0.0.1'.
100% 1476 00:00 ETA
226 Transfer complete.
1476 bytes sent in 0.01 seconds (142.42 KB/s)
- Return to the CLI configuration mode:
ftp> bye
221 Goodbye.
[edit]
user@host#
- Open the packet capture file on the server with tcpdump or any packet analyzer that supports libpcap format.
Sample Output
root@server% tcpdump -r 126b.fe-0.0.1 -xevvvv
01:12:36.279769 Out 0:5:85:c4:e3:d1 > 0:5:85:c8:f6:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 33133, offset 0, flags [none], proto: ICMP (1), length: 84) 14.1.1.1 > 15.1.1.1: ICMP echo request seq 0, length 64
0005 85c8 f6d1 0005 85c4 e3d1 0800 4500
0054 816d 0000 4001 da38 0e01 0101 0f01
0101 0800 3c5a 981e 0000 8b5d 4543 51e6
0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
01:12:36.279793 Out 0:5:85:c8:f6:d1 > 0:5:85:c4:e3:d1, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41227, offset 0, flags [none], proto: ICMP (1), length: 84) 15.1.1.1 > 14.1.1.1: ICMP echo reply seq 0, length 64
0005 85c4 e3d1 0005 85c8 f6d1 0800 4500
0054 a10b 0000 3f01 bb9a 0f01 0101 0e01
0101 0000 445a 981e 0000 8b5d 4543 51e6
0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
root@server%
Meaning
Verify that the output shows the intended packets.
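As an added example (not part of the original documentation), the following Python script decodes the two frames printed by tcpdump -x in the sample output above and verifies their IPv4 header and ICMP checksums, which is a quick offline check that the transferred capture file is intact before deeper analysis. It assumes the frames are Ethernet/IPv4/ICMP with no IPv4 options beyond what IHL reports.

```python
# Added example (not part of the original documentation): decode the two frames
# from the 'tcpdump -x' sample output above and verify their checksums.
import struct
from ipaddress import IPv4Address

# Constructed input: hex dumps copied from the sample output (request, reply).
ECHO_REQUEST_HEX = """
0005 85c8 f6d1 0005 85c4 e3d1 0800 4500 0054 816d 0000 4001 da38 0e01 0101 0f01
0101 0800 3c5a 981e 0000 8b5d 4543 51e6 0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000"""
ECHO_REPLY_HEX = """
0005 85c4 e3d1 0005 85c8 f6d1 0800 4500 0054 a10b 0000 3f01 bb9a 0f01 0101 0e01
0101 0000 445a 981e 0000 8b5d 4543 51e6 0100 aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex words of a tcpdump -x dump into bytes."""
    return bytes.fromhex("".join(dump.split()))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; an intact header/message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/ICMP headers and check the IPv4 and ICMP checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto = ip[8], ip[9]
    icmp = ip[ihl:total_len]                      # IPv4 payload, trailer excluded
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
        "id": ident, "ttl": ttl, "proto": proto, "icmp_type": icmp[0],
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_checksum_ok": proto == 1 and inet_checksum(icmp) == 0,
    }

if __name__ == "__main__":
    for dump in (ECHO_REQUEST_HEX, ECHO_REPLY_HEX):
        print(decode_frame(hexdump_to_bytes(dump)))
```

The decoded addresses, IDs and TTLs should match the tcpdump summary lines; a failed checksum on a frame that tcpdump reported as clean points to corruption during the transfer (for example, an ASCII-mode FTP copy).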