If you experience issues with PCA or its host server that you aren't able to resolve, collect the following information before contacting Support.
- What version of the PCA is running?
- What NICs are being listened on?
- Did this problem appear as part of a new install or an upgrade? If this occurred during an upgrade, was this problem also available before the upgrade?
- Run
tcpdump
. Was the memory dump filtering for anything or was it just on the listening NICs? - Provide root access or personnel who have root access to the PCA.
tcpdump commands
There are several tcpdump
commands that you can use to gather additional
information about PCA processing.
Extended tcpdump Details
To get the expanded details for tcpdump, run man tcpdump
on the PCA server or
get it from the http://www.tcpdump.org/ website. The
short form is:
tcpdump -ni NIC -s0 -w dumpfile filter_string
where
NIC
is the sniffer/capture NIC device name. To see a list of NIC device names, use theifconfig
command or the Interface page of the PCA Web UI, which is located by default athttp://<PCA>:8080/interface.php
orhttps://<PCA>:8443/interface
.<PCA>
is the host name or IP address of the PCA.dumpfile
is the name of the file to which the dump is written.filter string
is the IP/port expression that you want to capture.
If you want to run a test to validate, remove the -w
option and its argument;
output is then printed to the console.
Test capture sniffer ports for traffic
To use tcpdump to determine if capture sniffer ports are receiving traffic:
tcpdump -ni eth1 | more
To look for specific traffic:
tcpdump -ni bge0 host <IP address> and port <IP port number> | more
Where <IP address>
and <IP port number>
might be
10.10.10.2 and 80, for example.
Manual capture of tcpdump to a File
The manual method of using tcpdump to capture HTTP(S) traffic to a dump file is the following:
tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port \(80 or 443\)
tcpdump -ni bge0 -s0 -w dumpfile host ipAddr and port '('80 or 443')'
tcpdump -ni bge0 -s0 -w dumpfile net xxx.xxx.xxx.0/24 and port 80
Using existing tcpdump file to extract specific traffic to another dump file:
tcpdump -nr <dumpfile> -s0 -w <new_file_name> host <ip address> and \
port <port number>
Display tcpdump extra header
If tcpdump is unable to filter any traffic, whereas running tcpdump unfiltered does show traffic,
then the problem may be due to an extra Ethernet header being added, which is typically a VLAN
header: 802.1Q VLAN. Use the tcpdump -e
option to see this extra header
information, which should look like the following:
. . . ethertype 802.1Q, length 64: vlan 128, p 0, ethertype IPv4,
IP 192.168.128.42.8001 > 192.168.128.90.20700:
Port filtering
Trying to filter using tcpdump fails. An example is to filter on a known port number, such as the following:
tcpdump -ni eth2 port 8001
If tcpdump is unable to provide a filtered output, then the passive capture software is not able to do so either.
If it is VLAN-type traffic, use the vlan
expression operator as part of the
filter expression:
tcpdump -ni eth2 vlan and port 8001
Other examples of filtering with VLAN packets:
tcpdump -nr tst.dmp 'ether[12:2] = 0x8100'
tcpdump -nr tst.dmp vlan and ip and port 8001
To show both types of traffic:
tcpdump -nr tst.dmp ip or vlan
Display client side traffic only for specific IP address
The following command only displays traffic from the client side, which are requests made from browser to web server from the specified IP address.
tcpdump -nieth1 src host ipAddr and port #nmbr
Display all client-side traffic
The following command displays all client side traffic that attempts to connection on the specified port number. All requests from all clients on the specified port are reported.
tcpdump -nieth1 dst port #nmbr
Display only SYN and FIN packets
The following command only displays the SYN and FIN packets in the tst.dmp
file.
This command can be used to verify that in addition to both directions of traffic being present, the
PCA is also seeing the successful start and stop of the tcp connections.
Valid output that is expected for each connection would be a SYN packet in each direction at the start of the connection and a FIN packet in each direction at the end of the connection.
tcpdump -nr tst.dmp 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'
Using tcpdump to determine if traffic is not bidirectional
Execute the following or similar tcpdump command:
tcpdump -ni <NIC> -s0 host 192.168.149.201 and port 443
Where:
-s0
- do not truncate large packets. Without this option, unidirectional traffic recording does not occur.<NIC>
- the device name of one of the PCAs capture NICs.
The command should generate output similar to the following:
16:10:37.271214 IP 12.130.155.248.4863 > 192.168.149.201.https:
S 4007169894:4007169894(0) win 64512 <mss 1460,nop,nop,sackOK>
There are columns for each line representing a packet:
- timestamp
- network protocol
- source IP address.IP port
- destination IP address.IP port
- TCP flags
- selected information about the packet
The preceding example is a TCP/IP connection handshake packet showing the client-to-server initial SYN handshake.
There should be a second packet with the two IP.port columns reversed to indicate the server to client SYN handshake packet. If there is no second packet, then the SPAN port is not providing bidirectional traffic to the PCA capture NIC.