November 25th, 2021 03:00

tcpdump on S-Series OS10 switches

I'm trying to analyse application traffic between 2 VMs on a VMware stack connected to the Dell switches. The VMs are on 2 different VLANs/subnets and the routing is done upstream. When I run tcpdump, I can see IP packets for traffic TO the switch but only see ARP and IGMP for traffic going THROUGH the switch (i.e. between the VMs). What am I missing?

Commands run:

sudo tcpdump -nn -i any icmp

sudo tcpdump -nn -i any ip host 10.x.x.x

This is the only Dell guide I've found: https://www.dell.com/support/manuals/en-uk/dell-emc-smartfabric-os10/smartfabric-os-user-guide-10-5-1/packet-analysis?guid=guid-5eed1cdd-4aea-4e3e-951b-d7f825612ea0&lang=en-us 

November 26th, 2021 02:00

Hello @wanatkinson,


Sadly, there is not much official documentation regarding the tcpdump command to analyze network packets. Besides the document you found, here are also a few examples including "tcpdump": https://dell.to/3cRgJl2 and here is the Command-Line Reference Guide for C-series: https://dell.to/3xnEgDE


Regards.

December 23rd, 2021 06:00

Just for reference: running tcpdump in a switch operating system will only catch packets destined to the switch operating system (control packets, ARP and so on).
This is because you are tapping the interface between OS and switch ASIC which is not sending all the traffic to the CPU/OS.
If you want to mirror traffic completely you need to do this with the switch ASIC with source and destination interface.
Why don't we allow a port mirror from ASIC interface to the CPU?
Because it is very dangerous and will likely kill the switch operating system (see CoPP).
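
The ASIC-level mirror described in the reply above, as an added example that is not part of the original thread: a local port-monitoring session in OS10 CLI that copies traffic from a source port to a destination port. The session ID and both interface numbers are placeholders, and the destination port is assumed to connect to a separate capture host where tcpdump or Wireshark runs.

```text
! Added example: session ID 1 and the interface numbers are placeholders.
! ethernet 1/1/1 = port carrying the VM traffic to be analysed (assumed)
! ethernet 1/1/2 = port cabled to an external capture host (assumed)
OS10# configure terminal
OS10(config)# monitor session 1
OS10(conf-mon-local-1)# source interface ethernet 1/1/1 both
OS10(conf-mon-local-1)# destination interface ethernet 1/1/2
OS10(conf-mon-local-1)# no shut
OS10(conf-mon-local-1)# end
! Confirm the session is up before starting the capture on the attached host
OS10# show monitor session all
```

The mirrored frames are forwarded by the ASIC to the destination port, so they are captured on the attached host rather than with tcpdump on the switch itself.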
