Q. Is there a way to confirm whether my exporter is sending flows packets to the InterMapper Flows server?
A. Both Mac OS X and Linux provide a command-line packet capture utility (tcpdump) that will intercept and display the contents of packets sent and received on a network interface.
You should first determine the interface to include in the tcpdump command line by running the following command in a Terminal window:
ifconfig -a
The output of this command will list all network interfaces:
dhcp-78:~ Janice$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::20a:95ff:fede:79f4%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.78 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:0a:95:de:79:f4
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP
10baseT/UTP <full-duplex,hw-loopback> 100baseTX
100baseTX 100baseTX <full-duplex,hw-loopback>
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
lladdr 00:0a:95:ff:fe:de:79:f4
media: autoselect status: inactive
supported media: autoselect
To capture and display all UDP packets on port 2055 on interface en0, use the first command below. If you wish to save the collected packets for later analysis, write them to a file using the second form. Capturing normally requires root privileges, so prefix the command with sudo as in the sample session further down. To stop collecting packets, press Control-C.
tcpdump -i en0 -s 0 -v udp and port 2055
tcpdump -i en0 -s 65535 -v -w somefile udp and port 2055
NB: On Mac OS X, the Ethernet interface is generally en0; on Linux, it's generally eth0. Use the "ifconfig -a" command described above to be sure.
NB: The filter for the packets can use several terms separated by "and", including:
icmp or udp or tcp
port ###
host ip-address or DNS name
src ip-address or DNS name
dst ip-address or DNS name
If flows packets are being received by the InterMapper Flows server, the tcpdump program will show information like this on the screen:
dhcp-78:~ Janice$ sudo tcpdump -i en0 -s 0 -v udp and port 2055
Password:
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:51:21.914611 IP (tos 0x0, ttl 128, id 5008, offset 0, flags [none], proto UDP
(17), length 1492) ipaq.dartware.com.ms-sql-s > dhcp-78.dartware.com.iop: UDP,
length 1464
15:51:25.906928 IP (tos 0x0, ttl 128, id 5034, offset 0, flags [none], proto UDP
(17), length 1492) ipaq.dartware.com.ms-sql-s > dhcp-78.dartware.com.iop: UDP,
length 1464
15:51:29.907013 IP (tos 0x0, ttl 128, id 5057, offset 0, flags [none], proto UDP
(17), length 1492) ipaq.dartware.com.ms-sql-s > dhcp-78.dartware.com.iop: UDP,
length 1464
15:51:33.907121 IP (tos 0x0, ttl 128, id 5090, offset 0, flags [none], proto UDP
(17), length 1492) ipaq.dartware.com.ms-sql-s > dhcp-78.dartware.com.iop: UDP,
length 1464
^C
4 packets captured
829 packets received by filter
0 packets dropped by kernel
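The tcpdump output above shows that UDP datagrams reach port 2055, but not that they contain flow records. The following added example (not part of the original FAQ or of InterMapper) reads a capture saved with the second tcpdump form and reports the export version and record count from each datagram's header. It assumes a classic pcap file, an Ethernet/IPv4 capture, and an exporter sending NetFlow v5 or v9; the function names and the 192.168.1.10 exporter address in the built-in sample are constructed for illustration.

```python
import struct
import sys

FLOW_PORT = 2055  # UDP port from the tcpdump filter above

def flow_headers(pcap):
    """Return (source IP, export version, count) per UDP datagram sent to FLOW_PORT."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (EN10MB) captures are handled")
    found, pos = [], 24                      # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                         # not IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 12 or struct.unpack("!H", udp[2:4])[0] != FLOW_PORT:
            continue                         # truncated, or a reply from port 2055
        # NetFlow v5 and v9 both start with a 16-bit version and a 16-bit count
        version, count = struct.unpack("!HH", udp[8:12])
        found.append((".".join(map(str, frame[26:30])), version, count))
    return found

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/UDP frame holding a NetFlow v5 header."""
    netflow = struct.pack("!HHIIIIBBH", 5, 1, 0, 0, 0, 0, 0, 0, 0) + bytes(48)
    udp = struct.pack("!HHHH", 1433, FLOW_PORT, 8 + len(netflow), 0) + netflow
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 78])) + udp
    frame = bytes(12) + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    # With a file argument, read a capture written by `tcpdump -w somefile`
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for src, version, count in flow_headers(data):
        print(f"{src}: export version {version}, count {count}")
```

A version other than 5 or 9 in the output suggests the exporter is sending a different format to port 2055, or that the traffic on that port is not flow export at all.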