Using tcpdump to troubleshoot Cisco Prime Infrastructure

While troubleshooting issues with Cisco Prime Infrastructure (CPI) 1.3 and snmp trap alarms, I was introduced to using tcpdump on our CPI server to figure out if it was actually getting the snmp trap that we weren’t getting notifications on. Below is a very basic tutorial for those who may find it useful. Depending on the type of trap you are troubleshooting, you may need a maintenance window to test it. For me, it was IPSLA up–>down status messages that CPI wasn’t alarming on. To test this, I had to start the packet capture on CPI then shut down the edge interface to our ISP to see if the IPSLA actually triggered the trap and the switch sent it to CPI.

ssh to your CPI instance with the admin user


[sdewndr@jumpbox ~]$ ssh admin@prime

Gain root access (if you have not set this up yet read THIS article first)

PRIME/admin#root
Enter root patch password :
Starting root bash shell ...
ade #

Switch to superuser

ade # su -
[root@PRIME ~]#

Since this isn’t really a tutorial on tcpdump (not that I could write one anyway) I’m not going to get into too much detail about the following command. I will go over it briefly however and what each switch is used for. Do your own research on other possible options. The syntax provided by TAC was:


[root@PRIME ~]#tcpdump -vv "host 192.168.1.1 and port 162" -i eth0 -s0 -w ipsla.pcapng

  • -vv: more verbose capture
  • "host x.x.x.x and port xxx": must be in quotes, the IP address of the trap sender and port CPI is expecting to receive it on
  • -i eth0: -i is interface and eth0 is the interface CPI is using
  • -s0: save the whole packet, do not limit how many bytes per packet are saved
  • -w: write the packet capture to a file so we can export it
  • ipsla.pcapng: the file name you are writing to (file must end with .pcapng or .pcap depending on Wireshark version)

You can stop the capture by simply pressing Ctrl-C on your keyboard. I suggest you try the command on your CPI server to make sure you don’t get any syntax errors before actually triggering your trap. If there are no syntax errors, trigger the trap and you should see the counter increment if the trap is being received by CPI. To make sure CPI is also getting the “alarm clear” trap, make sure you reverse whatever you did to trigger the trap. For instance, if you wanted to make sure you get a trap when an interface goes down – shut down the interface and then bring it back up. You should get two packets; once you have them both, use Ctrl-C to end the capture and then we can transfer the capture off CPI to view in Wireshark.


[root@PRIME ~]#scp ipsla.pcapng username@10.1.1.252:/dir/dir/etc...

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
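
A capture like the one described in the post above can also be checked without Wireshark. The following is an added example, not part of the original post or of any Cisco tooling: it lists the SNMP trap PDUs sent from the trap sender to UDP port 162, assuming a classic pcap file with Ethernet framing and IPv4; `traps_in_pcap` and `sample_capture` are hypothetical names and the sample bytes are constructed. SNMP v1/v2c packets carry the community string in cleartext, so the function skips over it rather than returning it.

```python
import socket
import struct

PDU_NAMES = {0xA4: "v1 Trap", 0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}

def _tlv(buf, pos):  # BER header at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def traps_in_pcap(data, sender, port=162):
    """Return (ts_sec, version, pdu) for each UDP datagram from sender to port."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    found, pos = [], 24
    while pos + 16 <= len(data):
        ts, _, incl, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        udp = 14 + (frame[14] & 0x0F) * 4  # IPv4 header length varies
        dport = int.from_bytes(frame[udp + 2:udp + 4], "big")
        if socket.inet_ntoa(frame[26:30]) != sender or dport != port:
            continue
        snmp = frame[udp + 8:]
        try:
            _, body, _ = _tlv(snmp, 0)          # outer SEQUENCE
            _, vstart, vend = _tlv(snmp, body)  # version INTEGER
            version, pdu = snmp[vstart], "not decoded"
            if version in (0, 1):  # v1/v2c; SNMPv3 has a different layout
                _, _, cend = _tlv(snmp, vend)   # community string: skipped, not returned
                pdu = PDU_NAMES.get(snmp[cend], hex(snmp[cend]))
        except IndexError:
            continue  # truncated or non-SNMP payload
        found.append((ts, {0: "v1", 1: "v2c"}.get(version, "v3 or other"), pdu))
    return found

def sample_capture():  # constructed bytes, not real traffic; PDU bodies left empty
    def rec(ts, dport, payload):
        udp = struct.pack("!HHHH", 50000, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton("192.168.1.1"), socket.inet_aton("192.168.1.50"))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    trap = bytes.fromhex("300a" "020101" "0403616263" "a700")  # v2c, community "abc"
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + rec(100, 162, trap) + rec(101, 514, b"x" * 12) + rec(130, 162, trap)
```

Two entries from the sender, one for the down event and one for the clear, mean both traps reached the server's interface, which points the investigation at alarm processing rather than delivery.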
4 REPLIES
Hall of Fame Super Silver

Re: Using tcpdump to troubleshoot Cisco Prime Infrastructure

Nice writeup Christopher. I'd give it +5 but I can't do that to a question's original posting.

I suspect it will come in handy going forward (at least until PI exposes the packet capture in the GUI like LMS has for some time now).

I would suggest reposting it as a document for better archiving.

Oh by the way did you figure out the root problem?

Re: Using tcpdump to troubleshoot Cisco Prime Infrastructure

Not as of yet, TAC has the capture so we'll see what they say.  I'll repost as a doc, good suggestion.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
New Member

Using tcpdump to troubleshoot Cisco Prime Infrastructure

I suspect it will come in handy going forward (at least until PI exposes the packet capture in the GUI like LMS has for some time now). 

Hi Marvin, can you elaborate on this, can we do packet capture directly from LMS 4 GUI?

Hall of Fame Super Silver

Using tcpdump to troubleshoot Cisco Prime Infrastructure

Yes, you can do a packet capture direct from the LMS 4.x GUI. It's a tool under Device Center.

When you launch it you will see a screen with captures you have done before and the option to create a new one. The captures are saved as .jet files (courtesy of Joe Clarke - Joe's Ethereal Tool) and can be opened in Wireshark.

It is documented in the LMS Monitoring and Troubleshooting guide, chapter 11.

See the screenshot below (click to enlarge):
