piping Arista tcpdump to Wireshark fails

asked 2025-04-15 06:51:57 +0000 by vijay.singh

updated 2025-04-15 12:03:31 +0000 by grahamb

Hi Team,

I was trying to stream a live pcap stream directly from Arista EOS switches to Wireshark on my local laptop and was getting the error below:

C:\Users\USER\Desktop>plink.exe -ssh -l testuser -pw Arista@1234 192.168.0.14 "tcpdump interface Ethernet52/1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -


 ** (wireshark:24156) 09:38:02.720583 [Capture MESSAGE] -- Capture Start ...
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on et52_1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 ** (wireshark:24156) 09:38:04.301455 [Capture MESSAGE] -- Error message from child: "File type is neither a supported pcap nor pcapng format. (magic = 0x333a3930)", "Please report this to the developers of the program writing to the pipe."
 ** (wireshark:24156) 09:38:11.621425 [Capture MESSAGE] -- Capture stopped.
^C^C
C:\Users\USER\Desktop>

1 Answer

answered 2025-04-15 08:17:03 +0000 by Guy Harris

0x333a3930 is either "3:90" or "09:3", which is, indeed, not the first four bytes of a pcap or pcapng file. I suspect it's "09:3", as it appears, from the other messages, that you were doing this at about 09:38.

I.e. the command

plink.exe -ssh -l testuser -pw Arista@1234 192.168.0.14 "tcpdump interface Ethernet52/1"

appears not to be writing a pcap file to its standard output, so Wireshark is not seeing a pcap file on its standard input, and is reporting the appropriate error.

This Arista Community article on troubleshooting EOS devices seems to show a tcpdump with a non-standard user interface, so that tcpdump interface XXX, rather than the standard tcpdump -i XXX, is the way to capture on an interface named "XXX". I guess they tweaked it to have a non-UNIXy command syntax, perhaps because other native commands have a non-UNIXy command syntax (perhaps because that's the way Cisco went ages ago).

It also shows the command tcpdump interface Management1 filter ether proto 0x88cc printing decoded packets to the standard output rather than writing a pcap file to the standard output, which will not work at all in the scenario you describe, and will produce the symptoms you see, because it'll be printing out packet timestamps.

If you want to forward tcpdump output to Wireshark, see the Arista Community article "Forward TCPDump to Wireshark". It appears that, if you run tcpdump from Bash, it behaves more like a standard tcpdump, and can be told to write a pcap file to its standard output (-w -).

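The answer above decodes the "magic" value from Wireshark's error by hand. The following Python script is an added example (not code from the original thread, Wireshark or Arista) that does the same decoding and shows why a text stream fails where a pcap stream succeeds: it turns the reported 32-bit magic back into the four bytes that arrived on the pipe, checks those bytes against the pcap and pcapng signatures, and builds the 24-byte pcap global header that tcpdump -w - emits first. It assumes, as a labelled assumption, that Wireshark read the four bytes as a host-order integer on a little-endian (x86) Windows host, which is why 0x333a3930 corresponds to the text "09:3" rather than "3:90". The sample dissected-output line is constructed to resemble the ones posted in the thread.

```python
import struct

# First four bytes of the capture formats Wireshark accepts from a pipe.
# Sources: the pcap and pcapng format specifications.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\x0a\x0d\x0d\x0a": "pcapng (Section Header Block)",
}


def magic_to_bytes(magic: int) -> bytes:
    """Recover the four bytes behind Wireshark's 'magic = 0x...' message.

    Assumption: Wireshark read the bytes as a host-order 32-bit integer on a
    little-endian host, so the lowest byte of the integer arrived first.
    """
    return struct.pack("<I", magic)


def classify_head(head: bytes) -> str:
    """Classify the start of a stream the way a pipe reader would.

    Returns the capture format name for a real pcap/pcapng stream, or a
    diagnosis showing the text that was found instead.
    """
    if len(head) < 4:
        return "too short to classify"
    fmt = PCAP_MAGICS.get(head[:4])
    if fmt:
        return fmt
    try:
        text = head[:4].decode("ascii")
    except UnicodeDecodeError:
        return "unknown binary format"
    if text.isprintable():
        # Typical symptom of 'tcpdump' run without '-w -': the pipe carries
        # dissected packet text, whose first bytes are a timestamp.
        return f"not a capture file: stream starts with text {text!r}"
    return "unknown binary format"


def explain_wireshark_magic(magic: int) -> str:
    """Combine both steps: from the reported magic to a plain-language diagnosis."""
    return classify_head(magic_to_bytes(magic))


def build_pcap_header(linktype: int = 1, snaplen: int = 262144) -> bytes:
    """Build a little-endian pcap global header, as 'tcpdump -w -' writes first.

    Fields: magic, version 2.4, thiszone 0, sigfigs 0, snaplen, link type
    (1 = LINKTYPE_ETHERNET, matching the 'EN10MB' the thread's tcpdump reports).
    """
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


# Constructed sample: what a pipe carries when tcpdump prints dissected packets.
TEXT_STREAM_SAMPLE = b"09:38:04.301455 IP 10.0.0.1.64575 > 10.0.0.2.3784: UDP, length 24\n"

if __name__ == "__main__":
    for reported in (0x333A3930, 0x313A3231):  # the two values from the thread
        print(hex(reported), "->", magic_to_bytes(reported), "->", explain_wireshark_magic(reported))
    print("text stream  :", classify_head(TEXT_STREAM_SAMPLE))
    print("pcap stream  :", classify_head(build_pcap_header()))
```

Running it shows the two magics from the thread decode to "09:3" and "12:1", the leading characters of the 09:38 and 12:12 timestamps in the dissected output, while a stream that begins with the header from build_pcap_header is recognised as little-endian pcap. The same check can be run on the first bytes saved from any pipe to confirm what a remote capture command is actually sending before blaming the reader.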

Comments

Noted. I have tried multiple permutations/combinations of cmd syntax, including without plink; however, I was getting warnings every time, like those shown below:

C:\Users\USER\Desktop>plink.exe -ssh -l testuser -pw Arista@1234 172.31.0.144 "tcpdump interface Ethernet52/1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -


(wireshark:28784) 12:12:01.536607 [Capture MESSAGE] -- Capture Start ...
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on et52_1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
(wireshark:28784) 12:12:03.152352 [Capture MESSAGE] -- Error message from child: "File type is neither a supported pcap nor pcapng format. (magic = 0x313a3231)", "Please report this to the developers of the program writing to the pipe."
(wireshark:28784) 12:12:08.329188 [Capture MESSAGE] -- Capture stopped.
^C^C

The cmd below works natively (without getting into bash) in Arista EOS:

CL-2#tcpdump interface ethernet 52/1
tcpdump ...

vijay.singh (2025-04-15 09:20:38 +0000)

Below cmd works natively (without getting into bash) in Arista eos:

It works, but it DOES NOT work the way you want it to work; that output:

12:17:48.253368 74:83:ff:ff:bc:fd > 60:66:5b:9e:e1:11, ethertype IPv4 (0x0800), length 66: 10.234.15.1.64575 > 10.234.17.57.bfd-multi-ctl: BFDv1, Multihop, State Up, Flags: [none], length: 24

is dissected packet text, not a pcap file, and so Wireshark cannot read that as a capture.

Got below response from Arista TAC:

Well, did you try what they suggested? If so, what happened?

If none of these approaches work, you could explore Wireshark's developer community or documentation for insights into interpreting pipe errors.

OK, you've done that, and I've given you the insights you need. Go forth and don't run tcpdump without -w -.

Guy Harris (2025-04-15 16:40:14 +0000)

I have tried the cmds suggested by Arista TAC; however, they still do not work (without -w -), i.e. I get "Please report this to the developers of the program writing to the pipe."

C:\Users\USER\Desktop>plink.exe -ssh -l testuser -pw Arista@1234 172.31.0.144 "tcpdump interface Ethernet52/1" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

 ** (wireshark:28784) 12:12:01.536607 [Capture MESSAGE] -- Capture Start ...
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on et52_1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
 ** (wireshark:28784) 12:12:03.152352 [Capture MESSAGE] -- Error message from child: "File type is neither a supported pcap nor pcapng format. (magic = 0x313a3231)", "Please report this to the developers of the program writing to the pipe."
 ** (wireshark:28784) 12:12:08.329188 [Capture MESSAGE] -- Capture stopped.
^C^C

C:\Users\USER\Desktop>plink.exe -ssh -l testuser -pw Arista@1234 172.31.0 ...

vijay.singh (2025-04-16 08:18:49 +0000)

I have tried cmds suggested by Arista TAC, however still not work (without -w -)

This will never work without -w -. Do not waste your time trying to make it work without it.

Try doing

plink.exe -ssh -l testuser -pw Arista@1234 172.31.0.144 "bash tcpdump -i Ethernet52/1 -w -" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

to run tcpdump from bash (i.e., a normal UN*X shell) rather than from Arista's "helpful" EXEC command interpreter. That's similar to what Arista's "Forward TCPDump to Wireshark" article says, but using plink -ssh rather than ssh to open the SSH session.

The name "Ethernet52/1" might not work there; I infer that the EXEC command "tcpdump" maps EXEC command-line names for interfaces to the underlying Linux interface name, just as it maps other EXEC-style command arguments to the underlying tcpdump command line arguments. See Arista ...

Guy Harris (2025-04-16 18:55:18 +0000)

Hi Guy, you are correct. We need to put the exact interface name listed via the ifconfig cmd under EOS bash. Thank you for the pointer and help on this. The cmd below seems to work now:

C:\Users\USER\Desktop>plink.exe -ssh -l <user> -pw <pwd> <switch-ip> "bash tcpdump -i et52_1 -w -" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

vijay.singh (2025-04-17 07:29:56 +0000)
