SSH to the NAC Appliance you wish to run the tcpdump command on
For ALL examples, use Control-C
to stop the packet capture. To limit capture size, read Additional notes below.
For issues with Radius or Authentication coming from a source switch or wireless controller use the below as example
tcpdump -i eth0 -s 0 port 1812 and port 1813 -w radius.pcap
Note that it may be easier if you know the target device sending the radius packets. In that case, add the IP address into that command.
tcpdump -i eth0 -s 0 port 1812 or port 1813 and host 22.214.171.124 -w radius.pcap
If one omits the -w radius.pcap
, the information will print to the screen with limited detail. It is often used to see if one sees any traffic at all prior to capturing to a file.
tcpdump -i eth0 -s 0 port 1812 or port 3799 and host 126.96.36.199 -w radiusW3799.pcap
If one is troubleshooting wireless and wants to get some RFC3576 Information add in port 3799
For issues with the NAC Captive Portal
here is a common example
tcpdump -i eth0 -s 0 port 80 or port 443 and host <host IP of connecting device to portal> -w portaltrace.pcap
For issues with LDAP Authentication
tcpdump -i eth0 -s 0 port 389 or port 636
To search on multiple parameters using tcpdump use the following arguments and an 'and/or' to add multiple search parameters
- port - tcp/udp port
- host - ip address search
- ether dst, ether src, ether host - MAC address search
tcpdump -i eth0 port 1812 and ether host 00.00.00.00.00.01