For example, imagine spanning/mirroring a 10G backbone link: how many people are pinging 8.8.8.8 all the time? I can ping with a specific DSCP value set to isolate my pings from anyone else's while looking into the reported issue of 8.8.8.8 latency, then apply a filter to tcpdump on my mirrored port that matches ICMP traffic to a specific IP, with a specific DSCP value, inside a specific L3 VPN (specific MPLS labels), etc.
sudo tcpdump -nlASX -s 65535 -vvv -i eth3 '(mpls 52634 and (ip and (ip[1] & 0xfc) >> 2 > 0x01) and host 11.22.33.44 and icmp)'
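As an added example (not the commenter's own code), the two halves of that technique as small POSIX shell helpers: the mapping from a DSCP value to the TOS byte that Linux iputils `ping -Q` expects, and the construction of a tcpdump filter that matches only pings carrying that DSCP inside a given MPLS label. The MPLS label 52634, interface eth3 and 8.8.8.8 come from the comment above; DSCP 46 is an arbitrary assumed marking, and the filter uses an exact DSCP match rather than the `> 0x01` test in the one-liner.

```shell
#!/bin/sh
# Added example, not from the original comment. Helpers for marking your own
# pings with a DSCP value nobody else is using, then building a tcpdump filter
# that isolates those pings on a mirrored MPLS link. DSCP 46 and the other
# values passed at the bottom are placeholder assumptions.

# ping -Q takes the whole IPv4 TOS byte (ip[1]), not the DSCP. DSCP is the top
# six bits and ECN the bottom two, so the TOS value is DSCP << 2 (EF 46 -> 184).
dscp_to_tos() {
    [ "$1" -ge 0 ] && [ "$1" -le 63 ] || { echo "DSCP must be 0..63" >&2; return 1; }
    printf '%d\n' $(( $1 << 2 ))
}

# Inverse, for checking a TOS byte seen in a capture: mask off the ECN bits
# (252 = 0xfc) and shift the DSCP down.
tos_to_dscp() {
    printf '%d\n' $(( ($1 & 252) >> 2 ))
}

# BPF filter: inside MPLS label $2, IPv4 ICMP to/from host $3 whose DSCP is
# exactly $1. The first "mpls" keyword makes the following ip/host/icmp tests
# apply to the encapsulated packet; (ip[1] & 0xfc) >> 2 extracts the DSCP.
build_filter() {
    printf 'mpls %s and ip and (ip[1] & 0xfc) >> 2 = %d and host %s and icmp\n' \
        "$2" "$1" "$3"
}

# Print the command for the probing host and the command for the box on the
# mirror port. Nothing is executed here; copy the lines to the right machines.
show_commands() {
    dscp=$1 label=$2 host=$3 iface=$4
    echo "ping -Q $(dscp_to_tos "$dscp") -c 20 $host"
    echo "sudo tcpdump -nl -i $iface '$(build_filter "$dscp" "$label" "$host")'"
}

show_commands 46 52634 8.8.8.8 eth3
```

The usual mistake is passing the DSCP itself to `ping -Q`, which sets DSCP 11 (46 >> 2) instead of EF; checking a captured TOS byte with `tos_to_dscp` makes that visible immediately.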
I mostly make notes for myself, so there's no need for an about page: I'm the target audience. Someone else might find the info useful, which is why it's publicly visible, but I'm mainly writing for myself, so no contact or comments. If you want to contact me, jwbensley /at/ gmail /dot/ com. Or Google this username (I just did); you'll find me on GitHub, LinkedIn, StackExchange and many other places.
If anyone is interested I've made some notes here: https://null.53bits.co.uk/index.php?page=tcpdump-notes
I love tcpdump's filtering capabilities.