[c-nsp] tcpdump-style debugging on 6500/7600

Peter Rathlev peter at rathlev.dk
Thu Mar 14 13:11:20 EDT 2013


On Thu, 2013-03-14 at 17:38 +0100, "Rolf Hanßen" wrote:
> I saw there was already a discussion concerning that topic, but 5
> years old:
> http://www.gossamer-threads.com/lists/cisco/nsp/78543
> Is there maybe some new tcpdump-style debugging feature available to
> provide such functions beside the suggested "debug ip packet"?

Take a look at "monitor session <N> type capture".

> 1) I like to view traffic on a certain physical interface or switched
> vlan. I would like to see all packets and not a specific protocol or
> IP range.
> As far as I see I cannot specify an interface in an ACL but the "debug
> ip packet" only allows ACLs for filtering as far as I see.

SPAN capture can use an ACL.

Switch(config)#monitor session 2 type capture 
Switch(config-mon-capture)#?
Monitor sess type capture config commands:
  buffer-size  Capture buffer size
  description  Properties for this session
  exit         Exit from capture session mode
  filter       Capture filter 
  no           Negate a command or set its defaults
  rate-limit   Packets per second value
  source       SPAN source Interface/VLAN 

Switch(config-mon-capture)#filter ?
  access-group  Filter access-list (hardware based)
  ethertype     Matching ethertype (software based)
  length        Matching L2-packet length (software based)
  mac-address   Matching mac-address (software-based)
  vlan          Filter vlan (hardware based)

> 2) I like to debug an IP connection and limit to a certain amount of
> packets (like "show me the next 20 packets from/to host x.x.x.x").
> Can you tell me what bandwidth or pps I have to take into
> consideration to avoid overload?

This too:

Switch#monitor capture start for ?
  <1-4294967295>  Seconds or number of packets

> To understand better what I do before typing it in on a 10G+ box:
> "debug ip packet ..." redirects the packets to the Management CPU and
> everything filtered with an ACL leads into only packets matching ACL
> are forwarded to the CPU, everything else is handled by the DFC/CFC
> +PFC only like usual.
> Correct?

I don't think that's the case for "debug ip packet" but it is for SPAN
capture; it's hardware filtering for ACLs.

> I'm looking for a way that works without exporting stuff to another box
> and low risk to overload CPU (live environment).

The captured traffic is handled by the processor, but only after
filtering from the session if using ACLs.

> Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with
> 67xx linecards.
> If there are special software revisions needed, please let me know.

It seems that SPAN capture isn't available in SXF but is in SXI. It
probably also is in SXH.

Maybe certain older HW releases can't do SPAN capture but at least
revision 4.0 and newer (2004/2005-ish) seem to support it.

-- 
Peter
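As an added illustration (not from the thread or from Cisco's own documentation), this is the SPAN-capture session the reply above sketches for Rolf's case (2): grab only the next 20 packets to/from one host on one physical interface, with the ACL applied in hardware so that the rest of the traffic never reaches the route processor. The ACL name, address, interface and rate-limit value are constructed placeholders.

```cisco
! Hardware-filtered capture of one host's traffic on the 6500/7600
! (constructed example; host 192.0.2.10, Gi1/1 and ACL name are placeholders)
!
! Extended ACL matching the one host in both directions
ip access-list extended CAPTURE-HOST-EXAMPLE
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
!
! Capture session: source is the physical port, the ACL filter is applied
! in hardware, and rate-limit caps what the CPU can receive in pps
monitor session 2 type capture
 description capture next 20 packets from/to 192.0.2.10
 source interface GigabitEthernet1/1
 filter access-group CAPTURE-HOST-EXAMPLE
 rate-limit 500
 exit
!
! Run the capture for a fixed number of packets, then inspect the buffer
! (privileged-EXEC commands)
monitor capture start for 20 packets
show monitor capture buffer detail
!
! When done: stop (if still running), clear the buffer and remove the session
monitor capture stop
monitor capture clear
configure terminal
 no monitor session 2
 end
```

The "rate-limit" and "for 20 packets" together bound the CPU exposure: even if the ACL matches more than expected, the session stops after 20 packets and never delivers more than 500 pps.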
