[c-nsp] tcpdump-style debugging on 6500/7600

"Rolf Hanßen" nsp at rhanssen.de
Fri Mar 15 09:20:13 EDT 2013


Hello Peter,

Just tried it out; it all ends with:
%SPAN-5-PKTCAP_STOP: Packet capture session 1 ended after the specified
time, 0 packets captured

edge1-dus1#sh monitor session 1 detail
Session 1
---------
Type                   : Capture Session
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Filter VLANs                : None
Dest RSPAN VLAN        : None
Source IP Address      : None
Source IP VRF          : None
Source ERSPAN ID       : None
Destination IP Address : None
Destination IP VRF     : None
Destination ERSPAN ID  : None
Origin IP Address      : None
IP QOS PREC            : 0
IP TTL                 : 255
Capture dst_cpu_id     : 0
Capture vlan           : 1013
Capture buffer size    : 2048 KB
Capture rate-limit
             value     : 10000
Capture filters        :
     acl               : 25


Tried with these acls:

Standard IP access list 25
    10 permit 1.2.3.4

Extended IP access list span-test
    5 permit ip host 1.2.3.4 any
    10 permit ip any host 1.2.3.4

Maybe some other values/settings are needed?
Do Source/Destination Ports/VLANs mean the interfaces that take part in the
capturing, or the interfaces used for exporting the capture data (I am missing
the "any" keyword here)?

Kind regards
Rolf

> On Thu, 2013-03-14 at 17:38 +0100, "Rolf Hanßen" wrote:
>> I saw there was already a discussion concerning that topic, but 5
>> years old:
>> http://www.gossamer-threads.com/lists/cisco/nsp/78543
>> Is there maybe some new tcpdump-style debugging feature available to
>> provide such functions beside the suggested "debug ip packet"?
>
> Take a look at "monitor session <N> type capture".
>
>> 1) I would like to view traffic on a certain physical interface or switched
>> VLAN. I would like to see all packets, not a specific protocol or
>> IP range.
>> As far as I see, I cannot specify an interface in an ACL, but "debug
>> ip packet" only allows ACLs for filtering.
>
> SPAN capture can use an ACL.
>
> Switch(config)#monitor session 2 type capture
> Switch(config-mon-capture)#?
> Monitor sess type capture config commands:
>   buffer-size  Capture buffer size
>   description  Properties for this session
>   exit         Exit from capture session mode
>   filter       Capture filter
>   no           Negate a command or set its defaults
>   rate-limit   Packets per second value
>   source       SPAN source Interface/VLAN
>
> Switch(config-mon-capture)#filter ?
>   access-group  Filter access-list (hardware based)
>   ethertype     Matching ethertype (software based)
>   length        Matching L2-packet length (software based)
>   mac-address   Matching mac-address (software-based)
>   vlan          Filter vlan (hardware based)
>
>> 2) I would like to debug an IP connection and limit it to a certain number of
>> packets (like "show me the next 20 packets from/to host x.x.x.x").
>> Can you tell me what bandwidth or pps I have to take into
>> consideration to avoid overload?
>
> This too:
>
> Switch#monitor capture start for ?
>   <1-4294967295>  Seconds or number of packets
>
>> To understand better what I do before typing it in on a 10G+ box:
>> "debug ip packet ..." redirects the packets to the Management CPU, and
>> filtering with an ACL means that only packets matching the ACL
>> are forwarded to the CPU; everything else is handled by the DFC/CFC
>> +PFC only, like usual.
>> Correct?
>
> I don't think that's the case for "debug ip packet" but it is for SPAN
> capture; it's hardware filtering for ACLs.
>
>> I'm looking for a way that works without exporting stuff to another box
>> and with low risk of overloading the CPU (live environment).
>
> The captured traffic is handled by the processor, but only after
> filtering from the session if using ACLs.
>
>> Hardware in my case are several Sup720-3B, Sup720-3BXL or Sup2T with
>> 67xx linecards.
>> If there are special software revisions needed, please let me know.
>
> It seems that SPAN capture isn't available in SXF but is in SXI. It
> probably also is in SXH.
>
> Maybe certain older HW releases can't do SPAN capture but at least
> revision 4.0 and newer (2004/2005-ish) seem to support it.
>
> --
> Peter
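As an added example (not from Rolf's or Peter's messages), here is a capture-session configuration that, unlike the one in the detail output above, names a source: with Source Ports and Source VLANs all "None" the session has nothing to mirror into the buffer, which is consistent with "0 packets captured". The interface name and the exec-mode keywords "packets" and "detail" are assumed IOS syntax and should be checked against "?" on the box; VLAN 1013, ACL span-test and the host 1.2.3.4 are the values from the thread.

```cisco
! Added example, not configuration from the thread. Hardware-filtered ACL
! so that only traffic to/from 1.2.3.4 is punted to the CPU.
ip access-list extended span-test
 permit ip host 1.2.3.4 any
 permit ip any host 1.2.3.4
!
monitor session 1 type capture
 description capture 1.2.3.4 on Te1/1
 ! A capture session needs at least one source; this is what was missing
 ! in the "sh monitor session 1 detail" output above. Interface name is
 ! assumed; "source vlan 1013" would capture the switched VLAN instead.
 source interface TenGigabitEthernet1/1 both
 ! Hardware filter: only ACL matches reach the capture buffer / CPU.
 filter access-group span-test
 ! Cap on packets per second handed to the CPU, as in the detail output.
 rate-limit 10000
 buffer-size 2048
!
! Exec mode: capture a bounded number of packets, then inspect the buffer.
! ("packets" and "detail" keywords assumed; verify with "?".)
! monitor capture start for 20 packets
! show monitor capture buffer detail
! monitor capture stop
```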