[c-nsp] arp packet capture via elam

James Bensley jwbensley at gmail.com
Wed Nov 9 09:37:49 EST 2016


On 9 November 2016 at 13:25, Hefin James [ahj] <ahj at aber.ac.uk> wrote:
> Can anybody point me in the right direction.
> I'm trying to capture a broadcast ARP packet from a specific MAC address on a Sup6T.
> When I ping from the device in question, I capture the ICMP and not the initial ARP. (This is after clearing the device ARP cache.)
>
> I've got the following. From what I've read, I need to change the ipv4 to other, but that will not let me capture via smac, any ideas?
>
> show platform capture elam release
> show platform capture elam asic eureka slot 1
> show platform capture elam trigger master eu10 dbus dbi ingress ipv4 if smac=e4f8.9c6d.e494
> show platform capture elam trigger slave eu10 rbus rbi pb2
> show platform capture elam start
>
> Thanks,
> Hefin


I'm not sure about the 6800s/SUP6T, however on a 6500/7600 I would use
an "other" filter and just write out the packet headers manually for
more flexibility...

I have written an example off the top of my head so you will need
to tweak it to your scenario:

# Example ARP request found via Google:
https://www.cloudshark.org/captures/e4d6ea732135

# Packet hex dump
ff ff ff ff ff ff 00 1a 6b 6c 0c cc 08 06 00 01
08 00 06 04 00 01 00 1a 6b 6c 0c cc 0a 0a 0a 02
00 00 00 00 00 00 0a 0a 0a 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00

# Configure an "other" filter so we can match on anything (within
reason) we like:

# 0x00000000 0000 = DestMAC
# 001a 0x6b6c0ccc = SrcMAC
# 0 = Dot1Q tag
# 0x0806 = Ethertype for ARP


show platform capture elam trigger dbus others if data = 0 0x0000001a 0x6b6c0ccc 0 0x08060000 [ 0 0x0000ffff 0xffffffff 0 0xffff0000 ]

This should (untested!) match an ARP frame from the source MAC "00 1a
6b 6c 0c cc".

Cheers,
James.
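
Added example, not part of the original message and not Cisco code: it rebuilds the data and mask words of the "other" trigger from a source MAC and ethertype, then checks them offline against the hex dump quoted above. The five-word layout (DestMAC, SrcMAC, a 4-byte Dot1Q slot, Ethertype) is inferred from the comments in the message, and the handling of a tagged frame is an assumption; neither is verified against the hardware.

```python
import struct

# Hex dump quoted in the message (untagged ARP request).
FRAME = bytes.fromhex(
    "ffffffffffff001a6b6c0ccc08060001"
    "080006040001001a6b6c0ccc0a0a0a02"
    "0000000000000a0a0a01000000000000"
    "000000000000000000000000"
)

def mac_bytes(mac):
    """Accept Cisco dotted (001a.6b6c.0ccc), colon or space separated MACs."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return bytes.fromhex(digits)

def frame_words(frame):
    """First 20 bytes in the assumed layout: DestMAC, SrcMAC, Dot1Q slot, Ethertype."""
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    if rest[:2] == b"\x81\x00":      # tagged (assumption): tag fills word 3
        tag, etype = rest[:4], rest[4:6]
    else:                             # untagged: the Dot1Q slot stays zero
        tag, etype = b"\x00" * 4, rest[:2]
    return struct.unpack(">5I", dst + src + tag + etype + b"\x00\x00")

def build_trigger(smac, ethertype):
    """Data and mask words that match on source MAC and ethertype only."""
    data = (b"\x00" * 6 + mac_bytes(smac) + b"\x00" * 4
            + struct.pack(">H", ethertype) + b"\x00\x00")
    mask = b"\x00" * 6 + b"\xff" * 6 + b"\x00" * 4 + b"\xff\xff\x00\x00"
    return struct.unpack(">5I", data), struct.unpack(">5I", mask)

def matches(frame, data, mask):
    """A frame matches when every masked word equals the masked data word."""
    words = frame_words(frame)
    return all((w & m) == (d & m) for w, d, m in zip(words, data, mask))

def render(data, mask):
    """Format only the 'data = ... [ ... ]' part of the trigger line."""
    fmt = lambda ws: " ".join("0x%08x" % w for w in ws)
    return "data = %s [ %s ]" % (fmt(data), fmt(mask))

if __name__ == "__main__":
    d, m = build_trigger("001a.6b6c.0ccc", 0x0806)
    print(render(d, m))
    print("matches quoted ARP frame:", matches(FRAME, d, m))
```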

