[c-nsp] arp packet capture via elam

Hefin James [ahj] ahj at aber.ac.uk
Thu Nov 10 03:32:04 EST 2016


Thanks,
Hefin

> -----Original Message-----
> From: James Bensley [mailto:jwbensley at gmail.com]
> Sent: 09 November 2016 14:38
> To: Hefin James [ahj] <ahj at aber.ac.uk>; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] arp packet capture via elam
> 
> On 9 November 2016 at 13:25, Hefin James [ahj] <ahj at aber.ac.uk> wrote:
> > Can anybody point me in the right direction?
> > I'm trying to capture a broadcast ARP packet from a specific MAC
> > address on a Sup6T. When I ping from the device in question, I capture
> > the ICMP and not the initial ARP. (This is after clearing the device
> > ARP cache.)
> >
> > I've got the following. From what I've read, I need to change the ipv4 to
> > other, but that will not let me capture via smac, any ideas?
> >
> > show platform capture elam release
> > show platform capture elam asic eureka slot 1
> > show platform capture elam trigger master eu10 dbus dbi ingress ipv4 if smac=e4f8.9c6d.e494
> > show platform capture elam trigger slave eu10 rbus rbi pb2
> > show platform capture elam start
> >
> > Thanks,
> > Hefin
> 
> 
> I'm not sure about the 6800's/SUP6T however on a 6500/7600 I would use an
> "other" filter and just write out the packet headers manually for more
> flexibility...
> 
> I have written an example off of the top of my head so you will need to
> tweak to your scenario;
> 
> # Example ARP request found via Google:
> https://www.cloudshark.org/captures/e4d6ea732135
> 
> # Packet hex dump
> ff ff ff ff ff ff 00 1a 6b 6c 0c cc 08 06 00 01
> 08 00 06 04 00 01 00 1a 6b 6c 0c cc 0a 0a 0a 02
> 00 00 00 00 00 00 0a 0a 0a 01 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00
> 
> # Configure an "other" filter so we can match on anything (within
> reason) we like:
> 
> # 0x00000000 0000 = DestMAC
> # 001a 0x6b6c0ccc = SrcMAC
> # 0 = Dot1Q tag
> # 0x0806 = Ethertype for ARP
> 
> 
> show platform capture elam trigger dbus others if data = 0 0x0000001a 0x6b6c0ccc 0 0x08060000 [ 0 0x0000ffff 0xffffffff 0 0xffff0000 ]
> 
> This should (untested!) match an ARP frame from the source MAC "00 1a 6b
> 6c 0c cc".
> 
> Cheers,
> James.
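
Added example, not part of either poster's message: a small Python helper that packs a source MAC and Ethertype into the five 32-bit data and mask words of the "other" trigger in the reply above, so the line can be regenerated for the MAC in the original question. The word layout, the mask convention and the command syntax are taken from that (untested) reply and are assumptions here; the function names are made up for this example.

```python
import re

ARP = 0x0806  # Ethertype used in the reply

def parse_mac(text):
    """Accept e4f8.9c6d.e494, 00:1a:6b:6c:0c:cc or '00 1a 6b 6c 0c cc'."""
    digits = re.sub(r"[.:\-\s]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def smac_from_hexdump(dump):
    """Source MAC is bytes 6..11 of an Ethernet frame given as a hex dump."""
    frame = bytes.fromhex("".join(dump.split()))
    if len(frame) < 14:
        raise ValueError("hex dump is shorter than an Ethernet header")
    return frame[6:12]

def to_words(raw):
    """Split 20 bytes into five big-endian 32-bit words."""
    return [int.from_bytes(raw[i:i + 4], "big") for i in range(0, 20, 4)]

def elam_other_words(smac, ethertype=ARP):
    """Data and mask words in the layout assumed from the reply:
    DestMAC (48 bits) | SrcMAC (48) | tag word (32) | Ethertype (16) | 16 unused."""
    if not 0 <= ethertype <= 0xFFFF:
        raise ValueError("ethertype must fit in 16 bits")
    src = smac if isinstance(smac, bytes) else parse_mac(smac)
    data = bytes(6) + src + bytes(4) + ethertype.to_bytes(2, "big") + bytes(2)
    # Assumption from the reply's mask: set bits mark the fields being matched,
    # so DestMAC and the tag word stay wildcarded.
    mask = bytes(6) + b"\xff" * 6 + bytes(4) + b"\xff\xff" + bytes(2)
    return to_words(data), to_words(mask)

def fmt(words):
    # The reply writes an all-zero word as a bare 0.
    return " ".join("0" if w == 0 else f"0x{w:08x}" for w in words)

def trigger_line(smac, ethertype=ARP):
    data, mask = elam_other_words(smac, ethertype)
    return ("show platform capture elam trigger dbus others if data = "
            f"{fmt(data)} [ {fmt(mask)} ]")

# First 16 bytes of the hex dump quoted in the reply.
DUMP = "ff ff ff ff ff ff 00 1a 6b 6c 0c cc 08 06 00 01"

if __name__ == "__main__":
    print(trigger_line(smac_from_hexdump(DUMP)))  # the MAC in the reply
    print(trigger_line("e4f8.9c6d.e494"))         # the MAC in the question
```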

