Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
NN46220-702
Nortel Metro Ethernet Routing Switch 8600, Release 5.0
Publication: Using the Packet Capture Tool (PCAP)
Document Status: Standard
Document Release Date: April 25, 2008
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing
NORTEL PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR
IMPLIED. This information and/or products described in this document are subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
Contents 0
PCAP examples 45
Capturing traffic with PCAP 45
Capturing all traffic with PCAP filters 46
Capturing specific traffic with PCAP filters 49
Capturing specific traffic with ACL 51
Troubleshooting example 52
Problem definition 52
Hardware configuration 52
Software configuration 52
Solution 1 54
Solution 2 57
Solution 3 59
Solution 4 60
Index 61
The following sections detail what’s new in Using the Packet Capture Tool
(PCAP), NN46220-702 Standard for Release 5.0.
New features
There are no changes to this document for MERS 8600 Release 5.0.
Topic Page
Overview 7
Roadmap of PCAP CLI commands 13
Configuring PCAP with the CLI 14
Displaying PCAP information with the CLI 24
Configuring PCAP with Device Manager 29
Viewing PCAP statistics 41
PCAP limitations and considerations 42
Overview
PCAP is a data packet capture tool that captures ingress and egress
(E-modules only) packets on selected I/O ports. Once packets are captured,
they are analyzed for troubleshooting purposes. This feature is based on the
mirroring capabilities of the I/O ports. Packets can be captured based on port
mirroring or exchange flow with packet filters. You can also use this feature to
configure software filters, which limits the number of packets captured by
PCAP.
All captured packets are stored in the PCAP engine. The primary CPU
maintains its protocol handling and is not affected by any PCAP capture
activity. Packets captured by PCAP can be saved and downloaded from the
PCAP engine to be analyzed offline.
Figure 1 illustrates how to use the PCAP tool to configure PCAP capture filters
and enable them on ports.
Figure 1
PCAP tool packet flow
Communication Flow
PCAP enabled
ports
Master CPU
PCAP Engine
Management station/
Packet analyzer
10908EA
Using IP filter sets affects data network traffic, depending on the action taken
at the filter and port level. Applying IP filter sets has the same affect on
network traffic as configuring filter sets to ports using PCAP parameters. For
routed IP traffic, use Source/Destination IP filter sets; for bridged IP traffic use
Global IP filter sets.
To reference how to configure and enable IP traffic filters, refer to MERS 8600
Configuration -- IP Routing Operations, NN46220-509.
Figure 2
Accessing the PCAP engine
*********************************************
* Copyright (c) 2007 Nortel Networks, Inc. *
* All Rights Reserved *
* MERS 8600 *
* Software Release 5.0.0.0 *
*********************************************
Login: rwa
Password: ***
8600:5#
ATTENTION
While this capture filter specifies to capture TCP packets, the
default action is to capture all packets. A PCAP capture filter with
action drop must be configured to drop all packets to achieve the
desired result.
or
config ether 2/10 pcap enable true mode rxFilter
config vlan 2 fdb-filter pcap 00:08:07:60:89:D6 enable
or
config ether 2/10 pcap enable true mode rxFilter
config ip traffic-filter create global src-ip
10.10.10.10/32 dst-ip 10.10.20.20/32 id 5
3 Enable PCAP globally.
config diag pcap enable true
4 Configure a PCAP filter that only allows TCP ports that are not in 20 to 21.
config diag pcap capture-filter 7 tcp-port 20 to 21 not
5 Display all PCAP statistics.
show diag pcap stats
6 Disable PCAP at the port level.
config ether 2/10 pcap enable false
7 Copy captured packets to a file.
copy PCAP00 /pcmcia/pcap_packets.cap
8 Use EtherReal or Sniffer Pro to analyze the packets.
—end—
Command Parameter
config {ethernet|atm|pos} <ports> info
pcap
add set <value>
enable <true|false> [mode <value>]
remove set <value>
config diag pcap info
auto-save <true|false> file-name
<value>] device <value>] ip <value>]
buffer-size <2...256>
buffer-wrap <true|false>
enable <true|false>
ethertype-for-svlan-level
<EtherType for hex vlan level>
fragment-size <64...9600>
pcmcia-wrap <true|false>
reset-stat
config diag pcap capture-filter info
<listid>
action <capture|drop|trigger-
on|trigger-off>
create
delete
dscp <dscp> [to <value>] [match-zero
<value>] [not]
dstip <ipaddr/mask> [to <value>]
[not]
dstmac <DstMac> [mask <value>] [not]
enable <true|false>
ether-type <Ethertype> [to <value>]
[not]
packet-count <PacketCount>
pbits <Pbits> [to <value>]
[match-zero <value>] [not]
Command Parameter
protocol-type <protocoltype> [to
<value>] [not]
refresh-timer <RefreshTimer>
srcip <ipaddr> [to <value>] [not]
srcmac <SrcMac> [mask <value>] [not]
tcp-port <tcport> [to <value>] [not]
timer <Timer>
udp-port <udpport> [to <value>] [not]
user-defined <0..9600> <data> [not]
vlan-id <Vlanid> [to <value>] [not]
config vlan <vid> fdb-filter pcap
<mac> enable
show diag pcap capture-filter [id
<value>]
show diag pcap dump
show diag pcap info
show diag pcap port
show diag pcap stats
Topic Page
To enable PCAP on Ethernet, ATM, or POS ports, use the following CLI
command:
Figure 3
The config {ethernet| atm| pos} pcap info command
ATTENTION
Nortel recommends using PCAP with IP or MAC address filters to
reduce traffic flow on the PCAP engine.
For information about the other options available from the config vlan
<vid> fdb-filter command, see MERS 8600 Configuration -- VLANs,
Spanning Tree, and Link Aggregation, NN46220-511.
ATTENTION
All of the following commands can be executed only when PCAP is
globally disabled. All commands can be executed from the primary
CPU or PCAP engine.
To configure PCAP global parameters, use the command config diag pcap
with the following options:
Figure 4 shows sample output for the config diag pcap info command.
The command can be issued from both the primary CPU or the PCAP engine.
Figure 4
The config diag pcap info command
ATTENTION
Nortel recommends using PCAP with IP or MAC filters to reduce the
load on the PCAP engine that has a capturing capability that can be
exceeded by a gigabit port mirrored traffic stream. IP filter sets affect
network traffic and is dependent on the action taken by the filter on
the port.
To configure a capture filter with match criteria, use the following CLI
command:
This command includes the following options. The command can be issued
from both the primary CPU and the PCAP engine.
Figure 5 shows sample output for the config diag pcap capture-filter
info command. The command can be issued from both the primary CPU and
the PCAP engine.
Figure 5
The config diag pcap capture-filter info command
ATTENTION
Dumping a large number of captured packets is CPU intensive. The
switch does not respond to any commands while the dump is in
progress. Nortel recommends to use this command only when it is
absolutely necessary. However, there is no degradation in the
normal traffic handling or switch failover.
To display information about all captured packets, use the following command:
Figure 6
The show diag pcap dump command output
Figure 7 shows sample output for the show diag pcap capture-filter
command.
Figure 7
The show diag pcap capture-filter command output
===============================================================
PCAP Capture-filters
===============================================================
Id : 10
action : capture
enable : false
srcmac : 00:00:00:00:00:00 Mask = 6
dstmac : 00:00:00:00:00:00 Mask = 6
srcip : 0.0.0.0 to 0.0.0.0
dstip : 0.0.0.0 to 0.0.0.0
vlan-id : 0 to 0
pbits : 0 to 0
ether-type : 0x0 to 0x0
protocol-type : 0 to 0
dscp : 0 to 0
udp-port : 0 to 0
tcp-port : 0 to 0
user-defined: Offset: 0 Data:
timer : 0 ms
packet-count : 0
refresh-timer : 0 ms
Figure 8
The show diag pcap info command output
Figure 9
The show diag pcap port command output
Figure 10
The show diag pcap stat command output
Table 11
PCAP statistic counters
Statistic Description
and
<filename> is (filename.cap)
and
filename is (filename.cap)
This section discusses the following topics and includes PCAP features that
the 8600 Series Ethernet Routing Switch supports.
Topic Page
1 From the Device Manager menu bar, choose Edit > Diagnostics.
The Diagnostic dialog box appears with the Test tab displayed.
Table 12
PcapGlobal tab fields
Field Description
Table 12
PcapGlobal tab fields (continued)
Field Description
1 Select a port.
From the Device Manager menu bar, choose Edit > Port.
The Port dialog box appears with the Interface tab displayed.
3 Click Enable.
4 Select a mode.
5 Click the FilterSet button and select a filter set.
6 Click Apply.
—end—
Table 13
PCAP tab fields
Field Description
1 From the Device Manager menu bar, choose Edit > Diagnostics.
The Diagnostic dialog box appears with the Test tab displayed.
3 Click Insert.
The Diagnostic, Insert PcapFilter dialog box appears.
4 Click Insert..
—end—
Table 14
PcapFilter dialog box fields
Field Description
Table 14
PcapFilter dialog box fields (continued)
Field Description
1 From the Device Manager menu bar, choose Edit > Diagnostics.
The Diagnostic dialog box appears with the Test tab displayed.
2 Click the PcapAdvancedFilter tab.
The PcapAdvancedFilter tab appears.
Table 15
PcapAdvanceFilter dialog box fields
Field Description
ATTENTION
Nortel recommends using PCAP with IP or MAC address filters to
reduce traffic flow on the PCAP engine.
1 From the Device Manager menu bar, choose VLAN > VLANs.
The VLAN dialog box appears with the Basic tab displayed.
5 Click Insert.
The Bridge, VLAN, Insert Filter dialog box appears.
6 Select PCAP.
This field is used to enable or disable PCAP for the fdb-filter.
7 Click Insert..
—end—
For information about the other fields on the Bridge, VLAN Insert Filter dialog
box, see MERS 8600 Configuration -- VLANs, Spanning Tree, and Link
Aggregation, NN46220-511.
ATTENTION
The procedure described below requires that the secondary CPU
have a management IP address assigned, and that your Device
Manager client has access to that management network. If either of
these conditions are not met, this process is not successful, and the
file must be obtained using the CLI. “Copying captured packets to a
remote machine” on page 29.
1 From the Device Manager menu bar, choose Actions > Get PCAP File.
The Get Pcap File dialog box appears.
2 Enter your login name and password for the PCAP engine (secondary
CPU).
3 Click RAM or PCMCIA.
If you click RAM, the PCAP file is copied from RAM. If you click PCMCIA, the
PCAP file is copied from a PCMCIA device.
4 In the PcapDirectory field, enter the directory path where you want the file
to be stored.
5 Click OK.
—end—
Table 16
Get Pcap File dialog box fields
Field Description
1 From the Device Manager menu bar, choose Edit > Diagnostics.
The Diagnostic dialog box appears with the Test tab displayed.
2 Click the PcapStat tab.
The PcapStat dialog box appears.
3 If you want to clear the statistics counter, select resetStat and then click
Apply. To display current statistics, click Refresh.
—end—
Table 17
PcapStat dialog box fields
Field Description
ResetStat Resets the PCAP engine DRAM buffer,
as well as all software counters used for
PCAP statistics.
PacketCapacityCount The maximum number of packets that
currently can be stored in the PCAP
engine buffer. ResetStat does not reset
this value.
NumberOfPacketsReceived The number of packets currently in the
PCAP engine buffer. When buffer-wrap
occurs, this is set to 0 and the count starts
again.
When buffer-wrap occurs, the second
field is set to 0 and the third field is not set
to zero. From the capture log, the user
can determine how many times
buffer-wrap has occurred.
NumberOfPacketsAccumulated This is the number of packets
accumulated in the PCAP engine.
When buffer-wrap occurs, the second
field is set to 0 and the third field is not set
to zero. From the capture log, the user
can determine how many times
buffer-wrap has occurred.
NumberOfPacketsDroppedInPcapEn The number of packets dropped when
gine ingress packets match the filter criteria
and the PCAP action is set to drop.
NumberOfPacketsDroppedInHardwa The number of packets dropped by the
re PCAP engine hardware when the amount
of packets being forwarded cannot be
processed.
for PCAP and for regular IP traffic filtering. Therefore, when you use the
config ethernet <ports> pcap info command, you may see filter set
values that are specific to IP traffic filters only.
• Use the config ethernet <ports> pcap enable command to enable
or disable PCAP on the port. When you use the config ethernet
<ports> pcap info command, the information displayed for the enable
parameter refers to PCAP only (that is, if enable is set to true, this means
that PCAP is enabled for the specified interface).
• If you use an IP filter as a PCAP filter to capture packets, then you disable
PCAP globally and at the port level, the IP filter remains active.
• If you want the PCAP config file to be restored after a CPU-failover, you
must source the config file after the standby CPU becomes the master.
Otherwise, the PCAP config file is not loaded.
• If you globally disable PCAP, the number of packets dropped in hardware
continues to go up unless you also disable PCAP on the port. To disable
PCAP on the port, use the config {ethernet|atm|pos} <ports> pcap
command.
PCAP examples
This chapter describes how PCAP is used to solve common network
problems. It provides examples of how PCAP captures traffic and looks at
problems in a sample network configuration and how those problems are
solved with PCAP CLI commands.
Topic Page
2 By default, the PCAP buffer size is set to 32M byte on the backup CPU. For
this example, change the buffer size to 128M.
MERS8600-B:5# config diag pcap buffer-size 128
Be careful not to exceed the buffer size on the backup CPU. Although the
following command is used to view the CPU buffer size on the primary CPU
(if both the primary and backup CPU have the same DRAM size), this
command also indicates the DRAM used. This command cannot be used on
the backup CPU when it is in slave mode
MERS8600-B:5# show sys perf
The following figure shows sample output of the show sys perf command.
Figure 18
The show sys perf command
3 Enable PCAP globally and enable PCAP on port 7/26 to capture traffic in both
directions.
MERS8600-B:5# config diag pcap enable true
MERS8600-B:5# config ethernet 7/26 pcap enable true
mode both
Figure 19 shows sample output for the config diag pcap info command.
Figure 19
The config diag pcap info command
MERS-8606:5# config diag pcap info
enable = TRUE
buffer-wrap = TRUE
pcmcia-wrap = TRUE
buffer-size = 128 MB
fragment-size = 64 Bytes
auto-save = TRUE
AutoSaveFilename = pcap_data.cap
AutoSaveDevice = pcmcia
ether-type-for-svlan-level = 0x8100
Figure 20 shows the sample output for show diag pcap port command.
Figure 20
The show diag pcap port command
Figure 21
shows sample output for the show diag pcap stat command.
Figure 21
The show diag pcap stat command
ATTENTION
When the number of packets received in the PCAP engine equals
the packet capacity count, captured traffic is written to the backup
CPU PCMCIA card. If the PCAP wrap parameter is enabled,
captured traffic continuously overwrites to the PCMCIA file.
Building on the configuration from “Capturing all traffic with PCAP filters, this
example captures UDP port 1025 with a source IP of 10.1.1.100 on port 7/26.
Figure 22
The show diag pcap capture-filter command
MERS-8606:5# show diag pcap capture-filter
id: 1
action: capture
enable: true
srcmac:00.00.00.00.00.00 Mask=6
dstmac: 00.00.00.00.00.00 Mask=6
srcip: 10.1.1.100 to 10.1.1.100
dstip: 0.0.0.0 to 0.0.0.0
vlan-id: 0 to 0
pbits: 0 to 0
ether-type: 0x0 to 0x0
protocol-type: 0 to 0
dscp: 0 to 0
udp-port: 1025 to 1025
tcp-port: 0 to 0
user-defined: 0 Data:
timer: 0ms
packet-count: 0
refresh-timer: 0ms
id: 2
action: drop
enable: true
srcmac:00.00.00.00.00.00 Mask=6
dstmac: 00.00.00.00.00.00 Mask=6
srcip: 0.0.0.0 to 0.0.0.0
dstip: 0.0.0.0 to 0.0.0.0
vlan-id: 0 to 0
pbits: 0 to 0
ether-type: 0x0 to 0x0
protocol-type: 0 to 0
dscp: 0 to 0
udp-port: 0 to 0
tcp-port: 0 to 0
user-defined: Offset:0 Data:
timer: 0ms
packet-count: 0
refresh-timer: 0ms
You can use ACL instead of PCAP filters to capture traffic with PCAP. For this
example, use PCAP and an ACL to capture traffic from a source IP of
10.1.1.10 and a UDP port 69.
3 Configure PCAP on port 7/26 and enable the mode to allow PCAP capture
using ACLs.
ERS8600-B:5# config ethernet 7/26 pcap enable true
mode rxFilter
4 Enable PCAP globally again and reset the PCAP statistics.
MERS8600-B:5# config diag pcap reset-stat true
MERS8600-B:5# config diag pcap enable true
Troubleshooting example
This section includes an example of a problem encountered in the field and
four possible solutions.
Problem definition
You are the network administrator at a large multinational software company
and encounter the following problem. A user calls and states that they are
trying to download some data from an FTP server to their client machine.
However, they are having a problem connecting to the FTP server. The FTP
client resides on client 1 and the FTP server is on client 2. The FTP server is
connected to an [Model #] (R1) through port interface 2/10 (Figure 23).
Hardware configuration
This section describes the hardware configurations that are assumed for each
of the PCAP solutions. The hardware configurations are:
Figure 23
Sample Network configuration
Other Other
Networks Networks
PP8600 (R1)
MLT
IP = 10.10.20.20 IP = 10.10.10.10
MAC = 00:08:07:60:89:D6 MAC = 00:08:C7:60:88:D4
Router B
10907EA
Solution 1
In this solution, PCAP is configured to capture all packets on port interface
2/10 and have the packets saved on a PCMCIA device. The file containing
captured packets is then copied using FTP for analysis at a later time.
To enable PCAP and capture all packets on a port interface, complete the
following steps:
3 Enable PCAP.
Enable PCAP and display the parameter values. Packet capture begins when
PCAP is enabled. Figure 26 displays that the following parameters are set:
auto-save = True
file-name = pcap_test.cap
Device = PCMCIA
Figure 26
Enable PCAP
You can also copy captured packets stored in the PCAP engine memory to a
remote client using the FTP commands (Figure 29).
Figure 29
The FTP get PCAP00 command output
C:\WINDOWS\DESKTOP>ftp 10.10.42.54
Connected to 10.10.42.54.
220 MERS FTP server ready
User (10.10.42.54:(none)): rwa
331 Password required
Password:
230 User logged in
ftp> bin
200 Type set to I, binary mode
ftp> hash
Hash mark printing On (2048 bytes/hash mark).
ftp> get PCAP00 pcap_ftp.cap
200 Port set okay
150 Opening BINARY mode data connection
##############################################################
##########
226 Transfer complete
171992 bytes received in 0.38 seconds (452.61 Kbytes/sec)
Solution 2
In solution 1, the number of packets that are captured is quite large. In this
solution, PCAP is configured to refine the type of packets to be captured so
that fewer packets are captured. This solution uses IP traffic filters to capture
only packets with a source IP address of 10.10.10.10 and a destination IP
address of 10.10.20.20. In addition to procedures followed in solution 1,
perform the following steps:
========================================================
Ip Traffic-filter Global Filters
========================================================
N_H_FORWARD_IP N_H_UNREACHABLEDROPE
0.0.0.0 false
MERS-8606:5/config/ip/traffic-filter/global-set/5# box
MERS-8606:5# config ip traffic-filter global-set 5 create name
pcap_set
MERS-8606:5# config ip traffic-filter global-set 5 add-filter 5
MERS-8606:5# config ip traffic-filter global-set 5 info
Sub-Context: clear config dump monitor show test trace wsm
Current Context:
If the amount of traffic flowing between client 1 and client 2 is still too large for
analysis, define a filter by protocol-type as shown in solution 3.
Solution 3
In this solution, PCAP filters are configured on the PCAP engine to drop all IP
packets that are not protocol type 6 and are not FTP packets. In effect, this
captures all TCP/FTP packets. When used in conjunction with IP filters, this
narrows down the number of packets captured to TCP/FTP packets flowing
from client 2 to client 1 (Figure 33).
Figure 33
Configuring PCAP protocol-type filters
If the amount of traffic flowing between client 1 and client 2 continues to be too
large for analysis, define a filter using the action parameter, as shown in
solution 3.
Solution 4
In this solution, PCAP is configured to start packet capture when the first
TCP/FTP packet arrives at the port, which enables PCAP automatically. This
is done by setting the trigger-on parameter. Prior to setting the trigger-on
filter, disable PCAP. PCAP is disabled after the first 1000 packets are captured
by setting the packet-count parameter (Figure 34).
Figure 34
Configuring PCAP trigger filters
Index
A IsInverseDstIp field 37
IsInverseDstMac field 36
Action field 36
IsInverseEtherType field 36
add set 15
IsInversePbit field 36
AutoSave field 31
IsInverseProtocolType field 37
AutoSaveDevice field 31
IsInverseSrcIp field 36
AutoSaveFilename field 31
IsInverseSrcMac field 36
AutoSaveNetworkIpDevice field 32
IsInverseTcpPort field 38
IsInverseUdpPort field 38
B IsInverseUserDefined field 38
BufferSize field 31 IsInverseVlanId field 36
BufferWrap field 31
L
C Login field 41
CLI commands 14
M
D Mode field 34
Dscp field 37
DstIp field 37
DstMac field 36
P
Packet Capture Tool 7
DstMacMask field 36
PacketCount field 38
Password field 41
E Pbit field 36
Enable field 31 PCAP 14
EtherType field 36 PCAP tab fields 34
PcmciaWrap field 31
F ProtocolType field 37
FilterSet field 34
FrameSize field 31 R
RefreshTimer field 38
G
global config PCAP commands 15 S
show diag pcap capture-filter command 25
I show diag pcap info command 26
show diag pcap port command 27
IsInverseDscp field 37
show diag pcap stats command 27
T
TcpPort field 38
Timer field 38
ToDscp field 37
ToDstIp field 37
ToEtherType field 36
ToPbit field 36
ToProtocolType field 37
ToSrcIp field 36
ToTcpPort field 38
ToUdpPort field 38
ToVlanId field 36
U
UdpPort field 38
UserDefinedData field 38
UserDefinedDataSize field 38
UserDefinedOffset field 38
V
viewing statistics using Device Manager 41
VlanId field 36
While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing
NORTEL PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR
IMPLIED. This information and/or products described in this document are subject to change without notice.
Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.