×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASR9000/XR: How to capture MPLS Ping or ipv4 Ping packets on an XR device.

Document

Wed, 03/05/2014 - 08:56
Mar 5th, 2014
User Badges:

Introduction:


CRS-I-------->ASR9010-A------->ASR9010-B (loopback IP 140.4.2.2).

Capturing egress packets which are sent as mpls packets.

We will look into both MPLS ping and normal ping.



Packet capture:

There are two methods to capture the packet on XR.

  1. Using capture software config under interface. But for that, packet needs to be punted to Cpu. You do that by sending pings with dontfragment and size larger than interface MTU.

Please note: this method doesn't work for ASR9k.

interface GigabitEthernet0/1/0/6

cdp

ipv4 address 16.16.16.1 255.255.255.252

flow mpls monitor rak-mon sampler rak-sample egress

capture software packets

RP/0/RP0/CPU0:CRS-I#show cef 140.4.2.2 detail

140.4.2.2/32, version 1458, internal 0x4004001 (ptr 0x76547d44) [1], 0x0 (0x724969b8), 0x450 (0x72d85be0)

Updated Mar  5 09:45:11.731

remote adjacency to GigabitEthernet0/1/0/6

Prefix Len 32, traffic index 0, precedence routine (0), priority 1

  gateway array (0x72237840) reference count 9, flags 0xd0, source lsd (3), 1 backups

                [4 type 5 flags 0x10101 (0x72db76c8) ext 0x0 (0x0)]

  LW-LDI[type=5, refc=3, ptr=0x724969b8, sh-ldi=0x72db76c8]

   via 16.16.16.2, GigabitEthernet0/1/0/6, 4 dependencies, weight 0, class 0 [flags 0x0]

    path-idx 0 [0x7340e224 0x0]

    next hop 16.16.16.2

    remote adjacency

     local label 1000006      labels imposed {17042}

Make sure captured packet stats are clear before you execute the command.

clear captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

RP/0/RP0/CPU0:CRS-I#ping 140.4.2.2 size 2000 donotfrag tim 0                           

Wed Mar  5 10:54:33.316 UTC

Type escape sequence to abort.

Sending 5, 2000-byte ICMP Echos to 140.4.2.2, timeout is 0 seconds:

.....

Success rate is 0 percent (0/5)

RP/0/RP0/CPU0:CRS-I#show captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

Wed Mar  5 10:54:40.083 UTC

-------------------------------------------------------

packets captured on interface in egress direction

buffer overflow pkt drops:0, current: 6, non wrapping: 0 maximum: 200

-------------------------------------------------------

           Wrapping entries

-------------------------------------------------------

[2] Mar   5 10:54:33.629, len: 186, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

    [punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

   [ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

    [MPLS  label: 17042, exp 0x0, eos 1, ttl 255]

    450000a8 be9e0000 ff01bc94 10101001 10101001 03041f20 000005d8 450007d0

    00004000 ff01c615 10101001 8c040202 0800e076 61610000 abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd 2000b8ce

    00080101 042921ff

[3] Mar   5 10:54:33.629, len: 186, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

    [punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

    [ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

    [MPLS  label: 17042, exp 0x0, eos 1, ttl 255]

    450000a8 be9f0000 ff01bc93 10101001 10101001 03041f20 000005d8 450007d0

    00014000 ff01c614 10101001 8c040202 0800e075 61610001 abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

    abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd 2000b8ce

    00080101 042921ff

Analysis:

Outgoing label: 17042 exp 0x0, End of stack 1, TTL 255.

Make sure ethernet type field is 0x8847 (mpls) in the packet

Decode the one in yellow which is a IP content.

Packet decoder:


Pick any Hex2IP decoder and put the entire hex content in bold.


output:

    Internet Protocol, Src: 16.16.16.1 (16.16.16.1), Dst: 140.4.2.2 (140.4.2.2)

        Version: 4

        Header length: 20 bytes

        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

            0000 00.. = Differentiated Services Codepoint: Default (0x00)

            .... ..0. = ECN-Capable Transport (ECT): 0

            .... ...0 = ECN-CE: 0

        Total Length: 2000

        Identification: 0x0001 (1)

        Flags: 0x02 (Don't Fragment)

            0.. = Reserved bit: Not Set

            .1. = Don't fragment: Set

            ..0 = More fragments: Not Set

        Fragment offset: 0

        Time to live: 255

        Protocol: ICMP (0x01)

        Header checksum: 0xc614 [correct]

            [Good: True]

            [Bad : False]

        Source: 16.16.16.1 (16.16.16.1)

        Destination: 140.4.2.2 (140.4.2.2)

    Internet Control Message Protocol

        Type: 8 (Echo (ping) request)

        Code: 0 ()

        Checksum: 0xe075 [incorrect, should be 0x0872]

        Identifier: 0x6161

        Sequence number: 1 (0x0001)

        Data (112 bytes)

0000  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0040  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0050  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................

0060  ab cd ab cd 20 00 b8 ce 00 08 01 01 04 29 21 ff   .... ........)!.

            Data: ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD...

            [Length: 112]


Doing the same for MPLS ping: These packets by default be captured by LC CPU. No need to mention size.


clear captured packets egress interface gi 0/1/0/6 location 0/1/cpu0


RP/0/RP0/CPU0:CRS-I#ping mpls ipv4 140.4.2.2/32                                       

Sending 5, 100-byte MPLS Echos to 140.4.2.2/32,

      timeout is 2 seconds, send interval is 0 msec:

Codes: '!' - success, 'Q' - request not sent, '.' - timeout,

  'L' - labeled output interface, 'B' - unlabeled output interface,

  'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,

  'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,

  'P' - no rx intf label prot, 'p' - premature termination of LSP,

  'R' - transit router, 'I' - unknown upstream index,

  'X' - unknown return code, 'x' - return code 0

Type escape sequence to abort.

!!!!!


RP/0/RP0/CPU0:CRS-I#show captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

Wed Mar  5 11:07:45.861 UTC

-------------------------------------------------------

packets captured on interface in egress direction

buffer overflow pkt drops:0, current: 6, non wrapping: 0 maximum: 200

-------------------------------------------------------

           Wrapping entries

-------------------------------------------------------

[2] Mar   5 11:07:18.618, len: 114, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

    [punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

    [ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

    [MPLS  label: 17042, exp 0x0, eos 1, ttl 255]

    46000060 11d84000 0111339f 10101001 7f000001 94040000 0daf0daf 0048fd9a

    00010000 01020000 00000036 00000001 d6c183e6 9de6a351 00000000 00000000

    fc00000c 00000009 00010004 00000004 0001000c 00010005 8c040202 20000000

   

[3] Mar   5 11:07:18.624, len: 114, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

    [punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

    [ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

    [MPLS  label: 17042, exp 0x0, eos 1, ttl 255]

    46000060 11d94000 0111339e 10101001 7f000001 94040000 0daf0daf 0048d1a7

    00010000 01020000 00000036 00000002 d6c183e6 9f6fcdba 00000000 00000000

    fc00000c 00000009 00010004 00000004 0001000c 00010005 8c040202 20000000



Pick any Hex2IP decoder and put the entire hex content in bold.


output:

Internet Protocol, Src: 16.16.16.1 (16.16.16.1), Dst: 127.0.0.1 (127.0.0.1)

    Version: 4

    Header length: 24 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

        0000 00.. = Differentiated Services Codepoint: Default (0x00)

        .... ..0. = ECN-Capable Transport (ECT): 0

        .... ...0 = ECN-CE: 0

    Total Length: 96

    Identification: 0x2c41 (11329)

    Flags: 0x02 (Don't Fragment)

        0.. = Reserved bit: Not Set

        .1. = Don't fragment: Set

        ..0 = More fragments: Not Set

    Fragment offset: 0

    Time to live: 1

        [Expert Info (Note/Sequence): "Time To Live" only 1]

            [Message: "Time To Live" only 1]

            [Severity level: Note]

            [Group: Sequence]

    Protocol: UDP (0x11)

    Header checksum: 0x1936 [correct]

        [Good: True]

        [Bad : False]

    Source: 16.16.16.1 (16.16.16.1)

    Destination: 127.0.0.1 (127.0.0.1)

    Options: (4 bytes)

        Router Alert: Every router examines packet

User Datagram Protocol, Src Port: 3503 (3503), Dst Port: 3503 (3503)

    Source port: 3503 (3503)

    Destination port: 3503 (3503)

    Length: 72

    Checksum: 0xe5ea [validation disabled]

        [Good Checksum: False]

        [Bad Checksum: False]

Multiprotocol Label Switching Echo

    Version: 1

    Global Flags: 0x0000

        0000 0000 0000 000. = Reserved: 0x0000

        .... .... .... ...0 = Validate FEC Stack: False

    Message Type: MPLS Echo Request (1)

    Reply Mode: Reply via an IPv4/IPv6 UDP packet (2)

    Return Code: No return code (0)

    Return Subcode: 0

    Sender's Handle: 0x00000038

    Sequence Number: 6261

    Timestamp Sent: Mar  5, 2014 11:10:43.4066 UTC

    Timestamp Received: NULL

    Vendor Private

        Type: Vendor Private (64512)

        Length: 12

        Vendor Id: ciscoSystems (9)

        Value: 0001000400000004

    Target FEC Stack

        Type: Target FEC Stack (1)

        Length: 12

        FEC Element 1: LDP IPv4 prefix

            Type: LDP IPv4 prefix (1)

            Length: 5

            IPv4 Prefix: 140.4.2.2 (140.4.2.2)

            Prefix Length: 32

            Padding


2. You could use netflow on the interface CRS interface to capture how CRS sending out the ICMP packet.

Please note: Netflow will only capture header content, but not the payload.

Drawback:

The flow monitor would not record MPLS ping packets (UDP) but works well for regular ping.. But if you do the netflow on the ingress of the peer router, you could see the mpls ping packets recorded by the netflow.

Ex:

flow monitor-map rak-mon

record mpls ipv4-fields labels 1

exporter rak

cache timeout active 604000

cache timeout inactive 604000

flow exporter-map flow-export

version v9

  options interface-table

!

!

sampler-map rak-sample

random 1 out-of 5

RP/0/RP0/CPU0:CRS-I#show run int gi 0/1/0/6

Wed Mar  5 09:36:07.259 UTC

interface GigabitEthernet0/1/0/6

cdp

ipv4 address 16.16.16.1 255.255.255.252

flow mpls monitor rak-mon sampler rak-sample egress

    Load distribution: 0 (refcount 4)

    Hash  OK  Interface                 Address

    0     Y   GigabitEthernet0/1/0/6    remote        

RP/0/RP0/CPU0:CRS-I#ping 140.4.2.2 count 1000 tim 0                  

Wed Mar  5 09:58:37.360 UTC

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 140.4.2.2, timeout is 0 seconds:

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

....................

Success rate is 0 percent (0/1000)

RP/0/RP0/CPU0:CRS-I#show flow monitor rak-mon cache  location 0/1/cpu0

Wed Mar  5 09:58:43.139 UTC

Cache summary for Flow Monitor rak-mon:

Cache size:                          65535

Current entries:                         1

High Watermark:                      62258

Flows added:                             1

Flows not added:                         0

Ager Polls:                             11

  - Active timeout                       0

  - Inactive timeout                     0

  - TCP FIN flag                         0

  - Watermark aged                       0

  - Emergency aged                       0

  - Counter wrap aged                    0

  - Total                                0

Periodic export:

  - Counter wrap                         0

  - TCP FIN flag                         0

Flows exported                           0

LabelType Prefix/Length      Label1-EXP-S     InputInterface  OutputInterface ForwardStatus        FirstSwitched   LastSwitched    ByteCount    PacketCount  Dir SamplerID  IPV4SrcAddr      IPV4DstAddr      IPV4TOS  IPV4Prot L4SrcPort  L4DestPort L4TCPFlags  

      LDP 140.4.2.2/32          17042-0-1     0               Gi0/1/0/6       FwdNoFrag            41 10:55:30:253 41 10:55:30:329 19344        186          Egr 6          16.16.16.1       140.4.2.2        0        icmp     0          2048       0           

Matching entries:                        1

Total packets : 186 ( since we are doing 1 packet out of 5 as sampling rate).

Out going label : 17042 0 (exp)  End of stack 1.

To clear the cache,

clear flow monitor rak-mon cache loc 0/1/cpu0

Loading.

Actions

This Document

Related Content