Bronze

Nexus and linux tcpdump

I have an issue that I don't know if this is an issue with Nexus or the sniffer box itself.

Nexus software version:

Software
  BIOS:      version 3.5.0
  loader:    version N/A
  kickstart: version 5.0(3)N2(1)
  system:    version 5.0(3)N2(1)
  power-seq: Module 1: version v3.0
             Module 2: version v1.0
             Module 3: version v2.0
  uC:        version v1.1.0.1
  BIOS compile time:       02/03/2011
  kickstart image file is: bootflash:/n5000-uk9-kickstart.5.0.3.N2.1.bin
  kickstart compile time:  6/13/2011 6:00:00 [06/13/2011 13:43:33]
  system image file is:    bootflash:/n5000-uk9.5.0.3.N2.1.bin
  system compile time:     6/13/2011 6:00:00 [06/13/2011 15:33:42]

- I have a Linux machine, Red Hat EL 5.4 64-bit OS, running on a Dell R710.  The NIC is Intel Pro 1000MT.  Eth0 is the management interface while Eth1 is the sniffer interface.

- I set up a SPAN port on a Catalyst 3750 and plugged Eth1 into the 3750 port F1/0/48 interface with the following setup:

monitor session 1 source interface Fa1/0/27
monitor session 1 destination interface Fa1/0/48

Basically, I am spanning traffic on port 1/0/27 and mirroring it on port 1/0/48.

From the Linux machine, I can run the following:  tcpdump -nnni eth1 icmp.  I can then see any echo request and echo reply coming into and leaving interface f1/0/27 on the Linux machine sniffer.

Everything is working fine with the Catalyst 3750 and SPAN port.

Now I do the same thing with the Nexus 5K.  I plugged interface eth1 of the Linux machine into a port on the Nexus 5K and did the same thing as follows:

monitor session 2
  source interface Ethernet101/1/28
  destination interface Ethernet1/31
  no shut

I want to watch traffic coming in and out of port 101/1/28 and mirror it to 1/31, where the Linux eth1 interface is connected.

Well, if I run "tcpdump -nnni eth1" I can see ALL traffic coming into and leaving interface 101/1/28, but I do NOT want to do that.  I only want to see icmp traffic.  If I do "tcpdump -nnni eth1 icmp", I am not seeing traffic.  However, I can confirm that icmp is hitting interface 101/1/28 because if I do "tcpdump -nnni eth1 | grep icmp", I can see icmp traffic.  In other words, if I fine-tune the filter on the tcpdump like "tcpdump -nnni eth1 port 1521", it does not work even though there is definitely sqlnet traffic hitting interface 101/1/28.

My question is:  are there any issues with tcpdump using filter with Nexus 5k switches?  In other words, the exact setup works with catalyst 6509 and 3750 but not Nexus.

Anyone know why?

Thanks in advance.

1 ACCEPTED SOLUTION

Cisco Employee

Nexus and linux tcpdump

Hi David,

In the case of SPAN, the Nexus 5000 sends the traffic out the port with the VLAN tag. In the Linux filter you need to specify the VLAN also.

This is an example from Mac OS X:

tcpdump -i en0 'vlan 17 && icmp[icmptype] = icmp-echoreply'

You can also check this link:

http://www.christian-rossow.de/articles/tcpdump_filter_mixed_tagged_and_untagged_VLAN_traffic.php

Vasil
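
Added example (not part of the original thread and not Cisco or tcpdump code): a simplified Python model of the fixed byte offsets that the `icmp` and `vlan` filter primitives test, run against constructed frames. It shows why a plain `icmp` filter misses 802.1Q-tagged SPAN traffic while `tcpdump | grep icmp` still finds it, since the printer decodes the tag but the filter does not. The frame builder, addresses and function names are assumptions made for illustration.

```python
import struct

ETH_IPV4, ETH_8021Q, IPPROTO_ICMP = 0x0800, 0x8100, 1

def build_frame(vlan_id=None):
    """Constructed sample: Ethernet + IPv4 + ICMP echo request, optionally 802.1Q-tagged."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request; checksum unused here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    # 802.1Q tag = TPID 0x8100 + TCI (VLAN ID in the low 12 bits), inserted after the MACs
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip + icmp

def u16(frame, off):
    return struct.unpack_from("!H", frame, off)[0]

def match_icmp(frame, shift=0):
    """Model of `icmp`: EtherType at offset 12+shift, IPv4 protocol byte at 23+shift."""
    if len(frame) < 24 + shift:
        return False
    return u16(frame, 12 + shift) == ETH_IPV4 and frame[23 + shift] == IPPROTO_ICMP

def match_vlan(frame, vlan_id=None):
    """Model of `vlan [id]`: TPID 0x8100 at offset 12, optional VLAN ID check on the TCI."""
    if len(frame) < 16 or u16(frame, 12) != ETH_8021Q:
        return False
    return vlan_id is None or (u16(frame, 14) & 0x0FFF) == vlan_id

def filter_icmp(frame):
    """tcpdump -nnni eth1 icmp"""
    return match_icmp(frame)

def filter_vlan_icmp(frame, vlan_id=None):
    """tcpdump -nnni eth1 'vlan 17 && icmp': after `vlan`, later offsets move by 4 bytes."""
    return match_vlan(frame, vlan_id) and match_icmp(frame, shift=4)

def filter_mixed(frame):
    """tcpdump -nnni eth1 'icmp or (vlan and icmp)': tagged and untagged traffic."""
    return match_icmp(frame) or (match_vlan(frame) and match_icmp(frame, shift=4))

if __name__ == "__main__":
    for name, frame in (("untagged", build_frame()), ("vlan 17", build_frame(17))):
        print(f"{name:9} icmp={filter_icmp(frame)} "
              f"vlan17+icmp={filter_vlan_icmp(frame, 17)} mixed={filter_mixed(frame)}")
```

The same 4-byte shift explains why `port 1521` also failed on the Nexus SPAN port: every offset the filter relies on sits behind the tag.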

Bronze

Nexus and linux tcpdump

Hi Vasil,

I wish you told me this six months ago.  I figured this out myself that I need the "vlan" option in the tcpdump.

Everything is good after that.

Thank you for following up on this. 
