Problem setting up Wireshark/Ethanalyzer on Nexus

mullzkBern_2
Level 1

Hi there

We have a Nexus N7K with NX-OS 4.2. Ethanalyzer (the built-in Wireshark) works great for IP packets that go to the Nexus' CPU, but, as stated by Cisco, most traffic doesn't pass through the CPU and therefore cannot be sniffed and analyzed by the built-in packet capture as such...

The corresponding White Paper (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html) says that, in order to capture normal data-plane traffic, we need to log each packet with an ACL, like:

ip access-list my-app
  statistics per-entry
  10 permit tcp 1.1.1.1/32 1.1.1.2/32 eq 5600 log
  20 permit tcp 1.1.1.2/32 1.1.1.1/32 eq 5600 log

ethanalyzer local interface inband capture-filter "port 5600" limit-capture-frame 0 write bootflash:my-app-capture

interface ethernet 1/1
  ip access-list my-app input

The procedure in this White Paper does not seem to work for us - NX-OS (4.2?) rejects the interface-config "ip access-list". If I just replace ip access-list with "ip access-group my-app input", I kill all traffic on the Interface.

Three Questions:

1. How can we pass regular Data Plane Traffic to the CPU, if the above procedure does not work because of the "ip access-list"-command?

2. Ethanalyzer works only in the default VDC. If we want to capture packets in another VDC, does this work too (ACL definition and ACL-on-interface statement in VDC XY, ethanalyzer statement in the default VDC)?

3. We would like to capture traffic on a Port-Channel. Can we use the ACL on the int poXY, or should we configure it on all corresponding Physical Interfaces?

Thanks in advance and greetings from Switzerland

Stefan Mueller

3 Replies

mullzkBern_2
Level 1

Found a solution, in case anyone has the same problem:

1. The Cisco White Paper needs two adjustments:

a) The access-list needs a last statement (not for logging, but for forwarding the rest of the traffic):

30 permit ip any any

b) The interface needs the statement "ip access-group WORD input", not "ip access-list WORD input".

2. You can sniff in non-default VDCs as well: configure the ACL definition and the interface access-group in the non-default VDC and start the ethanalyzer capture in the default VDC.

3. Sniffing on int poXY is no problem. I didn't test it on a vPC EtherChannel, though...

Greetings from Switzerland

Stefan Mueller

Stephen,

Thank you for answering your own question and replying back.  Although most will read these posts, not everyone replies, but don't think that it wasn't very helpful.

If you don't mind, would you reply with the exact syntax that you put in on the command line? I'm also looking to capture traffic with an ACL and output that file to a TFTP or remote location.

Thanks,

Joe

Config in the VDC your port belongs to:

ip access-list capturefilter
  statistics per-entry
  ! Capturing all Traffic from host 1.2.3.4 on TCP 1234
  10 permit tcp any 1.2.3.4/32 eq 1234 log
  20 permit tcp 1.2.3.4/32 any eq 1234 log
  30 permit ip any any
interface ethernet x/y
  ip access-group capturefilter in

Enable-Mode in Default-VDC:

! I try to filter both with the ACL and the capture-filter. Don't know whether this is necessary.

ethanalyzer local interface inband capture-filter "host 1.2.3.4 && port 1234" limit-capture-frame 1000 write bootflash:snifferfile.pcap
copy bootflash:/snifferfile.pcap ftp://user@ftpserver/snifferfile.pcap vrf management


Don't forget to remove the access-group (and ACL) after the capture
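The recipe settled on in this thread has two easy-to-miss parts: every capture entry carries `log` (that is what punts matching packets to the supervisor), and the ACL must end in `permit ip any any` because the implicit deny otherwise blackholes the port, and the interface binding is `ip access-group`, not `ip access-list`. The following Python script is an added example, not Cisco's code and not the poster's config: it generates the ACL, the interface binding and the matching ethanalyzer command from a list of flows, and lints a pasted config for exactly the two mistakes found above. ACL name, interface, host and port values are made-up samples; the return direction is matched on the source port (`permit tcp <server> eq <port> <client>`) rather than on the destination port both ways as in the posted ACL. The `limit-captured-frames` keyword is spelled as in the NX-OS command reference.

```python
"""Generate and sanity-check an NX-OS "ACL log" capture setup for Ethanalyzer.

Added example for this thread, not Cisco's code or the poster's. It encodes the
two fixes found above: the capture ACL must end with "permit ip any any" so
unmatched traffic is still forwarded, and the interface takes "ip access-group",
not "ip access-list". ACL name, interface, hosts and ports are made-up samples.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # IPv4 host, prefix, or "any"
    dst: str          # IPv4 host, prefix, or "any"
    port: int         # server (destination) port
    proto: str = "tcp"


def _acl_addr(addr: str) -> str:
    """NX-OS ACL operand: 'any' or a.b.c.d/len (bare hosts become /32)."""
    if addr.lower() == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    return f"{net.network_address}/{net.prefixlen}"


def _bpf_addr(addr: str):
    """BPF operand for the same address, or None for 'any'."""
    if addr.lower() == "any":
        return None
    net = ipaddress.ip_network(addr, strict=False)
    return f"host {net.network_address}" if net.prefixlen == 32 else f"net {net.with_prefixlen}"


def capture_acl(name: str, flows, step: int = 10) -> str:
    """ACL whose 'log' entries punt the interesting flows to the supervisor;
    the trailing permit forwards everything else unchanged."""
    lines = [f"ip access-list {name}", "  statistics per-entry"]
    seq = step
    for f in flows:
        src, dst = _acl_addr(f.src), _acl_addr(f.dst)
        lines.append(f"  {seq} permit {f.proto} {src} {dst} eq {f.port} log")   # client -> server
        seq += step
        lines.append(f"  {seq} permit {f.proto} {dst} eq {f.port} {src} log")   # server -> client
        seq += step
    # Without this line the implicit deny drops all other traffic on the port.
    lines.append(f"  {seq} permit ip any any")
    return "\n".join(lines)


def interface_binding(acl: str, interface: str) -> str:
    # 'ip access-group' is the interface-level command; 'ip access-list' is rejected there.
    return f"interface {interface}\n  ip access-group {acl} in"


def bpf_filter(flows) -> str:
    """capture-filter for ethanalyzer, so other punted traffic (ARP, routing
    protocols, management sessions) stays out of the file."""
    terms = []
    for f in flows:
        parts = [f"{f.proto} port {f.port}"]
        parts += [p for p in (_bpf_addr(f.src), _bpf_addr(f.dst)) if p]
        terms.append("(" + " and ".join(parts) + ")")
    return " or ".join(terms)


def ethanalyzer_command(flows, outfile="bootflash:capture.pcap", frames=1000) -> str:
    """Run in the default VDC, even when the ACL lives in another VDC."""
    return (f'ethanalyzer local interface inband capture-filter "{bpf_filter(flows)}" '
            f"limit-captured-frames {frames} write {outfile}")


def cleanup(acl: str, interface: str) -> str:
    """Remove the punt ACL afterwards; leaving it in place keeps hitting the CPU."""
    return f"interface {interface}\n  no ip access-group {acl} in\nno ip access-list {acl}"


_ENTRY = re.compile(r"^\d+ (permit|deny) ")


def check_capture_config(config: str) -> list:
    """Flag the mistakes that made the white-paper procedure fail in the thread."""
    problems, acls, current, in_intf = [], {}, None, False
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if s.startswith("interface "):
            in_intf, current = True, None
        elif re.fullmatch(r"ip access-list (\S+)", s):
            current, in_intf = s.split()[-1], False
            acls.setdefault(current, [])
        elif in_intf:
            if re.fullmatch(r"ip access-list \S+ (in|input|out|output)", s):
                problems.append(f"'{s}' is rejected under an interface; use 'ip access-group <name> in'")
            m = re.fullmatch(r"ip access-group (\S+) (in|input|out|output)", s)
            if m and m.group(1) not in acls:
                problems.append(f"access-group refers to undefined ACL {m.group(1)}")
        elif current and _ENTRY.match(s):
            acls[current].append(s)
    for name, entries in acls.items():
        if not entries or not entries[-1].endswith("permit ip any any"):
            problems.append(f"ACL {name} lacks a final 'permit ip any any'; unmatched traffic is dropped")
        if not any(e.endswith(" log") for e in entries):
            problems.append(f"ACL {name} has no 'log' entry; nothing is punted for ethanalyzer")
    return problems


if __name__ == "__main__":
    flows = [Flow("any", "1.2.3.4", 443)]          # constructed sample flow
    print(capture_acl("capture-web", flows))
    print(interface_binding("capture-web", "ethernet 1/1"))
    print(ethanalyzer_command(flows))
    print(cleanup("capture-web", "ethernet 1/1"))
```

Keep in mind that this deliberately forces data-plane packets onto the supervisor CPU: ACL-log punting on the N7K is subject to the supervisor's hardware rate limiters (see `show hardware rate-limiter`), so a busy flow will be sampled rather than captured in full, and a capture ACL on a high-volume interface is itself a control-plane load you want to remove as soon as the capture is done.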
