Introduction
Ethanalyzer is a command-line version of Wireshark that captures and decodes packets. You can use Ethanalyzer to troubleshoot your network and analyze the control-plane traffic. Ethanalyzer is useful when troubleshooting problems related to the switch itself. The packets captured by Ethanalyzer need to be generated or destined for the switch supervisor CPU itself. Ethanalyzer does not capture hardware-switched traffic between data ports of the switch. For this type of packet capture, you can use Cisco Switch Protocol Analyzer (SPAN). The captured packets can be viewed using the CLI or exported to a Wireshark protocol analyzer on an external host for GUI analysis.
Ethanalyzer provides sniffing capabilities to Cisco NX-OS within the operating system, reducing the need for a third-party network probe to capture control traffic sourced from or destined to the switch, including Spanning Tree Protocol and Link Aggregation Control Protocol (LACP) traffic.
Ethanalyzer and CPU
Since Ethanalyzer is part of the software running on the supervisor, understanding its effect on the supervisor's CPU is important. Testing has shown an average increase in the supervisor's CPU utilization of just under 5 percent. Utilization can be decreased by 1 or 2 percent by saving the capture data in a file using the write option, described later in this document.
Create a Capture
n7000# ethanalyzer local sniff-interface ?
inband Inband/Outband interface
mgmt Management interface
Capture using Defaults and Write to a File on Bootflash:
n7000# ethanalyzer local sniff-interface inband write bootflash:ethanalyzer-data
Capturing on inband
Additional Capture Options:
n7000# ethanalyzer local sniff-interface inband ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
capture-filter Filter on ethanalyzer capture
decode-internal Include internal system header decoding
detailed-dissection Display detailed protocol information
display-filter Display filter on frames captured
dump-pkt Hex/Ascii dump the packet with possibly one line summary
limit-captured-frames Maximum number of frames to be captured (default is 10)
limit-frame-size Capture only a subset of a frame
write Filename
Capture filters can be used to reduce the amount of data collected when troubleshooting. The following CLI commands illustrate some basic examples.
The capture filter syntax is the same as that of tcpdump.
n7000# ethanalyzer local sniff-interface inband capture-filter "icmp"
n7000# ethanalyzer local sniff-interface inband capture-filter "tcp"
n7000# ethanalyzer local sniff-interface inband capture-filter "udp"
Use the detailed-dissection option to capture detailed packet information.
n7000# ethanalyzer local sniff-interface inband detailed-dissection
Capturing on inband
Capturing on inband
Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Apr 24, 2013 22:07:57.150394000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:llc:stp]
IEEE 802.3 Ethernet
Destination: 01:80:c2:00:00:00 (01:80:c2:00:00:00)
Address: 01:80:c2:00:00:00 (01:80:c2:00:00:00)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:0d:ec:6d:96:6f (00:0d:ec:6d:96:6f)
Address: 00:0d:ec:6d:96:6f (00:0d:ec:6d:96:6f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Length: 39
Trailer: 00000000000000
<Text Omitted>
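Added example, not part of the original Cisco document: a minimal Python decoder showing how the Ethernet fields in the detailed-dissection output above (IG/LG bits, 802.3 Length, Trailer, eth:llc:stp) are derived from the raw bytes of a frame. The sample frame is constructed to match the header values shown above with a zero-filled BPDU body, and the function names are hypothetical.

```python
import struct

STP_LLC_SAP = 0x42  # IEEE 802.2 SAP used by Spanning Tree BPDUs


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def addr_bits(raw: bytes) -> dict:
    """IG and LG flags are the two low-order bits of the first address octet."""
    return {
        "address": fmt_mac(raw),
        "group": bool(raw[0] & 0x01),                 # IG bit: 1 = multicast/broadcast
        "locally_administered": bool(raw[0] & 0x02),  # LG bit: 0 = globally unique
    }


def dissect(frame: bytes) -> dict:
    """Decode the Ethernet header of one captured frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    out = {"frame_len": len(frame), "dst": addr_bits(frame[0:6]), "src": addr_bits(frame[6:12])}
    if type_or_len >= 0x0600:  # Ethernet II: the field is an EtherType
        out.update(kind="Ethernet II", ethertype=type_or_len, protocols="eth")
        return out
    # IEEE 802.3: the field is the LLC payload length; bytes after it are padding
    payload = frame[14:14 + type_or_len]
    if len(payload) < type_or_len:
        raise ValueError("frame shorter than its 802.3 length field (sliced capture?)")
    out.update(kind="IEEE 802.3", length=type_or_len, protocols="eth:llc",
               trailer=frame[14 + type_or_len:].hex())
    if len(payload) >= 3 and payload[0] == payload[1] == STP_LLC_SAP:
        out["protocols"] = "eth:llc:stp"  # DSAP and SSAP both 0x42
    return out


# Constructed sample: header values from the dissection above, BPDU body zero-filled.
SAMPLE = (
    bytes.fromhex("0180c2000000" "000dec6d966f" "0027" "424203")  # dst, src, len=39, LLC
    + bytes(36)  # stand-in for the BPDU body (39 bytes minus 3 LLC bytes)
    + bytes(7)   # padding to the 60-byte minimum, shown as "Trailer"
)
```

A capture taken with limit-frame-size can cut frames short of their 802.3 length field; the decoder raises an error in that case instead of reporting a partial payload.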