10-15-2013 03:03 PM
With Rahul Rammanohar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
• 7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
• ASR9k: network processor capture
• 7200/ISRs: embedded packet capture
• Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
• Cisco Nexus 7K: ELAM
• CRS: show captured packets
• ASR1K: embedded packet capture
More Information
Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
Watch the Video: https://supportforums.cisco.com/videos/6226
Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service.
Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.
Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
10-20-2013 06:02 AM
Hi, would you share the PDF for this video please?
10-20-2013 08:37 PM
Hi,
I have uploaded the pdf to the Support Forum and you can access it from the following link. Feel free to ping us regarding any further query you might have regarding this topic.
https://supportforums.cisco.com/docs/DOC-37097
Thanks and regards,
Hitesh and Rahul.
10-21-2013 12:59 PM
Hi Hitesh & Rahul,
I am facing a problem in an L3 switch. Because of unwanted packets, high ARP requests and VRRP packets, CPU utilization is getting high; because of that, the LACP links to the other L3 switch and PE router go into an inactive state, and in the end the L3 switch hangs. As a precaution I have configured loop-detect on all the interfaces, set the CPU guard threshold for ARP & VRRP packets, and then given higher priority to LACP packets, but the packet statistics still show high ARP request packet drops and unknown packets arriving on each port.
10-21-2013 10:25 PM
Hello Amit
Thanks for your query. Are you facing any issues while capturing the traffic? If yes, can you please let us know what kind of device is it, provide a topology and what method you used to capture the traffic?
Thanks and regards,
Hitesh and Rahul.
10-22-2013 12:46 PM
Hi Hitesh,
I am working on a 3G project where all telecom core elements are connected via MPLS VPN. In that, as CE we are using an L3 LAN switch for connecting Node B sites (3G), RNC & BSC.
Today, we captured packets from the LAN switch through Wireshark by port mirroring, from one port where we were getting a high number of unknown packets. Within 30 sec, 12 lac packets were captured.
Observation:-
1) Though we have disabled PTP on this port, we are still getting PTPv2 protocol packets.
2) Though we have not enabled the STP protocol, STP packets are still present.
3) We are observing some unknown malformed packets called "YAMI packet".
4) We are observing TTL=1 LLMNR protocol packets.
...because I know different transmission media will be there, and if it is microwave media then fluctuation will be there, which is not in my control.
I just want to restrict that unwanted fluctuation traffic at my device. Is there any solution for restricting broadcast packets or keeping some threshold on the port, so that after reaching the max threshold level the port will block itself and safeguard the CPU?
BR,
Amit Dave
10-23-2013 08:51 PM
Hello Amit
We would suggest you to open up a TAC case as in our point of view this requires more troubleshooting to be done as to how many of each packets are you receiving and how many are expected. I am sorry, but this event was created to assist everyone with the packet captures across Cisco platforms and if they are having any issues while capturing those, so might not be the right forum to carry on troubleshooting.
Regarding restricting broadcast, you can configure broadcast suppression, storm control or other methods depending on the type of requirement & platform, but we would suggest you check with a TAC engineer before doing that.
Thanks and regards,
Hitesh and Rahul.
10-22-2013 03:12 PM
Hi guys,
you did a fantastic job creating that video! I would just like to double check one bullet from the beginning of the Nexus section: can we capture transit traffic on Nexus 5k too? From your first slide in the Nexus section it seems like it is possible only for 7k.
10-23-2013 09:11 PM
Hello Tenaro
Thanks for your valuable feedback. At the moment we don't have any method to capture transit traffic on Nexus5k. Ethanalyzer will only capture traffic destined to the box on Nexus5k.
Thanks and regards,
Hitesh and Rahul.
10-23-2013 11:54 PM
Hi Hitesh
I worked with you on a case and thanks for the wonderful support. I am unable to capture a transit packet through ELAM. I am trying to capture the packet on the linecard. Shall I capture the packet on the RP? As per your ppt we can capture the packet on both the RP and Linecard.
I checked in the video and it seems I am using the correct syntax of the commands. I am using source and destination ip address in the trigger.
Reg
Erick
10-24-2013 03:47 AM
Hello Erick
Thanks for your query. If the incoming linecard has a DFC then it should take all the forwarding decisions for the transit traffic and the packets need not go to the RP. If the incoming linecard doesn't have a DFC then the packet has to go to the RP for the forwarding decision to be done.
So it depends on the incoming linecard where the transit packet will go and you will need to perform the ELAM accordingly.
Regarding the ELAM unable to capture the packet, can you please let me know the topology and what type of packet are you trying to capture. It would be great if you can let me know the exact commands used.
Thanks and regards,
Hitesh and Rahul.
10-24-2013 10:22 AM
Hi Hitesh
It's a normal MPLS VPN scenario: CE---PE(7600)---P(7600)---P---P---PE---CE. I am trying to capture the packet on the P router.
Reg
Erick
10-24-2013 10:00 PM
Hello Erick
Thanks for the topology. The trigger will be different for labelled packet as you would need to mention the values of labels too in the trigger.
Below are two examples with one or two labels being used. Where you are capturing the packet in the MPLS VPN scenario decides the number of labels imposed on the packet.
Trigger for one label. (if PHP is being performed on the router on which you are capturing the packet)
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
Trigger for two labels. (for other core routers)
IGP label - 1234
VPN label - 5678
Source Address - 111.111.111.111
Destination Address - 123.123.123.123
show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
You can check the labels being used (by using show ip cef <> details), convert their values to hex and change the trigger accordingly.
I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
Please let me know if this helps.
Thanks & Regards
Hitesh & Rahul
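The label and address conversion described in the reply above, as an added example that is not part of the original thread and not Cisco code. The helper name `elam_mpls_trigger` is hypothetical; the word layout is inferred from the two triggers in the post and assumes an untagged Ethernet II frame carrying IPv4, generalized here to any label-stack depth.

```python
import ipaddress
import struct

CMD = "show platform capture elam trigger dbus others if data ="

def _words(buf, upper):
    """Render bytes as 32-bit words, writing '0' for an all-zero word."""
    fmt = "0x{:08X}" if upper else "0x{:08x}"
    words = struct.unpack("!%dI" % (len(buf) // 4), bytes(buf))
    return " ".join(fmt.format(w) if w else "0" for w in words)

def elam_mpls_trigger(labels, src_ip, dst_ip):
    """Build data and mask words matching a label stack plus IPv4 src/dst.

    labels: outermost label first, e.g. [IGP label, VPN label].
    """
    if not labels:
        raise ValueError("at least one label is required")
    # Bytes 0-11: destination and source MAC, not matched (mask 0).
    data = bytearray(12) + b"\x88\x47"      # MPLS unicast ethertype
    mask = bytearray(12) + b"\xff\xff"
    for label in labels:
        if not 0 <= label < 2 ** 20:
            raise ValueError("label %r does not fit in 20 bits" % label)
        # Label is the top 20 bits of the entry; EXP, S and TTL are not matched.
        data += struct.pack("!I", label << 12)
        mask += struct.pack("!I", 0xFFFFF000)
    # IPv4 header: the first 12 bytes are not matched, then source, destination.
    data += bytes(12) + ipaddress.IPv4Address(src_ip).packed
    data += ipaddress.IPv4Address(dst_ip).packed
    mask += bytes(12) + b"\xff" * 8
    pad = -len(data) % 4                    # fill the last 32-bit word
    data += bytes(pad)
    mask += bytes(pad)
    return "%s %s [ %s ]" % (CMD, _words(data, True), _words(mask, False))

if __name__ == "__main__":
    # Values from the post: IGP label 1234, VPN label 5678.
    print(elam_mpls_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_mpls_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```
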
10-24-2013 09:41 PM
Hi Hitesh/Rahul
Is it that everytime you need to capture the packet via ELAM you need to configure "service internal"? I am working in a SP environment and configuring something is not that easy. Can you guys please suggest an alternative?
There has been lot of instances where TAC engineer wants to run some internal commands for which service internal is required, so is there any way of enabling it without configuring anything?
regards
Kunal
10-24-2013 10:21 PM
Hi Kunal,
Thank you very much for your query.
There is an alternate way to configuring the service internal. At the enable prompt, you could issue the command "test platform service internal enable" to configure "service internal". The command "test platform service internal disable" would remove the configuration.
R2_7606B#
R2_7606B#show runn | i service internal
R2_7606B#
R2_7606B#test platform service internal enable
%WARNING: service internal enable. Please disable when you are done.
R2_7606B#
R2_7606B#show runn | i service internal
service internal
R2_7606B#
Thanks and regards,
Hitesh and Rahul.