Re: Nexus 5500 ethanalizer interrupts

JPavonM · ‎05-10-2024

Hi community,

I'm trying to collect DHCP packets from a Nexus 5500 and the problem I have is that the capture is interrupted randomly, so I nbeed to keep looking at the console to re-run it again, and some times it takes me some tries to get it working again.

I've tried with both Putty and SecureCRT so the problem is not related to the SSH client. I've also tried to see it in the console or writing it to the bootflash with same results.

Other packet captures keep running in other devices (non-Cisco) while I have the session open, but this one with N5k is not.

The NXOS version I'm running is this:

Software
BIOS: version 3.6.0
loader: version N/A
kickstart: version 6.0(2)N1(2)
system: version 6.0(2)N1(2)
Power Sequencer Firmware: 
Module 1: version v1.0
Module 2: version v1.0
Module 3: version v5.0
Microcontroller Firmware: version v1.2.0.1
SFP uC: Module 1: v1.0.0.0
QSFP uC: Module not detected
BIOS compile time: 05/09/2012
kickstart image file is: bootflash:///n5000-uk9-kickstart.6.0.2.N1.2.bin
kickstart compile time: 3/14/2013 1:00:00 [03/14/2013 08:53:55]
system image file is: bootflash:///n5000-uk9.6.0.2.N1.2.bin
system compile time: 3/14/2013 1:00:00 [03/14/2013 11:28:50]
Hardware
cisco Nexus5548 Chassis ("O2 32X10GE/Modular Universal Platform Supervisor")

balaji.bandi · ‎05-10-2024

the code running on the nexus quite old.

i have tested some time back on 7.X and on 5596 i dont see any issue when i was capturing ?

do you see any CPU high ?

try some display-filter what you looking :

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116201-technote-ethanalyzer-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JPavonM · ‎05-10-2024

Hi @balaji.bandi and happy to see you on this channel also.

I know this is pretty old, but you know that some companies has a weird policy not to update anything unless something critical happen. I'm trying that path in the meanwhile, but I wanted to ask just in case somebody had the same issue.

This is the command with filter that I'm using:

ethanalyzer local interface inbound-hi display-filter bootp limit-captured-frames 0 write bootflash:n5k_dhcp_20240509-1.pcap

MHM Cisco World · ‎05-10-2024

I know it problem before you post command

You use inband' what meaning of this keyword' it meaning capture traffic toward your NSK CPU' and as I know NSK not run local dhcp so you will dont capture using this keyboard for traffic pass through NSK.

You need to use different that ethanalzyer for this task

MHM

JPavonM · ‎05-10-2024

But yes I'm capturing that traffic as the N5K SVIs are doing the relay to DHCP servers. See below:

MHM Cisco World · ‎05-10-2024

if that case then the traffic must hit SVI (CPU)
but if you use vPC then traffic can send back through the second NSK not this one

MHM

JPavonM · ‎05-10-2024

The problem is not with capturing traffic, but with the capture stopping randomly and then taking some tries to restart it.

It's more like a bug that a config issue.

MHM Cisco World · ‎05-10-2024

you have vPC ?

MHM

JPavonM · ‎05-10-2024

No I don't.

In parallel, I have tried using "ethanalyzer local interface inbound-low" and "ethanalyzer local interface inbound-hi" and same behavior.

MHM Cisco World · ‎05-10-2024

Then we return to first point

NSK have two switching

1-software (cpu)

2-hardware (tcam)

The dhcp relay traffic is

1- from client to 255.255.255.255 (SW)

2- from NSK SVI to dhpc server (SW)

3- from NSK SVI to client (SW)

4- from clinet direct to server (SW then HW)

The ethanalzyer until point 4 is sure show traffic after point four since the client is direct connect to Serve the the traffic is HW switching

Compare above with what you capture

MHM

JPavonM · ‎05-12-2024

@MHM Cisco World the problem is not about the capture, it WORKS, BUT the fact that capture stops randomly always and it does not keep running until the number of packets that I set for it, nor until I press Ctrl+C to stop it.

MHM Cisco World · ‎05-12-2024

If you dont focus on the dhcp packet capture but stop of capturing

There is circle or ringe keyword' this keyboard will make packet overwrite in buffer.

When buffer is full and NSK still capture traffic with this keyboard the NSK overwrite the packet over the old one.

Check this.

MHM