Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2939
Views
5
Helpful
8
Replies

Unable to capture traffic with Ethanalyzer on N5K-5548

kstamandk
Level 1
Level 1

‎02-28-2011 06:42 PM

Version - 5.0(2)N2(1)

My understanding is that we need

1) Access-List defined, with statistics configured to get matched traffic onto control plane

2) Access-List applied to an interface, via command "ip port access-group mycap in"

3) ethanalyzer command, ex; "ethanalyzer local interface mgmt capture-filter "net 1.1.1.0/24" (also tried interfaces inbound-hi & inbound-low)

I see matches on the access-list, but not seeing anything captured.

What am I missing?

ip access-list mycap
  statistics per-entry
  10 permit ip any 1.1.1.0/24
  20 permit ip 1.1.1.0/24 any
  30 permit ip any any

Labels:
0 Helpful
8 Replies 8

vdsudame
Cisco Employee
Cisco Employee

‎03-01-2011 08:12 PM

can you please try display-filter instead of capture-filter in the ethanalyzer command ?

0 Helpful

kstamandk
Level 1
Level 1
In response to vdsudame

‎03-03-2011 06:57 AM

display-filter appears to give any traffic crossing the control plane. I'm trying to find a way to capture the traffic (data plane) coming in a host connected port.

It appears that may not be available - is that correct?

0 Helpful

Lucien Avramov
Level 10
Level 10
In response to kstamandk

‎03-03-2011 09:51 AM

correct, ethanalyzer is only for traffic going to the CPU. Cut trough switched traffic between hosts is not captured with ethanalyzer, you need to use a span session for this.

0 Helpful

tj.mitchell
Level 4
Level 4
In response to Lucien Avramov

‎03-24-2011 01:19 PM

From a Nexus training it is possible to capture the traffic with the ethanalyzer, but you need to send the traffic to the control plane. I'll need to look up the configurations that the instructor gave us to do this.. I'll see if I can find it.

0 Helpful

vdsudame
Cisco Employee
Cisco Employee
In response to tj.mitchell

‎03-31-2011 07:31 AM

just fyi.. on a similar sidenote we are going to enchance the capability of capture filter to collect the necessary statistics via the following enhancement

CSCsz99277 - ethanalyzer capture filter broken

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz99277

johgill
Level 1
Level 1
In response to tj.mitchell

‎05-18-2011 03:07 PM

TJ,

Is it possible you are referring to the log keyword on the Nexus 7000?  The hardware capabilities in this case do not correspond to the N5k platform unfortunately.

Regards,

John

0 Helpful

derek.small
Level 5
Level 5
In response to Lucien Avramov

‎04-24-2012 12:53 PM

Can you tell us how to do that?  I can't find any documentation on how to send a SPAN (monitor) session to the Ethanalyzer.  Is the destination port 4 (inbound-lo) on the Sup?

0 Helpful

jonesandrew
Level 1
Level 1
In response to derek.small

‎07-03-2012 03:59 AM

from what i undersatand to capture data plane traffic in ethanalyzer on the 7k you need to add the log keywoard to the acl entry, as this causes the traffic to be punted to the CPU. this is not recommmended and may by of limted use with the 7k hardware based control plane policies. (ie the traffic may get dropped before reaching the cpu if COPP policies arent removed. do so at your own risk...)

0 Helpful
Customers Also Viewed These Support Documents