Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4577
Views
10
Helpful
4
Comments

7.1.2 Feature introduction - SPAN to file

Victor Pelaez
Cisco Employee
Cisco Employee

on ‎07-18-2022 03:55 PM

 

Introduction

 

Purpose of this document is to provide examples of SPAN to file feature introduced on 7.1.2 for NCS5500 and ASR9000 devices.

 

Feature components

 

Monitor session

 

Destination needs to be set to file.

 

monitor-session span_test ethernet
 destination file size [size] [buffer-type linear]

 

  • If no buffer-type is configured, default is circular
  • Buffer size is set in KB
  • If not specified, file size default value is 2 GB per location

 

Interface attachment

 

Either physical or Bundle interfaces need to have attached the monitor-session:

 

interface Bundle-Ether14
 monitor-session span_test ethernet [direction rx-only] port-level
!

 

Start/stop packet capture

 

Need to manually specify the beginning and end of the packet capture as follows:

 

monitor-session span_test packet-collection start

 

When stopping the monitor-session, there are two options:

  • Stop and erase the buffer

 

monitor-session span_test packet-collection stop discard-data

 

  • Stop and save the buffer contents on a .pcap file

 

monitor-session span_test packet-collection stop write directory /misc/disk1 filename span_test

 

  • No need to specify .pcap termination

  • This command will create a folder per location of where monitor-session was configured. That is, if we have a Bundle-Ether interface where its members belong to 3 different linecards, 3 folders can get created as long as traffic from that LC was mirrored. Quick example had Bundle-Ether members on two different linecards (0/0/CPU0 and 0/7/CPU0), and traffic from both members was mirrored:

 

[xr-vm_node0_RP0_CPU0:/misc/disk1]$ls -lar | grep node0_
< SNIP >
drwxr-xr-x.  2 root root     4096 Aug 13 14:31 node0_7_CPU0
drwxr-xr-x.  2 root root     4096 Aug 13 14:31 node0_0_CPU0
< SNIP >

 

tcpdump shell tool

 

There are two options to read the .pcap files

  • Retrieve the file(s) via FTP/TFTP/SFTP
  • Use tcpdump tool to review

 

Once files are created on device, we can follow the next syntax:

 

tcpdump -r /[location]/[filename]

 

Follows a quick example:

 

RP/0/RP0/CPU0:NCS5501#run
Wed Sep  2 19:43:57.046 UTC
[xr-vm_node0_RP0_CPU0:~]$cd /misc/disk1/node0_0_CPU0/
[xr-vm_node0_RP0_CPU0:/misc/disk1/node0_0_CPU0]$ls
span_vlan.pcap
[xr-vm_node0_RP0_CPU0:/misc/disk1/node0_0_CPU0]$tcpdump -r span_vlan.pcap 
reading from file span_vlan.pcap, link-type EN10MB (Ethernet)
19:43:17.481536 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 0, length 80
19:43:19.481642 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 1, length 80
19:43:21.481738 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 2, length 80
19:43:23.481927 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 3, length 80
19:43:25.482172 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 4, length 80
19:43:27.482303 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 5, length 80
19:43:29.482483 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 6, length 80
19:43:31.482496 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 7, length 80
19:43:33.482624 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 8, length 80
19:43:35.482789 IP 10.10.100.1 > 10.10.100.0: ICMP echo reply, id 12985, seq 9, length 80

 

Configuration examples

 

Simple SPAN to File configuration

 

monitor-session span_test ethernet
 destination file size 10000
!
interface Bundle-Ether14
 monitor-session span_test ethernet direction rx-only port-level
!

 

SPAN to File configuration with ACL filtering

 

monitor-session span_test ethernet
 destination file size 10000
!
ipv4 access-list span_acl_ipv4
 5 permit ipv4 any host 172.16.14.1 capture
 10 permit ipv4 host 172.16.14.1 any capture
 15 permit ipv4 any any
! 
ipv6 access-list span_acl_ipv6
 5 permit ipv6 any host 2001::172:16:14:1 capture
 10 permit ipv6 host 2001::172:16:14:1 any capture
 15 permit ipv6 any any
!
interface Bundle-Ether14
 monitor-session span_test ethernet direction rx-only port-level
  acl
!
 ipv4 access-group span_acl_ipv4
 ipv6 access-group span_acl_ipv6

 

SPAN to File configuration with ACL filtering and User-Defined Key

 

udf vlanid header outer l2 offset 14 length 2
!
hw-module profile tcam format access-list ipv4 src-addr dst-addr src-port dst-port proto tcp-flags packet-length frag-bit enable-set-ttl udf1 vlanid location 0/0/CPU0
!
ipv4 access-list span
 10 deny ipv4 any any udf vlanid 0x64 0xfff capture
 20 permit ipv4 any any
!
monitor-session span ethernet
 destination file size 10000
!
interface HundredGigE0/0/1/4
 description TO_SPIRENT_2/1
 monitor-session span ethernet direction rx-only port-level
  acl
 !
 load-interval 30
!
interface HundredGigE0/0/1/4.100
 ipv4 address 10.10.100.0/31
 ipv6 address 2001::10:10:100:0/127
 encapsulation dot1q 100
 ipv4 access-group span ingress
!

 

Scale support comparison

 

  • Scale support comparison:
  ASR9000 DNX
SPAN sessions 8

NCS5500 - 4

NCS560 - 4

NCS540 - 4
# of source interfaces 800

NCS5500 - 800

NCS560 - 800

NCS540 - 800

 

  • To validate status of SPAN to file:

 

RP/0/RP0/CPU0:NCS5501#show monitor-session status 
Wed Sep  2 20:58:49.431 UTC
Monitor-session span
Destination File - Not collecting
================================================================================
Source Interface      Dir   Status
--------------------- ----  ----------------------------------------------------
Hu0/0/1/4 (port)      Rx    Operational

 

NCS5500 restrictions

 

  • port-level keyword always needs to be configured at the end of the monitor-session statement
  • Monitor session can only be attached to either physical or Bundle main interfaces. This restriction doesn't apply only to SPAN to file features, but SPAN feature in general
  • Due to the restriction of monitor-sessions not to be configured on sub-interfaces, the following will need to be always followed:
    • monitor-session to be configured on main interface with acl statement but no ACL configured
    • IPv4/IPv6 ACL with capture keyword to be attached to sub-interface
  • SPAN to file with ACL filtering is only supported at rx-only direction
  • ACL entries to be mirrored need to have capture keyword
  • 40000 kbps is the max rate for Fretta platforms
  • BVI source interface with GRE traffic is not supported
  • No counters support for SPAN to file:

     

 

RP/0/RP0/CPU0:NCS5501#show monitor-session counters 
Wed Sep  2 20:57:52.253 UTC
This platform does not support collection of session counters.

 

Hope you find this useful!

 

Regards,

vipelaez

Comments
gariasca
Cisco Employee
Cisco Employee
‎07-21-2022 02:57 PM

Excellent Document 

Mario Sotres
Cisco Employee
Cisco Employee
‎05-31-2023 02:49 PM

If you want to copy the pcap from LC to harddisk:

1. Check the VM ip address from the RP where you would like to copy the pcap:

RP/0/RP1/CPU0:NCS-5508-B#show platform vm
Wed May 31 21:19:37.825 UTC
Node name Node type Partner name SW status IP address
--------------- --------------- --------------- --------------- ---------------
0/3/CPU0 LC (ACTIVE) NONE FINAL Band 192.0.16.3
0/RP1/CPU0 RP (ACTIVE) 0/RP0/CPU0 FINAL Band 192.0.112.4  <<<<
0/RP0/CPU0 RP (STANDBY) 0/RP1/CPU0 FINAL Band 192.0.108.4
0/7/CPU0 LC (ACTIVE) NONE FINAL Band 192.0.32.3
0/5/CPU0 LC (ACTIVE) NONE FINAL Band 192.0.24.3

2. move to your LC where the pcap was save

 

RP/0/RP1/CPU0:NCS-5508-B#run
Wed May 31 21:18:27.907 UTC
[xr-vm_node0_RP1_CPU0:~]$cd /misc/disk1/node0_3_CPU0
[xr-vm_node0_RP1_CPU0:/misc/disk1/node0_3_CPU0]$ls
span_test.pcap

 

3. Copy your pcap to the harddisk on RP:

 

[xr-vm_node0_RP1_CPU0:/misc/disk1/node0_3_CPU0]$touch span_test.pcap
[xr-vm_node0_RP1_CPU0:/misc/disk1/node0_3_CPU0]$scp span_test.pcap root@192.0.112.4:/misc/disk1/
Warning: Permanently added '192.0.112.4' (ECDSA) to the list of known hosts.
span_test.pcap                                                                 100%  164     0.2KB/s   00:00

 

 

RP/0/RP1/CPU0:NCS-5508-B#dir harddisk: | i span
Wed May 31 21:25:20.748 UTC
     42 -rw-r--r--.  1        164 May 31 21:20 span_test.pcap
RP/0/RP1/CPU0:NCS-5508-B#

 

 

 

Victor Pelaez
Cisco Employee
Cisco Employee
‎06-09-2023 12:35 PM

Hi @Mario Sotres, need to do one correction to avoid confusion.

 

PCAP file is always stored on active RP. It will just be inside a folder named after the location where the packet was mirrored. but NOT on the LC's VM. According to your output, you're on RP1's shell and just move to /misc/disk1/node0_3_CPU0. Then you're doing scp from /misc/disk1/node0_3_CPU0 to /misc/disk1/ on same VM. There is no need to move between VMs any kind of file, but you only need to do regular file handling as in Linux.

 

Hope this helps with confusion. Else, just feel free to ping me directly.

 

Regards,

vipelaez

filopeter
Level 1
Level 1
‎03-27-2024 08:27 AM

It looks like the "SPAN to File" feature is also supported IOS XR7 platforms. Tested on NCS 540. Very helpful.

Best Regards,

Peter

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
Discussions
Customers Also Viewed These Support Documents