ASR9000/XR: How to capture MPLS Ping or ipv4 Ping packets on an XR device.

Rakesh Kumar Aribindi · ‎03-05-2014

Introduction:

CRS-I-------->ASR9010-A------->ASR9010-B (loopback IP 140.4.2.2).

Capturing egress packets which are sent as mpls packets.

We will look into both MPLS ping and normal ping.

Packet capture:

There are two methods to capture the packet on XR.

Using capture software config under interface. But for that, packet needs to be punted to Cpu. You do that by sending pings with dontfragment and size larger than interface MTU.

Please note: this method doesn't work for ASR9k.

interface GigabitEthernet0/1/0/6

cdp

ipv4 address 16.16.16.1 255.255.255.252

flow mpls monitor rak-mon sampler rak-sample egress

capture software packets

RP/0/RP0/CPU0:CRS-I#show cef 140.4.2.2 detail

140.4.2.2/32, version 1458, internal 0x4004001 (ptr 0x76547d44) [1], 0x0 (0x724969b8), 0x450 (0x72d85be0)

Updated Mar 5 09:45:11.731

remote adjacency to GigabitEthernet0/1/0/6

Prefix Len 32, traffic index 0, precedence routine (0), priority 1

gateway array (0x72237840) reference count 9, flags 0xd0, source lsd (3), 1 backups

[4 type 5 flags 0x10101 (0x72db76c8) ext 0x0 (0x0)]

LW-LDI[type=5, refc=3, ptr=0x724969b8, sh-ldi=0x72db76c8]

via 16.16.16.2, GigabitEthernet0/1/0/6, 4 dependencies, weight 0, class 0 [flags 0x0]

path-idx 0 [0x7340e224 0x0]

next hop 16.16.16.2

remote adjacency

local label 1000006 labels imposed {17042}

Make sure captured packet stats are clear before you execute the command.

clear captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

RP/0/RP0/CPU0:CRS-I#ping 140.4.2.2 size 2000 donotfrag tim 0

Wed Mar 5 10:54:33.316 UTC

Type escape sequence to abort.

Sending 5, 2000-byte ICMP Echos to 140.4.2.2, timeout is 0 seconds:

.....

Success rate is 0 percent (0/5)

RP/0/RP0/CPU0:CRS-I#show captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

Wed Mar 5 10:54:40.083 UTC

-------------------------------------------------------

packets captured on interface in egress direction

buffer overflow pkt drops:0, current: 6, non wrapping: 0 maximum: 200

-------------------------------------------------------

Wrapping entries

-------------------------------------------------------

[2] Mar 5 10:54:33.629, len: 186, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

[punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

[ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

[MPLS label: 17042, exp 0x0, eos 1, ttl 255]

450000a8 be9e0000 ff01bc94 10101001 10101001 03041f20 000005d8 450007d0

00004000 ff01c615 10101001 8c040202 0800e076 61610000 abcdabcd abcdabcd

abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd 2000b8ce

00080101 042921ff

[3] Mar 5 10:54:33.629, len: 186, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

[punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

[ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

[MPLS label: 17042, exp 0x0, eos 1, ttl 255]

450000a8 be9f0000 ff01bc93 10101001 10101001 03041f20 000005d8 450007d0

00014000 ff01c614 10101001 8c040202 0800e075 61610001 abcdabcd abcdabcd

abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd

abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd 2000b8ce

00080101 042921ff

Analysis:

Outgoing label: 17042 exp 0x0, End of stack 1, TTL 255.

Make sure ethernet type field is 0x8847 (mpls) in the packet

Decode the one in yellow which is a IP content.

Packet decoder:

Pick any Hex2IP decoder and put the entire hex content in bold.

output:

Internet Protocol, Src: 16.16.16.1 (16.16.16.1), Dst: 140.4.2.2 (140.4.2.2)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 2000

Identification: 0x0001 (1)

Flags: 0x02 (Don't Fragment)

0.. = Reserved bit: Not Set

.1. = Don't fragment: Set

..0 = More fragments: Not Set

Fragment offset: 0

Time to live: 255

Protocol: ICMP (0x01)

Header checksum: 0xc614 [correct]

[Good: True]

[Bad : False]

Source: 16.16.16.1 (16.16.16.1)

Destination: 140.4.2.2 (140.4.2.2)

Internet Control Message Protocol

Type: 8 (Echo (ping) request)

Code: 0 ()

Checksum: 0xe075 [incorrect, should be 0x0872]

Identifier: 0x6161

Sequence number: 1 (0x0001)

Data (112 bytes)

0000 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0010 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0020 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0030 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0040 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0050 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0060 ab cd ab cd 20 00 b8 ce 00 08 01 01 04 29 21 ff .... ........)!.

Data&colon; ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD...

[Length: 112]

Doing the same for MPLS ping: These packets by default be captured by LC CPU. No need to mention size.

clear captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

RP/0/RP0/CPU0:CRS-I#ping mpls ipv4 140.4.2.2/32

Sending 5, 100-byte MPLS Echos to 140.4.2.2/32,

timeout is 2 seconds, send interval is 0 msec:

Codes: '!' - success, 'Q' - request not sent, '.' - timeout,

'L' - labeled output interface, 'B' - unlabeled output interface,

'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,

'M' - malformed request, 'm' - unsupported tlvs, 'N' - no rx label,

'P' - no rx intf label prot, 'p' - premature termination of LSP,

'R' - transit router, 'I' - unknown upstream index,

'X' - unknown return code, 'x' - return code 0

Type escape sequence to abort.

!!!!!

RP/0/RP0/CPU0:CRS-I#show captured packets egress interface gi 0/1/0/6 location 0/1/cpu0

Wed Mar 5 11:07:45.861 UTC

-------------------------------------------------------

packets captured on interface in egress direction

buffer overflow pkt drops:0, current: 6, non wrapping: 0 maximum: 200

-------------------------------------------------------

Wrapping entries

-------------------------------------------------------

[2] Mar 5 11:07:18.618, len: 114, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

[punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

[ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

[MPLS label: 17042, exp 0x0, eos 1, ttl 255]

46000060 11d84000 0111339f 10101001 7f000001 94040000 0daf0daf 0048fd9a

00010000 01020000 00000036 00000001 d6c183e6 9de6a351 00000000 00000000

fc00000c 00000009 00010004 00000004 0001000c 00010005 8c040202 20000000

[3] Mar 5 11:07:18.624, len: 114, hits: 1, o/p i/f: GigabitEthernet0/1/0/6

[punt reason: MPLS_INCOMPLETE_ADJ] [PPE used: cluster=0 ppe=0]

[ether dst: 4055.396b.1076 src: 6400.f19d.c47c type/len: 0x8847]

[MPLS label: 17042, exp 0x0, eos 1, ttl 255]

46000060 11d94000 0111339e 10101001 7f000001 94040000 0daf0daf 0048d1a7

00010000 01020000 00000036 00000002 d6c183e6 9f6fcdba 00000000 00000000

fc00000c 00000009 00010004 00000004 0001000c 00010005 8c040202 20000000

Pick any Hex2IP decoder and put the entire hex content in bold.

output:

Internet Protocol, Src: 16.16.16.1 (16.16.16.1), Dst: 127.0.0.1 (127.0.0.1)

Version: 4

Header length: 24 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 96

Identification: 0x2c41 (11329)

Flags: 0x02 (Don't Fragment)

0.. = Reserved bit: Not Set

.1. = Don't fragment: Set

..0 = More fragments: Not Set

Fragment offset: 0

Time to live: 1

[Expert Info (Note/Sequence): "Time To Live" only 1]

[Message: "Time To Live" only 1]

[Severity level: Note]

[Group: Sequence]

Protocol: UDP (0x11)

Header checksum: 0x1936 [correct]

[Good: True]

[Bad : False]

Source: 16.16.16.1 (16.16.16.1)

Destination: 127.0.0.1 (127.0.0.1)

Options: (4 bytes)

Router Alert: Every router examines packet

User Datagram Protocol, Src Port: 3503 (3503), Dst Port: 3503 (3503)

Source port: 3503 (3503)

Destination port: 3503 (3503)

Length: 72

Checksum: 0xe5ea [validation disabled]

[Good Checksum: False]

[Bad Checksum: False]

Multiprotocol Label Switching Echo

Version: 1

Global Flags: 0x0000

0000 0000 0000 000. = Reserved: 0x0000

.... .... .... ...0 = Validate FEC Stack: False

Message Type: MPLS Echo Request (1)

Reply Mode: Reply via an IPv4/IPv6 UDP packet (2)

Return Code: No return code (0)

Return Subcode: 0

Sender's Handle: 0x00000038

Sequence Number: 6261

Timestamp Sent: Mar 5, 2014 11:10:43.4066 UTC

Timestamp Received: NULL

Vendor Private

Type: Vendor Private (64512)

Length: 12

Vendor Id: ciscoSystems (9)

Value: 0001000400000004

Target FEC Stack

Type: Target FEC Stack (1)

Length: 12

FEC Element 1: LDP IPv4 prefix

Type: LDP IPv4 prefix (1)

Length: 5

IPv4 Prefix: 140.4.2.2 (140.4.2.2)

Prefix Length: 32

Padding

2. You could use netflow on the interface CRS interface to capture how CRS sending out the ICMP packet.

Please note: Netflow will only capture header content, but not the payload.

Drawback:

The flow monitor would not record MPLS ping packets (UDP) but works well for regular ping.. But if you do the netflow on the ingress of the peer router, you could see the mpls ping packets recorded by the netflow.

Ex:

flow monitor-map rak-mon

record mpls ipv4-fields labels 1

exporter rak

cache timeout active 604000

cache timeout inactive 604000

flow exporter-map flow-export

version v9

options interface-table

!

sampler-map rak-sample

random 1 out-of 5

RP/0/RP0/CPU0:CRS-I#show run int gi 0/1/0/6

Wed Mar 5 09:36:07.259 UTC

interface GigabitEthernet0/1/0/6

cdp

ipv4 address 16.16.16.1 255.255.255.252

flow mpls monitor rak-mon sampler rak-sample egress

Load distribution: 0 (refcount 4)

Hash OK Interface Address

0 Y GigabitEthernet0/1/0/6 remote

RP/0/RP0/CPU0:CRS-I#ping 140.4.2.2 count 1000 tim 0

Wed Mar 5 09:58:37.360 UTC

Type escape sequence to abort.

Sending 1000, 100-byte ICMP Echos to 140.4.2.2, timeout is 0 seconds:

......................................................................

....................

Success rate is 0 percent (0/1000)

RP/0/RP0/CPU0:CRS-I#show flow monitor rak-mon cache location 0/1/cpu0

Wed Mar 5 09:58:43.139 UTC

Cache summary for Flow Monitor rak-mon:

Cache size: 65535

Current entries: 1

High Watermark: 62258

Flows added: 1

Flows not added: 0

Ager Polls: 11

- Active timeout 0

- Inactive timeout 0

- TCP FIN flag 0

- Watermark aged 0

- Emergency aged 0

- Counter wrap aged 0

- Total 0

Periodic export:

- Counter wrap 0

- TCP FIN flag 0

Flows exported 0

LabelType Prefix/Length Label1-EXP-S InputInterface OutputInterface ForwardStatus FirstSwitched LastSwitched ByteCount PacketCount Dir SamplerID IPV4SrcAddr IPV4DstAddr IPV4TOS IPV4Prot L4SrcPort L4DestPort L4TCPFlags

LDP 140.4.2.2/32 17042-0-1 0 Gi0/1/0/6 FwdNoFrag 41 10:55:30:253 41 10:55:30:329 19344 186 Egr 6 16.16.16.1 140.4.2.2 0 icmp 0 2048 0

Matching entries: 1

Total packets : 186 ( since we are doing 1 packet out of 5 as sampling rate).

Out going label : 17042 0 (exp) End of stack 1.

To clear the cache,

clear flow monitor rak-mon cache loc 0/1/cpu0