We have a Nexus N7K with NX-OS 4.2. Ethanalyzer (the built-in Wireshark) works great for IP packets which go to the Nexus' CPU, but - as stated by Cisco - most traffic doesn't pass through the CPU and therefore cannot be sniffed & analyzed by the built-in packet capture as such...
The corresponding White Paper (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/white_paper_c11-554444.html) says that, in order to capture normal dataplane traffic, we need to log each packet with an ACL, like:
ip access-list my-app
  10 permit tcp 18.104.22.168/32 1.1.2/32 eq 5600 log
  20 permit tcp 22.214.171.124/32 126.96.36.199/32 eq 5600 log
ethanalyzer local interface inband capture-filter "port 5600" limit-capture-frame 0 write bootflash:my-app-capture
interface ethernet 1/1
  ip access-list my-app input
The procedure in this White Paper does not seem to work for us - NX-OS (4.2?) rejects the interface config "ip access-list". If I just replace "ip access-list" with "ip access-group my-app input", I kill all traffic on the interface.
1. How can we pass regular Data Plane Traffic to the CPU, if the above procedure does not work because of the "ip access-list"-command?
2. Ethanalyzer works only in the Default VDC. If we want to capture Packets in another VDC, does this work too? (-> ACL-Definition and ACL-On-Interface-Statement in VDC XY and ethanalyzer-Statement in Default-VDC)?
3. We would like to capture traffic on a Port-Channel. Can we use the ACL on the int poXY, or should we configure it on all corresponding Physical Interfaces?
Thanx in advance and greetings from Switzerland
Found a solution, in case anyone has the same problem:
1. The Cisco White Paper needs two adjustments:
a) The access-list needs a last statement (not for logging, but for forwarding the traffic):
30 permit ip any any
b) The interface needs the statement "ip access-group WORD input", not "ip access-list WORD input".
2. You can sniff in non-default VDCs as well: configure the ACL definition and the interface access-group in the non-default VDC and start the ethanalyzer capture in the default VDC.
3. Sniffing in int poXY is no problem. I didn't test it on a VPC-Etherchannel, though...
Greetings from Switzerland
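The failure mode described above (an ACL with only "log" entries and no trailing "permit ip any any" blackholes the interface the moment it is applied) is easy to catch before touching a production port. The following checker is an added example and is not from the thread or from Cisco; it parses an NX-OS style ACL from text and reports anything that would either drop traffic or punt all of it to the CPU. The ACL name, addresses and port are constructed for the example.

```python
"""Pre-flight check for an NX-OS capture ACL before "ip access-group ... in".

Added example, not from the thread. The ACL text, name and addresses below
are constructed; the checker only understands the simple "seq permit|deny
proto ... [log]" form used for capture ACLs.
"""
import re
from dataclasses import dataclass

# seq  action  protocol  <source/destination/ports>  [log]
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?P<log>\s+log)?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    rest: str      # everything between the protocol and the optional "log"
    log: bool


def parse_acl(text):
    """Return (acl_name, [Ace, ...]) from running-config style text."""
    name = None
    aces = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!"):          # skip blanks and comments
            continue
        m = re.match(r"^ip access-list (\S+)$", s)
        if m:
            name = m.group(1)
            continue
        m = ACE_RE.match(s)
        if m:
            aces.append(Ace(int(m["seq"]), m["action"], m["proto"],
                            m["rest"].strip(), bool(m["log"])))
    return name, aces


def check_capture_acl(text):
    """Return a list of problems; an empty list means the ACL is safe to apply."""
    name, aces = parse_acl(text)
    problems = []
    if name is None:
        problems.append("no 'ip access-list NAME' header found")
    if not aces:
        problems.append("no access-list entries found")
        return problems
    seqs = [a.seq for a in aces]
    if seqs != sorted(seqs):
        problems.append("sequence numbers are not in ascending order")
    if len(set(seqs)) != len(seqs):
        problems.append("duplicate sequence numbers")
    for a in aces:
        if a.action == "deny" and a.log:
            problems.append(f"seq {a.seq}: 'deny ... log' drops the traffic you want to capture")
    if not any(a.log for a in aces):
        problems.append("no entry has the 'log' keyword; nothing will be punted to the CPU")
    last = aces[-1]
    if not (last.action == "permit" and last.proto == "ip" and last.rest == "any any"):
        problems.append(f"last entry (seq {last.seq}) is not 'permit ip any any'; "
                        "the implicit deny will blackhole the interface")
    elif last.log:
        problems.append("catch-all 'permit ip any any' carries 'log'; all traffic would be punted to the CPU")
    return problems


# Constructed sample: the white-paper style ACL without a catch-all, and the fixed one.
BROKEN_ACL = """ip access-list capturefilter
  10 permit tcp any 10.0.0.5/32 eq 1234 log
  20 permit tcp 10.0.0.5/32 any eq 1234 log
"""
FIXED_ACL = BROKEN_ACL + "  30 permit ip any any\n"

if __name__ == "__main__":
    for label, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(label, check_capture_acl(acl) or "OK")
```

Run it against the ACL text you intend to paste in; the broken variant reports the missing catch-all, the fixed variant reports nothing. The same checker also flags the opposite mistake of putting "log" on the catch-all entry, which would punt every packet on the port to the CPU.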
Thank you for answering your own question and replying back. Although most will read these posts, not everyone replies, but don't think that it wasn't very helpful.
If you don't mind, would you reply with the exact syntax that you put in the command line? I'm also looking to capture traffic with an ACL and output that file to a TFTP or remote location.
Config in the VDC your port belongs to:
ip access-list capturefilter
  ! Capturing all Traffic from host 188.8.131.52 on TCP 1234
  10 permit tcp any 184.108.40.206/32 eq 1234 log
  20 permit tcp 220.127.116.11/32 any eq 1234 log
  30 permit ip any any
interface ethernet x/y
  ip access-group capturefilter in
Enable mode in the default VDC:
! I try to filter both with ACL and capture-filter. Don't know whether this is necessary
ethanalyzer local interface inband capture-filter "host 18.104.22.168 && port 1234" limit-capture-frame 1000 write bootflash:snifferfile.pcap
copy bootflash:/snifferfile.pcap ftp://user@ftpserver/snifferfile.pcap vrf management
Don't forget to remove the access-group (and ACL) after the capture