The Nortel Ethernet Routing Switch 8600 supports utilizing the standby CPU to capture (PCAP) both ingress and egress (E-modules only) packets on selected I/O ports. The switch must have a standby CPU in order to perform PCAP.
You can configure IP/MAC filters to be applied to the PCAP engine, but for this article I'll just show you how to perform the basic packet capture and how to retrieve the data so it can be analyzed with either Wireshark or OmniPeek. I currently use both applications for their different strengths and weaknesses.
First we'll configure the basic PCAP engine settings, which should be fairly straightforward. The buffer-size is measured in megabytes, so we'll be specifying 10 MB. The fragment-size is specified in bytes, and in this example we want to capture the entire frame.
ERS-8600:5# config diag pcap buffer-wrap false
ERS-8600:5# config diag pcap buffer-size 10
ERS-8600:5# config diag pcap fragment-size 1522
Now we need to enable PCAP on the specific switch ports we're interested in capturing. We also want to specify the mode as both (both = ingress and egress packets | rx = ingress packets | tx = egress packets).
ERS-8600:5# config ethernet 2/1 pcap enable mode both
Now we're ready to start the capture.
ERS-8600:5# config diag pcap enable true
Now see if we're actually capturing any packets with the following command:
ERS-8600:5# show diag pcap stats
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
Now stop the packet capture and retrieve it from the switch:
ERS-8606:5# config diag pcap enable false
Now you just need to copy the contents of the PCAP engine to the PCMCIA card:
ERS-8606:5# copy PCAP00 /pcmcia/capture.cap
You can now remove the PCMCIA card from the CPU and load it into your laptop, or better yet you can just FTP the file from the PCMCIA card by making an FTP connection to the switch (you'll need to have FTP enabled in the boot.cfg file).
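Before relying on the saved capture, it is worth checking the show diag pcap stats counters for signs that frames are missing. The following Python script is an added example, not part of the original article or any Nortel tooling; the field names, the reading of Packet Capacity Count as the number of packets the buffer can hold, and the behaviour of buffer-wrap false are assumptions.

```python
import re

# Constructed sample: the "show diag pcap stats" output shown in the article.
SAMPLE = """\
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
"""

FIELDS = {  # switch label -> short name (the short names are ours)
    "Packet Capacity Count": "capacity",
    "Number of packets received in PCAP engine": "received",
    "Number of packets accumulated in PCAP engine": "accumulated",
    "Number of packets dropped in PCAP engine by filters": "filtered",
    "Number of packets dropped in Hardware": "hw_dropped",
}

def parse_pcap_stats(text):
    """Return a dict of counters; raise ValueError if any counter is missing."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\d+)\s*$", line)
        if m and m.group(1) in FIELDS:
            stats[FIELDS[m.group(1)]] = int(m.group(2))
    missing = set(FIELDS.values()) - stats.keys()
    if missing:
        raise ValueError("missing counters: " + ", ".join(sorted(missing)))
    return stats

def capture_warnings(stats):
    """List reasons the saved capture may not contain every frame of interest."""
    warnings = []
    if stats["hw_dropped"] > 0:
        warnings.append(f"{stats['hw_dropped']} packets dropped in hardware")
    # Assumption: with buffer-wrap false the engine stops storing once full.
    if stats["accumulated"] >= stats["capacity"]:
        warnings.append("buffer full: later traffic is not in the capture")
    # Assumption: every received packet is either stored or dropped by a filter.
    unaccounted = stats["received"] - stats["accumulated"] - stats["filtered"]
    if unaccounted > 0:
        warnings.append(f"{unaccounted} received packets neither stored nor filtered")
    return warnings

if __name__ == "__main__":
    print(capture_warnings(parse_pcap_stats(SAMPLE)) or "capture looks complete")
```

Paste the switch output into a file or string and run the check before copying PCAP00 off the switch and resetting the statistics.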
When you're ready to capture again, don't forget to reset the PCAP engine with the following commands:
ERS-8606:5# config diag pcap enable false
ERS-8606:5# config diag pcap reset-stat
If something happens to the PCAP engine (which occasionally happens to me) you can usually resolve the problem by resetting the standby CPU. You can access the standby CPU from the console port by telnetting into it from the primary CPU. You can use the peer telnet command:
8606:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
*********************************************
* Copyright (c) 2003 Nortel Networks, Inc. *
* All Rights Reserved *
* ERS 8006 *
* Software Release 4.1.1.0 *
*********************************************
Login: rwa
Password: ***
@8606:6#
Note: You might notice that the primary CPU (slot 5 in the chassis) has the internal IP address of 127.0.0.5 while the standby CPU (slot 6 in the chassis) has the internal IP address of 127.0.0.6.
I don't believe you can perform PCAP with the new R modules although I could be wrong.
Cheers!
