
Friday, December 14, 2007

Packet Capture (PCAP)

The Nortel Ethernet Routing Switch 8600 can use the standby CPU to capture (PCAP) both ingress and egress (E-modules only) packets on selected I/O ports. The switch must have a standby CPU installed in order to perform PCAP.

You can configure IP/MAC filters to be applied to the PCAP engine, but for this article I'll just show you how to perform a basic packet capture and how to retrieve the data so it can be analyzed with either Wireshark or OmniPeek. I currently use both applications for their different strengths and weaknesses.

First we'll configure the basic PCAP engine settings, which should be fairly straightforward. Setting buffer-wrap to false makes the engine stop when the buffer fills rather than overwriting the oldest packets. The buffer-size is measured in megabytes, so we'll be specifying 10 MB. The fragment-size is specified in bytes and is how much of each frame is kept; in this example we want to capture the entire frame, so we use 1522, the maximum size of an 802.1Q-tagged Ethernet frame.

ERS-8600:5# config diag pcap buffer-wrap false
ERS-8600:5# config diag pcap buffer-size 10
ERS-8600:5# config diag pcap fragment-size 1522
Now we need to enable PCAP on the specific switch ports we're interested in capturing. We also want to specify the mode as both (both = ingress and egress packets | rx = ingress packets | tx = egress packets).

ERS-8600:5# config ethernet 2/1 pcap enable mode both

Now we're ready to start the capture.

ERS-8600:5# config diag pcap enable true

Now let's see whether we're actually capturing any packets with the following command:
ERS-8600:5# show diag pcap stats
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
Now stop the packet capture and retrieve it from the switch:

ERS-8606:5# config diag pcap enable false

Now you just need to copy the contents of the PCAP engine to the PCMCIA card:

ERS-8606:5# copy PCAP00 /pcmcia/capture.cap

You can now remove the PCMCIA card from the CPU and load it into your laptop, or better yet you can just FTP the file off the PCMCIA card by making an FTP connection to the switch (you'll need to have FTP enabled in the boot.cfg file). Keep in mind that the capture file holds a copy of everything that crossed the port, so treat it as sensitive data, and that FTP sends both the login and the file in cleartext; use it over a management network you trust and delete the file from the PCMCIA card once you've retrieved it.

When you're ready to capture again, don't forget to reset the PCAP engine with the following commands:
ERS-8606:5# config diag pcap enable false
ERS-8606:5# config diag pcap reset-stat
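Once the file is on your laptop it is worth checking it before you start analysis, because a fragment-size that was too small shows up only as sliced frames. The script below is an added example, not part of the original post and not Nortel code; it assumes the file produced by the copy command above is a standard libpcap file (the format Wireshark opens), walks its global header and every record, and compares the packet count with the "Number of packets accumulated in PCAP engine" figure from show diag pcap stats. The sample capture it runs on is constructed in-line so it works offline.

```python
"""Sanity-check a capture copied off the ERS 8600 PCAP engine.

Added example; it is not part of the original post and not Nortel code. It
assumes the file written by "copy PCAP00 /pcmcia/capture.cap" is a standard
libpcap file (the format Wireshark opens). The sample capture at the bottom is
constructed in-line so the script runs offline.
"""
import struct
from typing import Dict, List

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
FRAGMENT_SIZE = 1522         # matches "config diag pcap fragment-size 1522"


def parse_pcap(data: bytes) -> Dict[str, int]:
    """Walk the libpcap global header and every record; return summary stats."""
    if len(data) < 24:
        raise ValueError("shorter than a libpcap global header")
    # Detect byte order from the magic number before decoding anything else.
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#010x})")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}")

    offset, packets, truncated, longest = 24, 0, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"record header cut short at byte {offset}")
        _sec, _usec, caplen, origlen = struct.unpack(end + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError(f"record body cut short at byte {offset}")
        packets += 1
        longest = max(longest, origlen)
        if caplen < origlen:      # only part of the frame made it into the buffer
            truncated += 1
        offset += caplen
    return {"snaplen": snaplen, "packets": packets,
            "truncated": truncated, "longest": longest}


def check_capture(data: bytes, engine_count: int) -> List[str]:
    """Cross-check the file against "Number of packets accumulated in PCAP engine".

    Returns a list of problems; an empty list means the file is consistent.
    """
    info = parse_pcap(data)
    problems = []
    if info["packets"] != engine_count:
        problems.append(f"file holds {info['packets']} packets but the engine reported {engine_count}")
    if info["truncated"]:
        problems.append(f"{info['truncated']} frame(s) sliced; raise fragment-size to at least {info['longest']} bytes")
    return problems


# --- constructed sample capture (not a real switch capture) -----------------
def _frame(length: int) -> bytes:
    """A dummy Ethernet frame: broadcast dst, a made-up src, ARP ether-type."""
    header = b"\xff" * 6 + bytes.fromhex("0011223344aa") + b"\x08\x06"
    return header + b"\x00" * (length - len(header))


def _record(frame: bytes, origlen: int) -> bytes:
    return struct.pack("<IIII", 1197648000, 0, len(frame), origlen) + frame


SAMPLE_CAPTURE = (
    struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, FRAGMENT_SIZE, LINKTYPE_ETHERNET)
    + _record(_frame(60), 60)
    + _record(_frame(60), 60)
    + _record(_frame(64), 1514)   # sliced: only 64 of 1514 bytes were kept
)

if __name__ == "__main__":
    for line in check_capture(SAMPLE_CAPTURE, engine_count=10) or ["capture looks consistent"]:
        print(line)
```

To use it on a real file, read capture.cap into bytes and pass it to check_capture() together with the accumulated count you noted from show diag pcap stats before stopping the engine; a count mismatch usually means the copy happened while the engine was still enabled or after a reset-stat.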
If something happens to the PCAP engine (which occasionally happens to me), you can usually resolve the problem by resetting the standby CPU. You can access the standby CPU from the console port by telnetting into it from the primary CPU, using the peer telnet command:
8606:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
*********************************************
* Copyright (c) 2003 Nortel Networks, Inc. *
* All Rights Reserved *
* ERS 8006 *
* Software Release 4.1.1.0 *
*********************************************
Login: rwa
Password: ***
@8606:6#
Note: You might notice that the primary CPU (slot 5 in the chassis) has the internal IP address of 127.0.0.5 while the standby CPU (slot 6 in the chassis) has the internal IP address of 127.0.0.6.

I don't believe you can perform PCAP with the new R modules, although I could be wrong.

Cheers!

Tuesday, December 11, 2007

Remote Port Mirroring

The Nortel Ethernet Routing Switch 8600 supports a port mirroring feature for analyzing traffic ingressing/egressing a specific switch port. The ERS 8600 also supports remote port mirroring, which carries the mirrored traffic across the switched network to a port on a remote switch.

This allows you to deploy a centralized network analyzer or probe to capture packets for the entire Local Area Network (LAN). This is accomplished by encapsulating the mirrored packets in a remote mirroring encapsulation wrapper. The encapsulated frame is bridged through the network on a separate port-based VLAN to the remote mirroring termination port. Because that VLAN carries a copy of everything the mirrored port sees, keep its membership to just the transit ports and the termination port, as the example below does.

The following example is taken from the Nortel document "Using Diagnostic Tools".
We'll mirror port 1/15 on S1 to port 1/15 on S3 using the remote mirroring feature of the ERS 8600 switch. As I mentioned above, the packets to be mirrored will be encapsulated and put onto a specific port-based VLAN to be bridged across the network. In the following example we'll create VLAN 99 for this purpose.

Configure S3:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/15, 2/8
ERS-8610:5# config ethernet 1/15 remote-mirroring create
ERS-8610:5# config ethernet 1/15 remote-mirroring add-vlan-id 99
ERS-8610:5# config ethernet 1/15 remote-mirroring mode termination
ERS-8610:5# config ethernet 1/15 remote-mirroring enable true

We'll need to determine the MAC address of the switch port that will connect to the network analyzer (sniffer), since we'll need it in order to configure the originating switch properly.

ERS-8610:5# config ethernet 1/15 remote-mirroring info port 1/15
Enable = TRUE
Mode = termination
srcmac = 00:e0:7b:82:9c:0e
dstmac = 00:e0:7b:82:9d:9c
ether-type = 0x8103
vlan-id-list =10

Record the "dstmac" address above, as we'll need it when configuring the origin switch.

Configure S1:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1
ERS-8610:5# config diag mirror-by-port 1 create in-port 1/15 out-port 1/1 mode both enable true remote-mirror-vlan-id 99
ERS-8610:5# config ethernet 1/1 remote-mirroring create
ERS-8610:5# config ethernet 1/1 remote-mirroring dstmac 00:e0:7b:82:9d:9c
ERS-8610:5# config ethernet 1/1 remote-mirroring enable true

Configure S2:

ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1,2/8
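Once the three switches are configured, the first thing to confirm at the analyzer is that what arrives on port 1/15 of S3 really is the mirror wrapper and nothing else. The script below is an added example, not part of the original post and not Nortel code. It uses only what the remote-mirroring info output shows: wrapper frames are addressed to the termination port's dstmac with ether-type 0x8103 and travel on VLAN 99. That the mirrored original frame starts immediately after the wrapper's ether-type field is an assumption of mine, so compare the returned inner frame with a real capture and adjust the offset if the wrapper carries more. The sample frames are constructed in-line so the script runs offline.

```python
"""Classify frames seen on the remote-mirroring VLAN at the termination port.

Added example; it is not part of the original post and not Nortel code. It
relies only on what "remote-mirroring info" shows: wrapper frames are sent to
the termination port's dstmac with ether-type 0x8103, and they ride VLAN 99.
That the original frame begins right after the wrapper's ether-type field is an
assumption; compare with a real capture and adjust the offset if the wrapper
carries more. Sample frames are constructed in-line so the script runs offline.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_REMOTE_MIRROR = 0x8103             # ether-type from the info output
TERMINATION_DSTMAC = "00:e0:7b:82:9d:9c"     # dstmac recorded on S3 above
MIRROR_VLAN = 99


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame: bytes, dstmac: str = TERMINATION_DSTMAC,
             mirror_vlan: int = MIRROR_VLAN) -> Dict[str, object]:
    """Return whether one raw frame is a mirror wrapper or stray traffic."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    vlan: Optional[int] = None
    offset = 14
    if etype == ETHERTYPE_VLAN:              # 802.1Q tagged on the trunk side
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    is_wrapper = etype == ETHERTYPE_REMOTE_MIRROR and dst == mac_bytes(dstmac)
    right_vlan = vlan is None or vlan == mirror_vlan
    kind = "mirrored" if is_wrapper and right_vlan else "stray"
    # Assumed: the mirrored original frame follows the wrapper header directly.
    inner = frame[offset:] if kind == "mirrored" else None
    return {"kind": kind, "src": mac_str(src), "vlan": vlan,
            "ether_type": etype, "inner": inner}


def summarize(frames: List[bytes]) -> Dict[str, int]:
    """Count wrapper frames versus anything else; stray traffic on the mirror
    VLAN means something other than the two switches is attached to it."""
    counts = {"mirrored": 0, "stray": 0}
    for frame in frames:
        counts[classify(frame)["kind"]] += 1
    return counts


def stray_sources(frames: List[bytes]) -> List[str]:
    """Source MACs of non-wrapper frames, i.e. the hosts to go looking for."""
    return sorted({c["src"] for c in map(classify, frames) if c["kind"] == "stray"})


# --- constructed sample frames (not from a real capture) --------------------
def _eth(dst: str, src: str, etype: int, payload: bytes,
         vlan: Optional[int] = None) -> bytes:
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return header + struct.pack("!H", etype) + payload


ORIGIN_SRCMAC = "00:e0:7b:00:00:01"          # made-up srcmac for S1's port 1/1
INNER_FRAME = _eth("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 46)
SAMPLE_FRAMES = [
    _eth(TERMINATION_DSTMAC, ORIGIN_SRCMAC, ETHERTYPE_REMOTE_MIRROR, INNER_FRAME),
    _eth(TERMINATION_DSTMAC, ORIGIN_SRCMAC, ETHERTYPE_REMOTE_MIRROR, INNER_FRAME,
         vlan=MIRROR_VLAN),
    _eth("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee", 0x0806, b"\x00" * 46),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES), stray_sources(SAMPLE_FRAMES))
```

Feed it the raw frames from the analyzer attached to S3's port 1/15; anything reported as stray is a host that has ended up on VLAN 99 and is sitting on the path of your mirrored traffic.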

I've actually used this feature to mirror traffic from the ELAN interface on a Nortel Succession 1000M (Option 81C) from a closet ERS 8600 to a core ERS 8600 where I had a network analyzer set up to perform network traces.

I was and still am impressed with the feature.

Cheers!