pcap

Required Command-Line Mode = Admin

Use the pcap command to configure packet capture, which lets you capture packets at an ingress port, an egress port, or both. The captured packets are stored in a PCAP file.

To configure packet capture, define filters to capture specific traffic based on rules. The following criteria can be specified in the rules:

■   Source MAC address
■   Destination MAC address
■   VLAN ID
■   Inner-VLAN
■   Layer 2 ethernet type
■   Source IPv4 address
■   Destination IPv4 address
■   Internet protocol
■   IP version number
■   IP fragmentation bits
■   Time to Live (TTL) value
■   DiffServ Code Point bits
■   Layer 4 destination port number
■   Layer 4 source port number
■   TCP flags

Packet capture is supported on GigaVUE‑HC1, GigaVUE‑HC1-Plus, GigaVUE‑HC3, and GigaVUE TA Series nodes. It is supported on both standalone nodes and clusters.

The port type used for packet capture can be tool, network, hybrid, inline tool, or inline network. They must be physical ports.

Refer to the following notes:

  • The PCAP feature supports up to 16 capture files per device. Each capture file can have up to 40000 packets. A capture file is maintained per PCAP session. Each session can have up to 64 filter rules per direction. Each capture file can be viewed, deleted, or uploaded out of the device for offline use.

  • The PCAP feature supports up to 16 active capture sessions at a time per port on all GigaVUE platforms except GigaVUE‑TA400. The GigaVUE‑TA400 platform currently supports one active PCAP session per port at a time.

  • The PCAP configuration doesn’t persist across node reboots or upgrades.

  • The PCAP feature is not supported on stack ports in legacy stacking mode.

  • The PCAP feature is not supported on ports associated with the IP interface.

  • The PCAP feature does not support 'vlan' and 'inner-vlan' filter rules on a tool or hybrid port in the 'tx' direction.

  • The PCAP feature on tool ports does not capture the vlan tag specified with the ingress-vlan-tag feature. To overcome this, redirect the traffic to another hybrid port along with other tool ports and capture the packets on the hybrid port ingress.

  • On GigaVUE‑HC1-Plus, GigaVUE‑HC1, GigaVUE‑TA25, GigaVUE‑TA25E, and GigaVUE‑TA400 platforms, the PCAP feature adds an extra VLAN header to packets in capture files. Untagged packet captures have a vlan-tag 1 header added, and tagged packet captures have the outer tag duplicated.

  • On ports where a port discovery protocol (LLDP/CDP/GDP) is enabled, the PCAP feature does not capture the discovery protocol control packets in the PCAP file.

  • The PCAP feature may miss some packets in the capture file depending on the rate of traffic being captured.
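Because capture files from the platforms named in the note above carry one extra VLAN header, they can be normalized offline before analysis. The following Python is an added example, not Gigamon code: it assumes a classic pcap file (not pcapng) with Ethernet link type and that the extra header uses TPID 0x8100; the function names are hypothetical.

```python
import struct

TPID = b"\x81\x00"  # assumption: the extra header uses the 802.1Q TPID

def strip_extra_vlan(frame: bytes) -> bytes:
    """Undo the one extra VLAN header described in the note above."""
    if len(frame) < 18 or frame[12:14] != TPID:
        return frame                          # no tag present, leave as is
    outer = frame[12:16]                      # TPID + TCI of the first tag
    vid = struct.unpack("!H", outer[2:])[0] & 0x0FFF
    # Tagged packet: outer tag duplicated. Untagged packet: vlan-tag 1 added.
    if frame[16:20] == outer or vid == 1:
        return frame[:12] + frame[16:]
    return frame                              # matches neither pattern

def normalize_pcap(data: bytes) -> bytes:
    """Return a copy of a classic pcap file with the extra header removed."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"                             # little-endian, usec or nsec
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"                             # big-endian, usec or nsec
    else:
        raise ValueError("not a classic pcap file")
    if len(data) < 24 or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET (1)")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            break                             # truncated final record
        fixed = strip_extra_vlan(frame)
        cut = len(frame) - len(fixed)         # 0 or 4 bytes removed
        out.append(struct.pack(end + "IIII", sec, frac, incl - cut, orig - cut))
        out.append(fixed)
        pos += 16 + incl
    return b"".join(out)

if __name__ == "__main__":
    # Constructed sample: untagged IPv4 frame as stored with vlan-tag 1 added.
    captured = bytes(12) + TPID + b"\x00\x01" + b"\x08\x00" + bytes(46)
    print(strip_extra_vlan(captured)[12:14].hex())
```

Run it only on files captured on the platforms listed in the note; on other captures a genuine VLAN 1 tag, or a QinQ frame with two identical tags, would be stripped.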

The pcap command has the following syntax:

pcap   alias <alias>
      channel-port <port ID>
      packet-limit <1-20000>
      port <port ID> <tx | rx | both>
      filter

         dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>

         ethertype <2-byte-hex>

         inner-vlan <vlan>

         ipdst <IP address> <netmask>

         ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag>

         ipsrc <IP address> <netmask>

         ipver <4 | 6>

         macdst <MAC address> <MAC netmask>

         macsrc <MAC address> <MAC netmask>

         portdst <0-65535>

         portsrc <0-65535>

         protocol <ipv6-hop | icmp-ipv4 | igmp | ipv4ov4 | tcp | udp | ipv6 | rsvp | gre | icmp-ipv6>

         tcpctl <1-byte-hex>

         ttl <ttl>
         vlan <vlan>

The following table describes the arguments for the pcap command:

Argument

Description

alias <alias>

Specifies the name of the packet capture filter.

For example:

(config) # pcap alias issl_ack

channel-port <port ID>

Specifies the channel port identifier for the packet capture filter, in the format <bid/sid/pid>. The channel port can be a network, tool, or hybrid port.

The channel port is any unused port. Unused means that it does not have any map configuration. In addition, the channel port must be on the same node as the capture port. Finally, the channel port must be administratively enabled and must remain enabled while a packet capture filter is configured.

You must specify one channel port for each capture that uses the tx or both direction. A channel port is not needed for rx.

For example:

(config pcap alias issl_ack) # channel-port 1/1/x2

(config) # port 1/1/x2 params admin enable

Note: If a PCAP configuration is deleted, the channel ports configured in the PCAP will go down.

packet-limit <1-40000>

Specifies the number of packets to capture. The valid range is 1 to 40000 for all the platforms. Use the packet limit to specify that the packet capture will stop after the specified number of packets have been captured.

The default value is 40000 for all the platforms.

For example:

(config pcap alias issl_ack) # packet-limit 100

If you do not specify a packet limit, delete the packet capture filter to stop capturing. For example:

(config) # no pcap alias issl_ack

port <port ID> <tx | rx | both>

Specifies the port identifier for the packet capture filter, in the format <bid/sid/pid>, and the direction as follows:

tx—Specifies the transmitting end (egress).
rx—Specifies the receiving end (ingress).
both—Specifies both the transmitting and the receiving ends (egress and ingress).

This port may also be referred to as the capture port or the filter port.

The port type can be tool, network, hybrid, inline tool, or inline network. They must be physical ports.

Examples:

(config pcap alias issl_ack) # port 1/1/x1 tx

filter
   dscp <af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | ef>
   ethertype <2-byte-hex>
   inner-vlan <vlan>
   ipdst <IP address> <netmask>
   ipfrag <no-frag | all-frag | all-frag-no-first | first-frag | first-or-no-frag>
   ipsrc <IP address> <netmask>
   ipver <4 | 6>
   macdst <MAC address> <MAC netmask>
   macsrc <MAC address> <MAC netmask>
   portdst <0-65535>
   portsrc <0-65535>
   protocol <ipv6-hop | icmp-ipv4 | igmp | ipv4ov4 | tcp | udp | ipv6 | rsvp | gre | icmp-ipv6>
   tcpctl <1-byte-hex>
   ttl <ttl>
   vlan <vlan>

Specifies the rules on which to filter traffic as follows:

dscp—Specifies the decimal DSCP value. You can select any value within the four Assured Forwarding (af) class ranges or ef for Expedited Forwarding (the highest priority in the DSCP model). The valid DSCP values by Assured Forwarding Class are as follows:
   o Class 1—11, 12, 13
   o Class 2—21, 22, 23
   o Class 3—31, 32, 33
   o Class 4—41, 42, 43
   o Expedited Forwarding—ef

ethertype—Specifies the layer 2 ethernet type value.

inner-vlan—Specifies the VLAN ID value as a number between 1 and 4094.

ipdst—Specifies the destination IPv4 address and IP mask or a wildcard with an IP mask.

ipfrag—Specifies any of the IP fragments listed below.
   o no-frag—Matches unfragmented packets.
   o all-frag—Matches any fragment.
   o all-frag-no-first—Matches all fragments except the first fragment in a packet.
   o first-frag—Matches the first fragment of a packet.
   o first-or-no-frag—Matches unfragmented packets or the first fragment of a packet.

ipsrc—Specifies the source IPv4 address and IP mask or a wildcard with an IP mask.

ipver—Specifies the IP version for traffic, either IPv4 or IPv6.

macdst—Specifies the destination MAC address and MAC netmask.

macsrc—Specifies the source MAC address and MAC netmask.

portdst—Specifies the Layer 4 destination port number, from 0 to 65535. A range of ports is not supported.

portsrc—Specifies the Layer 4 source port number, from 0 to 65535. A range of ports is not supported.

protocol—Specifies the Internet protocol. The valid protocols and their hex value are as follows:
   o ipv6-hop (0x0)
   o icmp-ipv4 (0x1)
   o igmp (0x2)
   o ipv4ov4 (0x4)
   o tcp (0x6)
   o udp (0x11)
   o ipv6 (0x29)
   o rsvp (0x2E)
   o gre (0x2F)
   o icmp-ipv6 (0x3A)
   o A custom-defined value can also be defined in 1 byte hex.

tcpctl—Specifies TCP control bits, such as SYN, FIN, ACK, URG, as 1 byte hex values. Rules using the tcpctl parameter must also specify the protocol as tcp.

ttl—Specifies the Time to Live (TTL—IPv4) or Hop Limit (IPv6) value in an IP packet, as a number between 0 and 255.

vlan—Specifies the VLAN ID value as a number between 1 and 4094.

You can configure multiple filter rules to the same PCAP.

For example:

(config pcap alias issl_ack) # filter ipsrc 10.10.1.16 /24 portsrc 2152 protocol udp

Related Commands

The following table summarizes other commands related to the pcap command:

| Task | Command |
| --- | --- |
| Displays all packet capture filters. | # show pcap |
| Displays a specified packet capture filter. | # show pcap alias issl_ack |
| Displays PCAP files. | show files pcap |
| Sends a PCAP file to a remote host. Refer to file. | (config) # file pcap upload pcap_p1_2018_05_08_17_28.pcap scp://myNode@10.115.0.100/tftpboot/myName/. |
| Stops a specified packet capture and deletes it. | (config) # no pcap alias issl_ack |