PCAPs are one of the most useful tools for debugging traffic issues on 128T routers as well as wider networking issues. Troubleshooting is by nature transitory; once the problem has been identified, the system should be restored to its previous state (or to a state with whatever modifications the troubleshooting exercise showed to be necessary). This guide walks through the approaches for applying dynamic capture filters on the 128T Networking Platform.
Packet Capture per Device Interface
Enabling packet capture through configuration, while useful for defining filters that will survive a reboot, can pose challenges while debugging. Uncommitted configuration changes may be pending, which would have to be reverted in order to apply a capture filter. Thankfully there is a dynamic way to apply capture filters to a device interface that does not require making configuration changes.
When using dynamic capture filters, the following rules apply:
- Creating or removing a dynamic capture filter does not persist and will not survive a restart of the 128T software
- Dynamic capture filters interact with statically configured capture filters as follows:
- If capture filters exist within the configuration and a configuration change happens that does not impact static capture filters, the configuration change will not affect dynamic capture filters
- If static capture filters exist within the configuration, and if a configuration change modifies the static capture filters, all dynamic capture filters will be removed
Three commands provide the capabilities to manage dynamic capture filters.
Dynamic capture filters use Berkeley Packet Filter (BPF) syntax, the same as statically configured capture filters. If the syntax is not correct, the filter will be rejected. Please refer to online BPF documentation for syntax help. If a capture filter already exists, the create operation will be ignored.
The syntax for creating a capture filter can be seen below:
This command can be used to remove dynamic capture filters as well as to temporarily remove any static capture filters added through configuration. The command will return an error if the capture filter is not present.
The syntax for removing a capture filter can be seen below:
all can be used as an argument to device-interface to remove all capture filters on a particular node and router. Omitting capture-filter from the command will remove all capture filters for a specified device interface.
In order to display both static and dynamic capture filters, the show capture-filters PCLI command reflects the current state of all capture filters.
The syntax for displaying static and dynamic capture filters can be seen below:
Selective Packet Capture
While device-interface packet captures are a powerful tool, it can be difficult to isolate the particular set of packets pertaining to a service with them, especially if the session being tracked is an SVR session, where the IPs and L4 ports will be NATed. To simplify the troubleshooting effort, selective packet captures provide filtering controls beyond what BPF can express and give the administrator the ability to match traffic by service. A powerful capability of this feature is that it applies a trace not only on the ingress node where the capture is defined, but also triggers traces on every subsequent 128T node the session traverses.
Selective capture can operate in one of two modes:
- local-only mode will trigger a capture only on the node to which the command is issued
- default mode will propagate the capture to all subsequent 128T nodes the session traverses
Much like per device interface packet captures, selective packet captures will not survive a restart of the 128T software.
There are four locations within a 128T router where capturing packets provides full visibility into the behavior of a packet:
- Forward flow of a session arriving on the ingress interface (before any NATing has been applied)
- Forward flow of a session leaving the egress interface (post NAT with decrypted metadata)
- Reverse flow of a session arriving on the egress interface
- Reverse flow of a session leaving the ingress interface
When creating a selective capture filter on the LAN interface, matching sessions are tagged with an action that captures all packets for the session at each of the four points listed above. Additionally, metadata indicates to subsequent 128T nodes/routers that packet capture should be enabled for this session. Each 128T node installs capture filters at each of the four capture points for the same session. A PCAP file is created on each node, with the name of the captured service in its file name.
Referencing the above diagram, a capture on node1.routerA will create PCAPs for a single session on each of the 12 points shown.
When creating selective packet captures in local-only mode, a user can initiate a capture filter targeting a particular node. No other "downstream" nodes will capture this session.
Creating Selective Packet Capture
create session-capture will create a file with the name 128T_service_<service-name>.pcap on each node the session traverses. Additionally, INFO level logging for session setup and teardown will be added to serviceArea.log. All sessions captured for the same service, even if they match more than one filter, will be written to the same “.pcap” file.
There is no mechanism to stop a capture for an existing session once the capture is in progress. Each session defaults to capturing 100 packets.
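Because every node the session traverses writes its own 128T_service_<service-name>.pcap, a practitioner usually collects those files and merges them into one timeline before analysis. The following is an added example, not code from the 128T documentation or product: it parses the file name for the service, walks classic libpcap records (pcapng is assumed not to be in use), and merges the per-node files in timestamp order; the sample captures at the bottom are constructed stand-ins for files collected from two nodes.

```python
import struct

FILE_PREFIX, FILE_SUFFIX = "128T_service_", ".pcap"
MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # pcap magic number -> byte order
GLOBAL_HDR, PKT_HDR = "IHHiIII", "IIII"      # classic pcap header layouts

def service_from_filename(name):
    """Service name encoded in a 128T_service_<service-name>.pcap file name, else None."""
    if not (name.startswith(FILE_PREFIX) and name.endswith(FILE_SUFFIX)):
        return None
    return name[len(FILE_PREFIX):-len(FILE_SUFFIX)]

def parse_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, frame_bytes), ...]) for a classic pcap blob."""
    bo = MAGIC.get(struct.unpack_from("<I", data, 0)[0])
    if bo is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(bo + GLOBAL_HDR, data, 0)[6]
    hdr, off, packets = struct.Struct(bo + PKT_HDR), struct.calcsize("<" + GLOBAL_HDR), []
    while off + hdr.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = hdr.unpack_from(data, off)
        start, off = off + hdr.size, off + hdr.size + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        packets.append((ts_sec, ts_usec, data[start:off]))
    return linktype, packets

def write_pcap(packets, linktype, snaplen=65535):
    """Serialize (ts_sec, ts_usec, frame) records as a little-endian classic pcap."""
    out = [struct.pack("<" + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<" + PKT_HDR, ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def merge_pcaps(blobs):
    """Merge per-node captures of one service into a single timestamp-ordered pcap."""
    linktypes, packets = set(), []
    for blob in blobs:
        lt, pkts = parse_pcap(blob)
        linktypes.add(lt)
        packets.extend(pkts)
    if len(linktypes) != 1:
        raise ValueError(f"link types differ across files: {sorted(linktypes)}")
    packets.sort(key=lambda p: (p[0], p[1]))  # stable sort: ties keep input order
    return write_pcap(packets, linktypes.pop())

# Constructed sample input standing in for files collected from two nodes (linktype 1 = Ethernet).
NODE1_PCAP = write_pcap([(100, 0, b"\x01" * 60), (100, 500, b"\x03" * 60)], linktype=1)
NODE2_PCAP = write_pcap([(100, 250, b"\x02" * 60)], linktype=1)
MERGED = merge_pcaps([NODE1_PCAP, NODE2_PCAP])
```

Clocks on different nodes are not guaranteed to agree, so a merged timeline is only as accurate as the nodes' time synchronization.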
The syntax for creating a selective capture filter can be seen below:
Removing Selective Packet Capture
The selective packet capture can be removed by specifying the filter or by the uniquely generated capture id which is displayed in the show command:
The syntax for removing a selective capture filter can be seen below:
If the selective capture is created for a limited number of sessions, the capture will remove itself once all of those sessions have been captured. Issuing a command to remove the capture stops captures for new sessions on that service; any session already being captured continues until its packet count reaches the specified or default termination count.
Showing Selective Packet Captures
The syntax for displaying selective packet capture filters can be seen below:
The output from the show command will display currently enabled capture filters as well as the session IDs for those sessions that were captured. With no parameters, the command will display a summary of all captures for all services. Below is a sample output, with two captures for service “west”, and one capture for service “east”, with one active session being captured.
If you specify the service and capture ID via arguments, you will see details of the sessions being captured. In the above example you can see that service “west” has an active session on capture 5. The detailed view can be seen below, where it shows that session “1640858e-fe6a-44cd-b38a-7d479a68418” is actively being captured: