How to perform a TCPDump on NPM8600 span ports with IPv4 addresses filters
Article ID: 168010
Updated On:
Products
XOS
Issue/Introduction
How to perform a TCPDump on NPM8600 span ports with IPv4 addresses filtersN/A
Cause
Customers using NPM 86x0 would like to perform tcpdump on the physical interface using a mirror port. Due to the NPM6 architecture and the use of VLAN stacking we are unable to use properly the TCPDUMP filters.
Resolution
Technical Considerations
The NPM 6 is using VLAN stacking to identify the Physical port at the EZChip level and the inner VLA tag corresponds to the VLAN tag received from the ethernet wire.
At that point, TCPDump software provided onto the NPM does not let the user the ability to setup regular libpcap filters to match on the host or protocol portion.
The solution is:
1) Telnet to the npm you want to monitor ports
telnet npmx
2) Set the monitoring parameters
cd /crossbeam/tools
./cbsif smcfg xxx 21 8100
xxx represent the bitmask decimal conversion of the physical port
11 10 9 8 7 6 5 4 3 2 1
x x x x x x x x x x x
eg.
21 represents eth2 from the Octeon perspective
8100 is the TPID to have the additional VLAN header in the TCPDump traces.
3) change the interface state
ifconfig eth2 up
4) perform the tcpdump
tcpdump -ni eth2
This packet is untagged at the physical interface level
02:13:40.430112 00:00:0d:00:00:00 (oui Unknown) > 00:00:0d:00:01:00 (oui Unknown), ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype IPv4, 12.0.0.17 > 11.0.2.14: ICMP echo reply, id 0, seq 0, length 26
This packet is tagged at the physical interface level
02:18:42.050406 00:00:00:00:00:77 (oui Ethernet) > 00:01:0e:00:77:00 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype 802.1Q, vlan 100, p 0, ethertype IPv4, 2.0.0.2.63 > 7.0.0.2.63: UDP, length 18
5) Filtering a host using TCPDump on the NPM:
If you need to add filters to the TCPdump you then need to calculate the offset for the given traffic to select. The offset are from the beginning of the ethernet frame without the preamble. However offsets needs to take into account the Vlan header coming from the physical interface. The Crossbeam specific vlan header added will have to be taken into consideration.
The following offsets are used for calculation:
Ethernet header = 14 bytes
Vlan (Crossbeam physical interface) = 4 bytes
Vlan (real vlan onto the wire) = 4 bytes
As a consequence a host selection needs to be handled bidirectionnally and offsets has to be calculated in a manual manner
Assuming the host we want to filter is 172.17.150.201 it's hex conversion will then be 0xac1196c9
On a Non vlan tagged frame on the interface:
SRC ip address offset will be at byte 30
DST ip address offset will be at byte 34
tcpdump -ni xxxx ' ( ether[30:4]=0xac1196c3 ) or ( ether[34:4] = 0xac1196c3 )
On a Vlan tagged frame on the interface :
SRC ip address offset will be at byte 34
DST ip address offset will be at byte 38
tcpdump -ni xxxx ' ( ether[34:4]=0xac1196c3 ) or ( ether[38:4] = 0xac1196c3 )
If you need to match both source and destination the following TCPdump filter can be used assuming the second host IP address is 172.17.150.251
On a vlan tagged frame on the interface:
tcpdump -ni xxxx ' ( ether[30:4]=0xac1196c3 and ether [34:4]=0xac1196fb ) or ( ether[30:4] = 0xac1196fb and ether[34:4]=0xac1196c3 )
On a Non vlan tagged frame on the interface:
tcpdump -ni xxxx ' ( ether[34:4]=0xac1196c3 and ether [38:4]=0xac1196fb ) or ( ether[34:4] = 0xac1196fb and ether[38:4]=0xac1196c3 )
The NPM 6 is using VLAN stacking to identify the Physical port at the EZChip level and the inner VLA tag corresponds to the VLAN tag received from the ethernet wire.
At that point, TCPDump software provided onto the NPM does not let the user the ability to setup regular libpcap filters to match on the host or protocol portion.
The solution is:
1) Telnet to the npm you want to monitor ports
telnet npmx
2) Set the monitoring parameters
cd /crossbeam/tools
./cbsif smcfg xxx 21 8100
xxx represent the bitmask decimal conversion of the physical port
11 10 9 8 7 6 5 4 3 2 1
x x x x x x x x x x x
eg.
- If the monitoring is set on port 4 the bitmask will then be 008
- If the monitoring is set on port 2 and 8 the bitmask will be 082
21 represents eth2 from the Octeon perspective
8100 is the TPID to have the additional VLAN header in the TCPDump traces.
3) change the interface state
ifconfig eth2 up
4) perform the tcpdump
tcpdump -ni eth2
This packet is untagged at the physical interface level
02:13:40.430112 00:00:0d:00:00:00 (oui Unknown) > 00:00:0d:00:01:00 (oui Unknown), ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype IPv4, 12.0.0.17 > 11.0.2.14: ICMP echo reply, id 0, seq 0, length 26
This packet is tagged at the physical interface level
02:18:42.050406 00:00:00:00:00:77 (oui Ethernet) > 00:01:0e:00:77:00 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype 802.1Q, vlan 100, p 0, ethertype IPv4, 2.0.0.2.63 > 7.0.0.2.63: UDP, length 18
5) Filtering a host using TCPDump on the NPM:
If you need to add filters to the TCPdump you then need to calculate the offset for the given traffic to select. The offset are from the beginning of the ethernet frame without the preamble. However offsets needs to take into account the Vlan header coming from the physical interface. The Crossbeam specific vlan header added will have to be taken into consideration.
The following offsets are used for calculation:
Ethernet header = 14 bytes
Vlan (Crossbeam physical interface) = 4 bytes
Vlan (real vlan onto the wire) = 4 bytes
As a consequence a host selection needs to be handled bidirectionnally and offsets has to be calculated in a manual manner
Assuming the host we want to filter is 172.17.150.201 it's hex conversion will then be 0xac1196c9
On a Non vlan tagged frame on the interface:
SRC ip address offset will be at byte 30
DST ip address offset will be at byte 34
tcpdump -ni xxxx ' ( ether[30:4]=0xac1196c3 ) or ( ether[34:4] = 0xac1196c3 )
On a Vlan tagged frame on the interface :
SRC ip address offset will be at byte 34
DST ip address offset will be at byte 38
tcpdump -ni xxxx ' ( ether[34:4]=0xac1196c3 ) or ( ether[38:4] = 0xac1196c3 )
If you need to match both source and destination the following TCPdump filter can be used assuming the second host IP address is 172.17.150.251
On a vlan tagged frame on the interface:
tcpdump -ni xxxx ' ( ether[30:4]=0xac1196c3 and ether [34:4]=0xac1196fb ) or ( ether[30:4] = 0xac1196fb and ether[34:4]=0xac1196c3 )
On a Non vlan tagged frame on the interface:
tcpdump -ni xxxx ' ( ether[34:4]=0xac1196c3 and ether [38:4]=0xac1196fb ) or ( ether[34:4] = 0xac1196fb and ether[38:4]=0xac1196c3 )
Workaround
N/AFeedback
Yes
No
Powered by
