How to perform a TCPDump on NPM8600 span ports with IPv4 address filters

Article ID: 168010

Products

XOS

Issue/Introduction

How to perform a TCPDump on NPM8600 span ports with IPv4 address filters.

Cause


Customers using the NPM 86x0 would like to perform a tcpdump on the physical interface using a mirror port. Due to the NPM6 architecture and its use of VLAN stacking, the usual tcpdump filters cannot be used properly.

Resolution

Technical Considerations

The NPM 6 uses VLAN stacking to identify the physical port at the EZChip level; the inner VLAN tag corresponds to the VLAN tag received from the Ethernet wire.
As a result, the tcpdump software provided on the NPM does not let the user set up regular libpcap filters that match on the host or protocol portion.



The solution is:

1) Telnet to the NPM whose ports you want to monitor

   telnet npmx


2) Set the monitoring parameters

  cd /crossbeam/tools
  ./cbsif smcfg xxx 21 8100


xxx represents the bitmask decimal conversion of the physical port

11 10 9 8 7 6 5 4 3 2 1
 x  x x x x x x x x x x

e.g.
  • If the monitoring is set on port 4 the bitmask will then be 008
  • If the monitoring is set on port 2 and 8 the bitmask will be 082

21 represents eth2 from the Octeon perspective

8100 is the TPID to have the additional VLAN header in the TCPDump traces.

3) Change the interface state

   ifconfig eth2 up

4) Perform the tcpdump

  tcpdump -ni eth2

This packet is untagged at the physical interface level

02:13:40.430112 00:00:0d:00:00:00 (oui Unknown) > 00:00:0d:00:01:00 (oui Unknown), ethertype 802.1Q (0x8100), length 64: vlan 11, p 0, ethertype IPv4, 12.0.0.17 > 11.0.2.14: ICMP echo reply, id 0, seq 0, length 26

This packet is tagged at the physical interface level

02:18:42.050406 00:00:00:00:00:77 (oui Ethernet) > 00:01:0e:00:77:00 (oui Unknown), ethertype 802.1Q (0x8100), length 68: vlan 11, p 0, ethertype 802.1Q, vlan 100, p 0, ethertype IPv4, 2.0.0.2.63 > 7.0.0.2.63: UDP, length 18


5) Filtering a host using TCPDump on the NPM:

If you need to add filters to the tcpdump, you must calculate the offset of the traffic you want to select. Offsets are counted from the beginning of the Ethernet frame, without the preamble. They must take into account the VLAN header coming from the physical interface as well as the Crossbeam-specific VLAN header that is added.

The following offsets are used for calculation:
Ethernet header = 14 bytes
Vlan (Crossbeam physical interface) = 4 bytes
Vlan (real vlan onto the wire) = 4 bytes

As a consequence, host selection must be handled bidirectionally and the offsets have to be calculated manually.
Assuming the host we want to filter is 172.17.150.201, its hex conversion is 0xac1196c9.

On a non-VLAN-tagged frame on the interface:
SRC ip address offset will be at byte 30
DST ip address offset will be at byte 34

tcpdump -ni xxxx '( ether[30:4] = 0xac1196c9 ) or ( ether[34:4] = 0xac1196c9 )'

On a VLAN-tagged frame on the interface:
SRC ip address offset will be at byte 34
DST ip address offset will be at byte 38

tcpdump -ni xxxx '( ether[34:4] = 0xac1196c9 ) or ( ether[38:4] = 0xac1196c9 )'


If you need to match both source and destination, the following tcpdump filters can be used, assuming the second host IP address is 172.17.150.251 (0xac1196fb).

On a non-VLAN-tagged frame on the interface:

tcpdump -ni xxxx '( ether[30:4] = 0xac1196c9 and ether[34:4] = 0xac1196fb ) or ( ether[30:4] = 0xac1196fb and ether[34:4] = 0xac1196c9 )'

On a VLAN-tagged frame on the interface:

tcpdump -ni xxxx '( ether[34:4] = 0xac1196c9 and ether[38:4] = 0xac1196fb ) or ( ether[34:4] = 0xac1196fb and ether[38:4] = 0xac1196c9 )'
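
The offset arithmetic and hex conversion above are easy to get wrong by hand, so the following added example (not part of the original article or of XOS) generates the filter strings and checks the offsets against a constructed frame. All function names are hypothetical, and the script is assumed to run on a workstation with Python 3, not on the NPM.

```python
import ipaddress
import struct
# Added example: helper names are hypothetical; frames are constructed test data.
ETH_HLEN = 14    # destination MAC + source MAC + EtherType
VLAN_HLEN = 4    # one 802.1Q tag (TPID + TCI)
IP_SRC_OFF = 12  # source address position inside the IPv4 header
IP_DST_OFF = 16  # destination address position inside the IPv4 header

def ip_hex(addr):
    """Dotted-quad IPv4 address -> 32-bit hex literal for an ether[off:4] test."""
    return "0x%08x" % int(ipaddress.IPv4Address(addr))

def offsets(wire_tagged):
    """(src, dst) address offsets as seen on the mirror port. The Crossbeam
    port tag is always present; wire_tagged adds the VLAN tag from the wire."""
    l3 = ETH_HLEN + VLAN_HLEN * (2 if wire_tagged else 1)
    return l3 + IP_SRC_OFF, l3 + IP_DST_OFF

def host_filter(host, wire_tagged):
    """Match traffic to or from one host."""
    src, dst = offsets(wire_tagged)
    h = ip_hex(host)
    return "( ether[%d:4] = %s ) or ( ether[%d:4] = %s )" % (src, h, dst, h)

def pair_filter(a, b, wire_tagged):
    """Match traffic between two hosts, in either direction."""
    src, dst = offsets(wire_tagged)
    one_way = "( ether[%d:4] = %s and ether[%d:4] = %s )"
    return (one_way % (src, ip_hex(a), dst, ip_hex(b)) + " or " +
            one_way % (src, ip_hex(b), dst, ip_hex(a)))

def sample_frame(src, dst, wire_vlan=None, port_vlan=11):
    """Constructed frame for checking offsets: MACs, stacked tags, IPv4 header."""
    tags = struct.pack("!HH", 0x8100, port_vlan)
    if wire_vlan is not None:
        tags += struct.pack("!HH", 0x8100, wire_vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return bytes(12) + tags + struct.pack("!H", 0x0800) + ip

def addresses_at(frame, wire_tagged):
    """Read the two 4-byte fields the generated filter would compare."""
    src, dst = offsets(wire_tagged)
    return (str(ipaddress.IPv4Address(frame[src:src + 4])),
            str(ipaddress.IPv4Address(frame[dst:dst + 4])))

if __name__ == "__main__":
    print("tcpdump -ni eth2 '%s'" % host_filter("172.17.150.201", False))
    print("tcpdump -ni eth2 '%s'" % pair_filter("172.17.150.201", "172.17.150.251", True))
```

These filters compare raw bytes only and do not test the EtherType, so a filter built for the untagged layout reads the wrong header fields on a wire-tagged frame and vice versa.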

Workaround

N/A