The following example shows all the commands required to capture (dump) traffic on an NPM, with or without filtering. For more options, refer to the XOS Configuration Guide and the XOS Command Reference Guide.
x80r51# configure acl-interface ouraclname direction bidirectional
x80r51# configure acl-interface-mapping
x80r51(conf-acl-mapping)# interface ethernet 1/1 acl-interface ouraclname capture
You can also use multiple physical interfaces or even use a group interface:
x80r51# configure acl-interface ouraclname1 direction bidirectional
x80r51# configure acl-interface-mapping
x80r51(conf-acl-mapping)# interface ethernet 1/2 acl-interface ouraclname1 capture
x80r51(conf-acl-mapping)# interface ethernet 2/1 acl-interface ouraclname1 capture
x80r51(conf-acl-mapping)# group-interface <name> acl-interface ouraclname1 capture
Please note: When doing NPM captures on NPM-86xx modules, there is a traffic limitation for 10Gb interfaces. Please see article titled "Using the "capture" acl-interface-mapping functionality on an NPM-86xx 10gpbs interface to eth2 for tcpdump reduces the NPM's throughput for that 10gbps port to 1gbps."
The same limitation on NPM-86xx applies when selecting multiple 1Gb physical interfaces or a group interface consisting of 1Gb interfaces: the total current aggregate traffic of all these interfaces must be below 1Gb/sec to avoid traffic impact. NPM-96xx modules do not have this limitation.
To dump traffic:
1. Log in to the NPM in question. When the ACL is configured for physical interfaces on different NPMs, you need to log in to each of them:
x80r51# unix su
[[email protected] admin]# telnet npm<number>
2. Check eth2 status:
/ # ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:03:D2:00:01:12
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:23
3. Bring up eth2 if needed
# ifconfig eth2 up
4. The tcpdump command below runs a capture without any filters. Stop tcpdump when finished (press Ctrl+C).
# tcpdump -eni eth2
5. You may also use vlan, host, port, protocol filters in the capture:
# tcpdump -eni eth2 vlan and host <IP>
-> This will capture only untagged traffic going to/from the host IP
# tcpdump -eni eth2 vlan and vlan and host <IP>
-> This will capture only tagged traffic (with any VLAN ID) going to/from the host IP
# tcpdump -eni eth2 vlan and vlan <ID> and host <IP>
-> This will capture only tagged traffic with a specific VLAN ID going to/from the host IP
# tcpdump -s0 -eni eth2 vlan and vlan <ID> and host <IP> -w /cbs/logs/capture.cap
-> This will capture full packets of traffic having a specific VLAN ID going to/from the host IP. Output is stored in /cbs/logs/capture.cap capture file.
Please note: The duplicate "vlan" keyword is not an error. The NPM module adds an extra VLAN ID on top of the regular Ethernet VLAN ID.
Note: For egress capture, the VLAN tag is the port ID. For ingress capture, the VLAN tag is 0x800 | hex port ID.
Transmit VLANs by NPM Interface:
VLAN 1 – Interface 1
VLAN 2 – Interface 2
VLAN 3 – Interface 3
VLAN 4 – Interface 4
VLAN 5 – Interface 5
VLAN 6 – Interface 6
VLAN 7 – Interface 7
VLAN 8 – Interface 8
VLAN 9 – Interface 9
VLAN 10 – Interface 10
VLAN 11 – Interface 11
VLAN 12 – Interface 12
Receive VLANs by NPM Interface:
VLAN 2049 – Interface 1
VLAN 2050 – Interface 2
VLAN 2051 – Interface 3
VLAN 2052 – Interface 4
VLAN 2053 – Interface 5
VLAN 2054 – Interface 6
VLAN 2055 – Interface 7
VLAN 2056 – Interface 8
VLAN 2057 – Interface 9
VLAN 2058 – Interface 10
VLAN 2059 – Interface 11
VLAN 2060 – Interface 12
NPM-96xx modules use the Transmit VLAN IDs for both the inbound and outbound directions.
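The tag rule and VLAN tables above can be turned into shell helpers that compute the NPM tag, decode a tag seen in "tcpdump -e" output, and build a filter limited to one interface and direction. This is an added example, not part of the original article or of XOS; the function names and argument order are hypothetical, and it assumes the NPM tag is the first "vlan" in the filter, as in the commands above.

```shell
#!/bin/sh
# Added example; function names and argument order are hypothetical.

# npm_tag DIRECTION INTERFACE [MODULE]
# Prints the VLAN ID the NPM puts on captured frames:
#   egress  -> interface number
#   ingress -> 0x800 | interface number
# MODULE 96xx uses the transmit IDs for both directions (default: 86xx).
npm_tag() {
    case $2 in
        [1-9]|1[0-2]) ;;
        *) echo "interface must be 1-12" >&2; return 1 ;;
    esac
    case $1 in
        egress) echo "$2" ;;
        ingress)
            if [ "${3:-86xx}" = 96xx ]; then echo "$2"
            else echo $((0x800 | $2)); fi ;;
        *) echo "direction must be ingress or egress" >&2; return 1 ;;
    esac
}

# npm_decode TAG
# Reverse lookup for a tag seen in "tcpdump -e" output on an NPM-86xx.
npm_decode() {
    case $1 in
        ''|0*|*[!0-9]*|?????*) echo "not a VLAN ID: $1" >&2; return 1 ;;
    esac
    port=$(($1 & 0x7ff))
    case $port in
        [1-9]|1[0-2]) ;;
        *) echo "not an NPM capture tag: $1" >&2; return 1 ;;
    esac
    if [ "$1" -eq "$port" ]; then echo "egress $port"
    elif [ "$1" -eq $((0x800 | $port)) ]; then echo "ingress $port"
    else echo "not an NPM capture tag: $1" >&2; return 1; fi
}

# npm_filter DIRECTION INTERFACE HOST [VLAN_ID] [MODULE]
# Prints a tcpdump filter: NPM tag first, then the regular VLAN ID if the
# traffic is tagged, then the host.
npm_filter() {
    tag=$(npm_tag "$1" "$2" "$5") || return 1
    [ -n "$3" ] || { echo "host required" >&2; return 1; }
    echo "vlan $tag${4:+ and vlan $4} and host $3"
}
# Usage: tcpdump -s0 -eni eth2 $(npm_filter ingress 1 <IP> <ID>) -w /cbs/logs/capture.cap
```

On an NPM-96xx the tag alone does not tell ingress from egress, so npm_decode applies to NPM-86xx captures only.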