How to Configure a Packet Capture on an NPM physical port on the X-Series


Article ID: 168124






This article is a step-by-step guide showing how to configure a packet capture on an NPM physical port.


Some troubleshooting techniques require that you dump packets at the NPM physical port level. It is possible to dump traffic on all NPM-86xx and later versions. In addition to dumping traffic, it is also possible to perform actions such as mirroring traffic.

You can use the acl-interface command to apply multiple select filters such as traffic direction, VLAN, ether type, source/destination MAC address, and more.


The following example presents all the commands required to complete a traffic dump on an NPM, with or without filtering. For more options, please refer to the XOS Configuration Guide and the XOS Command Reference Guide.

To configure an ACL for one physical interface:

x80r51# configure acl-interface ouraclname direction bidirectional
x80r51# configure acl-interface-mapping
x80r51(conf-acl-mapping)# interface ethernet 1/1 acl-interface ouraclname capture

You can also use multiple physical interfaces or even use a group interface:

x80r51# configure acl-interface ouraclname1 direction bidirectional
x80r51# configure acl-interface-mapping
x80r51(conf-acl-mapping)# interface ethernet 1/2 acl-interface ouraclname1 capture 
x80r51(conf-acl-mapping)# interface ethernet 2/1 acl-interface ouraclname1 capture 
x80r51(conf-acl-mapping)# group-interface <name> acl-interface ouraclname1 capture

Please note: When doing NPM captures on NPM-86xx modules, there is a traffic limitation for 10Gb interfaces. Please see article titled "Using the "capture" acl-interface-mapping functionality on an NPM-86xx 10gpbs interface to eth2 for tcpdump reduces the NPM's throughput for that 10gbps port to 1gbps."

This limitation on NPM-86xx also applies when selecting multiple 1Gb physical interfaces or a group interface consisting of 1Gb interfaces: the total current aggregate traffic of all these interfaces must be below 1Gb/sec to avoid traffic impact. NPM-96xx modules don't have this limitation.

To dump traffic:

1. Log in to the NPM in question. When an ACL is configured for physical interfaces of different NPMs, you need to log in to each of them:
x80r51# unix su
[[email protected] admin]# telnet npm<number>

2. Check eth2 status:
/ # ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:03:D2:00:01:12
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

3. Bring up eth2 if needed:
# ifconfig eth2 up

4. The tcpdump command below runs a capture without any filters. Stop tcpdump when finished (press Ctrl+C).
# tcpdump -eni eth2

5. You may also use VLAN, host, port, and protocol filters in the capture:

# tcpdump -eni eth2 vlan and host <IP>

-> This captures only untagged traffic going to/from the host IP

# tcpdump -eni eth2 vlan and vlan and host <IP>

-> This captures only tagged traffic (with any VLAN ID) going to/from the host IP

# tcpdump -eni eth2 vlan and vlan <ID> and host <IP>

-> This captures only tagged traffic with a specific VLAN ID going to/from the host IP

# tcpdump -s0 -eni eth2 vlan and vlan <ID> and host <IP> -w /cbs/logs/capture.cap

-> This captures full packets of traffic with a specific VLAN ID going to/from the host IP. Output is stored in the /cbs/logs/capture.cap capture file.

Please note: The duplicate "vlan" statement is not an error. The NPM module adds an extra VLAN ID on top of the regular Ethernet VLAN ID.

The following matrix of VLAN/Interfaces can be used for reference to identify VLANs used per port transmit & receive when using tcpdump on the NPM. All NPM-86xx modules use the same matrix. 

Note: For egress capture, the VLAN tag is the port ID. For ingress capture, the VLAN tag is 0x800 | hex port ID.

Transmit VLANs by NPM Interface:

VLAN 1 – Interface 1

VLAN 2 – Interface 2

VLAN 3 – Interface 3

VLAN 4 – Interface 4

VLAN 5 – Interface 5

VLAN 6 – Interface 6

VLAN 7 – Interface 7

VLAN 8 – Interface 8

VLAN 9 – Interface 9

VLAN 10 – Interface 10

VLAN 11 – Interface 11

VLAN 12 – Interface 12

Receive VLANs by NPM Interface:

VLAN 2049 – Interface 1

VLAN 2050 – Interface 2

VLAN 2051 – Interface 3

VLAN 2052 – Interface 4

VLAN 2053 – Interface 5

VLAN 2054 – Interface 6

VLAN 2055 – Interface 7

VLAN 2056 – Interface 8

VLAN 2057 – Interface 9

VLAN 2058 – Interface 10

VLAN 2059 – Interface 11

VLAN 2060 – Interface 12

NPM-96xx modules use the Transmit VLAN IDs for both the inbound and outbound directions.

6. Once all required captures are finished, set eth2 to the down state and log out from the NPM.
# ifconfig eth2 down
# exit
Connection closed by foreign host.
[[email protected] admin]# exit

To unconfigure the ACL:

x80r51# configure acl-interface-mapping interface gigabitethernet 1/1 no acl-interface ouraclname
x80r51# configure no acl-interface ouraclname
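
When a capture written with -w (such as /cbs/logs/capture.cap) is analyzed offline, the NPM-added outer VLAN tag identifies which physical interface and direction each frame came from. The following Python sketch is an added example, not part of the original article or of XOS: it reads a classic pcap file and counts frames per interface, direction, and inner VLAN using the matrix above. The function names, the TPID set, and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

# Assumption: the NPM-added tag uses a TPID that tcpdump's "vlan" keyword matches.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def decode_npm_tag(vid, model="86xx"):
    """Map the NPM-added outer VLAN ID to (direction, interface); None if not in the matrix."""
    if model == "86xx" and vid & 0x800:      # ingress: 0x800 | port ID
        direction, port = "rx", vid & 0x7FF
    else:                                    # 86xx egress; 96xx uses transmit IDs both ways
        direction, port = ("tx" if model == "86xx" else "rx/tx"), vid
    return (direction, port) if 1 <= port <= 12 else None

def summarize(pcap, model="86xx"):
    """Count frames per (direction, interface, inner VLAN or None) in a classic pcap file."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    counts, off = Counter(), 24              # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 20:
            continue                         # too short to hold two tag slots
        tpid, tci, tpid2, tci2 = struct.unpack_from("!HHHH", frame, 12)
        decoded = decode_npm_tag(tci & 0x0FFF, model) if tpid in VLAN_TPIDS else None
        if decoded is None:
            continue                         # no NPM tag, or an ID outside the matrix
        inner = tci2 & 0x0FFF if tpid2 in VLAN_TPIDS else None   # None = untagged on the wire
        counts[decoded + (inner,)] += 1
    return counts

def _frame(outer, inner=None):
    """Constructed test frame: zero MACs, NPM tag, optional regular tag, IPv4 ethertype."""
    inner_tag = struct.pack("!HH", 0x8100, inner) if inner is not None else b""
    return bytes(12) + struct.pack("!HH", 0x8100, outer) + inner_tag + b"\x08\x00" + bytes(20)

def sample_pcap():
    """Constructed capture: interface 3 rx and tx on VLAN 100, interface 1 rx untagged."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(2051, 100), _frame(3, 100), _frame(2049)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dict(summarize(sample_pcap())))
```

To use it on a real capture, pass the file contents read in binary mode to summarize(), with model="96xx" for NPM-96xx modules.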