PCAP packet capture

Prerequisites

Packet capture is a troubleshooting tool that uses both mirroring and debugging. A user’s CLI profile must have debug privileges to perform packet capture. To enable packet capture, perform the following steps.

Procedure

  1. Set up the mirror destination (in this case, a PCAP). Specify the file URL to which the packet captures are to be sent using the mirror-dest command. The packet captures are packaged into the libpcap file format.
    The file URL requires the full path, including both username and password, and the filename. When configured, the system performs a syntax check, including an FTP connection test. The configured file URL is rejected if the syntax check fails.
  2. Specify the source for packet capture. Using either the debug mirror-source or config mirror mirror-source CLI commands, specify the source to be captured. All mirror sources are supported, including IP-filter, subscriber, SAP, and ports.
    The debug mirror-source service-id must match the mirror-dest service-id for the PCAP.
  3. Begin the capture using the debug pcap session-name capture start CLI command. The following conditions apply:
    • Previous captures with the same filename are overwritten. To avoid a file overwrite, create a new capture with a new filename. This can be accomplished either by renaming the file on the FTP server or by changing the filename in the mirror destination.

    • This CLI command restarts the file transfer session with the remote FTP server.

    • If the remote FTP server is unreachable, the command prompt can pause while attempting to re-establish the remote FTP session. The total wait time can be up to 24 seconds (after four attempts of approximately six seconds each).

    • If the debug command pauses, verify the following items:

      • the connectivity to the server through the FTP port

      • the FTP user permissions on the FTP server

      • that the FTP server is functional

    • The file capture continues indefinitely until the user manually stops the packet capture.

    • If the file capture fails to start, enter the show pcap session-name detail command to see the status of the capture. The detail output notifies the operator of the error, and it may require the operator to stop and restart the capture.

  4. End the capture. To stop the capture, enter the debug pcap session-name capture stop CLI command. This command stops the file transfer session and terminates the FTP session.
    • If the FTP server is unreachable, the command prompt rejects further input while it attempts to re-establish the remote FTP session. The total wait time can be up to 24 seconds (4 attempts of approximately 6 seconds each).

    • If the debug command pauses, check the following items:

      • the connectivity to the server through the FTP port

      • the FTP user permissions on the FTP server

      • that the FTP server is functional

What to do next

The mirrored packets are placed in a buffer in the CPM before they are transferred over FTP or TFTP. The buffer holds a maximum of 20 Mb. The FTP transfer is performed every 0.5 seconds. Each packet that is transferred successfully is flushed from the buffer. Therefore, to ensure all packets are captured successfully, the capture rate must not exceed 20 Mb in 0.5 seconds and the FTP transfer must not exceed 320 Mb/s of bandwidth (20 Mb per 0.5 seconds).

In the following show pcap output, the statistics, the session state, write failures, read failures, process time bailouts, and dropped packets are key elements for identifying whether the packet capture on the FTP server is reliable.

A:DUT> show pcap "2" detail
===============================================================================
Pcap Session "2" Information
===============================================================================
Application Type   : mirror-dest        Session State   : ready
Capture            : stop               Last Changed    : 02/06/2018 19:52:07
Capture File Url   : ftp://*:*@192.168.41.1/pcap2.pcap
Buffer Size        : 10 Bytes           File Size       : 200 Bytes
Write Failures     : 0                  Read Failures   : 0
Proc Time Bailouts : 0                  Last File Write : 02/06/2018 19:52:07
Dropped Packets    : 661 Packets
===============================================================================
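
The reliability check described above can be automated. The following Python sketch is an added example, not part of the original documentation or the vendor's tooling: it parses the two-column show pcap detail output and reports any non-zero failure counter. The function names are hypothetical, the label list is taken from the sample output on this page, and the embedded sample is that same output.

```python
import re

# Field labels exactly as they appear in the sample output on this page.
LABELS = ["Application Type", "Session State", "Capture", "Last Changed",
          "Capture File Url", "Buffer Size", "File Size", "Write Failures",
          "Read Failures", "Proc Time Bailouts", "Last File Write",
          "Dropped Packets"]
# Longest labels first so "Capture File Url" is preferred over "Capture".
# Matching on known labels avoids splitting on the colons inside the
# timestamps and the file URL.
LABEL_RE = re.compile(
    "(" + "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
    + r")\s*:")
# Counters the page names as indicators of an unreliable capture.
COUNTERS = ("Write Failures", "Read Failures", "Proc Time Bailouts",
            "Dropped Packets")

def parse_pcap_detail(text):
    """Return {label: value} for every known field in the output."""
    fields = {}
    for line in text.splitlines():
        hits = list(LABEL_RE.finditer(line))
        for i, m in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            fields[m.group(1)] = line[m.end():end].strip()
    return fields

def assess(fields):
    """Return {counter: count} for non-zero counters, or 'missing'."""
    problems = {}
    for name in COUNTERS:
        m = re.match(r"\d+", fields.get(name, ""))
        if m is None:
            problems[name] = "missing"
        elif int(m.group()) > 0:
            problems[name] = int(m.group())
    return problems

# Sample copied from the show pcap output on this page.
SAMPLE = """A:DUT> show pcap "2" detail
Application Type   : mirror-dest        Session State   : ready
Capture            : stop               Last Changed    : 02/06/2018 19:52:07
Capture File Url   : ftp://*:*@192.168.41.1/pcap2.pcap
Buffer Size        : 10 Bytes           File Size       : 200 Bytes
Write Failures     : 0                  Read Failures   : 0
Proc Time Bailouts : 0                  Last File Write : 02/06/2018 19:52:07
Dropped Packets    : 661 Packets
"""

if __name__ == "__main__":
    parsed = parse_pcap_detail(SAMPLE)
    print(parsed["Session State"], assess(parsed))
```

For the sample, only the dropped-packet counter is reported, which means the file on the FTP server is missing 661 mirrored packets.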

Packet capture is a troubleshooting tool. Therefore, all CLI commands except for the FTP URL destination are located under debug. This allows the administrator to set up a CLI profile specifically for packet capture with debug privileges.

The packet capture uses FTP for file transfer and can be routed to the destination using the management port or through the IOM port. If the FTP server destination is routed through the management port, consider the maximum bandwidth available.

Caution: Typically, the management port is used for logging, SNMP, SSH/Telnet, AAA, and other management services. A high-throughput packet capture may disrupt these management services. Therefore, use caution when transferring packet captures through the management port.

Mechanisms are built in to prevent mirroring or packet captures that result in loops or daisy-chains. However, it is possible to form a loop or daisy-chain if routing reroutes or the configuration changes. When a packet capture becomes looped or daisy-chained, the packet capture stops.

Note: When executing an admin rollback for a configuration under the config mirror mirror-dest service-id pcap CLI context, the pcap must first be stopped by executing the debug pcap session-name capture stop command. If the pcap is not stopped, the rollback fails.