SR Linux features an interactive traffic monitoring tool that allows you to capture and monitor traffic based on 5-tuple match criteria. The match criteria are injected into a capture-filter ACL entry that is applied to all subinterfaces; information from matching packets can be displayed on screen or directed to a file.
You can specify the match criteria either by using the tools system traffic-monitor CLI command, or by defining capture-filter ACL entries.
If you use the tools system traffic-monitor command to specify the match criteria, SR Linux dynamically creates a capture-filter entry with the match criteria. Packets that match the capture-filter entry are sent to the traffic monitoring tool running on the CPM and displayed until the traffic monitor tool is exited, at which time the dynamically created capture-filter entries are removed.
Use the following syntax to configure the tools system traffic-monitor command:
tools system traffic-monitor [source-address <ip-addr/len>] [destination-address <ip-addr/len>] [protocol <proto-val>] [source-port <value | range>] [destination-port <value | range>] [verbose] [output-file <file-name>] [hex-output]
The command parameters are described in Table 3.
| Command/parameter | Description |
|---|---|
| tools system traffic-monitor | Initiates an interactive monitor session |
| source-address <ip-addr/len> | Source IP address (IPv4 or IPv6) prefix and netmask length value. For example: 10.10.11.0/24 |
| destination-address <ip-addr/len> | Destination IP address (IPv4 or IPv6) prefix and netmask length value. For example: 10.10.20.0/24 |
| protocol <proto-val> | Specifies the protocol type value to match (required if either port value is specified) |
| source-port <value \| range> | Source port integer value or port range in the format port1..port2 |
| destination-port <value \| range> | Destination port integer value or port range in the format port1..port2 |
| verbose | Displays detailed output |
| output-file <file-name> | Directs output to a file |
| hex-output | Displays output in hex format |
If you specify the match criteria by defining capture-filter ACL entries, starting the traffic monitoring tool with the tools system traffic-monitor command causes the system to send packets that match the defined capture-filter entries to the CPM and display them until the traffic monitoring tool is exited. Unlike the dynamically created capture-filter entries, the defined capture-filter entries are not removed from the system when the traffic monitoring tool is exited.
The following is an example of a capture-filter ACL entry:
Capture filters are applied to traffic after any subinterface filters, but before CPM filters. If a packet is dropped by a subinterface filter, it is not evaluated by a capture filter.
Only a single instance of the traffic monitoring tool can be running at a time.
If no capture-filter entries are already defined, you must specify the match criteria with the tools system traffic-monitor command. If capture-filter entries are already defined, any match criteria specified with the tools system traffic-monitor command are ignored.
The following is an example of using the traffic monitoring tool to monitor ICMP packets. In this example, information about ICMP packets with source address 1.1.1.1/32 and destination address 2.2.2.2/32 is displayed in the monitor window, including the arrival time and source port (ethernet-1/20.1) of each packet. The traffic monitoring tool captures ICMP packets until you press Ctrl-C.
When you execute the tools system traffic-monitor command in the example above, it dynamically creates the following traffic monitoring policy:
When you terminate the command by pressing Ctrl-C, the dynamically created traffic monitoring policy is removed from all ingress interfaces.
If you include the verbose option in the tools system traffic-monitor command, it displays the header fields and additional information from the shim header, followed by the original packet.
The following example shows verbose output for an ICMP packet:
You can direct the captured packets to a file, which can be used as a source for the SR Linux packet trace utility or for Wireshark.
The following example directs information about ICMP packets with source address 1.1.1.1/32 and destination address 2.2.2.2/32 to a .pcap file.
Prior to opening the .pcap file, remove the shim header (the first 48 bytes of the file). For example:
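One way to strip the 48-byte shim header on the host before handing the file to Wireshark or the packet trace utility, written here as an added example rather than the documentation's own command: the script removes the first 48 bytes and then checks that what remains begins with a pcap global-header magic, so a file that was already stripped (or was not a .pcap at all) is caught before it is opened. The file names are placeholders, and the magic-number check is an assumption about the output format based on the text's statement that the file is usable by Wireshark.

```shell
#!/bin/sh
# Added example (not from the SR Linux documentation): remove the 48-byte shim
# header that precedes a capture written with
# `tools system traffic-monitor ... output-file <file-name>`, then sanity-check
# that the remaining bytes start with a pcap global header.
set -eu

SHIM_LEN=48   # shim header length as stated in the documentation

# strip_shim <input> <output>: copy <input> minus its first 48 bytes to <output>.
strip_shim() {
    # tail -c +N starts output at byte N (1-based), so +49 skips 48 bytes.
    tail -c +$((SHIM_LEN + 1)) "$1" > "$2"
}

# pcap_magic <file>: print the first four bytes of <file> as lowercase hex
# (in file order, no separators); prints fewer digits if the file is shorter.
pcap_magic() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# is_pcap <file>: return 0 if <file> begins with a pcap global-header magic
# (microsecond or nanosecond resolution, either byte order), else 1.
is_pcap() {
    case "$(pcap_magic "$1")" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (placeholder file names):
#   strip_shim icmp.pcap icmp-stripped.pcap
#   is_pcap icmp-stripped.pcap && wireshark icmp-stripped.pcap
```

Checking the magic after stripping is the useful part: if `is_pcap` already succeeds on the original file, the shim has been removed once and running `strip_shim` again would cut into the pcap header itself.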
The 5-tuple matching criteria defined in a tools system traffic-monitor command applies in one direction only. To capture traffic in both directions, you define capture filters for each direction, then start the traffic monitoring tool, which applies both capture filters on all ports.
The following example defines two capture filter entries: one that matches traffic with source address 1.1.1.1/32 and one that matches traffic with destination address 1.1.1.1/32:
When you start the traffic monitoring tool, it captures packets matching both filter entries. For example: