16808 Packet capturing issue

Popeye_Wang · Created Oct 23, 2019 11:43:34

Posted by sohaib.ansar at 2019-10-23 10:12 can we use packet capturing firstly and use wire shark to check the packets?

On the device, you can run the capture-packet command to capture packets and save them as .cap files. Then, use FTP to export the files and use the packet capture software to analyze the files.

Example
# Capture packets on 10GE1/0/1 matching ACL 2000 and save captured packet information in the capture.cap file.
<HUAWEI> capture-packet interface 10ge 1/0/1 acl 2000 destination file capture.cap

Refer to
http://support.huawei.com/hedex/hdx.do?docid=EDOC1100100456&id=EN-US_CLIREF_0141119899&text=null&lang=en

wissal · Created Oct 23, 2019 10:02:58

Hello,

9 Packet Capture Configuration

This chapter describes how to configure packet capture and provides configuration examples.

imgDownload?uuid=df49ca76517b4ef3bab66ac

NOTE:

Based on your requirements to detect failures in telecom transmission, this feature may collect or store some communication information about specific customers. Huawei cannot offer services to collect or store this information unilaterally. Before enabling the function, ensure that it is performed within the boundaries permitted by applicable laws and regulations. Effective measures must be taken to ensure that information is securely protected.

9.1 Overview

This function improves network maintenance efficiency and reduces maintenance costs. As Internet develops, devices on a network transmit various services, and network administrators often need to capture packets on devices to locate faults. The packet capturing function allows devices to capture received packets for fault location. This function simplifies the configurations of packet analysis device and network monitoring device.

After the packet capturing function is enabled, the devices capture the packets matching certain conditions and send these packets to a remote server. The maintenance personnel can run commands to view information about captured packets or save the captured packets to the local storage media as *.cap files. The saved files can be downloaded for fault analysis. This function greatly improves maintenance efficiency and reduces maintenance costs.

The S7700 and S9700 can capture the following two types of packets:

Service packets: If an error occurs in service traffic forwarding (for example, the traffic status does not match the traffic model), it is recommended that you configure the device to capture service packets for analysis so that the device can quickly identify invalid packets. This function ensures correct data transmission on the network.
Packets sent to the CPU: When a CPU fault occurs, such as the CPU usage is high, configure the packet capture function to capture packets sent to the CPU for analysis. This allows the device to process invalid packets in time, ensuring that the CPU works properly.

9.2 Licensing Requirements and Limitations for Packet Capture

Involved Network Elements

Other network elements are not required.

Licensing Requirements

Packet capture is a basic feature of a switch and is not under License control.

Version Requirements

Table 9-1 Products and versions supporting packet capture

Product	Product Model	Software Version
S7700	S7703, S7706, S7712	V100R003C01, V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10
S9700	S9703, S9706, S9712	V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10

NOTE:

To know details about software mappings, see Hardware Query Tool.

Feature Limitations

The device can capture only incoming packets and cannot capture outgoing packets.
The packet capture configuration is not saved in the configuration file, and becomes invalid after a packet capture instance is complete.
Different packet capture instances cannot be executed simultaneously. That is, a new packet capture instance can be executed only when the previous one is complete.
The system limits the rate of captured packets. The default rate limit is 64 kbit/s. If the rate of packets exceeds the limit, some packets may be discarded.
If an interface on the X series cards has been added to an Eth-Trunk, packets on the interface cannot be captured.

9.3 Configuring the Device to Capture Service Packets

Context

If the device fails to forward traffic correctly, configure the packet capture function to capture service packets for analysis. This allows the device to process invalid packets in time, ensuring that network data can be transmitted correctly.

You can configure ACL rules to capture packets matching a specified ACL.

Procedure

Run:
```
system-view
```
The system view is displayed.
Run:
```
capture-packet { interface interface-type interface-number | acl acl-number }^* [ vlan vlan-id | cvlan cvlan-id ]^*destination { file file-name | terminal }^* [ car cir car-value | time-out time-out-value | packet-num number | packet-len { length | total-packet } ]^*
```
The device is configured to capture service packets.
NOTE:
- The packet capture configuration is not saved in the configuration file, and becomes invalid when packet capture is complete.
- The device can capture only upstream packets and cannot capture downstream packets.
- Before using the capture-packet command again, wait until the last command execution is complete.
- The system limits the rate of captured packets. The default rate limit is 64 kbit/s. If the rate of packets exceeds the limit, some packets may be discarded.
- The device cannot capture the packets of BFD, 802.1ag and VBST.
- If an interface on an X1E card is added to an Eth-trunk, the interface does not support packet capturing.

9.4 Configuring Capturing for Packets Sent to the CPU

Context

When a CPU fault occurs, configure the packet capture function to capture packets sent to the CPU for analysis. This allows the device to process invalid packets in time, ensuring that the CPU works properly. You can configure ACL rules to capture packets matching a specified ACL.

Procedure

Run:
```
system-view
```
The system view is displayed.
Run:
```
capture-packet cpu [ vlan vlan-id | acl acl-number ]^*destination { file file-name | terminal }^* [ time-out time-out-value | packet-num number | packet-len { length | total-packet } ]^*
```
The device is configured to capture packets sent to the CPU.
NOTE:
- The packet capture configuration is not saved in the configuration file, and becomes invalid when packet capture is complete.
- Before using the capture-packet cpu command again, wait until the last command execution is complete.
- When the CPU usage is above 80%, executing this command will keep the CPU usage increasing.

9.5 Configuration Examples

9.5.1 Example for Configuring Packet Capturing

Networking Requirements

In Figure 9-1, the switch connects to the network through GE1/0/1.

The user needs to capture the packets received by GE1/0/1 and the packets to be sent to the CPU, and display the captured packets on the terminal.

Figure 9-1 Networking diagram for configuring the packet capture function
imgDownload?uuid=5017e34d1b94403b9a4ae4f

Configuration Roadmap

The configuration roadmap is as follows:

Capture service packets sent upstream from GE1/0/1, and display captured packet information on the terminal.
Capture packets sent to the CPU, and display captured packet information on the terminal.

Procedure

Capture service packets sent upstream from GE1/0/1, and display captured packet information on the terminal.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] capture-packet interface gigabitethernet 1/0/1 destination terminal packet-num 3 packet-len 128
[Switch]
  Packet: 1
  -------------------------------------------------------
  01 00 5e 00 00 fc 00 1b 21 c4 82 0f 81 00 0f ff
  08 00 45 00 00 32 65 cb 00 00 01 11 80 48 c0 a8
  32 03 e0 00 00 fc ce 94 14 eb 00 1e 4b 3f 24 6f
  00 00 00 01 00 00 00 00 00 00 04 77 70 61 64 00
  00 01 00 01
  -------------------------------------------------------

  Packet: 2
  -------------------------------------------------------
  33 33 00 01 00 03 00 1b 21 c4 82 0f 81 00 0f ff
  86 dd 60 00 00 00 00 1e 11 01 fe 80 00 00 00 00
  00 00 d5 b2 02 74 37 0b 4c 6e ff 02 00 00 00 00
  00 00 00 00 00 00 00 01 00 03 e3 11 14 eb 00 1e
  d2 74 03 3d 00 00 00 01 00 00 00 00 00 00 04 77
  70 61 64 00 00 01 00 01
  -------------------------------------------------------

  Packet: 3
  -------------------------------------------------------
  01 00 5e 00 00 fc 00 1b 21 c4 82 0f 81 00 0f ff
  08 00 45 00 00 32 62 2e 00 00 01 11 83 e5 c0 a8
  32 03 e0 00 00 fc d4 df 14 eb 00 1e dc 49 8d 19
  00 00 00 01 00 00 00 00 00 00 04 77 70 61 64 00
  00 01 00 01
  -------------------------------------------------------

  ------------------packet getting report-----------------------
  file: NULL
  packets getting: interface GigabitEthernet1/0/1
  acl: -
  vlan: -  cvlan: -
  car: 64kbps timeout: 60s
  packets: 3 (expected) 3 (actual)
  length: 128 (expected)
  -------------------------------------------------------

Capture packets sent to the CPU, and display captured packet information on the terminal.

[Switch] capture-packet cpu destination terminal packet-num 3 packet-len 128
[Switch]
  Packet: 1
  -------------------------------------------------------
  01 80 c2 00 00 0e 02 00 00 00 00 00 81 00 00 0c
  88 cc 02 07 04 02 00 00 00 00 00 04 16 05 47 69
  67 61 62 69 74 45 74 68 65 72 6e 65 74 30 2f 30
  2f 31 30 06 02 00 78 08 15 47 69 67 61 62 69 74
  45 74 68 65 72 6e 65 74 30 2f 30 2f 31 30 0a 09
  31 30 38 2d 53 31 37 32 30 0c a1 53 31 37 32 30
  2d 32 30 47 46 52 2d 34 54 50 2d 41 43 0d 0a 48
  75 61 77 65 69 20 56 65 72 73 61 74 69 6c 65 20
  -------------------------------------------------------

  Packet: 2
  -------------------------------------------------------
  01 80 c2 00 00 0e 02 35 20 36 ad cc 81 00 0f ff
  88 cc 02 07 04 02 35 20 36 ad cc 04 0f 05 45 74
  68 65 72 6e 65 74 30 2f 30 2f 31 30 06 02 00 78
  08 0e 45 74 68 65 72 6e 65 74 30 2f 30 2f 31 30
  0a 0b 31 30 37 2d 53 32 33 35 30 45 49 0c a3 53
  32 33 35 30 2d 32 30 54 50 2d 50 57 52 2d 45 49
  2d 41 43 0d 0a 48 75 61 77 65 69 20 56 65 72 73
  61 74 69 6c 65 20 52 6f 75 74 69 6e 67 20 50 6c
  -------------------------------------------------------

  Packet: 3
  -------------------------------------------------------
  01 80 c2 00 00 0a 00 e0 fc 09 bc f9 81 00 00 01
  88 a7 00 03 00 00 01 b4 fb 8e 00 01 00 0e 00 00
  00 00 02 00 00 00 00 00 00 07 00 19 31 30 39 2d
  53 31 37 32 30 20 56 32 30 30 52 30 30 36 43 31
  30 00 0f 00 15 53 31 37 32 30 20 56 32 30 30 52
  30 30 36 43 31 30 00 12 00 1d 56 65 72 73 69 6f
  6e 20 35 2e 31 36 30 20 56 32 30 30 52 30 30 36
  43 31 30 00 11 00 1d 56 65 72 73 69 6f 6e 20 35
  -------------------------------------------------------

  ------------------packet getting report-----------------------
  file: NULL
  packets getting: cpu
  acl: -
  vlan: -  cvlan: -
  car: -- timeout: 60s
  packets: 3 (expected) 3 (actual)
  length: 128 (expected)
  -------------------------------------------------------

For more details you can see

https://support.huawei.com/enterprise/en/doc/EDOC1000088753?section=j00d

Thanks

chenhui · Created Oct 23, 2019 10:04:59

@sohaib.ansar hello,
did you mean software like wireshark? I don't think there are such tools or plug-in. You can mirror the traffic using port-mirroring to duplicate the traffic, but software like wireshark is also required.

sohaib.ansar · Created Oct 23, 2019 10:12:11

Posted by chenhui at 2019-10-23 10:04 @sohaib.ansar hello, did you mean software like wireshark? I don't think there are such tools or plu ...

can we use packet capturing firstly and use wire shark to check the packets?

chenhui · Created Oct 23, 2019 11:20:03

Posted by sohaib.ansar at 2019-10-23 10:12 can we use packet capturing firstly and use wire shark to check the packets?

yeah, the port mirroring will duplicate the packets to the observe port. You can capture the duplicated packets with wireshark on the observe port.

Popeye_Wang · Created Oct 23, 2019 11:43:34

Posted by sohaib.ansar at 2019-10-23 10:12 can we use packet capturing firstly and use wire shark to check the packets?

On the device, you can run the capture-packet command to capture packets and save them as .cap files. Then, use FTP to export the files and use the packet capture software to analyze the files.

Example
# Capture packets on 10GE1/0/1 matching ACL 2000 and save captured packet information in the capture.cap file.
<HUAWEI> capture-packet interface 10ge 1/0/1 acl 2000 destination file capture.cap

Refer to
http://support.huawei.com/hedex/hdx.do?docid=EDOC1100100456&id=EN-US_CLIREF_0141119899&text=null&lang=en

sohaib.ansar · Created Oct 24, 2019 06:12:13

Posted by Popeye_Wang at 2019-10-23 11:43 On the device, you can run the capture-packet command to capture packets and save them as .cap fil ...

thanks popeye for your response.

16808 Packet capturing issue

9 Packet Capture Configuration

9.1 Overview