Capture Packet Remotely on the MA561X

Hello, friends.

This article will introduce how to capture the packet on the MA561X.

Step 1: Backup the configuration of the server.

MA5616(config)#file-server auto-backup debug primary 192.168.0.5 tftp  //192.168.0.5 is the IP address of the tftp server, we need to ensure that our device can ping the server.

For the MA5615 of the FPGA architecture, the next step goes to step 7 directly, while for the MA5610 of LSW architecture, continue the next step until step 6.

Step 2: Configure a packed matching rule.

MA5616(config)#acl 5000
MA5616(config-acl-user-5000)#rule permit 0806 ffff 16   //Here indicates that two bytes with 0806 packet after the 16th byte of the Ethernet packet is matched

The number of VLAN TAG layers is various according to the VLAN type and service port type. Therefore, you need to configure ACLs with different offset values for different VLAN types or service virtual port types.

Step 3: Configure packet capture Rules.

MA5616(su)%ture item 1 bidirection user-group 5000 rule 5 port 0/3/0    

//bidirection is used to match bidirectional packets, inbound is used to match incoming packets, and outbound is used to match outgoing packets. 0/3/0 is the matched port number. Thereinto, outbound matches only f/s. A maximum of five packet capture rules can be configured. When you need to configure the downstream packet capture point of the service board, only the frame/slot can be matched. Therefore, if the downstream packets of the non-designated port are captured, it is normal.

Step 4: Start packet capture.

MA5616(su)%ture start -c 10000  //-c 10000 indicates that the number of packets to be captured is 10000, and the default value is 100.

Step5: View the latest packet capture information.

MA5616(su)%%display capture                                                     
{ item<K>|statistics<K> }:

//Statistics indicates to query the latest packet capture statistics. Item indicates to query the specified rule item.

Step6: End packed capture.

MA5616(su)%ture stop

Step 7: Start the stream-based remote packet capture.

MA5616(su)%ture service-port                                                
{ index<U><0,999> }:0                                                           
{ <cr>|capture-count<K>|capture-time<K> }:
//capture-count indicates the number of packets that need to be captured. capture-time indicates the time that capture packets need to take.

Step 8: Stop the stream-based remote packet capture.

MA5616(su)%%undo capture service-port

Suggestion and Summary:

There are two sets of mechanisms for remote packet capture on the MxU:

The one is the mechanisms used by MA5610 in the LSW architecture which is used to filter packets captured from the CPU of the main control board through ACL software matching. The matched packets can be transmitted to the corresponding server through TFTP, FTP, or SFTP.

Another one is the mechanism used by the MA5616 in the FPGA architecture. It is a stream-based packet capture. All packets on the stream where remote packet capture is enabled are copied to the CPU and transmitted to the corresponding server through TFTP, FTP, or SFTP.

Thanks.