How to Capture Packets on a Switch: H3C, Huawei, Ruijie, Arista and Cisco


2023-09-21 12:32 | Source: compiled from the web

Capturing packets on the switch itself is a common way to troubleshoot network problems.

Below is a summary of how to capture packets on switches from each vendor.

H3C switch packet capture:

On H3C switches, use the packet-capture command, run in user view.

For the detailed procedure, see: https://www.h3c.com/cn/d_202009/1327093_30005_0.htm

```
# Traffic-statistics policy that matches the traffic to capture
acl advanced 3000
 description test
 rule 0 permit ip source 192.168.1.1 0 destination 192.168.2.1 0
traffic classifier class_test operator and
 if-match acl 3000
#
traffic behavior behavior_test
 accounting packet   # collect traffic statistics
 mirror-to cpu       # mirror to the CPU; capture only works on traffic mirrored to the CPU
#
qos policy policy_test
 classifier class_test behavior behavior_test
#
interface Ten-GigabitEthernet1/3/1
 qos apply policy policy_test inbound

packet-capture local interface Ten-GigabitEthernet 1/3/1 autostop filesize 50000 write flash:/isp1.cap
packet-capture stop   # stop the capture promptly
```

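Points to note:

- When capturing, use an ACL to match the exact flow wherever possible.
- In the traffic behavior, the traffic must be mirrored to the CPU (mirror-to cpu); otherwise no packets are captured.
- Limit the capture file size (autostop filesize 50000). Switch storage is very small, and the limit keeps the capture from filling the switch's disk.
- Capture during low-traffic periods where possible.
- After configuring accounting packet for traffic statistics, use display qos policy interface to check what is being matched.

Huawei switch packet capture:

On Huawei switches, use the capture-packet command, run in user view.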

https://support.huawei.com/hedex/hdx.do?lib=EDOC110010122531180BDB&docid=EDOC1100101225&lang=zh&v=02&tocLib=EDOC110010122531180BDB&tocV=02&id=ZH-CN_CLIREF_0141119899&tocURL=resources%2fdc%2fcapture%2dpacket%2ehtml&p=t&fe=1&ui=3&keyword=capture

```
capture-packet interface 10GE 1/0/5 acl 3000 destination file file.cap packet-num 1000 packet-len 1000
undo capture-packet   # turn packet capture off
```

Note: set capture limits so the capture cannot fill the disk.

Ruijie switch packet capture:

On Ruijie switches, use the packet capture command, run in user view.

```
packet capture ?
  file   Packet capture file        # set the path where the capture file is saved
  point  Packet capture point
  rule   Packet capture rule        # capture rule
  start  Start to capture packets   # start capturing
  stop   Stop to capture packets    # stop capturing

packet capture file ?
  flash:  Save info into the flash file system
  sata0:  Save info into the sata file system
  sd0:    Save info into the sd0 file system
  tmp:    Save info into the tmp file system
  usb0:   Save info into the usb file system

packet capture rule test filter ?
  acl          Debug efmp packet acl
  dst_mac      Destination MAC address
  etype        Specify eth type
  icmpv4_code  ICMP code
  icmpv4_type  ICMP type
  icmpv6_code  ICMPv6 code
  icmpv6_type  ICMPv6 type
  ipv4_dip     Destination IP address
  ipv4_dport   IPv4 destination port
  ipv4_sip     Source IP address
  ipv4_sport   IPv4 source port
  ipv6_dip     Destination IPv6 address
  ipv6_dport   IPv6 destination port
  ipv6_sip     Source IPv6 address
  ipv6_sport   IPv6 source port
  src_mac      Source MAC address
  v4_protocol  IP protocol
  v6_protocol  IPv6 protocol
```

Arista switch packet capture:

On Arista, packet capture is done by entering bash and using the Linux tcpdump command.
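Because tcpdump on the switch writes to local storage, the disk-space caution from the H3C and Huawei sections applies here too. The following is an added example, not part of the original article: it works out the worst-case size of a classic pcap file from the packet count and snapshot length (the same bound as `packet-num 1000 packet-len 1000` above) and only emits a tcpdump command that fits a byte budget. The interface name `et1`, the `/tmp` path and the 10% budget are assumptions.

```shell
# Added example: bound a tcpdump capture before starting it.

# Worst-case size of a classic pcap file: a 24-byte file header plus,
# for every packet, a 16-byte record header and at most snaplen bytes.
pcap_worst_case_bytes() {
  local count=$1 snaplen=$2
  echo $(( 24 + count * (16 + snaplen) ))
}

# Free bytes on the filesystem holding directory $1 (POSIX df format).
free_bytes() {
  df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 * 1024 }'
}

# Print the tcpdump command line if its worst case fits in budget bytes;
# otherwise explain on stderr and return 1.
bounded_tcpdump_cmd() {
  local iface=$1 outfile=$2 count=$3 snaplen=$4 budget=$5 filter=$6
  local need
  # -s 0 selects tcpdump's maximum snapshot length instead of truncating,
  # and a missing -c never stops, so neither gives a usable bound.
  if [ "$count" -le 0 ] || [ "$snaplen" -le 0 ]; then
    echo "refusing: packet count and snaplen must both be positive" >&2
    return 1
  fi
  need=$(pcap_worst_case_bytes "$count" "$snaplen")
  if [ "$need" -gt "$budget" ]; then
    echo "refusing: worst case $need bytes exceeds budget $budget" >&2
    return 1
  fi
  printf 'tcpdump -n -i %s -c %s -s %s -w %s %s\n' \
    "$iface" "$count" "$snaplen" "$outfile" "$filter"
}

# Usage in the switch's bash shell (et1 and /tmp are assumed names):
#   budget=$(( $(free_bytes /tmp) / 10 ))   # spend at most 10% of free space
#   cmd=$(bounded_tcpdump_cmd et1 /tmp/test.pcap 1000 1000 "$budget" \
#         "host 192.168.1.1 and host 192.168.2.1") && $cmd
```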

```
Arista# bash

Arista Networks EOS shell

[admin@Arista ~]$ tcpdump -help
tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ] [ -r file ]
                [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ -@ file_index ] [ expression ]
```

Cisco switch packet capture:

On Cisco Nexus, use the ethanalyzer command, run in user view.

Note: this command can only capture traffic destined to the switch itself and traffic sent by the switch itself.

- It cannot capture data-plane traffic that is forwarded in hardware.
- Interface-specific capture is not supported.
- To capture traffic at the CPU, the port traffic must be mirrored to the CPU and then captured with ethanalyzer.
- When capturing port-mirrored (forwarding-plane) packets, the device must not have sFlow configured:

```
ERROR: SFLOW is configured. Please delete all SFLOW data sources before configuring SPANs
```

https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/215329-nexus-9000-cloud-scale-asic-nx-os-span-t.html?dtid=osscdc000283

https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/116136-trouble-ethanalyzer-nexus7000-00.html

```
ethanalyzer local interface inband ?
  >                      Redirect it to a file
  >>                     Redirect it to a file in append mode
  autostop               Capture autostop condition
  capture-filter         Filter on ethanalyzer capture
  capture-ring-buffer    Capture ring buffer option
  decode-internal        Include internal system header decoding
  detail                 Display detailed protocol information
  display-filter         Display filter on frames captured
  limit-captured-frames  Maximum number of frames to be captured (default is 10)
  limit-frame-size       Capture only a subset of a frame
  mirror                 Filter mirrored packets
  raw                    Hex/Ascii dump the packet with possibly one line summary
  write                  Filename to save capture to
  |                      Pipe command output to filter
```

Configure a SPAN-to-CPU monitor session:

```
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K-1(config)# monitor session 1
N9K-1(config-monitor)# source interface Ethernet1/10 rx
N9K-1(config-monitor)# destination interface sup-eth0
N9K-1(config-monitor)# no shut
N9K-1(config-monitor)# end
```

Confirm that the SPAN-to-CPU monitor session is up:

```
N9K# show running-config monitor
N9K# show monitor
```

View the replicated packets in the control plane. Ethanalyzer can be used to view the traffic replicated to the control plane of the Cisco Nexus 9000 device. The mirror keyword in the ethanalyzer command filters the traffic so that only traffic replicated by the SPAN-to-CPU monitor session is shown. Ethanalyzer capture and display filters can be used to narrow the displayed traffic further.

```
N9K# ethanalyzer local interface inband mirror display-filter "icmp && ip.addr==192.168.10.10" limit-captured-frames 0
```

Press Control-C to exit the Ethanalyzer control-plane packet capture utility.

Including the detail keyword in the ethanalyzer command shows detailed information about this traffic. The following shows an example for a single ICMP Echo Request packet.

```
N9K# ethanalyzer local interface inband mirror display-filter "icmp && ip.addr==192.168.10.10" limit-captured-frames 0 detail
```

Administratively shut down the SPAN-to-CPU monitor session. Using the shutdown configuration command in the context of the SPAN-to-CPU monitor session shuts the session down cleanly and stops traffic from being replicated to the control plane of the Cisco Nexus 9000 device.

```
N9K# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
N9K-1(config)# monitor session 1
N9K-1(config-monitor)# shut
N9K-1(config-monitor)# end
N9K#
```

