
Guide: Enable Packet Capture 

05-17-2019 10:47

Each interface on the 128T router can perform packet capture, recording traffic to persistent storage for troubleshooting purposes. Within the device-interface configuration, administrators may set a capture filter, written in the syntax described in the 128T Berkeley Packet Filter Syntax Guide, to specify which packets to capture and record.

The 128T router uses a subset of the overall BPF grammar; for a comprehensive list of the supported BPF grammar, please refer to the 128T Configuration Reference Guide 3.2.

To turn on packet capture on a device-interface, add your filter to the capture-filter field.

We’ll start with a simple example that captures all packets on device-interface 10:

admin@conductor1.nycsite1# configure authority router seattlesite1
admin@conductor1.nycsite1 (router[name=seattlesite1])# node branchoffice1
admin@conductor1.nycsite1 (node[name=branchoffice1])# device-interface 10
admin@conductor1.nycsite1 (device-interface[name=10])# capture-filter len>0
admin@conductor1.nycsite1 (device-interface[name=10])# show
name               10
type               ethernet
pci-address        0000:00:04.0
capture-filter     len>0
network-interface  dc1
    name                   dc1
    global-id              1
    type                   external
    inter-router-security  aes1

    address                10.0.128.0
        ip-address     10.0.128.0
        prefix-length  31
        gateway        10.0.128.1
    exit

    adjacency              10.0.128.1
        ip-address             10.0.128.1
        peer                   bostonsite1
        inter-router-security  aes1
    exit
exit

Capturing will begin once this configuration is committed.

The capture files are stored in the standard PCAP format and are placed in the same default location as the 128T router’s log files, /var/log/128technology:

[t128@conductor ~]$ ls -al /var/log/128technology/128T*
-rw-r--r--     1 root root 131153 Mar 29 19:38 /var/log/128technology/128T_10.pcap
-rw-rwxr--+ 1 root root         24 Mar 26 18:44 /var/log/128technology/128T.pcap
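
The 24-byte 128T.pcap in the listing above is exactly the size of a PCAP global header, so a file of that size holds no packets. The following Python sketch, an added example that is not part of the original guide, reads the header of a classic PCAP file and counts its records; the function name summarize_pcap and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic bytes -> (struct byte order, timestamp resolution)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"), b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"), b"\xa1\xb2\x3c\x4d": (">", "ns"),
}

def summarize_pcap(data: bytes) -> dict:
    """Return header fields and record counts for a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, resolution = MAGICS[data[:4]]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    packets = captured = truncated = 0
    offset = 24  # first record starts right after the global header
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        end = offset + 16 + incl_len
        if end > len(data):
            break  # record body cut short, e.g. file copied mid-write
        packets += 1
        captured += incl_len
        truncated += incl_len < orig_len  # fewer bytes stored than were on the wire
        offset = end
    return {
        "version": f"{major}.{minor}", "resolution": resolution,
        "snaplen": snaplen, "linktype": linktype, "packets": packets,
        "captured_bytes": captured, "truncated_packets": truncated,
        "incomplete_tail": offset != len(data),
    }

# Constructed sample input (not taken from a real router).
_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
EMPTY_CAPTURE = _HEADER  # 24 bytes: header only, like 128T.pcap in the listing
SAMPLE_CAPTURE = (
    _HEADER
    + struct.pack("<IIII", 0, 0, 4, 60) + b"\x00" * 4   # truncated record
    + struct.pack("<IIII", 1, 0, 6, 6) + b"\x00" * 6    # complete record
)

if __name__ == "__main__":
    print(summarize_pcap(EMPTY_CAPTURE))
    print(summarize_pcap(SAMPLE_CAPTURE))
```

To check a capture copied off the router, pass the file's bytes, for example summarize_pcap(open(path, "rb").read()).
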
An interface may have multiple capture-filter arguments specified. When more than one is configured, a packet is captured into the PCAP file if ANY of the criteria match (logically, capture-filter elements are joined with an “or”, i.e., statement1 or statement2 or statement3, etc.).

To disable the packet capture feature, remove the capture-filter:

admin@conductor1.nycsite1# configure authority router seattlesite1 
admin@conductor1.nycsite1 (router[name=seattlesite1])# node branchoffice1 
admin@conductor1.nycsite1 (node[name=branchoffice1])# device-interface 10
admin@conductor1.nycsite1 (device-interface[name=10])# delete capture-filter len>0
Are you sure you want to delete values ['len>0'] from list 'capture-filter'? [y/N]: y
