Packet capture on the NSX Edge is relatively simple and can be helpful during the troubleshooting process. In this blog I will go through the steps required to run a packet capture and export the file to an external FTP server so it can be viewed in Wireshark.
In my example I have a few interfaces on the NSX Edge, as shown below.
I am going to run the packet capture on the DMZ interface, which is vNic_1. You can check the interface status on the NSX Edge by running the following command: show interface vNic_1
IEDP02-CLOUDCONNECT-GW-01-0> sh interface vNic_1
vNic_1 Link encap:Ethernet HWaddr 00:50:56:92:99:B5
inet addr:172.26.15.1 Bcast:172.26.15.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fe92:99b5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:241702797 errors:0 dropped:457 overruns:0 frame:0
TX packets:242476827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:228090070639 (217523.6 Mb) TX bytes:295997348264 (282285.0 Mb)
To run a packet capture and save the output to a file, run the command shown below. NSX Edge also tells you how to stop the capture.
IEDP02-CLOUDCONNECT-GW-01-0> debug packet capture interface vNic_1
Packet capture has started on interface vNic_1.
To stop the capture, invoke 'no debug packet capture interface vNic_1'.
IEDP02-CLOUDCONNECT-GW-01-0> no debug packet capture interface vNic_1
You can display the file name of the capture you have taken by running the command below.
IEDP02-CLOUDCONNECT-GW-01-0> debug show files
total 3.0M
-rw-r--r-- 1 1.7M Jan 8 12:20 tcpdump_vNic_0.0
-rw------- 1 1.3M Jan 9 07:45 tcpdump_vNic_1.0
To transfer the packet capture file to the FTP server, run the following command.
IEDP02-CLOUDCONNECT-GW-01-0> debug copy ftp cisco@172.26.128.242:/ tcpdump_vNic_1.0
Password: *****
tcpdump_vNic_1.0: ETA: 0:00 0.03/ 1.29 MB 538.79 MB/s
Now you can open the file in Wireshark.
You can also display the packet capture directly on the console, as follows, and apply any filter you want. One thing to remember is that when you apply a filter, each space is replaced with an underscore ('_'), as shown below. The example below displays OSPF packets in verbose mode.
IEDP02-CLOUDCONNECT-GW-01-0> debug packet display interface vNic_1 proto_89_-vvv
Use CTRL+C to stop packet capture.
tcpdump: listening on vNic_1, link-type EN10MB (Ethernet), capture size 262144 bytes
07:59:48.819960 IP (tos 0xc0, ttl 1, id 37838, offset 0, flags [none], proto OSPF (89), length 64)
172.26.15.1 > 224.0.0.5: OSPFv2, Hello, length 44
Router-ID 10.1.3.6, Area 0.0.0.1, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
Designated Router 172.26.15.1
This is another example of how to apply a filter. In this example the filter displays only SSH packets.
IEDP02-CLOUDCONNECT-GW-01-0> debug packet display interface vNic_2 tcp_and_port_22
Use CTRL+C to stop packet capture.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_2, link-type EN10MB (Ethernet), capture size 262144 bytes
08:07:58.469038 IP 172.26.15.1.22 > 172.29.80.22.55613: Flags [P.], seq 3438836096:3438836292, ack 477698481, win 2035, length 196
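As an added example that is not part of the original post and not NSX code: once tcpdump_vNic_1.0 has been copied off the Edge, a short script can answer the same two questions the on-box filters above answer (proto 89, and tcp and port 22) without opening Wireshark, which is handy when you want to check many captures or script a sanity check. It assumes the file is in the classic libpcap format that tcpdump writes; the capture bytes are constructed inline (four frames reusing the addresses from the post) so it runs offline, and nsx_filter_arg() is a hypothetical helper that only shows the space-to-underscore rule the Edge CLI applies to filter expressions.

```python
import struct

# Classic libpcap constants (assumption: the Edge writes this format).
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6
IP_PROTO_OSPF = 89


def _ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def _frame(src, dst, proto, payload):
    """Ethernet II frame with zeroed MACs carrying an IPv4 packet."""
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + _ipv4_packet(src, dst, proto, payload)


def build_sample_pcap():
    """Constructed sample file: 2 OSPF hellos, 1 SSH segment, 1 HTTPS segment."""
    ssh_hdr = struct.pack("!HHIIBBHHH", 22, 55613, 1, 1, 0x50, 0x18, 2035, 0, 0)
    https_hdr = struct.pack("!HHIIBBHHH", 43000, 443, 1, 1, 0x50, 0x18, 2035, 0, 0)
    frames = [
        _frame("172.26.15.1", "224.0.0.5", IP_PROTO_OSPF, b"\x02\x01" + b"\x00" * 42),
        _frame("172.26.15.1", "224.0.0.5", IP_PROTO_OSPF, b"\x02\x01" + b"\x00" * 42),
        _frame("172.26.15.1", "172.29.80.22", IP_PROTO_TCP, ssh_hdr + b"x" * 196),
        _frame("172.29.80.22", "172.26.15.1", IP_PROTO_TCP, https_hdr),
    ]
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f  # record header
    return out


def iter_packets(data):
    """Yield (timestamp, frame_bytes) for every record in a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl


def decode(frame):
    """Return the L3/L4 fields the filters need, or None for non-IPv4 frames."""
    if len(frame) < 34:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    info = {
        "proto": frame[23],
        "src": ".".join(str(b) for b in frame[26:30]),
        "dst": ".".join(str(b) for b in frame[30:34]),
        "sport": None,
        "dport": None,
    }
    l4 = 14 + ihl
    if info["proto"] == IP_PROTO_TCP and len(frame) >= l4 + 4:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
    return info


# The two tcpdump expressions used on the Edge in the post, as predicates.
FILTERS = {
    "proto 89": lambda p: p["proto"] == IP_PROTO_OSPF,
    "tcp and port 22": lambda p: p["proto"] == IP_PROTO_TCP and 22 in (p["sport"], p["dport"]),
}


def nsx_filter_arg(expr):
    """Hypothetical helper: the Edge CLI takes the expression with spaces as underscores."""
    return expr.replace(" ", "_")


def count_matches(data):
    """Count how many frames in the capture each filter would have shown."""
    counts = {expr: 0 for expr in FILTERS}
    for _, frame in iter_packets(data):
        p = decode(frame)
        if p is None:
            continue
        for expr, pred in FILTERS.items():
            if pred(p):
                counts[expr] += 1
    return counts


if __name__ == "__main__":
    for expr, n in count_matches(build_sample_pcap()).items():
        print(f"{expr!r} (CLI form: {nsx_filter_arg(expr)}): {n} packet(s)")
```

To use it on a real file, replace build_sample_pcap() with the bytes read from tcpdump_vNic_1.0. Two points worth keeping in mind when you do: the file holds raw traffic from the interface (payloads included), and the debug copy ftp step sends both the FTP password and the file in cleartext, so run the transfer over a trusted management network and delete the capture from the Edge and the FTP server when you are done.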
As you can see, packet capture on the NSX Edge is straightforward and can be really useful if you need to troubleshoot a connectivity issue on your Edge appliance.