NSX Edge Packet Capture

Packet capture on the NSX Edge is relatively simple and can be helpful during troubleshooting process. In this blog I will go through required steps to run packet capture and export a file to external ftp server to view it in the Wireshark.

In my example I have few interfaces on the NSX Edge as shown below.

I am going to run packet capture on the DMZ interface which is vNic_1. You can check the interface status on the NSX Edge running following command show interface vNic_1


IEDP02-CLOUDCONNECT-GW-01-0> sh interface vNic_1
vNic_1    Link encap:Ethernet  HWaddr 00:50:56:92:99:B5  
          inet addr:172.26.15.1  Bcast:172.26.15.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe92:99b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:241702797 errors:0 dropped:457 overruns:0 frame:0
          TX packets:242476827 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:228090070639 (217523.6 Mb)  TX bytes:295997348264 (282285.0 Mb)

To run packet capture and save the output to the file run the following command shown below. In addition, NSX Edge gives you information how to stop the capture.

IEDP02-CLOUDCONNECT-GW-01-0> debug packet capture interface vNic_1
Packet capture has started on interface vNic_1.
To stop the capture, invoke 'no debug packet capture interface vNic_1'.


IEDP02-CLOUDCONNECT-GW-01-0> no debug packet capture interface vNic_1

You can display file name of taken capture running below command

IEDP02-CLOUDCONNECT-GW-01-0> debug show files 
total 3.0M
-rw-r--r-- 1 1.7M Jan  8 12:20 tcpdump_vNic_0.0
-rw------- 1 1.3M Jan  9 07:45 tcpdump_vNic_1.0

To transfer a packet capture file to the ftp server run following command

IEDP02-CLOUDCONNECT-GW-01-0> debug copy ftp cisco@172.26.128.242:/ tcpdump_vNic_1.0
Password: *****
tcpdump_vNic_1.0:                  ETA:   0:00    0.03/  1.29 MB  538.79 MB/s  

Now you can get open your file with Wireshark

You can display packet capture directly on the console as follow and apply any specific filter you want. One thing to remember is that if you need to apply a filter ‘space’ is replace with ‘_’ as shown below. Below example display OSPF packet in verbose mode.

IEDP02-CLOUDCONNECT-GW-01-0> debug packet display interface vNic_1 proto_89_-vvv
Use CTRL+C to stop packet capture.
tcpdump: listening on vNic_1, link-type EN10MB (Ethernet), capture size 262144 bytes
07:59:48.819960 IP (tos 0xc0, ttl 1, id 37838, offset 0, flags [none], proto OSPF (89), length 64)
    172.26.15.1 > 224.0.0.5: OSPFv2, Hello, length 44
        Router-ID 10.1.3.6, Area 0.0.0.1, Authentication Type: none (0)
        Options [External]
          Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 128
          Designated Router 172.26.15.1

This is another example how to apply the filter. In this example filter display only ssh packets.

IEDP02-CLOUDCONNECT-GW-01-0> debug packet display interface vNic_2 tcp_and_port_22
Use CTRL+C to stop packet capture.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_2, link-type EN10MB (Ethernet), capture size 262144 bytes
08:07:58.469038 IP 172.26.15.1.22 > 172.29.80.22.55613: Flags [P.], seq 3438836096:3438836292, ack 477698481, win 2035, length 196

As you can see packet capture on the NSX Edge is straightforwad and can be really usful if you need to troubleshoot some connectivity issue on your Edge appliance.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s