Capturing network traffic and downloading the .pcap file is a must-know skill for any network troubleshooting in an NSX environment.
To do so, follow the steps below in order.
Step 1: Open a console or PuTTY session to the NSX edge device.
Step 2: Log in with admin credentials (username "root" doesn't work in NSX :))
# Hopefully you know how to find or reset the credentials of an NSX edge. If not, let me know.
# Capturing traffic assumes that traffic is actually flowing. If it is not, initiate traffic between source and destination first. If both are VMs, start a ping from the source VM to the destination VM.
Step 3: Run the below command on the NSX edge (PuTTY\console) to start capturing the traffic:
debug packet capture interface vNic_0
Please note:
1. After a few seconds, stop the capture by pressing CTRL+C.
2. The output will look as shown below.
3. The above command captures all the traffic hitting vNic_0 of this edge and saves a file on the appliance storage only. That is why it should not be kept running for a long period of time, like 1-2 hours, which would create edge performance issues.
Step 4: Run the below command:
debug copy ftp gjohar@<FTP server IP address>:/ tcpdump_vNic_4.0
For example: debug copy ftp gjohar@100.0.0.10:/ tcpdump_vNic_4.0
Please note:
1. gjohar - the username created on the FTP server.
2. FTP should be accessible from internet and should be reachable by the NSX edge (ping etc.).
3. tcpdump_vNic_4.0 - the file to download, which is named automatically on creation. The name can be different in your case, so to confirm the file name you can simply run the below command after you stop capturing:
Step 4.1: debug show files
Once you run the command shown in Step 4, you will see this file on your FTP server. Now you can open, share and check the file as per your wish.
Dig in a bit deeper
In the above steps, I have explained capturing all the traffic on an interface. Now let's see how to capture a particular IP's traffic on this interface, that is vNic_0.
You just need to modify the capture command as below.
#debug packet capture interface vNic_0 -n_src_host_1.2.3.4
Please note:
1.2.3.4 - the IP address whose traffic we want to capture.
Dig in a bit deeper still
I want to capture a packet with source and destination information.
#debug packet capture interface vNic_0 host_192.168.11.3_and_host_192.168.11.41
Please note:
192.168.11.3 - Source
192.168.11.41 - Destination
Let's dig in a little deeper
Now, I want to see if source and destination are communicating over port number 80 (or any other).
#debug packet display interface vNic_0 host_192.168.11.3_and_host_192.168.11.41_and_port_80
Please note:
1. I have used vNic_0 just as an example. You need to change it as per your requirement and as per egress or ingress traffic. For example, if two VMs are in the same subnet, both will communicate over the same logical switch, but if they are in different subnets then the traffic will first go in and out of one interface (vNic_0) and then in and out of the second interface (vNic_1).
2. If you just want to display the traffic and don't want to capture it, then just replace the word capture with display in all the above commands.
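Once the capture file has been copied off the edge, the same "host A and host B and port 80" question can be answered offline. The following is an added example, not part of the original post or of NSX: it assumes the file is in classic pcap format with an Ethernet link type, and the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

def build_sample_pcap():
    """Constructed sample capture: two Ethernet/IPv4/TCP frames, classic pcap."""
    def frame(src, dst, sport, dport):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp
    frames = [frame("192.168.11.3", "192.168.11.41", 40000, 80),
              frame("192.168.11.3", "192.168.11.50", 40001, 443)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f  # record header + frame
    return out

def iter_flows(data):
    """Yield (src, dst, sport, dport) for every unfragmented IPv4 TCP/UDP frame."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, VLAN-tagged, truncated)
        ihl = (frame[14] & 0x0F) * 4
        fragment_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        ports = frame[14 + ihl:14 + ihl + 4]
        if frame[23] not in (6, 17) or fragment_offset or len(ports) < 4:
            continue  # only TCP/UDP frames that carry the port fields
        sport, dport = struct.unpack("!HH", ports)
        yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport

def count_matches(data, host_a, host_b, port):
    """Packets between host_a and host_b, either direction, using the given port."""
    return sum(1 for s, d, sp, dp in iter_flows(data)
               if {s, d} == {host_a, host_b} and port in (sp, dp))

if __name__ == "__main__":
    # Replace build_sample_pcap() with open("tcpdump_vNic_4.0", "rb").read() for a real file.
    print(count_matches(build_sample_pcap(), "192.168.11.3", "192.168.11.41", 80))
```

A count of zero on a real capture means no packet between the two hosts used that port while the capture was running.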
That's it folks for now!
Any doubt, want to ask?
Thank you,
Team vCloudNotes