How to Capture Packets
Overview of Packet Capture
Security Declaration
The packet capture function is mainly used for network detection and fault management and may involve personal communication information. Huawei cannot collect or store user communication information without permission. It is recommended that relevant functions used to collect or store user communication information be enabled in adherence with applicable laws and regulations. During the usage and storage of user communication information, measures must be taken to protect user communication information.
This document uses S series switches of V200R013C00 as an example.
Definition
Packet capture technology captures packets from devices and provides a way to locate network problems.
Benefits
Maintenance personnel can view captured packets on the command line interface (CLI), save captured packets in a specified file, and download the captured packets to a local PC for analysis. This greatly improves maintenance efficiency and reduces maintenance costs.
Classification
The switch can capture the following types of packets:
- Service packets
- Packets sent to the CPU
Capturing Service Packets
You can run the capture-packet { interface interface-type interface-number | acl { ipv4-acl | ipv6 ipv6-acl } } * [ vlan vlan-id | cvlan cvlan-id ] * destination { file file-name | terminal } * [ car cir car-value | time-out time-out-value | packet-num number | packet-len length | { inbound | outbound } ] * [ packet-info ] command in the system view or diagnostic view to capture service packets that match specified rules.
Parameters
Parameter | Description | Value |
---|---|---|
interface interface-type interface-number | Captures packets on a specified interface. | The interface must exist on the switch and cannot be a management interface. |
acl { ipv4-acl \| ipv6 ipv6-acl } | Captures packets matching a specified ACL or ACL6. The specified ACL or ACL6 and the corresponding rules must have been created. On fixed switches other than the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, and S6720S-EI, the destination IPv6 address cannot be specified in an ACL6 rule; otherwise, packets cannot be captured. | |
vlan vlan-id | Captures packets from a specified VLAN. | The value is an integer in the range from 1 to 4094. |
cvlan cvlan-id | Captures packets with a specified inner VLAN ID. Only the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, S6720S-EI, and modular switches support this parameter. | The value is an integer in the range from 1 to 4094. |
destination { file file-name \| terminal } * | Indicates the mode in which captured packets are stored: | The value of file-name is a string of 5 to 63 characters. |
car cir car-value | Specifies the rate at which packets are captured, that is, the total number of bytes of packets that can be captured by the device in a unit of time (1s). Only the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, S6720S-EI, and modular switches support this parameter. | The value is an integer in the range from 8 to 256, in kbit/s. The default value is 64. |
time-out time-out-value | Specifies the timeout interval for capturing packets. The system stops capturing packets after the specified timeout interval expires. | The value is an integer in the range from 1 to 300, in seconds. The default value is 60. |
packet-num number | Specifies the number of packets to be captured. The system stops capturing packets after the specified number of packets are captured. | The value is an integer in the range from 1 to 1000. The default value is 100. |
packet-len length | Specifies the length of captured packets. | The value is an integer in the range from 20 to 64, in bytes. The default value is 64. |
inbound | Captures packets received on an interface. Only the S5720HI, S5730HI, and S6720HI, and the LE1D2S04SEC0, LE1D2X32SEC0, LE1D2H02QEC0, and X series cards on modular switches, support the inbound and outbound parameters. If neither inbound nor outbound is specified, packets both received and sent by an interface are captured. Other cards and fixed switches do not support inbound or outbound and can capture only packets received by interfaces. | - |
outbound | Captures packets sent by an interface. | - |
packet-info | Parses basic information about captured packets, such as the source and destination MAC addresses or IP addresses. This parameter can be specified only when this command is run in the diagnostic view. The switch can parse basic information about the captured packets only when this parameter is specified and the length of the captured packet is greater than or equal to 48 bytes (that is, the value of packet-len length is greater than or equal to 48). | - |
Feature Limitations
- S series switches cannot capture packets on the management interface, ICMP packets of fast ICMP reply, BFD packets, 802.1ag packets, or VBST BPDUs.
- The packet capture configuration is not saved in the configuration file and becomes invalid when packet capture is complete. Until the current packet capture is complete, packet capture cannot be reconfigured.
- If IP addresses of ARP packets on the control plane match a basic or advanced ACL rule, the ARP packets can still be captured.
Example
# Capture packets on GE0/0/1, parse basic information, and display the information on the terminal (packet capture in the diagnostic view of the S5720HI is used as an example).
```
<HUAWEI> system-view
[HUAWEI] diagnose
[HUAWEI-diagnose] capture-packet interface gigabitethernet 0/0/1 destination terminal packet-num 1 packet-len 48 packet-info
[HUAWEI-diagnose]
Packet(inbound): 1
-------------------------------------------------------
01 00 5e 0b 01 72 78 1d ba 32 04 a1 81 00 00 01
08 00 45 00 05 4c 00 00 40 00 7d 11 fa 66 0a f0
02 cd ef 0b 01 72 1f 6a 56 ce 05 38 e2 d7 80 21
-------------------------------------------------------
DMAC: 0100-5e0b-0172    SMAC: 781d-ba32-04a1
VLAN: 1                 8021P: 0
IPv4 Next Proto: 17     TTL: 125    DSCP: 0
SIP: 10.240.2.205       DIP: 10.11.1.114
UDP Multicast Packet RTP SEQ: 23354
UDP Multicast Packet Time Stamp: 2018/12/11 23:02:40
-------------------------------------------------------
-----------------packet getting report-----------------
file: NULL
packets getting: interface GigabitEthernet0/0/1
acl: -
vlan: -
cvlan: -
car: 64kbps
timeout: 60s
packets: 1 (expected)
         1 (inbound actual)
         0 (outbound actual)
length: 48 (expected)
------------------------------------------------------
```
Item | Description |
---|---|
Packet(inbound): i | ith captured (incoming/outgoing) packet. |
DMAC | Destination MAC address. |
SMAC | Source MAC address. |
VLAN | VLAN ID. |
8021P | 802.1p priority. |
IPv4 Next Proto | Protocol number used by the data in a data packet. |
TTL | TTL value. |
DSCP | DSCP value. |
SIP | Source IP address. |
DIP | Destination IP address. |
UDP Multicast Packet RTP SEQ | Sequence number of a multicast RTP packet. This field is displayed only when multicast packets are captured. |
UDP Multicast Packet Time Stamp | Time when the first byte in a multicast RTP packet is sampled. This field is displayed only when multicast packets are captured. |
Packet Protocol = 0x86dd is IPv6 Packet. | IPv6 packet indicated by the protocol type value of 0x86dd. |
file | Local path that stores captured packets. |
packets getting | |
acl | ACL number matched by captured packets. |
acl ipv6 | ACL6 number matched by captured packets. |
vlan | VLAN ID of captured packets. |
cvlan | Inner VLAN ID of captured packets. |
car | Rate of captured packets. |
timeout | Timeout interval of packet capture. The system stops capturing packets after the specified time interval. |
packets | |
length | Length of captured packets. |
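A hex dump printed with destination terminal can be decoded offline on a PC, including frames that were cut short by a small packet-len. The Python sketch below is an added example, not Huawei code; the function names hex_to_bytes, mac and decode are chosen here. It reads the fields from the dumped bytes of the GE0/0/1 example, so the destination address decodes as 239.11.1.114, the group address that corresponds to the 0100-5e0b-0172 multicast MAC.

```python
import ipaddress
import re
import struct

# Hex dump lines copied from the GE0/0/1 terminal example on this page.
SAMPLE = """
01 00 5e 0b 01 72 78 1d ba 32 04 a1 81 00 00 01
08 00 45 00 05 4c 00 00 40 00 7d 11 fa 66 0a f0
02 cd ef 0b 01 72 1f 6a 56 ce 05 38 e2 d7 80 21
"""
HEX_LINE = re.compile(r"(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}")

def hex_to_bytes(text):
    """Keep only lines made entirely of hex byte pairs; skip rulers and labels."""
    data = bytearray()
    for line in text.splitlines():
        if HEX_LINE.fullmatch(line.strip()):
            data += bytes.fromhex(line)
    return bytes(data)

def mac(b):
    """Format six bytes in the xxxx-xxxx-xxxx style the switch prints."""
    h = b.hex()
    return "-".join(h[i:i + 4] for i in (0, 4, 8))

def decode(frame):
    """Decode Ethernet, 802.1Q and IPv4 fields from a frame cut at packet-len."""
    if len(frame) < 14:
        raise ValueError("need at least the 14-byte Ethernet header")
    out = {"dmac": mac(frame[0:6]), "smac": mac(frame[6:12]), "truncated": False}
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == 0x8100:                      # 802.1Q tag: TCI, then real EtherType
        if len(frame) < 18:
            return {**out, "truncated": True}
        tci, etype = struct.unpack("!HH", frame[14:18])
        out.update(vlan=tci & 0x0FFF, pcp=tci >> 13)
        off = 18
    out["ethertype"] = etype
    if etype == 0x0800:                      # IPv4
        ip = frame[off:off + 20]
        if len(ip) < 20:                     # capture ended inside the IP header
            return {**out, "truncated": True}
        out.update(dscp=ip[1] >> 2, ttl=ip[8], proto=ip[9],
                   sip=str(ipaddress.IPv4Address(ip[12:16])),
                   dip=str(ipaddress.IPv4Address(ip[16:20])))
    return out

if __name__ == "__main__":
    print(decode(hex_to_bytes(SAMPLE)))
```

Pasting the whole terminal output into hex_to_bytes also works, because ruler and label lines are skipped.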
Capturing Packets Sent to the CPU
You can run the capture-packet cpu [ vlan vlan-id | acl { ipv4-acl | ipv6 ipv6-acl } ] * destination { file file-name | terminal } * [ time-out time-out-value | packet-num number | packet-len length ] * packet-info command in the system view or diagnostic view to capture packets sent to the CPU.
Parameters
Parameter | Description | Value |
---|---|---|
vlan vlan-id | Captures packets from a specified VLAN. | The value is an integer in the range from 1 to 4094. |
acl { ipv4-acl \| ipv6 ipv6-acl } | Captures packets matching a specified ACL or ACL6. The specified ACL or ACL6 and the corresponding rules must have been created. On fixed switches other than the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, and S6720S-EI, the destination IPv6 address cannot be specified in an ACL6 rule; otherwise, packets cannot be captured. | |
destination { file file-name \| terminal } * | Indicates the mode in which captured packets are stored: | The value of file-name is a string of 5 to 63 characters. |
time-out time-out-value | Specifies the timeout interval for capturing packets. The system stops capturing packets after the specified timeout interval expires. | The value is an integer in the range from 1 to 300, in seconds. The default value is 60. |
packet-num number | Specifies the number of packets to be captured. The system stops capturing packets after the specified number of packets are captured. | The value is an integer in the range from 1 to 1000. The default value is 100. |
packet-len length | Specifies the length of captured packets. | The value is an integer in the range from 20 to 64, in bytes. The default value is 64. |
packet-info | Parses basic information about captured packets, such as the source and destination MAC addresses or IP addresses. This parameter can be specified only when this command is run in the diagnostic view. The switch can parse basic information about the captured packets only when this parameter is specified and the length of the captured packet is greater than or equal to 48 bytes (that is, the value of packet-len length is greater than or equal to 48). | - |
Feature Limitations
The packet capture configuration is not saved in the configuration file and becomes invalid when packet capture is complete. Until the current packet capture is complete, packet capture cannot be reconfigured.
Example
# Capture packets sent to the CPU, parse basic information, and display the information on the terminal (packet capture in the diagnostic view of the S5720HI is used as an example).
```
<HUAWEI> system-view
[HUAWEI] diagnose
[HUAWEI-diagnose] capture-packet cpu destination terminal packet-num 1 packet-info
[HUAWEI-diagnose]
Packet: 1
-------------------------------------------------------
ff ff ff ff ff ff 00 00 c1 0e 01 02 81 00 00 c8
08 00 45 00 00 52 00 00 00 00 40 11 f6 7b c1 0e
01 02 c1 0e 01 01 00 44 00 43 00 3e 00 00 00 01
02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11
-------------------------------------------------------
DMAC: ffff-ffff-ffff    SMAC: 0000-c10e-0102
VLAN: 2048              8021P: 6
IPv4 Next Proto: 17     TTL: 64    DSCP: 0
SIP: 192.168.1.2        DIP: 192.168.1.1
-------------------------------------------------------
-----------------packet getting report-----------------
file: NULL
packets getting: cpu
acl: -
vlan: -
cvlan: -
car: --
timeout: 60s
packets: 1 (expected)
         1 (actual)
length: 64 (expected)
-------------------------------------------------------
```
Item | Description |
---|---|
Packet: i | ith captured packet. |
DMAC | Destination MAC address. |
SMAC | Source MAC address. |
VLAN | VLAN ID. |
8021P | 802.1p priority. |
IPv4 Next Proto | Protocol number used by the data in a data packet. |
TTL | TTL value. |
DSCP | DSCP value. |
SIP | Source IP address. |
DIP | Destination IP address. |
UDP Multicast Packet RTP SEQ | Sequence number of a multicast RTP packet. This field is displayed only when multicast packets are captured. |
UDP Multicast Packet Time Stamp | Time when the first byte in a multicast RTP packet is sampled. This field is displayed only when multicast packets are captured. |
Packet Protocol = 0x86dd is IPv6 Packet. | IPv6 packet indicated by the protocol type value of 0x86dd. |
file | Local path that stores captured packets. |
packets getting | The system captures the packets to be sent to the CPU. |
acl | ACL number matched by captured packets. |
acl ipv6 | ACL6 number matched by captured packets. |
vlan | VLAN ID of captured packets. |
cvlan | Inner VLAN ID of captured packets. |
car | Rate of captured packets. |
timeout | Timeout interval of packet capture. The system stops capturing packets after the specified time interval. |
packets | |
length | Length of captured packets. |