The Nortel Ethernet Routing Switch 8600 supports utilizing the standby CPU to capture (PCAP) both ingress and egress (E-modules only) packets on selected I/O ports. The switch must have a standby CPU in order to perform PCAP.
You can configure IP/MAC filters to be applied to the PCAP engine but for this article I’ll just show you how to perform the basic packet capture and how to retrieve the data so it can be analyzed with either Wireshark or OmniPeek. I currently use both applications for their different strengths and weaknesses.
First we’ll configure the basic PCAP engine settings, which should be fairly straightforward. The buffer-size is measured in megabytes, so we’ll be specifying 10 MB. The fragment-size is specified in bytes, and in this example we want to capture the entire frame.
ERS-8600:5# config diag pcap buffer-wrap false
ERS-8600:5# config diag pcap buffer-size 10
ERS-8600:5# config diag pcap fragment-size 1522
Now we need to enable PCAP on the specific switch ports we’re interested in capturing. We also want to specify the mode as both (both = ingress and egress packets | rx = ingress packets | tx = egress packets).
ERS-8600:5# config ethernet 2/1 pcap enable mode both
Now we’re ready to start the capture.
ERS-8600:5# config diag pcap enable true
Now see if we’re actually capturing any packets with the following command:
ERS-8600:5# show diag pcap stats
Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
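An added example, not from the original article: a Python check that parses the `show diag pcap stats` output shown above and flags conditions that make a capture incomplete before you rely on it for analysis. The function names and the buffer-full heuristic are assumptions; the sample text is constructed from the output on this page.

```python
import re

# Counter labels exactly as they appear in the stats output on this page.
FIELDS = {
    "Packet Capacity Count": "capacity",
    "Number of packets received in PCAP engine": "received",
    "Number of packets accumulated in PCAP engine": "accumulated",
    "Number of packets dropped in PCAP engine by filters": "dropped_by_filters",
    "Number of packets dropped in Hardware": "dropped_in_hardware",
}

# Constructed sample: the stats output from this page, one counter per line.
SAMPLE = """Stat Information for PCAP
=========================
Packet Capacity Count : 340909
Number of packets received in PCAP engine : 10
Number of packets accumulated in PCAP engine : 10
Number of packets dropped in PCAP engine by filters : 0
Number of packets dropped in Hardware : 0
"""

def parse_pcap_stats(text):
    """Extract the counters; works on line-wrapped or flattened output."""
    stats = {}
    for label, key in FIELDS.items():
        m = re.search(re.escape(label) + r"\s*:\s*(\d+)", text)
        if m:
            stats[key] = int(m.group(1))
    return stats

def assess_capture(stats, buffer_wrap=False):
    """Return findings that mean the capture should not be trusted as complete."""
    missing = [k for k in FIELDS.values() if k not in stats]
    if missing:
        return ["missing counters: " + ", ".join(missing)]
    findings = []
    if stats["received"] == 0:
        findings.append("no packets received: check port pcap mode and pcap enable")
    if stats["dropped_in_hardware"] > 0:
        findings.append("%d packets dropped in hardware: capture is incomplete"
                        % stats["dropped_in_hardware"])
    if stats["dropped_by_filters"] > 0:
        findings.append("%d packets dropped by filters: confirm the filter is intended"
                        % stats["dropped_by_filters"])
    # Assumption: accumulated >= capacity means the buffer is full, and with
    # buffer-wrap false later packets are not stored.
    if not buffer_wrap and stats["accumulated"] >= stats["capacity"]:
        findings.append("buffer full with buffer-wrap false: capture is truncated")
    return findings
```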
Now stop the packet capture and retrieve it from the switch:
ERS-8606:5# config diag pcap enable false
Now you just need to copy the contents of the PCAP engine to the PCMCIA card:
ERS-8606:5# copy PCAP00 /pcmcia/capture.cap
You can now remove the PCMCIA card from the CPU and load it into your laptop, or better yet, you can just FTP the file from the PCMCIA card by making an FTP connection to the switch (you’ll need to have FTP enabled in the boot.cfg file).
When you’re ready to capture again, don’t forget to reset the PCAP engine with the following commands:
ERS-8606:5# config diag pcap enable false
ERS-8606:5# config diag pcap reset-stat
If something happens to the PCAP engine (which occasionally happens to me) you can usually resolve the problem by resetting the standby CPU. You can access the standby CPU from the console port by telnetting into it from the primary CPU. You can use the peer telnet command:
ERS-8606:5# peer telnet
Trying 127.0.0.6 ...
Connected to 127.0.0.6
*********************************************
* Copyright (c) 2003 Nortel Networks, Inc. *
* All Rights Reserved *
* ERS 8006 *
* Software Release 4.1.1.0 *
*********************************************
Login: rwa
Password: ***
@ERS-8606:6#
Note: You might notice that the primary CPU (slot 5 in the chassis) has the internal IP address of 127.0.0.5 while the standby CPU (slot 6 in the chassis) has the internal IP address of 127.0.0.6.
I don’t believe you can perform PCAP with the new R modules although I could be wrong.
Cheers!