如何在交换机上抓包

在交换机上抓包，一般可排查一些网络问题。

下面是总结的在各厂商交换机上抓包方式。

H3C交换机抓包：

在华三交换机上可使用：packet-capture 命令，在用户视图下执行。

具体操作可查看这：https://www.h3c.com/cn/d_202009/1327093_30005_0.htm

#做流统匹配抓包流量
acl advanced 3000
description test 
 rule 0 permit ip source 192.168.1.1 0 destination 192.168.2.1 0
traffic classifier class_test operator and
 if-match acl 3000

affic behavior behavior_test
accounting packet             # 做流量统计
mirror-to cpu                 # 镜像到CPU，必须镜像到CPU才能抓包

qos policy policy_test
 classifier class_test behavior behavior_test
 
interface Ten-GigabitEthernet1/3/1
  qos apply policy policy_test inbound 
packet-capture local  interface  Ten-GigabitEthernet  1/3/1 autostop  filesize  50000 write  flash:/isp1.cap
packet-capture stop              # 及时停止。

需要注意的几点：

  1.抓包时尽量使用acl匹配精确的流
  2.在traffic behavior中，必须配置流量镜向到CPU。mirror-to cpu, 否则不能抓到包。
  3.抓包时做好文件大小限制，autostop filesze 50000, 因为交换机的硬盘都很小，防止把交换机硬盘打满。
  4.抓包时尽量选择流量低峰期。
  5.配置accounting packet 流量统计后，可通过display qos policy interface 查看匹配情况。

华为交换机抓包：

华为交换机抓包使用：capture-packet 命令，在用户视图下执行。
https://support.huawei.com/hedex/hdx.do?lib=EDOC110010122531180BDB&docid=EDOC1100101225&lang=zh&v=02&tocLib=EDOC110010122531180BDB&tocV=02&id=ZH-CN_CLIREF_0141119899&tocURL=resources%252fdc%252fcapture%252dpacket%252ehtml&p=t&fe=1&ui=3&keyword=capture

capture-packet interface  10GE  1/0/5  acl 3000 destination  file  file.cap packet-num 1000 packet-len 1000 
undo capture-packet       # 关闭报文捕获。

注意事项：做好抓包限制，防止打满硬盘。

锐捷交换机抓包：

锐捷交换机抓包使用packet captur命令，在用户视图下执行。

packet capture  ?
 file  Packet capture file #设置抓包文件保存路径
 point  Packet capture point
 rule  Packet capture rule  # 抓包规则
 start  Start to capture packets # 开启抓包
 stop  Stop to capture packets  # 停止抓包
packet capture  file ?
 flash:  Save info into the flash file system
 sata0:  Save info into the sata file system
 sd0:   Save info into the sd0 file system
 tmp:   Save info into the tmp file system
 usb0:  Save info into the usb file system
packet capture  rule  test filter  ?
 acl      Debug efmp packet acl
 dst_mac    Destination MAC address
 etype     Specify eth type
 icmpv4_code  ICMP code
 icmpv4_type  ICMP type
 icmpv6_code  ICMPv6 code
 icmpv6_type  ICMPv6 type
 ipv4_dip   Destination IP address
 ipv4_dport  IPv4 destination port
 ipv4_sip   Source IP address
 ipv4_sport  IPv4 source port
 ipv6_dip   Destination IPv6 address
 ipv6_dport  IPv6 destination port
 ipv6_sip   Source IPv6 address
 ipv6_sport  IPv6 source port
 src_mac    Source MAC address
 v4_protocol  IP protocol
 v6_protocol  IPv6 protocol

Arista交换机抓包：

Arista抓包是需要进入bash，使用linux命令tcpdump来抓包。

Arista#
**bash**
Arista Networks EOS shell
[admin@Arista ~]$ 
**tcpdump -****help**
tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
       [ -C file_size ] [ -E algo:secret ] [ -F file ]
       [ -G seconds ]
       [ -i interface ] [ -M secret ]
       [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
       [ -W filecount ] [ -y datalinktype ] [ -z command ]
       [ -Z user ] [ -@ file_index ] [ expression ]

Cisco交换机抓包：

Cisco nexus 抓包使用ethanalyze命令。在用户视图下执行。

注：该命令只能捕获去交换机自身和自身发出去的流量。

不能捕获：捕获在硬件中转发的数据平面流量。不支持特定于接口的捕获

如果需要抓取CPU的流量，需要将端口流量镜像到CPU，然后使用ethanalyze抓取。

在抓端口镜像（转发层面的）包时，设备不能配置sflow。

ERROR: SFLOW is configured. Please delete all SFLOW data sources before configuring SPANs
https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/215329-nexus-9000-cloud-scale-asic-nx-os-span-t.html?dtid=osscdc000283

https://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/116136-trouble-ethanalyzer-nexus7000-00.html

 ethanalyzer local  interface inband ?
 <CR>          
 >            Redirect it to a file
 >>           Redirect it to a file in append mode
 autostop        Capture autostop condition
 capture-filter     Filter on ethanalyzer capture
 capture-ring-buffer   Capture ring buffer option
 decode-internal     Include internal system header decoding
 detail         Display detailed protocol information 
 display-filter     Display filter on frames captured
 limit-captured-frames  Maximum number of frames to be captured (default is 10)
 limit-frame-size    Capture only a subset of a frame
 mirror         Filter mirrored packets
 raw           Hex/Ascii dump the packet with possibly one line summary
 write          Filename to save capture to
 |            Pipe command output to filter
# 配置SPAN到CPU的监视器会话
N9K# **configure terminal** 
Enter configuration commands, one per line. End with CNTL/Z.
N9K-1(config)# **monitor session 1** N9K-1(config-monitor)# **source interface Ethernet1/10 rx**N9K-1(config-monitor)# **destination interface sup-eth0** N9K-1(config-monitor)# **no shut**
N9K-1(config-monitor)# **end**
# 确认SPAN到CPU监视器会话已启动
N9K# **show running-config monitor**  
N9K# **show monitor**
# 在控制平面中查看复制的数据包
# ethanalyze 可以用来复制到思科Nexus 9000设备的控制平面视图流量。Ethanalyzer命令中的**mirror**关键字可以过滤流量，以便仅显示SPAN到CPU监视器会话复制的流量。Ethanalyzer捕获和显示过滤器可用于进一步限制显示的流量。
9K# **ethanalyzer** **local** **interface inband mirror display-filter** **"icmp && ip.addr==192.168.10.10"** **limit-captured-frames 0** 
# 使用Control-C组合键可以退出Ethanalyzer控制平面数据包捕获实用程序。
# 通过在Ethanalyzer命令中包含**detail**关键字，可以查看有关此流量的详细信息。下面显示了单个ICMP Echo Request数据包的示例。
N9K# **ethanalyzer** **local** **interface inband mirror display-filter** **"icmp && ip.addr==192.168.10.10"** **limit-captured-frames 0 detail** 
# 以管理方式关闭SPAN到CPU监视器会话
 # 在SPAN到CPU监视器会话的上下文中使用**shutdown** configuration命令可以正常关闭SPAN到CPU监视器会话，并停止将流量复制到Cisco Nexus 9000设备的控制平面。
N9K# **configure terminal**
Enter configuration commands, one per line. End with CNTL/Z.
N9K-1(config)# **monitor session 1** N9K-1(config-monitor)# **shut**
N9K-1(config-monitor)# **end**
N9K#