Configuring the packet capture
About packet capture
The packet capture feature captures incoming packets. It can display the captured packets in real time, or save the captured packets to a .pcap file for future analysis.
Packet capture modes
The device supports the following packet capture modes: local packet capture, remote packet capture, and feature image-based packet capture.
Local packet capture
Local packet capture saves captured packets to a remote file on an FTP server or to a local file.
Remote packet capture
Remote packet capture sends captured packets to a remote packet analyzer (for example, Wireshark).
IMPORTANT: The remote packet analyzer must support the Remote Capture Protocol (RPCAP).
Feature image-based packet capture
Feature image-based packet capture saves the captured packets to a local file or displays the captured packets on the terminal. This mode can also display contents of .pcap and .pcapng files.
Feature image-based packet capture requires you to install a specific image called the packet feature image.
Only feature image-based packet capture requires the packet feature image.
Filter rule elements
Packet capture supports using a capture filter rule to filter packets to be captured or using a display filter rule to filter packets to be displayed.
A filter rule is represented by a filter expression. A filter expression contains a keyword string or multiple keyword strings that are connected by operators.
Keywords include the following types:
· Qualifiers—Fixed keyword strings. To use a qualifier, you must enter the qualifier literally as shown.
· Variables—Values assigned in the required format.
Operators include the following types:
· Logical operators—Perform logical operations, such as the AND operation.
· Arithmetic operators—Perform arithmetic operations, such as the ADD operation.
· Relational operators—Indicate the relation between keyword strings. For example, the = operator indicates equality.
For more information about capture and display filters, go to the following websites:
· http://wiki.wireshark.org/CaptureFilters
· http://wiki.wireshark.org/DisplayFilters
Building a capture filter rule
Capture filter rule keywords
Qualifiers
Table 1 Qualifiers for capture filter rules
| Category | Description | Examples |
|---|---|---|
| Protocol | Matches a protocol. If you do not specify a protocol qualifier, the filter matches any supported protocols. | · arp—Matches ARP. · icmp—Matches ICMP. · ip—Matches IPv4. · ip6—Matches IPv6. · tcp—Matches TCP. · udp—Matches UDP. |
| Direction | Matches packets based on their source or destination location (an IP address or port number). If you do not specify a direction qualifier, the src or dst qualifier applies. For example, port 23 is equivalent to src or dst port 23. | · src—Matches the source IP address field. · dst—Matches the destination IP address field. · src or dst—Matches the source or destination IP address field. |
| Type | Specifies the direction type. The host qualifier applies if you do not specify any type qualifier. For example, src 2.2.2.2 is equivalent to src host 2.2.2.2. | · host—Matches the IP address of a host. · net—Matches an IP subnet. · port—Matches a service port number. · portrange—Matches a service port range. |
| Others | Any qualifiers other than those previously described. | · broadcast—Matches broadcast packets. · multicast—Matches multicast and broadcast packets. · less—Matches packets that are less than or equal to a specific size. · greater—Matches packets that are greater than or equal to a specific size. · len—Matches the packet length. · vlan—Matches VLAN packets. |
Variables
A capture filter variable must be modified by one or more qualifiers.
The broadcast, multicast, and all protocol qualifiers cannot modify variables. The other qualifiers must be followed by variables.
Table 2 Variable types for capture filter rules
| Variable type | Description | Examples |
|---|---|---|
| Integer | Represented in binary, octal, decimal, or hexadecimal notation. | The port 23 expression matches traffic sent to or from port number 23. |
| Integer range | Represented by hyphenated integers. | The portrange 100-200 expression matches traffic sent to or from any ports in the range of 100 to 200. |
| IPv4 address | Represented in dotted decimal notation. | The src 1.1.1.1 expression matches traffic sent from the IPv4 host at 1.1.1.1. |
| IPv6 address | Represented in colon hexadecimal notation. | The dst host 1::1 expression matches traffic sent to the IPv6 host at 1::1. |
| IPv4 subnet | Represented by an IPv4 network ID or an IPv4 address with a mask. | Both of the following expressions match traffic sent to or from the IPv4 subnet 1.1.1.0/24: · src 1.1.1. · src net 1.1.1.0/24. |
| IPv6 network segment | Represented by an IPv6 address with a prefix length. | The dst net 1::/64 expression matches traffic sent to the IPv6 network 1::/64. |
Capture filter rule operators
Logical operators
Logical operators are left associative. They group from left to right. The not operator has the highest priority. The and and or operators have the same priority.
Table 3 Logical operators for capture filter rules
| Nonalphanumeric symbol | Alphanumeric symbol | Description |
|---|---|---|
| ! | not | Reverses the result of a condition. Use this operator to capture traffic that matches the opposite value of a condition. For example, to capture non-HTTP traffic, use not port 80. |
| && | and | Joins two conditions. Use this operator to capture traffic that matches both conditions. For example, to capture non-HTTP traffic that is sent to or from 1.1.1.1, use host 1.1.1.1 and not port 80. |
| \|\| | or | Joins two conditions. Use this operator to capture traffic that matches either of the conditions. For example, to capture traffic that is sent to or from 1.1.1.1 or 2.2.2.2, use host 1.1.1.1 or host 2.2.2.2. |
Arithmetic operators
Table 4 Arithmetic operators for capture filter rules
| Nonalphanumeric symbol | Description |
|---|---|
| + | Adds two values. |
| - | Subtracts one value from another. |
| * | Multiplies one value by another. |
| / | Divides the value on the left by the value on the right. |
| & | Returns the result of the bitwise AND operation on two integral values in binary form. |
| \| | Returns the result of the bitwise OR operation on two integral values in binary form. |
| << | Performs the bitwise left shift operation on the operand to the left of the operator. The right-hand operand specifies the number of bits to shift. |
| >> | Performs the bitwise right shift operation on the operand to the left of the operator. The right-hand operand specifies the number of bits to shift. |
| [ ] | Specifies a byte offset relative to a protocol layer. This offset indicates the byte where the matching begins. You must enclose the offset value in the brackets and specify a protocol qualifier. For example, ip[6] matches the seventh byte of payload in IPv4 packets (the byte that is six bytes away from the beginning of the IPv4 payload). |
Relational operators
Table 5 Relational operators for capture filter rules
| Nonalphanumeric symbol | Description |
|---|---|
| = | Equal to. For example, ip[6]=0x1c matches an IPv4 packet if its seventh byte of payload is equal to 0x1c. |
| != | Not equal to. For example, len!=60 matches a packet if its length is not equal to 60 bytes. |
| > | Greater than. For example, len>100 matches a packet if its length is greater than 100 bytes. |
| < | Less than. For example, len<100 matches a packet if its length is less than 100 bytes. |
| >= | Greater than or equal to. For example, len>=100 matches a packet if its length is greater than or equal to 100 bytes. |
| <= | Less than or equal to. For example, len<=100 matches a packet if its length is less than or equal to 100 bytes. |
Capture filter rule expressions
Logical expression
Use this type of expression to capture packets that match the result of logical operations.
Logical expressions contain keywords and logical operators. For example:
· not port 23 and not port 22—Captures packets with a port number that is not 23 or 22.
· port 23 or icmp—Captures packets with a port number 23 or ICMP packets.
In a logical expression, a qualifier can modify more than one variable connected by its nearest logical operator. For example, to capture packets sourced from IPv4 address 192.168.56.1 or IPv4 network 192.168.27, use either of the following expressions:
· src 192.168.56.1 or 192.168.27.
· src 192.168.56.1 or src 192.168.27.
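The grouping rules above (not first, and/or at the same priority and grouped left to right, a qualifier carried over to the next bare variable), worked through in an added Python example that is not part of the original guide and is not the device's parser. It models only not, and/or, vlan, the tcp/udp/icmp keywords, and src/dst with host/port, and runs the capture filter used in the feature image-based example later in this guide over constructed packets; all function names and packet fields are assumptions of this example.

```python
# Added illustration: models only the grouping rules stated in this guide.
# It is not the device's parser; names and packet fields are assumptions.
OPS = {"and": "and", "&&": "and", "or": "or", "||": "or"}
PROTOS = {"tcp", "udp", "icmp"}
QUALS = {"src", "dst", "host", "port"}


def parse(expr):
    """Parse a capture-filter logical expression into nested tuples."""
    toks = expr.split()
    pos = 0
    carried = []  # qualifiers reused by a following bare variable

    def primitive():
        nonlocal pos, carried
        tok = toks[pos]
        if tok in ("not", "!"):  # not has the highest priority
            pos += 1
            return ("not", primitive())
        if tok in PROTOS:
            pos += 1
            return ("proto", tok)
        if tok == "vlan":
            pos += 2
            return ("vlan", int(toks[pos - 1]))
        quals = []
        while toks[pos] in QUALS:
            quals.append(toks[pos])
            pos += 1
        if quals:
            carried = quals
        else:
            quals = carried  # "src A or B" means "src A or src B"
        value = toks[pos]
        pos += 1
        direction = next((q for q in quals if q in ("src", "dst")), None)
        kind = "port" if "port" in quals else "host"  # host is the default type
        return (kind, direction, value)

    node = primitive()
    while pos < len(toks):  # and/or: same priority, grouped left to right
        op = OPS[toks[pos]]
        pos += 1
        node = (op, node, primitive())
    return node


def grouping(node):
    kind = node[0]  # render the tree with explicit parentheses
    if kind == "not":
        return "not " + grouping(node[1])
    if kind in ("and", "or"):
        return "(%s %s %s)" % (grouping(node[1]), kind, grouping(node[2]))
    if kind in ("proto", "vlan"):
        return node[1] if kind == "proto" else "vlan %d" % node[1]
    return " ".join(part for part in (node[1], kind, node[2]) if part)


def matches(node, pkt):
    kind = node[0]  # evaluate the tree against one packet dictionary
    if kind == "not":
        return not matches(node[1], pkt)
    if kind in ("and", "or"):
        left, right = matches(node[1], pkt), matches(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    if kind in ("proto", "vlan"):
        return pkt[kind] == node[1]
    sides = [node[1]] if node[1] else ["src", "dst"]  # default: src or dst
    if kind == "port":
        return any(pkt[side + "_port"] == int(node[2]) for side in sides)
    return any(pkt[side] == node[2] for side in sides)


def sample(vlan, src, dst_port=23):
    """Constructed sample packet sent to 192.168.1.1 over TCP."""
    return {"vlan": vlan, "src": src, "dst": "192.168.1.1", "proto": "tcp",
            "src_port": 6325, "dst_port": dst_port}


PACKETS = {  # constructed packets, not captured traffic
    "v3_from_10": sample(3, "192.168.1.10"),
    "v3_from_11": sample(3, "192.168.1.11"),
    "v5_from_10": sample(5, "192.168.1.10"),
    "v5_from_11": sample(5, "192.168.1.11"),
    "v3_from_12": sample(3, "192.168.1.12", dst_port=80),
}
GUIDE_FILTER = "vlan 3 and src 192.168.1.10 or 192.168.1.11 and dst 192.168.1.1"


def captured(expr):
    """Names of the sample packets that the expression selects."""
    tree = parse(expr)
    return sorted(name for name, p in PACKETS.items() if matches(tree, p))
```

In this model the vlan 3 test binds only to the first source address, so the VLAN 5 packet from 192.168.1.11 is selected as well. Check the grouping of any filter that mixes and with or before treating a capture as complete or as limited to one VLAN.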
The expr relop expr expression
Use this type of expression to capture packets that match the result of arithmetic operations.
This expression contains keywords, arithmetic operators (expr), and relational operators (relop). For example, len+100>=200 captures packets that are greater than or equal to 100 bytes.
The proto[expr:size] expression
Use this type of expression to capture packets that match the result of arithmetic operations on a number of bytes relative to a protocol layer.
This type of expression contains the following elements:
· proto—Specifies a protocol layer.
· []—Performs arithmetic operations on a number of bytes relative to the protocol layer.
· expr—Specifies the arithmetic expression.
· size—Specifies the byte offset. This offset indicates the number of bytes relative to the protocol layer. The operation is performed on the specified bytes. The offset is set to 1 byte if you do not specify an offset.
For example, ip[0]&0xf !=5 captures an IP packet if the result of ANDing the first byte with 0x0f is not 5.
To match a field, you can specify a field name for expr:size. For example, icmp[icmptype]=0x08 captures ICMP packets that contain a value of 0x08 in the Type field.
The vlan vlan_id expression
Use this type of expression to capture 802.1Q tagged VLAN traffic.
This type of expression contains the vlan vlan_id keywords and logical operators. The vlan_id variable is an integer that specifies a VLAN ID. For example, vlan 1 and ip captures IPv4 packets in VLAN 1.
To capture packets of a VLAN, set a capture filter as follows:
· To capture tagged packets that are permitted on the interface, you must use the vlan vlan_id expression prior to any other expressions. For example, use the vlan 3 and src 192.168.1.10 and dst 192.168.1.1 expression to capture packets of VLAN 3 that are sent from 192.168.1.10 to 192.168.1.1.
· To capture an untagged packet that is received on the interface, follow these rules:
  ○ If the device adds a VLAN tag to the packet header, add vlan vlan_id to the capture filter expression. For Layer 3 packets, the vlan_id represents the default VLAN ID of the outgoing interface. For Layer 2 packets, the vlan_id represents the default VLAN ID of the incoming interface.
  ○ If the device does not add a VLAN tag to the packet header, do not add vlan vlan_id to the capture filter expression.
Building a display filter rule
A display filter rule only identifies the packets to display. It does not affect which packets to save in a file.
Display filter rule keywords
Qualifiers
Table 6 Qualifiers for display filter rules
| Category | Description | Examples |
|---|---|---|
| Protocol | Matches a protocol. If you do not specify a protocol qualifier, the filter matches any supported protocols. | · eth—Matches Ethernet. · ftp—Matches FTP. · http—Matches HTTP. · icmp—Matches ICMP. · ip—Matches IPv4. · ipv6—Matches IPv6. · tcp—Matches TCP. · telnet—Matches Telnet. · udp—Matches UDP. |
| Packet field | Matches a field in packets by using a dotted string in the protocol.field[.level1-subfield]…[.leveln-subfield] format. | · tcp.flags.syn—Matches the SYN bit in the flags field of TCP. · tcp.port—Matches the source or destination port field of TCP. |
Variables
A packet field qualifier requires a variable.
Table 7 Variable types for display filter rules
| Variable type | Description |
|---|---|
| Integer | Represented in binary, octal, decimal, or hexadecimal notation. For example, to display IP packets that are less than or equal to 1500 bytes, use one of the following expressions: · ip.len le 1500. · ip.len le 02734. · ip.len le 0x5dc. |
| Boolean | This variable type has two values: true or false. This variable type applies if you use a packet field string alone to identify the presence of a field in a packet. · If the field is present, the match result is true. The filter displays the packet. · If the field is not present, the match result is false. The filter does not display the packet. For example, to display TCP packets that contain the SYN field, use tcp.flags.syn. |
| MAC address (6 bytes) | Uses colons (:), dots (.), or hyphens (-) to break up the MAC address into two or four segments. For example, to display packets that contain a destination MAC address of ffff.ffff.ffff, use one of the following expressions: · eth.dst==ff:ff:ff:ff:ff:ff. · eth.dst==ff-ff-ff-ff-ff-ff. · eth.dst==ffff.ffff.ffff. |
| IPv4 address | Represented in dotted decimal notation. For example: · To display IPv4 packets that are sent to or from 192.168.0.1, use ip.addr==192.168.0.1. · To display IPv4 packets that are sent to or from 129.111.0.0/16, use ip.addr==129.111.0.0/16. |
| IPv6 address | Represented in colon hexadecimal notation. For example: · To display IPv6 packets that are sent to or from 1::1, use ipv6.addr==1::1. · To display IPv6 packets that are sent to or from 1::/64, use ipv6.addr==1::/64. |
| String | Character string. For example, to display HTTP packets that contain the string HTTP/1.1 for the request version field, use http.request.version=="HTTP/1.1". |
Display filter rule operators
Logical operators are left associative. They group from left to right. The [ ] operator has the highest priority. The not operator has the highest priority. The and and or operators have the same priority.
Logical operators
Table 8 Logical operators for display filter rules
| Nonalphanumeric symbol | Alphanumeric symbol | Description |
|---|---|---|
| [ ] | No alphanumeric symbol is available. | Used with protocol qualifiers. For more information, see "The proto[…] expression." |
| ! | not | Displays packets that do not match the condition connected to this operator. |
| && | and | Joins two conditions. Use this operator to display traffic that matches both conditions. |
| \|\| | or | Joins two conditions. Use this operator to display traffic that matches either of the conditions. |
Relational operators
Table 9 Relational operators for display filter rules
| Nonalphanumeric symbol | Alphanumeric symbol | Description |
|---|---|---|
| == | eq | Equal to. For example, ip.src==10.0.0.5 displays packets with the source IP address as 10.0.0.5. |
| != | ne | Not equal to. For example, ip.src!=10.0.0.5 displays packets whose source IP address is not 10.0.0.5. |
| > | gt | Greater than. For example, frame.len>100 displays frames with a length greater than 100 bytes. |
| < | lt | Less than. For example, frame.len<100 displays frames with a length less than 100 bytes. |
| >= | ge | Greater than or equal to. For example, frame.len ge 0x100 displays frames with a length greater than or equal to 256 bytes. |
| <= | le | Less than or equal to. For example, frame.len le 0x100 displays frames with a length less than or equal to 256 bytes. |
Display filter rule expressions
Logical expression
Use this type of expression to display packets that match the result of logical operations.
Logical expressions contain keywords and logical operators. For example, ftp or icmp displays all FTP packets and ICMP packets.
Relational expression
Use this type of expression to display packets that match the result of comparison operations.
Relational expressions contain keywords and relational operators. For example, ip.len<=28 displays IP packets that contain a value of 28 or fewer bytes in the length field.
Packet field expression
Use this type of expression to display packets that contain a specific field.
Packet field expressions contain only packet field strings. For example, tcp.flags.syn displays all TCP packets that contain the SYN bit field.
The proto[…] expression
Use this type of expression to display packets that contain specific field values.
This type of expression contains the following elements:
· proto—Specifies a protocol layer or packet field.
· […]—Matches a number of bytes relative to a protocol layer or packet field. Values for the bytes to be matched must be a hexadecimal integer string. The expression in brackets can use the following formats:
  ○ [n:m]—Matches a total of m bytes after an offset of n bytes from the beginning of the specified protocol layer or field. To match only 1 byte, you can use both [n] and [n:1] formats. For example, eth.src[0:3]==00:00:83 matches an Ethernet frame if the first three bytes of its source MAC address are 0x00, 0x00, and 0x83. The eth.src[2] == 83 expression matches an Ethernet frame if the third byte of its source MAC address is 0x83.
  ○ [n-m]—Matches a total of (m-n+1) bytes, starting from the (n+1)th byte relative to the beginning of the specified protocol layer or packet field. For example, eth.src[1-2]==00:83 matches an Ethernet frame if the second and third bytes of its source MAC address are 0x00 and 0x83, respectively.
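The two bracket formats above differ in what the second number means. This added Python example (not from the original guide, and not the device's matcher) resolves [n], [n:m] and [n-m] to byte ranges and applies them to a constructed frame. The function names, and the choice to raise an error on an out-of-range slice or a value of the wrong length, are assumptions of this example.

```python
import re

# Matches expressions such as eth.src[0:3]==00:00:83 or eth.src[2] == 83
SLICE_EXPR = re.compile(
    r"^\s*([A-Za-z0-9_.]+)\[(\d+)(?:([:-])(\d+))?\]\s*(==|!=)\s*"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$"
)


def slice_bounds(n, sep, m, field_len):
    """Return the (start, end) byte indexes selected by [n], [n:m] or [n-m]."""
    if sep is None:      # [n] is the same as [n:1]
        start, length = n, 1
    elif sep == ":":     # [n:m]: m bytes after an offset of n bytes
        start, length = n, m
    else:                # [n-m]: (m-n+1) bytes, from byte n through byte m
        start, length = n, m - n + 1
    if length < 1 or start + length > field_len:
        raise ValueError("slice selects %d byte(s) at offset %d of a %d-byte field"
                         % (length, start, field_len))
    return start, start + length


def match_slice(expr, fields):
    """Evaluate one proto[...] comparison against a dict of field bytes."""
    found = SLICE_EXPR.match(expr)
    if not found:
        raise ValueError("unsupported expression: %r" % expr)
    name, n, sep, m, relop, hexval = found.groups()
    data = fields[name]
    start, end = slice_bounds(int(n), sep, int(m) if m else None, len(data))
    want = bytes.fromhex(hexval.replace(":", ""))
    if len(want) != end - start:
        # Assumption of this example: reject the mismatch so that a typo in
        # the value cannot pass unnoticed as a filter that never matches.
        raise ValueError("value has %d byte(s), slice selects %d"
                         % (len(want), end - start))
    equal = data[start:end] == want
    return equal if relop == "==" else not equal


# Constructed frame fields, not captured traffic.
FRAME = {
    "eth.src": bytes.fromhex("000083aabbcc"),
    "eth.dst": bytes.fromhex("ffffffffffff"),
}
```

With the same numbers the two formats select different spans: [2:3] covers three bytes starting at offset 2, while [2-3] covers only the bytes at offsets 2 and 3.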
Restrictions and guidelines: Packet capture
To capture packets forwarded through chips, first configure a traffic behavior to mirror the traffic to the CPU.
To capture packets forwarded by the CPU, enable packet capture directly.
The packet capture feature can capture only packets of a frame length equal to or less than 9196 bytes. If the frame length of a packet exceeds 9196 bytes, the system does not capture the packet.
Configuring local packet capture
To configure local packet capture, execute the following command in user view:
packet-capture local interface interface-type interface-number [ capture-filter capt-expression | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds ] * write { filepath | url url [ username username [ password { cipher | simple } string ] ] }
The packet capture is executed in the background. After issuing this command, you can continue to configure other commands.
Configuring remote packet capture
About this task
To capture packets on an interface and send them to a remote packet analyzer (for example, Wireshark), perform this task. With remote packet capture, the analyzer must establish an RPCAP connection to the default or specified RPCAP service port on the device to receive captured packets.
To make sure a packet analyzer can establish an RPCAP connection to receive packets captured from an interface on the device, use the following procedure to configure remote packet capture:
1. Configure remote packet capture for the interface before you connect the packet analyzer to the device.
2. Configure the device as a server on the packet analyzer and connect the packet analyzer to the device. When you configure the device as a server, specify its IP address and make sure the RPCAP port number is the same as that configured on the device for the interface.
Procedure
1. Configure remote packet capture for an interface in user view:
packet-capture remote interface interface-type interface-number [ port port ]
2. Connect the packet analyzer (for example, Wireshark) to the AC. For more information about the packet analyzer, see its documentation.
Configuring feature image-based packet capture
Restrictions and guidelines
After configuring feature image-based packet capture, you cannot configure any other commands at the CLI until the capture finishes or is stopped.
There might be a delay for the capture to stop because of heavy traffic.
Prerequisites
1. Use the display boot-loader command to check whether the packet capture feature image is installed.
2. If the image is not installed, install the image by using the boot-loader, install, or issu command series.
3. Log out of the device and then log in again.
For more information about the commands, see Fundamentals Command Reference.
Saving captured packets to a file
To configure feature image-based packet capture and save the captured packets to a file, execute the following command in user view:
packet-capture interface interface-type interface-number [ capture-filter capt-expression | limit-captured-frames limit | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds | autostop files numbers | capture-ring-buffer filesize kilobytes | capture-ring-buffer duration seconds | capture-ring-buffer files numbers ] * write filepath [ raw | { brief | verbose } ] *
Displaying specific captured packets
To configure feature image-based packet capture and display specific packet data, execute the following command in user view:
packet-capture interface interface-type interface-number [ capture-filter capt-expression | display-filter disp-expression | limit-captured-frames limit | limit-frame-size bytes | autostop duration seconds ] * [ raw | { brief | verbose } ] *
Stopping packet capture
About this task
Use this task to manually stop packet capture.
Procedure
Choose one option as needed:
· Stop local or remote packet capture.
packet-capture stop
Execute this command in user view.
· Stop feature image-based packet capture.
Press Ctrl+C.
Displaying the contents in a packet file
About this task
Use this task to display the contents of a .pcap or .pcapng file on the device. Alternatively, you can transfer the file to a PC and use Wireshark to display the file content.
Prerequisites
1. Use the display boot-loader command to check whether the packet capture feature image is installed.
2. If the image is not installed, install the image by using boot-loader, install, or issu commands.
3. Log out of the device and then log in again.
For more information about the commands, see Fundamentals Command Reference.
Restrictions and guidelines
To stop displaying the contents, press Ctrl+C.
Procedure
To display the contents in a local packet file, execute the following command in user view:
packet-capture read filepath [ display-filter disp-expression ] [ raw | { brief | verbose } ] *
Display and maintenance commands for packet capture
Execute display commands in any view.
| Task | Command |
|---|---|
| Display status information about local or remote packet capture. | display packet-capture status |
Packet capture configuration examples
Example: Configuring remote packet capture
Network configuration
As shown in Figure 1, capture packets forwarded through the CPU or chips on Layer 2 interface HundredGigE 3/0/1. Use Wireshark to display the captured packets.
Procedure
1. Configure the device:
# Apply a QoS policy to the incoming direction of HundredGigE 3/0/1 to capture packets destined for the 20.1.1.0/16 network that are forwarded through chips.
a. Create an IPv4 advanced ACL to match packets that are sent to the 20.1.1.0/16 network. The rule takes a wildcard mask, so the 16-bit prefix is written as 0.0.255.255.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip destination 20.1.1.0 0.0.255.255
[Device-acl-ipv4-adv-3000] quit
b. Configure a traffic behavior to mirror traffic to the CPU.
[Device] traffic behavior behavior1
[Device-behavior-behavior1] mirror-to cpu
[Device-behavior-behavior1] quit
c. Configure a traffic class to use the ACL to match traffic.
[Device] traffic classifier classifier1
[Device-classifier-classifier1] if-match acl 3000
[Device-classifier-classifier1] quit
d. Configure a QoS policy. Associate the traffic class with the traffic behavior.
[Device] qos policy user1
[Device-qospolicy-user1] classifier classifier1 behavior behavior1
[Device-qospolicy-user1] quit
e. Apply the QoS policy to the incoming direction of HundredGigE 3/0/1.
[Device] interface hundredgige 3/0/1
[Device-HundredGigE3/0/1] qos apply policy user1 inbound
[Device-HundredGigE3/0/1] quit
[Device] quit
# Configure remote packet capture on HundredGigE 3/0/1. Set the RPCAP service port number to 2014.
<Device> packet-capture remote interface hundredgige 3/0/1 port 2014
2. Configure Wireshark:
a. Start Wireshark on the PC and select Capture > Options.
b. Select Remote from the Interface list.
c. Enter the IP address of the device 10.1.1.1 and the RPCAP service port number 2014. Make sure there are routes available between the IP address and the PC.
d. Click OK and then click Start.
The captured packets are displayed in Wireshark.
NOTE: Options and option placement available with Wireshark might differ depending on its version.
Example: Configuring feature image-based packet capture
Network configuration
As shown in Figure 2, capture incoming IP packets of VLAN 3 on Layer 2 interface HundredGigE 3/0/1 that meet the following conditions:
· Sent from 192.168.1.10 or 192.168.1.11 to 192.168.1.1.
· Forwarded through the CPU or chips.
Procedure
1. Install the packet capture feature.
# Identify versions of the boot and system images running on the device. Prepare a packet capture feature image that is compatible with the current boot and system images.
<Device> display version
H3C Comware Software, Version 7.1.070, Demo 01
Copyright (c) 2004-2020 New H3C Technologies Co., Ltd. All rights reserved.
H3C S12516G-AF uptime is 0 weeks, 0 days, 5 hours, 33 minutes
Last reboot reason : Cold reboot
Boot image: flash:/boot-01.bin
Boot image version: 7.1.070, Demo 01
Compiled Jan 14 2020 11:00:00
System image: flash:/system-01.bin
System image version: 7.1.070, Demo 01
Compiled Jan 14 2020 11:00:00
...
# Download the packet capture feature image to the device. In this example, the packet-capture-01.bin image is stored on the TFTP server at 192.168.1.1.
<Device> tftp 192.168.1.1 get packet-capture-01.bin
Press CTRL+C to abort.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11.3M 0 11.3M 0 0 155k 0 --:--:-- 0:01:14 --:--:-- 194k
Writing file...Done.
# (In standalone mode.) Install the packet capture feature image on each MPU and commit the software change. In this example, the device has two MPUs.
<Device> install activate feature flash:/packet-capture-01.bin slot 0
Verifying the file flash:/packet-capture-01.bin on slot 0....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:
flash:/packet-capture-01.bin
Running Version New Version
None Demo 01
Slot Upgrade Way
0 Service Upgrade
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait....................Done.
<Device> install activate feature flash:/packet-capture-01.bin slot 1
Verifying the file flash:/packet-capture-01.bin on slot 1....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:
flash:/packet-capture-01.bin
Running Version New Version
None Demo 01
Slot Upgrade Way
1 Service Upgrade
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait....................Done.
<Device> install commit
This operation will take several minutes, please wait.......................Done.
# Log out and then log in to the device again so you can execute the packet-capture interface and packet-capture read commands.
2. Apply a QoS policy to the incoming direction of HundredGigE 3/0/1 to capture packets from 192.168.1.10 or 192.168.1.11 to 192.168.1.1 that are forwarded through chips.
# Create an IPv4 advanced ACL to match packets that are sent from 192.168.1.10 or 192.168.1.11 to 192.168.1.1.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.10 0 destination 192.168.1.1 0
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.11 0 destination 192.168.1.1 0
[Device-acl-ipv4-adv-3000] quit
# Configure a traffic behavior to mirror traffic to the CPU.
[Device] traffic behavior behavior1
[Device-behavior-behavior1] mirror-to cpu
[Device-behavior-behavior1] quit
# Configure a traffic class to use the ACL to match traffic.
[Device] traffic classifier classifier1
[Device-classifier-classifier1] if-match acl 3000
[Device-classifier-classifier1] quit
# Configure a QoS policy. Associate the traffic class with the traffic behavior.
[Device] qos policy user1
[Device-qospolicy-user1] classifier classifier1 behavior behavior1
[Device-qospolicy-user1] quit
# Apply the QoS policy to the incoming direction of HundredGigE 3/0/1.
[Device] interface hundredgige 3/0/1
[Device-HundredGigE3/0/1] qos apply policy user1 inbound
[Device-HundredGigE3/0/1] quit
[Device] quit
3. Enable packet capture.
# Capture incoming traffic on HundredGigE 3/0/1. Set the maximum number of captured packets to 10. Save the captured packets to the flash:/a.pcap file.
<Device> packet-capture interface hundredgige 3/0/1 capture-filter "vlan 3 and src 192.168.1.10 or 192.168.1.11 and dst 192.168.1.1" limit-captured-frames 10 write flash:/a.pcap
Capturing on 'HundredGigE3/0/1'
10
Verifying the configuration
# Telnet to 192.168.1.1 from 192.168.1.10. (Details not shown.)
# Display the contents in the packet file on the device.
<Device> packet-capture read flash:/a.pcap
1 0.000000 192.168.1.10 -> 192.168.1.1 TCP 62 6325 > telnet [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
2 0.000061 192.168.1.10 -> 192.168.1.1 TCP 60 6325 > telnet [ACK] Seq=1 Ack=1 Win=65535 Len=0
3 0.024370 192.168.1.10 -> 192.168.1.1 TELNET 60 Telnet Data ...
4 0.024449 192.168.1.10 -> 192.168.1.1 TELNET 78 Telnet Data ...
5 0.025766 192.168.1.10 -> 192.168.1.1 TELNET 65 Telnet Data ...
6 0.035096 192.168.1.10 -> 192.168.1.1 TELNET 60 Telnet Data ...
7 0.047317 192.168.1.10 -> 192.168.1.1 TCP 60 6325 > telnet [ACK] Seq=42 Ack=434 Win=65102 Len=0
8 0.050994 192.168.1.10 -> 192.168.1.1 TCP 60 6325 > telnet [ACK] Seq=42 Ack=436 Win=65100 Len=0
9 0.052401 192.168.1.10 -> 192.168.1.1 TCP 60 6325 > telnet [ACK] Seq=42 Ack=438 Win=65098 Len=0
10 0.057736 192.168.1.10 -> 192.168.1.1 TCP 60 6325 > telnet [ACK] Seq=42 Ack=440 Win=65096 Len=0