NX-OS has had the great Ethanalyzer feature since very early versions. It allows you to perform limited packet captures directly on your NX-OS-based switch!
It is, however, a pain to use in practice and has lots of limitations. One of the biggest is that it can only capture traffic hitting the CPU, so you are limited to control plane and management plane traffic. That, however, is key to solving many problems that are often associated with (or blamed on) the network.
Here is an example that captures, displays and filters ARP packets processed by the switch on which these commands are run.
- To initiate an ARP-only capture of the first 400 packets:
ethanalyzer local interface inband capture-filter arp limit-captured-frames 400 write bootflash:arp.pcap
- To view the capture:
ethanalyzer local read bootflash:arp.pcap detail
- To display only the ARP packets whose sender IP address is 10.1.101.5:
ethanalyzer local read bootflash:arp.pcap display-filter "arp.src.proto_ipv4==10.1.101.5" detail
The filters used in the above examples are definitely cryptic. The good news, however, is that if you are familiar with Wireshark, you can build the filter in the Wireshark GUI and then copy/paste it directly into the filter options shown above.
You can see more filter examples here and here.
You can read more about Ethanalyzer here – with many more great practical examples.
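Once bootflash:arp.pcap has been copied off the switch, the same sender-IP filter can be applied offline. The following is an added example, not part of the original post: a standard-library Python parser that mirrors arp.src.proto_ipv4==10.1.101.5 and also lists sender IPs announced by more than one MAC, a quick check for duplicate addresses or ARP spoofing. It assumes the file is in classic libpcap format with Ethernet framing; the function names and the sample capture are constructed for illustration.

```python
import struct

def read_pcap(data):
    """Yield raw frames from classic libpcap bytes (assumed format, not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":  # skip one 802.1Q tag if present
        off += 4
    # ethertype ARP, then htype=Ethernet, ptype=IPv4, hlen=6, plen=4
    if frame[off:off + 8] != b"\x08\x06\x00\x01\x08\x00\x06\x04" or len(frame) < off + 30:
        return None
    sha, spa = frame[off + 10:off + 16], frame[off + 16:off + 20]
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def senders(data, ip=None):
    """Map sender IP -> set of sender MACs; ip= mirrors arp.src.proto_ipv4==<ip>."""
    seen = {}
    for frame in read_pcap(data):
        hit = parse_arp(frame)
        if hit and ip in (None, hit[1]):
            seen.setdefault(hit[1], set()).add(hit[0])
    return seen

def conflicts(data):
    """Sender IPs claimed by more than one MAC (duplicate address or spoofing)."""
    return {ip: macs for ip, macs in senders(data).items() if len(macs) > 1}

def sample_arp(mac, spa, tpa):  # builds one constructed ARP request for SAMPLE
    m, ip = bytes.fromhex(mac.replace(":", "")), lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + m + b"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01"
            + m + ip(spa) + b"\x00" * 6 + ip(tpa))

def sample_pcap(frames):  # wraps frames in a little-endian pcap, linktype 1 (Ethernet)
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = sample_pcap([  # constructed capture: 10.1.101.5 is announced by two MACs
    sample_arp("00:11:22:33:44:55", "10.1.101.5", "10.1.101.1"),
    sample_arp("00:aa:bb:cc:dd:ee", "10.1.101.9", "10.1.101.1"),
    sample_arp("de:ad:be:ef:00:01", "10.1.101.5", "10.1.101.1")])
```

To run it against a real capture, pass the file's bytes instead of SAMPLE, for example conflicts(open("arp.pcap", "rb").read()).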