NX-OS has had the great Ethanalyzer feature since very early versions. It allows you to perform limited packet captures directly on your NX-OS based switch!

white_paper_c11-554444_0

It is however a pain to use practically and has lots of limitations. One of the biggest limitations is that it can only capture traffic hitting the CPU – so you are limited to control plane and management plane traffic only. That however is key to solving many problems that are often associated with (or blamed on) the network.

Here is an example that captures, displays and filters ARP packets processed through the switch these commands are being performed on.

  • To initiate an ARP only capture for the first 400 packets:
ethanalyzer local interface inband capture-filter arp limit-captured-frames 400 write bootflash:arp.pcap
  • To view the capture:
ethanalyzer local read bootflash:arp.pcap detail
  • To only display limited 10.1.101.5 packets:
ethanalyzer local read bootflash:arp.pcap display-filter "arp.src.proto_ipv4==10.1.101.5" detail

 

The filters used in the above examples are definitely cryptic. The good news however is that if you are familiar with Wireshark, you can build the filter in the Wireshark GUI and then you can copy/paste the filters directly into the filter options shown above.

You can see more filter examples here and here.

You can read more about Ethanalyzer here – with many more great practical examples.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s