With NSX-T logical networking the Tier-0 uplinks become the central passage for all of the North-South traffic—i.e., traffic between the NSX-T logical networks and the physical network.
This makes the uplinks a critical point in the NSX-T data plane, and one that we may want to place under a magnifying glass from time to time.
In this short article I’ll walk through setting up and managing packet captures on Tier-0 uplinks.
1 – Identify active SR location
This step is relevant when the Tier-0 gateway is running in Active-Passive HA mode. Most of the time the interesting packets will be on the active uplinks and we need to figure out where these are situated.
With Active-Active HA mode all of the Tier-0 uplinks forward traffic, and therefore all of them are points of interest when it comes to capturing packets.
In the NSX Manager UI, navigate to Advanced Networking & Security > Networking > Routers. Click the Active-Standby link for the Tier-0 gateway:
Here the active Tier-0 SR is located on edgevm01.
2 – Identify interface ID
Also under Advanced Networking & Security > Networking > Routers we click the name link of the Tier-0 gateway. This opens up the details pane where we choose Configuration > Router Ports:
Copy the ID of the uplink interfaces that use the Edge node with the active Tier-0 SR:
3 – Start capture session
SSH into the Edge node with the active Tier-0 SR. To capture 50 outgoing/northbound packets run the following command:
start capture interface <ID> direction output count 50 file capture.pcap
4 – Copy capture file
The resulting capture.pcap file can now be copied to an SFTP server. For example:
copy file capture.pcap url scp://firstname.lastname@example.org/captures
After a successful copy you might want to delete the capture.pcap file from the Edge node’s file store:
del file capture.pcap
5 – Open capture file
Open the capture file in a packet analyzer like Wireshark to start investigating the captured packets:
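Wireshark is the usual tool for this, but a quick command-line triage of the capture file is often enough to see which flows dominate the uplink before digging in. The script below is an added example, not part of the original article and not an NSX-T tool: it parses a classic pcap file (the format the Edge CLI writes), strips an 802.1Q tag if the uplink is VLAN-tagged, and counts packets per IPv4 5-tuple. The frames in build_sample_pcap() are constructed inline so it runs offline; point it at a real capture.pcap as the first argument to use it on the output of step 3.

```python
"""Triage a Tier-0 uplink capture: group packets by IP 5-tuple and report top flows."""
import struct
import sys
from collections import Counter

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _mac(last):
    # Constructed locally administered MAC addresses for the sample frames
    return bytes([0x02, 0x50, 0x56, 0x00, 0x00, last])


def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header; checksum left zero, which is fine for an offline parser demo
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def build_sample_pcap():
    """Constructed pcap with three frames (not a real capture): a TCP SYN,
    a VLAN-tagged UDP DNS query, and an ARP frame that carries no IP layer."""
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    udp_dns = struct.pack("!HHHH", 53001, 53, 8, 0)
    frames = [
        _mac(2) + _mac(1) + struct.pack("!H", ETH_IPV4)
        + _ipv4("10.10.1.5", "203.0.113.10", 6, tcp_syn),
        _mac(2) + _mac(1) + struct.pack("!HHH", ETH_VLAN, 100, ETH_IPV4)
        + _ipv4("10.10.2.7", "198.51.100.53", 17, udp_dns),
        _mac(2) + _mac(1) + struct.pack("!H", 0x0806) + bytes(28),
    ]
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_packets(data):
    """Yield (timestamp, frame bytes) from a classic pcap; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        order = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    linktype = struct.unpack(order + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("expected Ethernet (LINKTYPE_ETHERNET=1), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def flow_key(frame):
    """Return (proto, src, sport, dst, dport) for an IPv4 frame, or None for non-IP."""
    if len(frame) < 14:
        return None
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype == ETH_VLAN:  # uplinks are often VLAN-tagged: skip the 4-byte 802.1Q tag
        etype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if etype != ETH_IPV4 or len(frame) < off + 20:
        return None
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (PROTO_NAMES.get(proto, str(proto)), src, sport, dst, dport)


def summarize(data):
    """Count packets per flow; returns totals and a Counter keyed by 5-tuple."""
    flows = Counter()
    total = non_ip = 0
    for _, frame in iter_packets(data):
        total += 1
        key = flow_key(frame)
        if key is None:
            non_ip += 1
        else:
            flows[key] += 1
    return {"packets": total, "non_ip": non_ip, "flows": flows}


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    s = summarize(raw)
    print("%d packets, %d non-IP" % (s["packets"], s["non_ip"]))
    for (proto, src, sp, dst, dp), n in s["flows"].most_common(20):
        print("%6d  %-4s %s:%s -> %s:%s" % (n, proto, src, sp, dst, dp))
```

Run it as `python3 triage.py capture.pcap` after copying the file off the Edge node; with no argument it uses the constructed sample. The VLAN handling matters on Tier-0 uplinks specifically, since a capture taken with direction output frequently shows the tagged frames as they leave towards the physical network.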
And that’s how easy it is to capture traffic on Tier-0 uplinks.
It’s not uncommon that you need to capture network traffic as part of investigating some kind of application issue. For that reason I recommend that you document the IDs of the Tier-0 uplink interfaces in advance and have an SFTP server ready to go so that you don’t have to waste valuable time on preparing the packet capture itself.
Thanks for reading.