Packet Capture On Tier-0 Uplinks


With NSX-T logical networking the Tier-0 uplinks become the central passage for all North-South traffic, i.e. traffic between the NSX-T logical networks and the physical network.

That makes them a critical point in the NSX-T data plane, and one we might want to place under a magnifying glass from time to time.

In this short article I’ll walk through setting up and managing packet captures on Tier-0 uplinks.

1 – Identify active SR location

This step matters when the Tier-0 gateway runs in Active-Standby HA mode: only the service router (SR) on the active Edge node forwards traffic, so the interesting packets are on that node's uplinks and we first need to figure out which Edge node that is.

In Active-Active HA mode every Tier-0 SR forwards traffic, so all of the Tier-0 uplinks are points of interest when it comes to capturing packets.

In the NSX Manager UI, navigate to Advanced Networking & Security > Networking > Routers. Click the Active-Standby link for the Tier-0 gateway:

Here the active Tier-0 SR is located on edgevm01.

2 – Identify interface ID

Still under Advanced Networking & Security > Networking > Routers, click the name of the Tier-0 gateway. This opens the details pane, where we choose Configuration > Router Ports:

Copy the IDs of the uplink interfaces that live on the Edge node hosting the active Tier-0 SR:

3 – Start capture session

SSH into the Edge node with the active Tier-0 SR as the admin user. To capture 50 outgoing (northbound) packets on an uplink and write them to a file, run:

start capture interface <ID> direction output count 50 file capture.pcap

Here direction output selects packets leaving the uplink towards the physical network; use direction input for the southbound side. The count bounds the capture so it stops by itself and cannot fill the Edge node's file store, and an expression filter can be appended when only specific traffic is of interest.

For example:

4 – Copy capture file

The resulting capture.pcap file can now be copied off the Edge node with copy file, which accepts an scp:// or sftp:// URL. For example, to an SFTP server reachable over SCP:

copy file capture.pcap url scp://root@sftp.demo.local/captures

Keep in mind that a capture may contain application payloads and credentials in clear text, so transfer it only to a host you control and prefer a dedicated, low-privileged account over root.

After a successful copy, delete capture.pcap from the Edge node's file store so that it does not linger there:

del file capture.pcap

5 – Open capture file

Open the capture file in a packet analyzer like Wireshark to start investigating the captured packets:

Summary

And that’s how easy it is to capture traffic on Tier-0 uplinks.

It's not uncommon to need a network capture as part of investigating some kind of application issue. For that reason I recommend documenting the IDs of the Tier-0 uplink interfaces in advance and keeping an SFTP server ready to go, so that you don't waste valuable time preparing the packet capture itself.
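Steps 1 to 3 above can be prepared ahead of time from the NSX-T Manager API instead of clicking through the UI each time. The following script is an added example and not code from the original post: it takes the logical router object, its status, the edge cluster and the router ports, keeps only the Tier-0 uplink ports, picks the node(s) that actually forward traffic (the ACTIVE SR in Active-Standby mode, every SR in Active-Active mode) and emits the start capture command for each. The sample responses are constructed and trimmed to the fields used; the field names follow the Manager (v1) API objects returned by /api/v1/logical-routers, /logical-routers/<id>/status, /logical-router-ports and /edge-clusters/<id>, but treat them, the edge cluster member display_name, the per-port capture file names and the admin SSH user as assumptions to verify against your own NSX-T version.

```python
"""Plan Tier-0 uplink packet captures from NSX-T Manager API data.

Added example, not from the original post. Stdlib only; runs offline against
the constructed sample responses below.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample API responses, trimmed to the fields this script reads.
# Field names follow the NSX-T Manager (v1) API objects returned by
#   GET /api/v1/logical-routers/<id>
#   GET /api/v1/logical-routers/<id>/status
#   GET /api/v1/logical-router-ports?logical_router_id=<id>
#   GET /api/v1/edge-clusters/<id>
# (assumed; verify against your version). IDs and names are made up.
TIER0_JSON = json.dumps({
    "id": "t0-gw-1111",
    "display_name": "tier0-gw",
    "router_type": "TIER0",
    "high_availability_mode": "ACTIVE_STANDBY",
    "edge_cluster_id": "ec-2222",
})
TIER0_STATUS_JSON = json.dumps({
    "logical_router_id": "t0-gw-1111",
    "per_node_status": [
        {"transport_node_id": "tn-aaaa", "high_availability_status": "ACTIVE"},
        {"transport_node_id": "tn-bbbb", "high_availability_status": "STANDBY"},
    ],
})
EDGE_CLUSTER_JSON = json.dumps({
    "id": "ec-2222",
    "members": [
        {"member_index": 0, "transport_node_id": "tn-aaaa", "display_name": "edgevm01"},
        {"member_index": 1, "transport_node_id": "tn-bbbb", "display_name": "edgevm02"},
    ],
})
ROUTER_PORTS_JSON = json.dumps({
    "results": [
        {"id": "port-uplink-01", "resource_type": "LogicalRouterUpLinkPort",
         "logical_router_id": "t0-gw-1111", "edge_cluster_member_index": [0],
         "display_name": "uplink-edgevm01"},
        {"id": "port-uplink-02", "resource_type": "LogicalRouterUpLinkPort",
         "logical_router_id": "t0-gw-1111", "edge_cluster_member_index": [1],
         "display_name": "uplink-edgevm02"},
        {"id": "port-downlink-01", "resource_type": "LogicalRouterDownLinkPort",
         "logical_router_id": "t0-gw-1111", "display_name": "to-tier1"},
    ],
})


def nodes_to_capture(tier0: dict, status: dict) -> List[str]:
    """Transport node IDs whose Tier-0 uplinks are forwarding traffic.

    Active-Standby: only the node hosting the ACTIVE SR (step 1 of the post).
    Active-Active: every SR forwards, so every node with an SR is returned.
    """
    per_node = status["per_node_status"]
    if tier0["high_availability_mode"] == "ACTIVE_STANDBY":
        return [n["transport_node_id"] for n in per_node
                if n["high_availability_status"] == "ACTIVE"]
    return [n["transport_node_id"] for n in per_node]


def uplink_ports_by_node(tier0: dict, edge_cluster: dict, ports: dict) -> Dict[str, List[dict]]:
    """Map transport node ID -> Tier-0 uplink ports hosted on that node.

    Uplink ports reference an edge cluster member index, so the edge cluster
    membership is used to translate the index into a transport node.
    """
    index_to_node = {m["member_index"]: m["transport_node_id"]
                     for m in edge_cluster["members"]}
    by_node: Dict[str, List[dict]] = {}
    for port in ports["results"]:
        if port["resource_type"] != "LogicalRouterUpLinkPort":
            continue  # downlinks, linked ports etc. are not uplinks
        if port["logical_router_id"] != tier0["id"]:
            continue
        for idx in port["edge_cluster_member_index"]:
            by_node.setdefault(index_to_node[idx], []).append(port)
    return by_node


def plan_captures(tier0: dict, status: dict, edge_cluster: dict, ports: dict,
                  count: int = 50, direction: str = "output") -> List[Tuple[str, str]]:
    """Return (Edge node display name, Edge CLI command) per uplink to capture."""
    node_names = {m["transport_node_id"]: m["display_name"]
                  for m in edge_cluster["members"]}
    by_node = uplink_ports_by_node(tier0, edge_cluster, ports)
    plan: List[Tuple[str, str]] = []
    for node_id in nodes_to_capture(tier0, status):
        for port in by_node.get(node_id, []):
            # Same command shape as in step 3; one file per uplink (assumed naming).
            cmd = (f"start capture interface {port['id']} direction {direction} "
                   f"count {count} file {port['display_name']}.pcap")
            plan.append((node_names[node_id], cmd))
    return plan


def demo_plan(ha_mode: str = "ACTIVE_STANDBY") -> List[Tuple[str, str]]:
    """Build the plan from the constructed sample data, overriding the HA mode."""
    tier0 = json.loads(TIER0_JSON)
    tier0["high_availability_mode"] = ha_mode
    return plan_captures(tier0, json.loads(TIER0_STATUS_JSON),
                         json.loads(EDGE_CLUSTER_JSON), json.loads(ROUTER_PORTS_JSON))


if __name__ == "__main__":
    for node, cmd in demo_plan():
        print(f"ssh admin@{node}  ->  {cmd}")
```

Run it as-is to see the Active-Standby plan (only edgevm01's uplink); call demo_plan("ACTIVE_ACTIVE") to get one command per Edge node. Feeding it live data is a matter of replacing the four JSON constants with the corresponding API responses.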

Thanks for reading.
