Packet Capture On Tier-0 Uplinks

With NSX-T logical networking the Tier-0 uplinks become the central passage for all of the North-South traffic—i.e., traffic between the NSX-T logical networks and the physical network.

A critical point in the NSX-T data plane and one that we might want to place under a magnifying glass from time to time.

In this short article I’ll walk through setting up and managing packet captures on Tier-0 uplinks.

1 – Identify active SR location

This step is relevant when the Tier-0 gateway is running in Active-Passive HA mode. Most of the time the interesting packets will be on the active uplinks and we need to figure out where these are situated.

With Active-Active HA mode all of the Tier-0 uplinks are involved in forwarding traffic and therefore points of interest when it comes to capturing packets

In the NSX Manager UI, navigate to Advanced Networking & Security > Networking > Routers. Click the Active-Standby link for the Tier-0 gateway:

Here the active Tier-0 SR is located on edgevm01.

2 – Identify interface ID

Also under Advanced Networking & Security > Networking > Routers we click the name link of the Tier-0 gateway. This opens up the details pane where we choose Configuration > Router Ports:

Copy the ID of the uplink interfaces that use the Edge node with the active Tier-0 SR:

3 – Start capture session

SSH into the Edge node with the active Tier-0 SR. To capture 50 outgoing/northbound packets run the following command:

start capture interface <ID> direction output count 50 file capture.pcap

For example:

4 – Copy capture file

The resulting capture.pcap file can now be copied to an SFTP server. For example:

copy file capture.pcap url scp://root@sftp.demo.local/captures 

After a successful copy you might want to delete the capture.pcap file from the Edge node’s file store:

del file capture.pcap

5 – Open capture file

Open the capture file in a packet analyzer like Wireshark to start investigating the captured packets:


And that’s how easy it is to capture traffic on Tier-0 uplinks.

It’s not uncommon that you need to capture network traffic as part of investigating some kind of application issue. For that reason I recommend that you document the IDs of the Tier-0 uplink interfaces in advance and have an SFTP server ready to go so that you don’t have to waste valuable time on preparing the packet capture itself.

Thanks for reading.

1 Comment

Leave a Reply to garyhills738 Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.