Introduction
When you run into a network problem, capturing packets is a good way to troubleshoot it. On a PC you can use a tool like Wireshark, but when the point you need to capture at is somewhere a PC cannot easily be plugged in, for example a router in the core network, you have to use the packet capture feature built into IOS. Cisco IOS supports this feature from version 12.4(20) onward. Be warned, though: capturing packets on IOS is remarkably convoluted, so read carefully.
Step 1: Configure the Buffer
Captured packets are stored in a buffer, so the first thing to do is define the buffer's parameters. Use the monitor capture buffer <word> command, where <word> is the name you give this buffer.
Router#monitor capture buffer BUFFER_1 ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
The first decision is whether the buffer is linear or circular:
- Linear means that once the buffer fills up, the capture stops automatically.
- Circular means the buffer is reused in a loop: once it is full, the oldest captured packets are overwritten by new ones.
In this example, we use the linear setting.
Router#monitor capture buffer BUFFER_1 linear
Next, define size and max-size:
- Size sets the capacity of the buffer (in Kbytes).
- Max-size sets the upper limit on the size of each captured packet (in bytes); if a packet is larger than this limit, the part beyond the limit is not captured.
Let's set size to 4096 and max-size to 1024.
Router#monitor capture buffer BUFFER_1 size ?
<256-102400> Buffer size in Kbytes : 102400K or less (default is 1024K)
Router#monitor capture buffer BUFFER_1 size 4096
Router#
Router#monitor capture buffer BUFFER_1 max-size ?
<68-9500> Element size in bytes : 9500 bytes or less (default is 68 bytes)
Router#monitor capture buffer BUFFER_1 max-size 1024
Next, consider whether to add a filter. A filter narrows what the buffer captures so that only packets matched by an access-list are recorded, which makes it much easier to find what you are looking for during analysis. Remember to define the access-list before adding the filter.
Router#monitor capture buffer BUFFER_1 filter access-list ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
Router#monitor capture buffer BUFFER_1 filter access-list 100
Finally, verify the buffer settings with show monitor capture buffer <word> parameters. Note that the Associated Capture Points field is empty, because the capture point is only defined in the next step.
Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture buffer BUFFER_1 filter access-list 100
Step 2: Configure the Capture Point
The capture point is the location where you want to capture packets. The command is monitor capture point ....
Router#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
Do you want to capture IPv4 or IPv6 packets?
Next, is the packet flow you want to capture CEF-switched or process-switched?
Router#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
Then give the capture point a name, and finally enter the interface to capture on and the direction.
Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 ?
both capture ingress and egress
in capture on ingress
out capture on egress
In this test, we define two capture points.
Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 both
Router#
Jul 17 06:05:51.715: %BUFCAP-6-CREATE: Capture Point POINT_1 created.
Router#monitor capture point ip cef POINT_2 gigabitEthernet 0/1 both
Router#
Jul 17 06:08:02.419: %BUFCAP-6-CREATE: Capture Point POINT_2 created.
Finally, check the configuration with show monitor capture point all. Note that the capture point status is Inactive at this point: it is configured, but not yet started.
Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both
Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both
Step 3: Associate
Associate both capture points with the buffer.
Router#monitor capture point associate POINT_1 BUFFER_1
Router#monitor capture point associate POINT_2 BUFFER_1
Then check the buffer settings again. Associated Capture Points is now populated, which means packets captured at POINT_1 and POINT_2 will be placed into BUFFER_1.
Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : POINT_1, Status : Inactive
Name : POINT_2, Status : Inactive
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture point associate POINT_1 BUFFER_1
monitor capture point associate POINT_2 BUFFER_1
monitor capture buffer BUFFER_1 filter access-list 100
Step 4: Start and Stop
Everything is ready; the packet capture can now be started.
You can start the capture points one at a time:
Router#monitor capture point start POINT_1
Router#monitor capture point start POINT_2
or simply start them all at once:
Router#monitor capture point start all
Router#
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_1 enabled.
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_2 enabled.
The capture points now show as Active.
Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: BUFFER_1
Status : Active
Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both
Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: BUFFER_1
Status : Active
Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both
When you decide you have enough, you can stop the packet capture manually:
Router#monitor capture point stop all
Router#
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
or wait until the buffer is full, at which point the capture stops automatically, because we chose a linear buffer in Step 1.
Router#
Jul 17 06:20:57.775: %BUFCAP-5-ELEM_TRIMMED: Element trimmed as there was not enough space in capture buffer BUFFER_1. Original Size: 1024; Copied Size: 388.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Jul 17 06:20:57.775: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer BUFFER_1 is full.
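The %BUFCAP messages shown above are worth collecting centrally rather than just watching on the console: starting a capture on a core router is a privileged action, a capture point left running is easy to forget, and a linear buffer that filled up tells you the capture ended early. The following Python script is an added example, not part of the original article, that parses a constructed log modelled on the messages above, tracks each capture point's state and run duration, and reports full buffers and trimmed elements. The two ENABLE lines at 06:19:30 are constructed to stand in for the restart that the article's output does not show.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the %BUFCAP lines in the article.
# The ENABLE lines at 06:19:30 are constructed (the article does not show
# the restart); the stray "Router#" prompt is kept to show it is tolerated.
SAMPLE_LOG = """\
Jul 17 06:05:51.715: %BUFCAP-6-CREATE: Capture Point POINT_1 created.
Jul 17 06:08:02.419: %BUFCAP-6-CREATE: Capture Point POINT_2 created.
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_1 enabled.
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_2 enabled.
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Router#
Jul 17 06:19:30.000: %BUFCAP-6-ENABLE: Capture Point POINT_1 enabled.
Jul 17 06:19:30.000: %BUFCAP-6-ENABLE: Capture Point POINT_2 enabled.
Jul 17 06:20:57.775: %BUFCAP-5-ELEM_TRIMMED: Element trimmed as there was not enough space in capture buffer BUFFER_1. Original Size: 1024; Copied Size: 388.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Jul 17 06:20:57.775: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer BUFFER_1 is full.
"""

LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+'
    r'%BUFCAP-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s+(?P<msg>.*)$')
POINT_RE = re.compile(r'Capture Point (\S+) ')
BUFFER_RE = re.compile(r'capture buffer (\w+)')
SIZE_RE = re.compile(r'Original Size: (\d+); Copied Size: (\d+)')


def parse_ts(ts):
    # IOS timestamps carry no year; strptime defaults to 1900, which is
    # fine for durations within one capture session.
    return datetime.strptime(' '.join(ts.split()), '%b %d %H:%M:%S.%f')


def summarize_bufcap(log_text):
    """Walk the log once and build per-capture-point and per-buffer state."""
    points, buffers, unparsed = {}, {}, []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts, mnemonic, msg = parse_ts(m['ts']), m['mnemonic'], m['msg']
        if mnemonic in ('CREATE', 'ENABLE', 'DISABLE'):
            pm = POINT_RE.search(msg)
            if not pm:
                unparsed.append(line)
                continue
            p = points.setdefault(pm.group(1),
                                  {'state': 'inactive', 'started': None, 'runs': []})
            if mnemonic == 'ENABLE':
                p['state'], p['started'] = 'active', ts
            else:
                # CREATE and DISABLE both leave the point inactive;
                # DISABLE also closes the open run, if there is one.
                p['state'] = 'inactive'
                if mnemonic == 'DISABLE' and p['started'] is not None:
                    p['runs'].append((p['started'], ts,
                                      (ts - p['started']).total_seconds()))
                    p['started'] = None
        elif mnemonic in ('ELEM_TRIMMED', 'BUFFER_FULL'):
            bm = BUFFER_RE.search(msg)
            b = buffers.setdefault(bm.group(1) if bm else '?',
                                   {'trimmed': [], 'full': False})
            if mnemonic == 'BUFFER_FULL':
                b['full'] = True
            else:
                sm = SIZE_RE.search(msg)
                if sm:
                    b['trimmed'].append((int(sm.group(1)), int(sm.group(2))))
        else:
            unparsed.append(line)
    return {'points': points, 'buffers': buffers, 'unparsed': unparsed}


def findings(summary):
    """Plain-text findings an operator would want after reading the log."""
    out = []
    for name, p in summary['points'].items():
        if p['state'] == 'active':
            out.append(f'{name}: capture point still active (started {p["started"]:%H:%M:%S})')
        for start, end, secs in p['runs']:
            out.append(f'{name}: ran {secs:.3f}s ({start:%H:%M:%S.%f} to {end:%H:%M:%S.%f})')
    for name, b in summary['buffers'].items():
        if b['full']:
            out.append(f'{name}: linear buffer full, capture stopped; clear it before restarting')
        for orig, copied in b['trimmed']:
            out.append(f'{name}: a {orig}-byte element was trimmed to {copied} bytes to fit')
    return out


if __name__ == '__main__':
    for f in findings(summarize_bufcap(SAMPLE_LOG)):
        print(f)
```

The same parser can be pointed at a syslog collector's output; in that case a capture point that is still active when no one is troubleshooting, or a CREATE outside a change window, is the kind of finding worth alerting on.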
Step 5: View the Results
Use show monitor capture buffer <word> dump to view the results.
Router#show monitor capture buffer BUFFER_1 dump
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/0 None
28DD4590: D48CB5F6 DD4018A9 05E7A35C T.5v]@.).g#\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8 ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162 ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/0 Gi0/1
28DD4590: D48CB5F6 DDE0D48C B5F6DD41 T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8 ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162 ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/1 None
28DD4590: D48CB5F6 DD41D48C B5F6DDE0 T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8 ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162 ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
--More--
Hmm... this is not something a normal person can read 😖. It is better to export the result to a PC and examine it at leisure in Wireshark. Of the export destinations listed, scp: is the one to prefer over tftp: or ftp:, since the buffer contains copies of live traffic.
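The dump format is regular enough to decode without Wireshark when an export is not possible: one header line per packet (timestamp, switching path, ingress and egress interface) followed by hex lines whose trailing column is the ASCII rendering. The following Python script is an added example, not part of the original article, that parses the three packets shown above (embedded as a constructed sample copied from the dump), decodes the Ethernet, IPv4 and ICMP headers, verifies the IP and ICMP checksums, and flags frames cut short by max-size. The address and ASCII columns are ignored; only the upper-case hex groups are consumed.

```python
import re
import struct

# Constructed sample: the three packets from the article's dump, verbatim.
# Raw string so the trailing backslash in the first ASCII column survives.
SAMPLE_DUMP = r"""
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/0 None
28DD4590: D48CB5F6 DD4018A9 05E7A35C T.5v]@.).g#\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8 ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162 ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/0 Gi0/1
28DD4590: D48CB5F6 DDE0D48C B5F6DD41 T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8 ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162 ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF : Gi0/1 None
28DD4590: D48CB5F6 DD41D48C B5F6DDE0 T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8 ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162 ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172 cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900 stuvwabcdefghi.
--More--
"""

HEADER_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+ \S+ \S+ \d{1,2} \d{4})\s*:\s*'
    r'(?P<path>.+?)\s*:\s*(?P<in_if>\S+)\s+(?P<out_if>\S+)\s*$')
HEXLINE_RE = re.compile(r'^\s*[0-9A-F]{8}:\s*(?P<rest>.*)$')
HEXWORD_RE = re.compile(r'^(?:[0-9A-F]{2}){1,4}$')


def _ones_complement_sum(data):
    """RFC 1071 style sum; a header with a valid checksum folds to 0xFFFF."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(raw):
    """Decode Ethernet II, IPv4 and (if present) ICMP headers from raw bytes."""
    if len(raw) < 14:
        return {'error': 'truncated Ethernet header'}
    info = {'dst_mac': ':'.join(f'{b:02x}' for b in raw[:6]),
            'src_mac': ':'.join(f'{b:02x}' for b in raw[6:12]),
            'ethertype': struct.unpack('!H', raw[12:14])[0]}
    if info['ethertype'] != 0x0800:
        return info
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if len(ip) < 20 or ihl < 20:
        info['error'] = 'truncated or malformed IPv4 header'
        return info
    total_len = struct.unpack('!H', ip[2:4])[0]
    info.update({'ttl': ip[8], 'proto': ip[9],
                 'src_ip': '.'.join(map(str, ip[12:16])),
                 'dst_ip': '.'.join(map(str, ip[16:20])),
                 # Shorter than the IP total length means max-size cut it off.
                 'truncated': len(ip) < total_len,
                 'ip_checksum_ok': _ones_complement_sum(ip[:ihl]) == 0xFFFF})
    payload = ip[ihl:total_len]
    if info['proto'] == 1 and len(payload) >= 8:
        info.update({'icmp_type': payload[0], 'icmp_code': payload[1],
                     'icmp_checksum_ok': _ones_complement_sum(payload) == 0xFFFF,
                     'icmp_data': payload[8:]})
    return info


def parse_dump(text):
    """Split the dump into packets with header fields, raw bytes and decoded headers."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {'ts': h['ts'], 'path': h['path'], 'in_if': h['in_if'],
                       'out_if': h['out_if'], 'raw': bytearray()}
            packets.append(current)
            continue
        x = HEXLINE_RE.match(line)
        if x and current is not None:
            # Hex groups come first; stop at the first token that is not
            # pure upper-case hex, which is where the ASCII column begins.
            for tok in x['rest'].split():
                if not HEXWORD_RE.match(tok):
                    break
                current['raw'] += bytes.fromhex(tok)
    for p in packets:
        p['raw'] = bytes(p['raw'])
        p.update(decode_frame(p['raw']))
    return packets


def describe(p):
    """One-line summary of a decoded packet."""
    if 'src_ip' not in p:
        return f"{p['in_if']}->{p['out_if']} {p.get('error', 'non-IPv4 frame')}"
    line = (f"{p['in_if']}->{p['out_if']} {p['src_ip']}->{p['dst_ip']} proto={p['proto']} "
            f"ttl={p['ttl']} ipcsum={'ok' if p['ip_checksum_ok'] else 'BAD'}")
    if 'icmp_type' in p:
        line += f" icmp={p['icmp_type']}/{p['icmp_code']}"
    return line + (' TRUNCATED' if p['truncated'] else '')


if __name__ == '__main__':
    for pkt in parse_dump(SAMPLE_DUMP):
        print(describe(pkt))
```

On the sample this shows the same echo request seen twice (ingress on Gi0/0 and egress to Gi0/1) followed by the echo reply arriving on Gi0/1, which is exactly why a capture point with direction both on two interfaces produces duplicate-looking entries. The truncated flag is the check to look at when the buffer was created with a small max-size.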
Router#monitor capture buffer BUFFER_1 export ?
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
Because the buffer is full, if you need to capture again you must clear the buffer first and then start the capture again.
Router#monitor capture buffer BUFFER_1 clear
Jan Ho 2014-07-28
Posted In: Network Services