Introduction
When troubleshooting a network problem, capturing packets is a good way to get to the bottom of it. On a PC we can use a tool such as Wireshark, but when the point we need to capture at is somewhere a PC cannot easily be plugged in, for example a router in the core network, we have to use the packet capture feature built into IOS. Cisco IOS has supported this feature since version 12.4(20). Be warned, though: capturing packets on IOS is incredibly fiddly! Please read carefully.
Step 1: Configure the buffer
Since captured packets are stored in a buffer, the first thing to do is define the buffer's parameters with the monitor capture buffer <word> command, where <word> is the name you give the buffer.
Router#monitor capture buffer BUFFER_1 ?
circular Circular Buffer
clear Clear contents of capture buffer
export Export in Pcap format
filter Configure filters
limit Limit the packets dumped to the buffer
linear Linear Buffer(Default)
max-size Maximum size of element in the buffer (in bytes)
size Packet Dump buffer size (in Kbytes)
<cr>
The first choice is whether the buffer is linear or circular:
- Linear means that once the buffer is full, the capture stops automatically.
- Circular means the buffer is reused in a loop: once it is full, the oldest captured packets are overwritten by new ones.
In our example we use the linear setting.
Router#monitor capture buffer BUFFER_1 linear
Next, define size and max-size:
- Size sets the capacity of the buffer.
- Max-size caps how much of each captured packet is stored; if a packet is larger than this limit, the excess is not captured.
Let's set size to 4096 and max-size to 1024.
Router#monitor capture buffer BUFFER_1 size ?
<256-102400> Buffer size in Kbytes : 102400K or less (default is 1024K)
Router#monitor capture buffer BUFFER_1 size 4096
Router#
Router#monitor capture buffer BUFFER_1 max-size ?
<68-9500> Element size in bytes : 9500 bytes or less (default is 68 bytes)
Router#monitor capture buffer BUFFER_1 max-size 1024
Next, consider whether to add a filter. A filter narrows what the buffer captures to only the packets matched by an access-list, which makes it much easier to find what you are looking for during analysis. Remember to define the access-list before adding the filter.
Router#monitor capture buffer BUFFER_1 filter access-list ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
Router#monitor capture buffer BUFFER_1 filter access-list 100
Finally, verify the buffer settings with show monitor capture buffer <word> parameters. Note that the Associated Capture Points field is empty, because we define the capture points in the next step.
Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture buffer BUFFER_1 filter access-list 100
Step 2: Configure the capture points
A capture point is the location at which you want to capture packets. The command is monitor capture point ...
Router#monitor capture point ?
associate Associate capture point with capture buffer
disassociate Dis-associate capture point from capture buffer
ip IPv4
ipv6 IPv6
start Enable Capture Point
stop Disable Capture Point
Do you want to capture IPv4 or IPv6 packets?
Next, is the packet flow you want to capture CEF-switched or process-switched?
Router#monitor capture point ip ?
cef IPv4 CEF
process-switched Process switched packets
Then give the capture point a name, and finally enter the interface to capture on and the direction.
Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 ?
both capture ingress and egress
in capture on ingress
out capture on egress
In this test we define two capture points.
Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 both
Router#
Jul 17 06:05:51.715: %BUFCAP-6-CREATE: Capture Point POINT_1 created.
Router#monitor capture point ip cef POINT_2 gigabitEthernet 0/1 both
Router#
Jul 17 06:08:02.419: %BUFCAP-6-CREATE: Capture Point POINT_2 created.
Finally, check the configuration with show monitor capture point all. Note that at this stage the capture point status is Inactive: the configuration is in place but it has not yet been started.
Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both
Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: None
Status : Inactive
Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both
Step 3: Associate
Associate the two capture points with the buffer.
Router#monitor capture point associate POINT_1 BUFFER_1
Router#monitor capture point associate POINT_2 BUFFER_1
Then check the buffer settings again; Associated Capture Points is now populated, meaning that packets captured at POINT_1 and POINT_2 will be stored in BUFFER_1.
Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : POINT_1, Status : Inactive
Name : POINT_2, Status : Inactive
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture point associate POINT_1 BUFFER_1
monitor capture point associate POINT_2 BUFFER_1
monitor capture buffer BUFFER_1 filter access-list 100
Step 4: Start and stop
Everything is ready, so the packet capture can now be started.
You can start the capture points one at a time:
Router#monitor capture point start POINT_1
Router#monitor capture point start POINT_2
Or simply start them all at once:
Router#monitor capture point start all
Router#
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_1 enabled.
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_2 enabled.
The capture points can now be seen as started.
Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: BUFFER_1
Status : Active
Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both
Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF , Capture Buffer: BUFFER_1
Status : Active
Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both
When you decide it is time to stop, you can stop the packet capture manually:
Router#monitor capture point stop all
Router#
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Or wait until the buffer is full, at which point the capture stops by itself, because in Step 1 we configured the buffer as linear.
Router#
Jul 17 06:20:57.775: %BUFCAP-5-ELEM_TRIMMED: Element trimmed as there was not enough space in capture buffer BUFFER_1. Original Size: 1024; Copied Size: 388.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Jul 17 06:20:57.775: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer BUFFER_1 is full.
Step 5: View the results
Use show monitor capture buffer <word> dump to look at the results.
Router#show monitor capture buffer BUFFER_1 dump
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 None
28DD4590: D48CB5F6 DD4018A9 05E7A35C           T.5v]@.).g#\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 Gi0/1
28DD4590: D48CB5F6 DDE0D48C B5F6DD41           T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/1 None
28DD4590: D48CB5F6 DD41D48C B5F6DDE0           T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8  ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162  ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
--More--
Hmm... that is not something a normal person can make sense of 😖. It is better to export the result to a PC and study it at leisure in Wireshark.
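The dump is nothing more than each captured Ethernet frame in hex, preceded by the router's clock stamp, the switching path and the ingress/egress interfaces, so it can be made readable (or turned into a pcap file for Wireshark) even when the export step is not available, for example when the only record you have is a terminal log. The following Python script is an added example; it is not part of the original post and is not IOS code. It parses the three packets from the dump above (copied from the page, bytes unchanged), decodes the Ethernet, IPv4 and ICMP headers, verifies the IP and ICMP checksums, flags elements that max-size trimmed (IP total length larger than the bytes present), and serialises the packets as a classic pcap file. The names parse_dump, decode_frame, checksum_ok and to_pcap are my own choices, and the script assumes the router clock is UTC, as the dump shows.

```python
import re
import struct
from datetime import datetime, timezone
from typing import Any, Dict, List

# Copied from the "show monitor capture buffer BUFFER_1 dump" output above (not constructed): the
# ICMP echo request ingress on Gi0/0, the same request on egress Gi0/1, the reply ingress on Gi0/1.
SAMPLE_DUMP = """\
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 None
28DD4590: D48CB5F6 DD4018A9 05E7A35C           T.5v]@.).g#\\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 Gi0/1
28DD4590: D48CB5F6 DDE0D48C B5F6DD41           T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/1 None
28DD4590: D48CB5F6 DD41D48C B5F6DDE0           T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8  ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162  ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
"""

# "hh:mm:ss.mmm ZONE Mon d yyyy : <switch path> : <in-if> <out-if>"
HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\w+) (\w{3} \d{1,2} \d{4}) : (.+?)\s*: (\S+) (\S+)$")
# "ADDRESS: " then up to four 32-bit hex words (the last may be short); the ASCII column is ignored
HEX_RE = re.compile(r"^[0-9A-F]{8}:((?: (?:[0-9A-F]{2}){1,4}){1,4})")

def parse_timestamp(time_str: str, date_str: str) -> float:
    # Assumption: the router clock is UTC, as in the dump above; the zone label is not mapped.
    dt = datetime.strptime(f"{time_str} {date_str}", "%H:%M:%S.%f %b %d %Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()

def checksum_ok(data: bytes) -> bool:
    """Internet checksum check: a header that includes its checksum field sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_frame(raw: bytes) -> Dict[str, Any]:
    """Decode the Ethernet II, IPv4 and (if present) ICMP headers of one dumped element."""
    info: Dict[str, Any] = {"dst_mac": raw[0:6].hex(":"), "src_mac": raw[6:12].hex(":"),
                            "ethertype": struct.unpack("!H", raw[12:14])[0],
                            "frame_len": len(raw), "truncated": False}
    if info["ethertype"] != 0x0800 or len(raw) < 34:
        return info
    ihl = (raw[14] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[16:18])[0]
    # max-size trims long packets (fewer bytes than the IP total length); the dump above also
    # shows one byte past the IP total length on each frame, which bounding to total_len drops.
    info["truncated"] = 14 + total_len > len(raw)
    info["frame_len"] = min(14 + total_len, len(raw))
    info.update(ttl=raw[22], proto=raw[23], ip_checksum_ok=checksum_ok(raw[14:14 + ihl]),
                src_ip=".".join(map(str, raw[26:30])), dst_ip=".".join(map(str, raw[30:34])))
    if info["proto"] == 1 and not info["truncated"]:
        icmp = raw[14 + ihl:14 + total_len]
        info.update(icmp_type=icmp[0], icmp_code=icmp[1], icmp_data=icmp[8:],
                    icmp_id=struct.unpack("!H", icmp[4:6])[0],
                    icmp_seq=struct.unpack("!H", icmp[6:8])[0],
                    icmp_checksum_ok=checksum_ok(icmp))
    return info

def parse_dump(text: str) -> List[Dict[str, Any]]:
    """Turn the text of 'show monitor capture buffer <word> dump' into decoded packets."""
    packets: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append({"timestamp": parse_timestamp(m.group(1), m.group(3)), "path": m.group(4),
                            "in_if": m.group(5), "out_if": m.group(6), "hex": []})
            continue
        m = HEX_RE.match(line)
        if m and packets:
            packets[-1]["hex"].append(m.group(1).replace(" ", ""))
    for pkt in packets:
        pkt["raw"] = bytes.fromhex("".join(pkt.pop("hex")))
        pkt.update(decode_frame(pkt["raw"]))
    return packets

def to_pcap(packets: List[Dict[str, Any]]) -> bytes:
    """Serialise the packets as a classic pcap file (LINKTYPE_ETHERNET) that Wireshark opens."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for pkt in packets:
        sec = int(pkt["timestamp"])
        usec = int(round((pkt["timestamp"] - sec) * 1_000_000))
        data = pkt["raw"][:pkt["frame_len"]]
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)
```

Calling parse_dump(SAMPLE_DUMP) and writing to_pcap(...) to a file gives a capture that Wireshark opens as three 74-byte ICMP frames. Two things the decode makes visible that the raw hex hides: the echo request appears twice, once ingress on Gi0/0 and once egress on Gi0/1, with identical IP and ICMP bytes and only the MAC addresses differing, because both capture points were created with both on a transit router (worth remembering when counting packets, or when choosing in instead of both); and the ELEM_TRIMMED message from Step 4 corresponds to the truncated flag here, an element whose IP total length exceeds the bytes the buffer kept.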
Router#monitor capture buffer BUFFER_1 export ?
ftp: Location to dump buffer
http: Location to dump buffer
https: Location to dump buffer
rcp: Location to dump buffer
scp: Location to dump buffer
tftp: Location to dump buffer
Because the buffer is full, if you need to capture again you must clear the buffer first and then restart the capture.
Router#monitor capture buffer BUFFER_1 clear
Jan Ho 2021-07-22
Posted in: Network Services