Embedded Packet Capture (EPC)

Introduction

When you run into a network problem, capturing packets is one of the most effective ways to troubleshoot it. On a PC we can use a tool like Wireshark, but when the point we need to capture at is somewhere a PC cannot conveniently be plugged in, such as a router in the core network, we have to use the packet capture feature built into IOS. Cisco IOS has supported this feature, Embedded Packet Capture, since Version 12.4(20)T. Capturing packets on IOS is, however, surprisingly convoluted, so read carefully.

Step 1: Configure the Buffer

Captured packets are stored in a buffer, so the first thing to do is define that buffer's parameters with the monitor capture buffer <word> command, where <word> is the name you give the buffer. Note that all of the monitor capture commands in this post are privileged EXEC commands, not configuration commands: they are not written to the running configuration and do not survive a reload.

Router#monitor capture buffer BUFFER_1 ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)
  <cr>

The first choice is whether the buffer is linear or circular:

  • Linear: when the buffer fills up, the capture stops automatically.
  • Circular: the buffer is reused; when it fills up, the oldest captured packets are overwritten by new ones.

In this example we use a linear buffer.

Router#monitor capture buffer BUFFER_1 linear

Next, define size and max-size:

  • size is the capacity of the whole buffer, in kilobytes.
  • max-size is the maximum number of bytes stored for each captured packet; a packet larger than this is cut off and the excess is not captured. The default of 68 bytes keeps little more than the Ethernet, IP and TCP/UDP headers; raising it to 1024, as below, means application payload ends up in the buffer and in any exported file, so handle the export as you would any other capture of possibly sensitive traffic.

Let's set size to 4096 and max-size to 1024.

Router#monitor capture buffer BUFFER_1 size ?
  <256-102400>  Buffer size in Kbytes : 102400K or less (default is 1024K)

Router#monitor capture buffer BUFFER_1 size 4096
Router#
Router#monitor capture buffer BUFFER_1 max-size ?
  <68-9500>  Element size in bytes : 9500 bytes or less (default is 68 bytes)

Router#monitor capture buffer BUFFER_1 max-size 1024

Next, decide whether to add a filter. A filter narrows what the buffer captures to the packets matched by an access-list, which makes it much easier to find what you are after when analysing the result. The access-list must exist before you reference it here, and it can be given by number or by name; 100, used below, is in the extended IP range (100-199), so it can match on protocol, source, destination and port rather than on source address alone.

Router#monitor capture buffer BUFFER_1 filter access-list ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name

Router#monitor capture buffer BUFFER_1 filter access-list 100

Finally, verify the buffer settings with show monitor capture buffer <word> parameters. Note that the Associated Capture Points field is empty, because we define the capture points in the next step, and that Buffer Size is reported in bytes (4194304 bytes = 4096 KB).

Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture buffer BUFFER_1 filter access-list 100

Step 2: Configure the Capture Point

A capture point is the place where packets are captured. The command is monitor capture point...

Router#monitor capture point ?
  associate     Associate capture point with capture buffer
  disassociate  Dis-associate capture point from capture buffer
  ip            IPv4
  ipv6          IPv6
  start         Enable Capture Point
  stop          Disable Capture Point

Is it IPv4 or IPv6 traffic you want to capture?


Next, is the packet flow you want to capture CEF-switched or process-switched? A cef capture point sees traffic forwarded in the CEF path on the interface you name; process-switched captures the packets handled by the route processor itself, such as traffic destined to the router or punted out of the fast path.

Router#monitor capture point ip ?
  cef               IPv4 CEF
  process-switched  Process switched packets

Then give the capture point a name, and finally enter the interface to capture on and the direction.

Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 ?
  both  capture ingress and egress
  in    capture on ingress
  out   capture on egress

In this test we define two capture points.

Router#monitor capture point ip cef POINT_1 gigabitEthernet 0/0 both
Router#
Jul 17 06:05:51.715: %BUFCAP-6-CREATE: Capture Point POINT_1 created.
Router#monitor capture point ip cef POINT_2 gigabitEthernet 0/1 both
Router#
Jul 17 06:08:02.419: %BUFCAP-6-CREATE: Capture Point POINT_2 created.

Finally, check the configuration with show monitor capture point all. Note that the status of each capture point is Inactive and Capture Buffer is None: the points are configured, but not yet bound to a buffer or started.

Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both

Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: None
Status : Inactive

Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both

Step 3: Associate

Bind both capture points to the buffer.

Router#monitor capture point associate POINT_1 BUFFER_1
Router#monitor capture point associate POINT_2 BUFFER_1

Check the buffer settings again: the Associated Capture Points field is now populated, meaning packets captured at POINT_1 and POINT_2 will be written into BUFFER_1.

Router#show monitor capture buffer BUFFER_1 parameters
Capture buffer BUFFER_1 (linear buffer)
Buffer Size : 4194304 bytes, Max Element Size : 1024 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : POINT_1, Status : Inactive
Name : POINT_2, Status : Inactive
Configuration:
monitor capture buffer BUFFER_1 size 4096 max-size 1024 linear
monitor capture point associate POINT_1 BUFFER_1
monitor capture point associate POINT_2 BUFFER_1
monitor capture buffer BUFFER_1 filter access-list 100

Step 4: Start and Stop

Everything is in place, so the packet capture can now be started.

You can start the capture points one at a time:

Router#monitor capture point start POINT_1
Router#monitor capture point start POINT_2

or start them all at once:

Router#monitor capture point start all
Router#
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_1 enabled.
Jul 17 06:15:58.263: %BUFCAP-6-ENABLE: Capture Point POINT_2 enabled.

The capture points are now shown as Active.

Router#show monitor capture point all
Status Information for Capture Point POINT_1
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: BUFFER_1
Status : Active

Configuration:
monitor capture point ip cef POINT_1 GigabitEthernet0/0 both

Status Information for Capture Point POINT_2
IPv4 CEF
Switch Path: IPv4 CEF            , Capture Buffer: BUFFER_1
Status : Active

Configuration:
monitor capture point ip cef POINT_2 GigabitEthernet0/1 both

When you have seen enough, stop the capture manually:

Router#monitor capture point stop all
Router#
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:16:13.983: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.

or wait until the buffer is full, at which point the capture stops by itself, because we chose a linear buffer in Step 1. In the log below, the last packet was trimmed (ELEM_TRIMMED) from 1024 to 388 bytes to fit the space that was left, then both capture points were disabled and BUFFER_FULL was reported. With a circular buffer the oldest elements would have been overwritten instead and the capture would have continued.

Router#
Jul 17 06:20:57.775: %BUFCAP-5-ELEM_TRIMMED: Element trimmed as there was not enough space in capture buffer BUFFER_1. Original Size: 1024; Copied Size: 388.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_1 disabled.
Jul 17 06:20:57.775: %BUFCAP-6-DISABLE: Capture Point POINT_2 disabled.
Jul 17 06:20:57.775: %BUFCAP-5-BUFFER_FULL: Linear Buffer associated with capture buffer BUFFER_1 is full.

Step 5: View the Results

The show monitor capture buffer <word> dump command prints the captured packets.

Router#show monitor capture buffer BUFFER_1 dump
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 None

28DD4590:          D48CB5F6 DD4018A9 05E7A35C      T.5v]@.).g#\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.

06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 Gi0/1

28DD4590:          D48CB5F6 DDE0D48C B5F6DD41      T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.

06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/1 None

28DD4590:          D48CB5F6 DD41D48C B5F6DDE0      T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8  ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162  ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.

 --More--

Hmm... not something a mere mortal can read 😖. Decoding the hex by hand, what we caught is a ping: an ICMP echo request from 192.168.1.2 to 192.168.2.2 arriving on Gi0/0, the same request on its way out of Gi0/1 with the Ethernet addresses rewritten, and the echo reply coming back in on Gi0/1. It is far easier to export the result to a PC and study it in Wireshark. The export command writes the buffer as a pcap file to the URL you give it; of the transports offered, scp: and https: protect the capture in transit, whereas tftp:, ftp:, rcp: and http: send it in cleartext, which matters because the buffer holds up to max-size bytes of every matched packet.

Router#monitor capture buffer BUFFER_1 export ?
  ftp:    Location to dump buffer
  http:   Location to dump buffer
  https:  Location to dump buffer
  rcp:    Location to dump buffer
  scp:    Location to dump buffer
  tftp:   Location to dump buffer

Because the buffer is full, you must clear it before you can capture again. Clearing discards the contents, so export first; the buffer parameters, the capture points and their association stay in place, and you only need to start the capture points again.

Router#monitor capture buffer BUFFER_1 clear
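As an added example for this post (not Cisco's code and not part of the original write-up), the following Python script turns the text of a show monitor capture buffer dump into a pcap file, for the case where none of the export transports above can reach a file server from the router and all you have is a terminal log. It assumes the dump layout printed in Step 5 (a UTC router clock and Ethernet II frames), uses the three elements shown there as constructed sample input, verifies each IPv4 header checksum so a mis-parsed row is caught rather than written out, records a max-size trim like the ELEM_TRIMMED event in Step 4 as incl_len smaller than orig_len so Wireshark flags the packet as truncated, and drops the byte past the IP total length that each element in the dump above carries:

```python
"""Convert `show monitor capture buffer <name> dump` text into a pcap file.
Added example for this post, not Cisco code. Assumes the layout printed in Step 5: a
timestamp header per element, then rows "<addr>: <hex words>  <ascii>" of up to 16
bytes with two or more spaces before the ASCII column; SAMPLE_DUMP is that output."""
import calendar
import re
import struct
from dataclasses import dataclass, field
from datetime import datetime, timezone

HEADER_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[A-Za-z]+) "
                       r"(?P<date>[A-Za-z]{3} +\d{1,2} \d{4}) : (?P<path>.*?)\s*: (?P<ifin>\S+) (?P<ifout>\S+)\s*$")
HEXROW_RE = re.compile(r"^[0-9A-Fa-f]{8}:\s+(?P<rest>\S.*)$")
HEXWORDS_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+(?: (?:[0-9A-Fa-f]{2})+)*$")

SAMPLE_DUMP = r"""
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 None
28DD4590:          D48CB5F6 DD4018A9 05E7A35C      T.5v]@.).g#\
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/0 Gi0/1
28DD4590:          D48CB5F6 DDE0D48C B5F6DD41      T.5v]`T.5v]A
28DD45A0: 08004500 003C3381 00007F01 83EBC0A8  ..E..<3......k@(
28DD45B0: 0102C0A8 02020800 1FB90001 2DA26162  ..@(.....9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
06:17:34.495 UTC Jul 17 2014 : IPv4 LES CEF    : Gi0/1 None
28DD4590:          D48CB5F6 DD41D48C B5F6DDE0      T.5v]AT.5v]`
28DD45A0: 08004500 003C3381 0000FE01 04EBC0A8  ..E..<3...~..k@(
28DD45B0: 0202C0A8 01020000 27B90001 2DA26162  ..@(....'9..-"ab
28DD45C0: 63646566 6768696A 6B6C6D6E 6F707172  cdefghijklmnopqr
28DD45D0: 73747576 77616263 64656667 686900    stuvwabcdefghi.
"""

@dataclass
class Frame:
    ts: datetime
    path: str
    if_in: str
    if_out: str
    data: bytearray = field(default_factory=bytearray)

def parse_dump(text: str) -> list[Frame]:
    """A header line starts a new element; hex rows append bytes to the current one."""
    frames: list[Frame] = []
    for line in text.splitlines():
        if hdr := HEADER_RE.match(line.rstrip()):
            if hdr["tz"] != "UTC":  # refuse to guess the router's clock offset
                raise ValueError(f"router clock is not UTC: {hdr['tz']}")
            stamp = f"{hdr['time']} {' '.join(hdr['date'].split())}"
            ts = datetime.strptime(stamp, "%H:%M:%S.%f %b %d %Y").replace(tzinfo=timezone.utc)
            frames.append(Frame(ts, hdr["path"].strip(), hdr["ifin"], hdr["ifout"]))
        elif (row := HEXROW_RE.match(line.rstrip())) and frames:
            words = re.split(r"\s{2,}", row["rest"], maxsplit=1)[0]  # hex words, not the ASCII column
            if HEXWORDS_RE.match(words):
                frames[-1].data += bytes.fromhex(words.replace(" ", ""))
    return frames

def declared_length(data: bytes) -> int:
    """Ethernet II + IPv4: 14 + IP total length. Anything else: the element as stored."""
    if len(data) >= 34 and data[12:14] == b"\x08\x00" and data[14] >> 4 == 4:
        return 14 + struct.unpack("!H", data[16:18])[0]
    return len(data)

def ipv4_header_ok(data: bytes) -> bool:
    """One's-complement sum of the IPv4 header, checksum field included, must fold to 0xFFFF."""
    ihl = (data[14] & 0x0F) * 4
    total = sum(struct.unpack(f"!{ihl // 2}H", data[14:14 + ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def summarize(frame: Frame) -> dict:
    """Enough L2/L3 detail to sanity-check a frame before trusting the pcap."""
    d = bytes(frame.data)
    info = {"in": frame.if_in, "out": frame.if_out, "captured": len(d), "wire": declared_length(d)}
    if len(d) >= 34 and d[12:14] == b"\x08\x00":
        ihl = (d[14] & 0x0F) * 4
        info.update(ttl=d[22], proto=d[23], checksum_ok=ipv4_header_ok(d),
                    src=".".join(map(str, d[26:30])), dst=".".join(map(str, d[30:34])))
        if d[23] == 1 and len(d) > 14 + ihl:  # ICMP: type is the first byte after the IP header
            info["icmp_type"] = d[14 + ihl]
    return info

def to_pcap(frames: list[Frame]) -> bytes:
    """Classic pcap, LINKTYPE_ETHERNET. incl_len < orig_len records a max-size trim;
    bytes past the IP total length (the dump above carries one per element) are dropped."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for f in frames:
        data, orig = bytes(f.data), declared_length(bytes(f.data))
        out += struct.pack("<IIII", calendar.timegm(f.ts.utctimetuple()), f.ts.microsecond, min(orig, len(data)), orig)
        out += data[:orig]
    return bytes(out)

if __name__ == "__main__":
    captured = parse_dump(SAMPLE_DUMP)
    print(*map(summarize, captured), sep="\n")
    with open("BUFFER_1.pcap", "wb") as fh:  # open this file in Wireshark
        fh.write(to_pcap(captured))
```

Paste a real dump into SAMPLE_DUMP (or read it from the saved terminal log) and open the resulting BUFFER_1.pcap in Wireshark. For the three elements from Step 5 it shows the ICMP echo request inbound on Gi0/0, the same request on its way out of Gi0/1 with rewritten Ethernet addresses, and the echo reply inbound on Gi0/1, each 74 bytes on the wire although the dump prints 75 bytes per element.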

2014-07-28

Posted In: Network Services