NSX-V Edge (ESG) Packet Capture

Capturing packets on the NSX Edge is relatively simple. The ESG uses capture syntax similar to that of tcpdump, with a few minor caveats, which I will cover in this post.
When doing a packet capture, first identify the interface you want to capture traffic on, then define the capture filter so that you only capture the packets you're interested in. This cuts down the noise and leaves you with a fairly clean packet capture; however, there is no reason you can't just capture everything.

To identify the interface, you can use either the NSX UI or the ESG CLI. I prefer the second option, as I am normally already on the CLI when I need to do this:

show interface

Interface vNic_0 is up, line protocol is up
  index 3 metric 1 mtu 1500 <up,broadcast,running,multicast>
  HWaddr: 00:50:56:8e:b9:5d
  inet6 fe80::250:56ff:fe8e:b95d/64
  proxy_arp: disabled
  Auto-duplex (Full), Auto-speed (2808Mb/s)
    input packets 14548, bytes 1576398, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 14629, bytes 1463170, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0

The output lists every interface configured on the ESG, so you will need to scroll through and find your NIC name; in this case it's vNic_0.

Once we have the NIC name, let’s create a packet capture to see if we are getting any VPN (ISAKMP & IPSEC) packets to the ESG from our remote host.

The specifics of our filter are:

  • Remote host IP:
  • IPSEC ports – UDP/500 (ISAKMP) or UDP/4500 (IPSEC)

The actual filter syntax is similar to tcpdump's, but spaces are replaced with underscores. So the command to display the filtered traffic on the console is as follows:

ESG-VPN-01-0> debug packet display interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:32:12.444728 IP > isakmp: phase 1 I ident
04:32:12.451511 IP > isakmp: phase 1 R ident
04:32:12.453122 IP > isakmp: phase 1 I ident
04:32:12.456742 IP > isakmp: phase 1 R ident
04:32:12.457774 IP > isakmp: phase 1 I ident[E]
04:32:13.463003 IP > isakmp: phase 1 R ident
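
The filter above, run through a small model of pcap-filter's evaluation order (an added example, not from the original post): pcap-filter gives `and` and `or` equal precedence and evaluates them left to right, so the filter as written also matches UDP/4500 from hosts other than the peer. It assumes the ESG simply turns underscores back into spaces before calling tcpdump; the sample packets and the reordered filter are constructed for illustration.

```python
# Added example: simplified model of how pcap-filter evaluates and/or.
# Assumption: the ESG turns "_" back into spaces before handing the filter to tcpdump.
PEER = "192.168.255.2"  # remote host from the post's filter
PAGE_FILTER = "host_192.168.255.2_and_udp_port_500_or_udp_port_4500"
REORDERED = "udp_port_500_or_udp_port_4500_and_host_192.168.255.2"  # constructed

# Constructed sample packets (all addresses except PEER are illustrative).
PACKETS = {
    "peer-ike":   {"src": PEER, "dst": "10.0.0.1", "proto": "udp", "sport": 500, "dport": 500},
    "peer-natt":  {"src": "10.0.0.1", "dst": PEER, "proto": "udp", "sport": 4500, "dport": 4500},
    "other-natt": {"src": "203.0.113.9", "dst": "10.0.0.1", "proto": "udp", "sport": 4500, "dport": 4500},
    "peer-dns":   {"src": PEER, "dst": "10.0.0.1", "proto": "udp", "sport": 40000, "dport": 53},
}

def _primitive(tokens, pkt):
    """Evaluate the primitive at the front of tokens; return (matched, rest)."""
    if tokens[:1] == ["host"] and len(tokens) >= 2:
        return tokens[1] in (pkt["src"], pkt["dst"]), tokens[2:]
    if tokens[:2] == ["udp", "port"] and len(tokens) >= 3:
        port = int(tokens[2])
        return pkt["proto"] == "udp" and port in (pkt["sport"], pkt["dport"]), tokens[3:]
    raise ValueError("unsupported or incomplete primitive: %r" % tokens)

def matches(esg_filter, pkt):
    """pcap-filter: 'and' and 'or' have equal precedence, associating left to right."""
    tokens = esg_filter.replace("_", " ").split()
    result, tokens = _primitive(tokens, pkt)
    while tokens:
        op = tokens[0]
        if op not in ("and", "or"):
            raise ValueError("expected and/or, got %r" % op)
        rhs, tokens = _primitive(tokens[1:], pkt)
        result = (result and rhs) if op == "and" else (result or rhs)
    return result

def captured(esg_filter):
    """Names of the sample packets the filter would capture."""
    return [name for name, pkt in PACKETS.items() if matches(esg_filter, pkt)]

if __name__ == "__main__":
    print("as written:", captured(PAGE_FILTER))
    print("host last: ", captured(REORDERED))
```

On an edge that terminates other NAT-T tunnels, putting the host test last keeps the capture limited to the one peer without needing parentheses.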

The debug packet display function is useful for viewing the packet capture on the console and for verifying that your syntax is correct. When you're ready to save the capture to a file, use the syntax below:

ESG-VPN-01-0> debug packet capture interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
/blue_lane/bin/run_tcpdump: line 24: kill: (31737) - No such process
ESG-VPN-01-0> tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
41 packets captured
41 packets received by filter
0 packets dropped by kernel

Press Ctrl+C to stop the capture.

Next let’s have a look at our file, which can be displayed with the following command:

ESG-VPN-01-0> debug show files
total 11K
-rw------- 1 11K Sep 14 04:39 tcpdump_vNic_0.0

OK, so we have our file, but ideally we want to view it in a tool like Wireshark, which means exporting the capture via FTP/SCP to a remote host. To do this, use the syntax below, where the filename is the one shown in the output of the debug show files command.

ESG-VPN-01-0> debug  copy ftp
  URL  user@<remote-host>:<path-to> FILENAME

ESG-VPN-01-0> debug copy ftp cisco@ tcpdump_vNic_0.0
Password: *****
tcpdump_vNic_0.0:                                       10.66 kB  248.44 kB/s

On the remote host, remember to change the filename extension to .pcap so the file will open in Wireshark.

