Capturing packets on the NSX Edge is relatively simple. The ESG uses capture syntax similar to that of TCPDUMP, with a few minor caveats, which I will cover in this post.
When doing a packet capture, the first step is to identify the interface you want to capture traffic on and then define the capture filter, which ensures you only capture the packets that you're interested in. This cuts down the noise and leaves you with a fairly clean packet capture, although there is no reason you can’t just capture everything.
To identify the interface, you can use either the NSX UI or the ESG CLI. I prefer the second option, as I am normally already on the CLI if I am going to be performing this function:
    show interface
    Interface vNic_0 is up, line protocol is up
      index 3 metric 1 mtu 1500 <up,broadcast,running,multicast>
      HWaddr: 00:50:56:8e:b9:5d
      inet6 fe80::250:56ff:fe8e:b95d/64
      inet 192.168.255.1/30
      proxy_arp: disabled
      Auto-duplex (Full), Auto-speed (2808Mb/s)
        input packets 14548, bytes 1576398, dropped 0, multicast packets 0
        input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
        output packets 14629, bytes 1463170, dropped 0
        output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
        collisions 0
The command lists all the interfaces configured on the ESG, so you will need to scroll through the output and find your NIC name. In this case it’s vNic_0.
Once we have the NIC name, let’s create a packet capture to see if we are getting any VPN (ISAKMP & IPSEC) packets to the ESG from our remote host.
The specifics of our filter are:
- Remote host IP: 192.168.255.2
- IPSEC ports – UDP/500 (ISAKMP) or UDP/4500 (IPSEC)
The actual filter syntax is similar to TCPDUMP, but spaces are replaced with underscores. So our syntax to display the filtered packets on the console is as follows:
    ESG-VPN-01-0> debug packet display interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
    04:32:12.444728 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
    04:32:12.451511 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
    04:32:12.453122 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
    04:32:12.456742 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
    04:32:12.457774 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident[E]
    04:32:13.463003 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
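Because the filter follows tcpdump syntax, pcap-filter's precedence rule applies: `and` and `or` have equal precedence and group left to right, so the filter above also matches UDP/4500 traffic from hosts other than the peer. The following is an added example, not code from the original post: it converts a tcpdump-style filter to the underscore form and models that left-to-right evaluation on constructed packets. The helper names, the token whitelist and the assumption that the ESG hands the expression to tcpdump with only the underscores changed are assumptions of this example.

```python
import re

def to_esg_filter(expr: str) -> str:
    """Turn a tcpdump-style filter into the underscore form used on the ESG CLI."""
    tokens = expr.split()
    for tok in tokens:
        # Conservative whitelist chosen for this example (words, numbers, IPs).
        if not re.fullmatch(r"[A-Za-z0-9.:/]+", tok):
            raise ValueError(f"unsupported token in filter: {tok!r}")
    return "_".join(tokens)

def _primitive(tokens, i, pkt):
    """Evaluate one primitive starting at tokens[i]; return (result, next index)."""
    if tokens[i] == "host":
        return tokens[i + 1] in (pkt["src"], pkt["dst"]), i + 2
    if tokens[i:i + 2] == ["udp", "port"]:
        port = int(tokens[i + 2])
        return pkt["proto"] == "udp" and port in (pkt["sport"], pkt["dport"]), i + 3
    raise ValueError(f"primitive not modelled here: {tokens[i]!r}")

def matches(esg_filter: str, pkt: dict) -> bool:
    """Apply and/or strictly left to right with equal precedence (pcap-filter rule)."""
    tokens = esg_filter.split("_")
    result, i = _primitive(tokens, 0, pkt)
    while i < len(tokens):
        op = tokens[i]
        rhs, i = _primitive(tokens, i + 1, pkt)
        if op == "and":
            result = result and rhs
        elif op == "or":
            result = result or rhs
        else:
            raise ValueError(f"expected and/or, got {op!r}")
    return result

# Constructed sample packets (not taken from the capture on this page).
PEER_IKE = {"src": "192.168.255.2", "dst": "192.168.255.1",
            "proto": "udp", "sport": 500, "dport": 500}
OTHER_NATT = {"src": "10.0.0.9", "dst": "192.168.255.1",
              "proto": "udp", "sport": 4500, "dport": 4500}

# The filter from this post, and a reordering that keeps the host restriction.
PAGE_FILTER = to_esg_filter("host 192.168.255.2 and udp port 500 or udp port 4500")
PEER_ONLY = to_esg_filter("udp port 500 or udp port 4500 and host 192.168.255.2")

if __name__ == "__main__":
    for name, flt in (("page filter", PAGE_FILTER), ("peer-only filter", PEER_ONLY)):
        print(name, flt, matches(flt, PEER_IKE), matches(flt, OTHER_NATT))
```

Putting the host test last restricts both ports to the peer without needing parentheses, which this example does not assume the ESG CLI accepts.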
The debug packet display function is useful for viewing the packet capture on the console and verifying that your syntax is correct. When you're ready to save it to a file, use the syntax below:
    ESG-VPN-01-0> debug packet capture interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
    /blue_lane/bin/run_tcpdump: line 24: kill: (31737) - No such process
    ESG-VPN-01-0> tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
    41 packets captured
    41 packets received by filter
    0 packets dropped by kernel
    ^C
Use Ctrl+C to stop the capture.
Next let’s have a look at our file, which can be displayed with the following command:
    ESG-VPN-01-0> debug show files
    total 11K
    -rw------- 1 11K Sep 14 04:39 tcpdump_vNic_0.0
OK, so we have our file, but ideally we want to view it in a tool like Wireshark, which means exporting the capture via ftp/scp to a remote host. To do this, use the syntax below, where the filename is the one shown in the output of the debug show files command.
    ESG-VPN-01-0> debug copy ftp URL user@<remote-host>:<path-to> FILENAME
    ESG-VPN-01-0> debug copy ftp email@example.com:/ tcpdump_vNic_0.0
    Password: *****
    tcpdump_vNic_0.0: 10.66 kB 248.44 kB/s
    ESG-VPN-01-0>
On the remote host, remember to change the filename extension to .pcap so the file will open in Wireshark.