NSX-v Edge (ESG) Packet Capture
Capturing packets on the NSX Edge is relatively simple: the ESG uses capture syntax similar to that of tcpdump, with a few minor caveats, which I will cover in this post.
When doing a packet capture, the first thing to do is to identify the interface you want to capture traffic on and then define the capture filter, which ensures you only capture the packets you're interested in. This cuts down the noise and leaves you with a fairly clean packet capture; however, there is no reason you can't just capture everything.
To identify the interface, you can use either the NSX UI or the ESG CLI. I prefer the second option, as I am normally already on the CLI if I am going to be performing this task:
show interface

Interface vNic_0 is up, line protocol is up
 index 3 metric 1 mtu 1500 <up,broadcast,running,multicast>
 HWaddr: 00:50:56:8e:b9:5d
 inet6 fe80::250:56ff:fe8e:b95d/64
 inet 192.168.255.1/30
 proxy_arp: disabled
 Auto-duplex (Full), Auto-speed (2808Mb/s)
 input packets 14548, bytes 1576398, dropped 0, multicast packets 0
 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
 output packets 14629, bytes 1463170, dropped 0
 output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
 collisions 0
You will get all the interfaces configured on the ESG, so you will need to scroll through and find your NIC name, in this case it’s
Once we have the NIC name, let's create a packet capture to see whether we are receiving any VPN (ISAKMP & IPSEC) packets on the ESG from our remote host.
The specifics of our filter are:
- Remote host IP: 192.168.255.2
- IPSEC ports – UDP/500 (ISAKMP) or UDP/4500 (IPSEC)
The actual filter syntax is the same as tcpdump's, except that the spaces have been replaced with underscores. So the command to display the filtered traffic on the console is as follows:
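To avoid hand-typing the underscore form (and getting a silently wrong filter), the following added example converts an ordinary tcpdump expression into the ESG form and assembles the full `debug packet` command line. This is my own helper, not code from the post or from VMware; it assumes only what the post states (tcpdump syntax, spaces replaced by underscores) and the function names are mine.

```python
"""Build ESG 'debug packet' filters from ordinary tcpdump expressions.

Added example, not from the original post. It relies only on the rule the
post gives: tcpdump filter syntax with spaces replaced by underscores.
Function names and the token whitelist are my own assumptions.
"""
import re

# ESG interface names seen in the post look like vNic_0, vNic_1, ...
_IFACE_RE = re.compile(r"^vNic_\d+$")

# Tokens a plain tcpdump expression needs: keywords, IPv4/IPv6 literals,
# CIDR prefixes and port numbers or ranges. Anything else (parentheses,
# quotes, underscores) would be ambiguous once spaces become underscores.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9.:/\-]+$")


def to_esg_filter(tcpdump_expr: str) -> str:
    """Convert 'host 1.2.3.4 and udp port 500' into the ESG underscore form."""
    tokens = tcpdump_expr.split()
    if not tokens:
        raise ValueError("empty filter expression")
    for tok in tokens:
        if not _TOKEN_RE.match(tok):
            raise ValueError(f"token not safe for the ESG filter form: {tok!r}")
    return "_".join(tokens)


def from_esg_filter(esg_expr: str) -> str:
    """Reverse of to_esg_filter, e.g. to read a filter back off the CLI."""
    return " ".join(part for part in esg_expr.split("_") if part)


def esg_capture_command(action: str, iface: str, tcpdump_expr: str) -> str:
    """Assemble the CLI line for 'display' (console) or 'capture' (to file)."""
    if action not in ("display", "capture"):
        raise ValueError("action must be 'display' or 'capture'")
    if not _IFACE_RE.match(iface):
        raise ValueError(f"unexpected ESG interface name: {iface!r}")
    return f"debug packet {action} interface {iface} {to_esg_filter(tcpdump_expr)}"


if __name__ == "__main__":
    # Same filter as the post: remote peer plus ISAKMP (500) and NAT-T (4500).
    expr = "host 192.168.255.2 and udp port 500 or udp port 4500"
    print(esg_capture_command("display", "vNic_0", expr))
    print(esg_capture_command("capture", "vNic_0", expr))
```

The whitelist is deliberately strict: a token such as `(udp` is rejected rather than converted, because the post only shows flat `and`/`or` expressions and I have not verified how the ESG treats parentheses in the underscore form.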
ESG-VPN-01-0> debug packet display interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:32:12.444728 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
04:32:12.451511 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
04:32:12.453122 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
04:32:12.456742 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
04:32:12.457774 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident[E]
04:32:13.463003 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
The debug packet display function is useful for watching the capture on the console and verifying that your filter syntax is correct. When you're ready to save the capture to a file, use the syntax below:
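The console output above is what you read to answer the actual question (are replies coming back from the remote peer, or is the ESG only sending?). As an added example that is not part of the original post, the following Python parses pasted `debug packet display` output and summarises packets per direction and UDP port, so a one-way exchange stands out. The sample lines are constructed to mirror the ISAKMP exchange in the post; the IP addresses reuse the post's values and the function names are my own.

```python
"""Summarise 'debug packet display' output per direction.

Added example, not from the original post. It parses the tcpdump-style
lines the ESG prints and counts packets sent to, and received from, a
remote VPN peer. The sample captures below are constructed.
"""
import re
from collections import Counter

# One tcpdump line as printed by the ESG, e.g.
# "04:32:12.444728 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident"
# Header lines ("tcpdump: ...", "listening on ...") do not match and are skipped.
_LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>[\w-]+):"
)


def parse_display_output(text: str) -> list:
    """Return one dict per packet line (ts, src, sport, dst, dport, proto)."""
    packets = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"] = int(p["sport"])
            p["dport"] = int(p["dport"])
            packets.append(p)
    return packets


def direction_summary(packets: list, local_ip: str, remote_ip: str) -> dict:
    """Count packets local->remote (by destination port) and remote->local
    (by source port); traffic involving other hosts is ignored."""
    sent, received = Counter(), Counter()
    for p in packets:
        if p["src"] == local_ip and p["dst"] == remote_ip:
            sent[p["dport"]] += 1
        elif p["src"] == remote_ip and p["dst"] == local_ip:
            received[p["sport"]] += 1
    return {"sent": dict(sent), "received": dict(received)}


def peer_is_answering(summary: dict) -> bool:
    """True when at least one packet came back from the remote peer."""
    return sum(summary["received"].values()) > 0


# Constructed sample: a healthy phase 1 exchange, both directions present.
SAMPLE_OK = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
04:32:12.444728 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
04:32:12.451511 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
04:32:12.457774 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident[E]
04:32:13.463003 IP 192.168.255.2.500 > 192.168.255.1.500: isakmp: phase 1 R ident
"""

# Constructed sample: the ESG keeps initiating but nothing ever comes back,
# the pattern you see when the peer or an upstream filter drops UDP/500.
SAMPLE_ONE_WAY = """\
04:40:01.000000 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
04:40:03.000000 IP 192.168.255.1.500 > 192.168.255.2.500: isakmp: phase 1 I ident
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("one-way", SAMPLE_ONE_WAY)):
        s = direction_summary(parse_display_output(text), "192.168.255.1", "192.168.255.2")
        print(name, s, "peer answering:", peer_is_answering(s))
```

Because the filter also matches UDP/4500, NAT-T traffic shows up in the same summary under port 4500, so a result such as `sent: {500: 2, 4500: 6}` with nothing received on 4500 points you at the NAT-T path rather than phase 1.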
ESG-VPN-01-0> debug packet capture interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
/blue_lane/bin/run_tcpdump: line 24: kill: (31737) - No such process
ESG-VPN-01-0> tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
41 packets captured
41 packets received by filter
0 packets dropped by kernel

Press Ctrl-C to stop the capture.
Next let’s have a look at our file, which can be displayed with the following command:
ESG-VPN-01-0> debug show files
total 11K
-rw------- 1 11K Sep 14 04:39 tcpdump_vNic_0.0
OK, so we have our file, but ideally we want to view it in a tool like Wireshark, which means exporting the capture via FTP/SCP to a remote host. To do this, use the syntax below, where FILENAME is the name shown in the debug show files output.
ESG-VPN-01-0> debug copy ftp
 URL user@<remote-host>:<path-to> FILENAME

ESG-VPN-01-0> debug copy ftp email@example.com:/ tcpdump_vNic_0.0
Password: *****
tcpdump_vNic_0.0: 10.66 kB 248.44 kB/s
ESG-VPN-01-0>
On the remote host, remember to change the filename extension to .pcap so it will open in Wireshark.