NSX-v Edge (ESG) Packet Capture


Capturing packets on the NSX Edge is relatively simple: the ESG uses capture syntax similar to that of tcpdump, with a few minor caveats, which I will cover in this post.

When doing a packet capture, the first thing to do is to identify the interface you want to capture traffic on and then define the capture filter, which ensures you only capture the packets you're interested in. This cuts down the noise and leaves you with a fairly clean packet capture; however, there is no reason you can't just capture everything.

To identify the interface, you can use either the NSX UI or the ESG CLI. I prefer the second option, as I am normally already on the CLI if I am going to be doing this:

    show interface

    Interface vNic_0 is up, line protocol is up
      index 3 metric 1 mtu 1500 <up,broadcast,running,multicast>
      HWaddr: 00:50:56:8e:b9:5d
      inet6 fe80::250:56ff:fe8e:b95d/64
      inet
      proxy_arp: disabled
      Auto-duplex (Full), Auto-speed (2808Mb/s)
        input packets 14548, bytes 1576398, dropped 0, multicast packets 0
        input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
        output packets 14629, bytes 1463170, dropped 0
        output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
        collisions 0

You will get all the interfaces configured on the ESG, so you will need to scroll through and find your NIC name; in this case it's vNic_0.

Once we have the NIC name, let’s create a packet capture to see if we are getting any VPN (ISAKMP & IPSEC) packets to the ESG from our remote host.

The specifics of our syntax are:

  • Remote host IP:
  • IPSEC ports – UDP/500 (ISAKMP) or UDP/4500 (IPSEC)

The actual filter syntax is similar to tcpdump's, but spaces are replaced with underscores. So our syntax to display the filter on the console is as follows:

    ESG-VPN-01-0> debug packet display interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
    04:32:12.444728 IP > isakmp: phase 1 I ident
    04:32:12.451511 IP > isakmp: phase 1 R ident
    04:32:12.453122 IP > isakmp: phase 1 I ident
    04:32:12.456742 IP > isakmp: phase 1 R ident
    04:32:12.457774 IP > isakmp: phase 1 I ident[E]
    04:32:13.463003 IP > isakmp: phase 1 R ident
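As an added example (not from the original post), the Python below builds the ESG filter string from tcpdump syntax and evaluates it against constructed packets the way libpcap does: `and` and `or` have equal precedence and associate left to right, so the filter above also captures UDP/4500 from any host, whereas `udp port 500 or udp port 4500 and host 192.168.255.2` scopes both ports to the peer. The ESG address and the sample packets are assumptions.

```python
import re

# Constructed sample traffic: the ESG address is an assumption, 192.168.255.2 is the peer from the post.
ESG_IP = "192.168.255.1"
PEER_IP = "192.168.255.2"
PACKETS = [
    {"src": PEER_IP, "dst": ESG_IP, "proto": "udp", "sport": 500, "dport": 500},
    {"src": "10.9.9.9", "dst": ESG_IP, "proto": "udp", "sport": 4500, "dport": 4500},
    {"src": PEER_IP, "dst": ESG_IP, "proto": "tcp", "sport": 44000, "dport": 22},
]
POST_FILTER = "host 192.168.255.2 and udp port 500 or udp port 4500"
SCOPED_FILTER = "udp port 500 or udp port 4500 and host 192.168.255.2"


def to_esg_filter(expr: str) -> str:
    """Rewrite a tcpdump filter in ESG form: one underscore per space (tokens must not contain '_')."""
    tokens = expr.split()
    if not tokens or not all(re.fullmatch(r"[A-Za-z0-9.]+", t) for t in tokens):
        raise ValueError(f"unsupported token in filter: {expr!r}")
    return "_".join(tokens)


def esg_command(action: str, interface: str, expr: str) -> str:
    """Build the 'debug packet display|capture' line shown in the post."""
    if action not in ("display", "capture"):
        raise ValueError(f"action must be display or capture, got {action!r}")
    return f"debug packet {action} interface {interface} {to_esg_filter(expr)}"


def _parse(expr: str) -> list:
    """Turn 'host X and udp port N ...' into [pred, 'and', pred, 'or', ...] (host and udp port only)."""
    toks, out, i = expr.split(), [], 0
    while i < len(toks):
        if toks[i] in ("and", "or"):
            out.append(toks[i]); i += 1
        elif toks[i] == "host":
            ip = toks[i + 1]
            out.append(lambda p, ip=ip: ip in (p["src"], p["dst"])); i += 2
        elif toks[i:i + 2] == ["udp", "port"]:
            n = int(toks[i + 2])
            out.append(lambda p, n=n: p["proto"] == "udp" and n in (p["sport"], p["dport"])); i += 3
        else:
            raise ValueError(f"unsupported primitive at {toks[i]!r}")
    return out


def matches(expr: str, pkt: dict) -> bool:
    """Evaluate like libpcap: and/or bind equally, left to right, so 'A and B or C' is '(A and B) or C'."""
    items = _parse(expr)
    result = items[0](pkt)
    for op, pred in zip(items[1::2], items[2::2]):
        result = (result and pred(pkt)) if op == "and" else (result or pred(pkt))
    return result
```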

Using the debug packet display function is useful for seeing the capture on the console and verifying that your syntax is correct. When you're ready to save it to a file, use the syntax below:

    ESG-VPN-01-0> debug packet capture interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
    /blue_lane/bin/run_tcpdump: line 24: kill: (31737) - No such process
    ESG-VPN-01-0> tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
    41 packets captured
    41 packets received by filter
    0 packets dropped by kernel

Use Ctrl+C to stop the capture.

Next, let's have a look at our file, which can be displayed with the following command:

    ESG-VPN-01-0> debug show files
    total 11K
    -rw------- 1 11K Sep 14 04:39 tcpdump_vNic_0.0

OK, so we have our file, but ideally we want to view it in a tool like Wireshark, which means exporting the capture via FTP/SCP to a remote host. To do this, use the syntax below, where the filename is the one shown in the output of the debug show files command.

    ESG-VPN-01-0> debug  copy ftp
      URL  user@<remote-host>:<path-to> FILENAME

    ESG-VPN-01-0> debug copy ftp cisco@ tcpdump_vNic_0.0
    Password: *****
    tcpdump_vNic_0.0:                                       10.66 kB  248.44 kB/s

On our remote host, remember to change the filename extension to .pcap so it will open in Wireshark.