Traffic capture

  1. Switch port analyzer (SPAN)
    1. Remote SPAN (RSPAN)
    2. ERSPAN
      1. ERSPAN II header
      2. ERSPAN III header
  2. Inline capture
  3. Router IP traffic export (RITE)
  4. Embedded packet capture (EPC)

Switch port analyzer (SPAN)

  • source:
    • Etherchannel (link, bundle)
    • ≠ dst
  • destination:
    • only 1 SPAN session
    • cannot be Etherchannel (neither links nor bundle)
    • does not participate in STP, CDP, VTP, DTP, PAgP, LACP
      • not captured by SPAN by default
  • if port → RSPAN and RSPAN → mirror, then port →× mirror
  • does not capture traffic routed into the source VLAN
  • copying:
    • Rx: before VACL, QoS, policing
    • Tx: after VACL, QoS, policing
  • ERSPAN ≡ SPAN in GRE
; default – both directions
(config)# monitor session <N> source interface <INTF>

; SRC port sacrifices own resources for SPAN
(config)# monitor session <N> destination interface <INTF> [reflector-port <SRC>]

(config)# monitor session <N> filter vlan <LIST>
; NX-OS, SPAN dst port
(config-if)# switchport monitor

Remote SPAN (RSPAN)

  • learning is disabled in RSPAN VLAN
  • STP is active in RSPAN VLAN
  • only trunks (access ports not supported)
(config-vlan)# remote-span

ERSPAN

(config)# monitor session <N> type erspan-source
(config-mon-erspan-src)# source <INTF>
(config-mon-erspan-src)# no shutdown
(config-mon-erspan-src)# destination

; ID must match on src and dst
(config-mon-erspan-src-dst)# erspan-id <ID>
(config-mon-erspan-src-dst)# ip address <IP>
(config-mon-erspan-src-dst)# origin ip address <SRC_IP>
(config)# monitor session <N> type erspan-destination
(config-mon-erspan-dst)# destination <INTF>
(config-mon-erspan-dst)# no shutdown
(config-mon-erspan-dst)# source
(config-mon-erspan-dst-src)# erspan-id <ID>
(config-mon-erspan-dst-src)# ip address <IP>
; NX-OS, source IP for ERSPAN packets, any value
(config)# monitor erspan origin ip-address <IP>

ERSPAN II header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|          VLAN         | CoS |En |T|     Session ID    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Reserved         |                  Index                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                             Frame                             /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              CRC                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Version: 0x1
T: truncated, 1 ≡ frame did not fit into MTU
En:

  • 00: originally without VLAN tag
  • 01: ISL
  • 10: 802.1Q
  • 11: VLAN tag preserved

ERSPAN III header

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|          VLAN         | CoS |BSO|T|     Session ID    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           Timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              SGT              |P|   FT    |    HWID   |D|Gra|O|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
|Platform ID|                                                   |   \
+-+-+-+-+-+-+              Platform specific info               +    > optional
|                                                               |   /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+
\                                                               \
/                             Frame                             /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              CRC                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Version: 0x2
BSO: bad/short/oversize

  • 00: good frame
  • 01: short frame
  • 10: oversized
  • 11: CRC/alignment error

P: 1 ≡ Ethernet frame
FT: frame type

  • 0: Ethernet
  • 1: IP

D: direction, 0 ≡ ingress, 1 ≡ egress
Gra: timestamp granularity

  • 00: 100ms
  • 01: 100ns
  • 10: PTP
  • 11: user configured

O: 1 ≡ optional header present
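Decoder for both header layouts above (ERSPAN II and ERSPAN III, including the optional platform subheader); added example, not vendor code, with constructed sample packets rather than captured traffic:

```python
import struct

def parse_erspan(data: bytes) -> dict:
    """Decode an ERSPAN II/III header (the GRE payload) into its fields plus
    the mirrored frame; ValueError on truncated or unknown-version input."""
    if len(data) < 8:
        raise ValueError("ERSPAN header needs at least 8 bytes")
    w0, = struct.unpack_from("!I", data, 0)
    hdr = {"version": w0 >> 28,              # 4 bits
           "vlan": (w0 >> 16) & 0xFFF,       # 12 bits
           "cos": (w0 >> 13) & 0x7,          # 3 bits
           "t": (w0 >> 10) & 0x1,            # truncated
           "session_id": w0 & 0x3FF}         # 10 bits
    if hdr["version"] == 0x1:                # ERSPAN II
        hdr["en"] = (w0 >> 11) & 0x3         # 00 untagged, 01 ISL, 10 802.1Q, 11 preserved
        hdr["index"] = struct.unpack_from("!I", data, 4)[0] & 0xFFFFF  # upper 12 bits reserved
        offset = 8
    elif hdr["version"] == 0x2:              # ERSPAN III
        if len(data) < 12:
            raise ValueError("ERSPAN III header needs at least 12 bytes")
        hdr["bso"] = (w0 >> 11) & 0x3        # 00 good, 01 short, 10 oversize, 11 CRC/align
        hdr["timestamp"], w2 = struct.unpack_from("!II", data, 4)
        hdr["sgt"] = w2 >> 16
        hdr["p"] = (w2 >> 15) & 0x1
        hdr["ft"] = (w2 >> 10) & 0x1F
        hdr["hwid"] = (w2 >> 4) & 0x3F
        hdr["d"] = (w2 >> 3) & 0x1           # 0 ingress, 1 egress
        hdr["gra"] = (w2 >> 1) & 0x3
        hdr["o"] = w2 & 0x1
        offset = 12
        if hdr["o"]:                         # optional 8-byte platform subheader
            if len(data) < 20:
                raise ValueError("O bit set but platform subheader missing")
            w3, w4 = struct.unpack_from("!II", data, 12)
            hdr["platform_id"] = w3 >> 26    # 6 bits
            hdr["platform_info"] = ((w3 & 0x3FFFFFF) << 32) | w4
            offset = 20
    else:
        raise ValueError(f"unsupported ERSPAN version {hdr['version']}")
    hdr["frame"] = data[offset:]             # mirrored frame (+ CRC if present)
    return hdr

# Constructed samples (not captured traffic). II: VLAN 100, CoS 5, 802.1Q, session 7,
# index 0x12345. III: VLAN 200, T set, session 1023, O set with platform ID 3.
SAMPLE_II = bytes.fromhex("1064b00700012345") + b"frame-ii"
SAMPLE_III = bytes.fromhex("20c807ff0000abcd001082ab0c000000deadbeef") + b"frame-iii"
if __name__ == "__main__":
    for name, pkt in (("II", SAMPLE_II), ("III", SAMPLE_III)):
        print(name, {k: v for k, v in parse_erspan(pkt).items() if k != "frame"})
```

Feed it the bytes that follow the GRE header of a mirrored packet; a session whose decoded `session_id` or `vlan` does not match the configured `erspan-id` / filter is the first thing to check when a collector sees nothing.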

Inline capture

  • traffic analyzer is tapped into wire
  • disruptive, can affect issue being diagnosed
  • captures all frames, including low level primitives
  • can detect L1 fault
  • expensive

Router IP traffic export (RITE)

  • SPAN alternative for routers
(config)# ip traffic-export profile <NAME>

; destination interface for export
(conf-rite)# interface <INTF>

; collector MAC for Ethernet destination
(conf-rite)# mac-address <MAC>

; inbound default
(conf-rite)# bidirectional

(conf-rite)# incoming access-list <ACL>
(conf-rite)# outgoing access-list <OUT>
(config-if)# ip traffic-export apply <NAME>

Embedded packet capture (EPC)

  • mcast: only ingress, does not capture replicated packets
  • 1 capture buffer per capture point
  • several capture points per interface
# monitor capture buffer <BUFFER> [export <URL>]
# monitor capture buffer <BUFFER> filter <ACL>

; buffer size, 1 MB default
# monitor capture buffer <BUFFER> size <N>

; element size (max bytes kept per captured packet)
# monitor capture buffer <BUFFER> max-size <N>

; linear default
# monitor capture buffer <BUFFER> circular|linear
# monitor capture point ip|ipv6 <CAPTURE> <INTF> both|in|out
# monitor capture point associate <CAPTURE> <BUFFER>
# monitor capture point start|stop <CAPTURE>|all
# show monitor capture buffer [dump]
# show monitor capture point
# debug packet-capture