Genie's Tech Blog

Where knowledge has no dimensions

Packet Capture on ASR1k

Hi Guys,

Recently I came across Cisco's packet capture tool on the ASR1000 platform. You can capture packets in both the ingress and the egress direction. The capture is done on the Quantum Flow Processor (QFP) ASIC of the ESP card. Please note that the capture shown here was taken on IOS-XE version 3.3.1. Below is an example.

Suppose you want to capture packets between an ASR1k and another router, say:

ASR1k ------- ASR9k

(Please remember that the ASR9k is an IOS-XR based router.) The two routers are connected over a TenGigabitEthernet link. To capture the RX (ingress) traffic, you need to enter the following command:

1. debug plat har qfp active data packet ip interface TenGigabitEthernet0/1/0 input

By default, this will capture all packets that enter the PLIM. You can restrict the capture to a particular kind of traffic using an ACL, as shown below:

debug plat har qfp active data packet ip interface TenGigabitEthernet0/1/0 input in-bfd

 

ip access-list extended in-bfd

 permit udp host 192.168.20.1 host 192.168.20.2 eq 3784

The above CLI will capture any BFD packet sourced from the IP of the ASR9k router and destined to the ASR1k router's IP on the connected interface TenGigabitEthernet0/1/0. In a similar way you can capture any other data, and you can also capture IPv6 data using the CLI below:
 
debug plat har qfp active data packet ipv6 interface TenGigabitEthernet0/1/0 input in-v6bfd

In order to enable the packet capture, you need to enter the following command:
 
debug plat har qfp active packet int TenGigabitEthernet0/1/0 entity PKT_TRACE packet-only input

The above command will start the packet capture. You can check the capture status of the QFP datapath using the below command:
 
show platform software debug fp active datapath summary
 
In order to look at the packet, you need to enter the Linux shell. Please remember that this should be used only on a Cisco engineer's recommendation. Also, please remember that on the ASR1000 platform, IOS runs as a process (IOSD) on top of Linux. To be able to enter shell mode, you need to enter the following command from config mode:
 
platform shell
 
Now, in order to enter into the shell, please issue the following command:
 
ASR1000# request platform software system shell fp active

NOTE: Tracing output is stored in the file /tmp/fp/trace/cpp_cp_F0-0.log on FP0 if the active FP is FP0. Otherwise, it will be in /tmp/fp/trace/cpp_cp_F1-0.log on FP1. When these files reach a certain size, they are rotated, i.e. a timestamp is added to the name of the current file and a new one is opened.

You can view the contents of the file using the below command: 

F3.3.1>tail -n 50 /tmp/fp/trace/cpp_cp_F0-0.log

<Sample Data>

-PKT_DATA: 6c9ced16 8c80001d 707e1b10 080045c0 0034abb7 0000ff11 65edc0a8 1402c0a8 1401c000 0ec80020 5cff20c0 03180000 0001800d 000a0000 c3500000 c3500000 0000 
05/17 12:09:29.490 [(null)]: (debug): 
QFP:00 Thread:015 TS:00000119382827336304 RX PKT_TRACE TenGigabitEthernet0/1/0 len 66 IP PRI  
-PKT_DATA: 001d707e 1b106c9c ed168c80 080045c0 00340000 0000ff11 11a5c0a8 1401c0a8 1402c000 0ec80020 000020c8 0318800d 000a0000 00010000 c3500000 c3500000 0000 
05/17 12:09:29.500 [(null)]: (debug): 
QFP:00 Thread:144 TS:00000119382734576384 RX PKT_TRACE TenGigabitEthernet0/1/0 len 86 IPv6   
-PKT_DATA: 001d707e 1b106c9c ed168c80 86dd6c00 00000020 11fefe80 00000000 00000000 00000000 00e2fe80 00000000 00000000 00000000 00e1c000 0ec80020 078420c8 0318800d 000b0000 00030000 c3500000 c3500000 0000 
05/17 12:09:29.674 [(null)]: (debug): 
QFP:00 Thread:071 TS:00000119382734573572 RX PKT_TRACE TenGigabitEthernet0/1/0 len 66 IP PRI  
-PKT_DATA: 001d707e 1b106c9c ed168c80 080045c0 00340000 0000ff11 11a5c0a8 1401c0a8 1402c000 0ec80020 000020c8 0318800d 000a0000 00010000 c3500000 c3500000 0000
You can decode the above hex values using hex2pcap, a Linux-based tool:
 
genie@cgt-lnx% hex2pcap -t EN10MB -l 6c9ced16 8c80001d 707e1b10 080045c0 0034ff8a 0000ff11 121ac0a8 1402c0a8 1401c000 0ec80020 5cff20c0 03180000 0001800d 000a0000 c3500000 c3500000 0000
Frame 1 (66 bytes on wire, 66 bytes captured)
    Arrival Time: Jan  1, 1970 01:00:00.000000000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes
    Capture Length: 66 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bfd]
Ethernet II, Src: 00:1d:70:7e:1b:10 (00:1d:70:7e:1b:10), Dst: 6c:9c:ed:16:8c:80 (6c:9c:ed:16:8c:80)
    Destination: 6c:9c:ed:16:8c:80 (6c:9c:ed:16:8c:80)
        Address: 6c:9c:ed:16:8c:80 (6c:9c:ed:16:8c:80)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1d:70:7e:1b:10 (00:1d:70:7e:1b:10)
        Address: 00:1d:70:7e:1b:10 (00:1d:70:7e:1b:10)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.20.2 (192.168.20.2), Dst: 192.168.20.1 (192.168.20.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 52
    Identification: 0xff8a (65418)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x121a [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.20.2 (192.168.20.2)
    Destination: 192.168.20.1 (192.168.20.1)
User Datagram Protocol, Src Port: 49152 (49152), Dst Port: 3784 (3784)
    Source port: 49152 (49152)
    Destination port: 3784 (3784)
    Length: 32
    Checksum: 0x5cff [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
BFD Control message
    001. .... = Protocol Version: 1
    ...0 0000 = Diagnostic Code: No Diagnostic (0x00)
    11.. .... = Session State: Up (0x03)
    Message Flags: 0x00
        0... .. = Poll: Not set
        .0.. .. = Final: Not set
        ..0. .. = Control Plane Independent: Not set
        ...0 .. = Authentication Present: Not set
        .... 0. = Demand: Not set
        .... .0 = Multipoint: Not set
    Detect Time Multiplier: 3 (= 150 ms Detection time)
    Message Length: 24 bytes
    My Discriminator: 0x00000001
    Your Discriminator: 0x800d000a
    Desired Min TX Interval:   50 ms (50000 us)
    Required Min RX Interval:   50 ms (50000 us)
    Required Min Echo Interval:    0 ms (0 us)
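
The decode step above can also be done without hex2pcap. The following Python script is an added example, not part of the original post and not a Cisco tool: it reads records in the trace format shown above, skips a data line whose header was cut off by `tail`, checks the IPv4 header checksum, and writes a classic pcap file. The function names and the output file name qfp_trace.pcap are assumptions; the sample lines are copied from the trace output above.

```python
import re
import struct

# Constructed input: an orphaned data line, then one full record, from the post's sample.
SAMPLE = """\
-PKT_DATA: 6c9ced16 8c80001d 707e1b10 080045c0 0034abb7 0000ff11 65edc0a8 1402c0a8 1401c000 0ec80020 5cff20c0 03180000 0001800d 000a0000 c3500000 c3500000 0000
05/17 12:09:29.490 [(null)]: (debug):
QFP:00 Thread:015 TS:00000119382827336304 RX PKT_TRACE TenGigabitEthernet0/1/0 len 66 IP PRI
-PKT_DATA: 001d707e 1b106c9c ed168c80 080045c0 00340000 0000ff11 11a5c0a8 1401c0a8 1402c000 0ec80020 000020c8 0318800d 000a0000 00010000 c3500000 c3500000 0000
"""

HDR = re.compile(r"(\S+) PKT_TRACE (\S+) len (\d+)")

def parse_trace(text):
    """Return [(direction, interface, frame)]; headerless or short data is skipped."""
    frames, pending = [], None
    for line in text.splitlines():
        m = HDR.search(line)
        if m:
            pending = (m.group(1), m.group(2), int(m.group(3)))
        elif line.startswith("-PKT_DATA:"):
            raw = bytes.fromhex("".join(line.split(":", 1)[1].split()))
            if pending and len(raw) >= pending[2]:
                frames.append((pending[0], pending[1], raw[:pending[2]]))
            pending = None
    return frames

def ipv4_checksum_ok(frame):
    """Validate the IPv4 header checksum of an untagged Ethernet frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    hdr = frame[14:14 + (frame[14] & 0x0F) * 4]
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def to_pcap(frames):
    """Serialize as little-endian pcap, linktype 1 (Ethernet); timestamps are zero."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for _, _, data in frames:
        out += struct.pack("<IIII", 0, 0, len(data), len(data)) + data
    return out

if __name__ == "__main__":
    frames = parse_trace(SAMPLE)
    with open("qfp_trace.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    print(len(frames), "frame(s) written")
```

The resulting file can be opened in Wireshark or read with `tshark -V -r qfp_trace.pcap` to get a decode like the one above.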

Comments (4) -

  • Avinash

    6/23/2012 2:19:24 PM |

    Hey
    that's really cool stuff.. Thanks for sharing this.. worked fine for me. You answered all my questions...

    Thanks

    Avinash

  • Karan

    9/28/2012 10:31:31 PM |

    This is something that I have been looking for but couldn't find any documentation for the packet capture anywhere...
    Awesome work .. Smile

  • John

    11/14/2012 10:55:34 AM |

    You don't need to go through all these complicated techniques to capture packets. On the ASR-1K, packet capture is supported directly from the command line with no need for a shell. Refer to:
    www.cisco.com/.../nm-packet-capture-xe.html

  • Bikramjit

    10/2/2013 7:49:10 AM |

    Awesome article! Very helpful.
