How to capture packets that are dropped by NP/CPU?

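We previously discussed that on XR, when there is a problem with TCP/UDP or RAW traffic exchanged with the device itself, the packets can be captured and then analyzed using the method in "How to decode TCP, UDP and RAW for IOS-XR". On the 76/65 you can use Netdr, ELAM, CPU span and PB capture, so is there a similarly handy tool on our ASR9k? The answer is of course yes. On the ASR9k there are two ways to capture packets punted to the CPU:

1. From 4.3.1 onward, XR supports NP Monitor

For details see the following article: https://supportforums.cisco.com/docs/DOC-29010
One point to watch here: Note that a captured packet will be DROPPED!
So when choosing the counter to monitor, be sure to pick a genuine drop counter and do not monitor a normal counter, otherwise data forwarding will be affected. I have no test environment at the moment, so I cannot post detailed test steps; the document is very clear, so see it for the details.

2. SPP monitor, which is specific to the ASR9k

Here is a capture example: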

RP/0/RSP0/CPU0:ASR9K.18#run attach 0/6/cpu0
Sat Oct 19 01:15:36.985 UTC

attach: Starting session 1 to node 0/6/cpu0

# spp_ui
spp-ui> node counter
copp_sampler
     Disable messages received:               1
-------------------------------
port3/classify
                     forwarded:           59294
Punted to default punt process:            2264
-------------------------------
port3/rx
           whole pkts received:          768891
      begin fragments received:             500
      total fragments received:            1248
        end fragments received:             500
           RX bailout/longjmps:          765405
incomplete chopper ctx after b:              40
-------------------------------
port2/tx
           packets transmitted:            1136
-------------------------------
port3/tx
           packets transmitted:            1139
-------------------------------
client/inject
               inject to port2:            1136
               inject to port3:            1139
-------------------------------
client/punt
              punted to client:          769391
-------------------------------
spp-ui>
spp-ui> trace start 100
spp-ui> trace stop
spp-ui> trace print
Packet serial 2
client/punt:
  length 128 phys_int_index 1 next_ctx 0xdeadbeef

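Let's take one packet and look at it in detail:
The best way to capture with SPP is to first capture a few packets, look at the offsets, apply filters one at a time according to what you need, and so narrow the capture down to the packets you want. The offsets differ between platforms and between packet types, so always capture a fresh sample and analyze it first.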

Packet serial 4
client/punt:
length 128 phys_int_index 1 next_ctx 0xdeadbeef
00: 00 70 72 00 00 03 00 65 7a 00 00 03 05 09 ff ff
10: 08 00 00 00 05 02 0f 00 00 00 00 00 02 00 10 00
20: 00 c0 00 00 c7 de 00 00 09 01 00 1f 00 03 0e 01
30: 00 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00
40: 00 07 02 ff 00 26 98 29 4c e8 01 25 68 98 cf a6
50: 08 00 45 00 00 2e 00 00 00 00 40 06 64 b5 03 03
60: 03 03 08 08 08 08 01 4d 03 e7 00 00 00 00 00 00
70: 00 00 50 00 00 00 8e 8c 00 00 00 01 02 03 04 05
80: 09 8b 66 5d 00 00 00 00 00 00 00 00 00 00 00 00
90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
c0: 01 00 00 20 43 00 00 00 d3 5c 02 df 00 00 00 00
d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Common filters and how the offsets are used:
spp-ui> trace filter set 94 2 0x0303
!—src address, 94=0x50+dec14=dec(5*16+0)+dec14
spp-ui> trace filter set 98 2 0x0808
!—dst address; sometimes a length of 2 or 4 does not work and only 1 does
spp-ui> trace filter set 91 1 0x06
!—TCP flag (the IP protocol byte at offset 91 = 0x5b, 0x06 = TCP)
spp-ui> trace filter show
!—show the filter entries that have been defined
spp-ui> trace filter clear 94
!—clear the filter previously set on this offset
spp-ui> trace ascii save
!—saved automatically to /tmp/spp_packet_trace_ascii; quit spp_ui with "q", and the file can also be viewed with the more command
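
The offset arithmetic above can be done off-box on a saved trace. The following Python script is an added example, not part of the original post or of any Cisco tool: it parses `trace print` rows, locates the IPv4 header and prints the decimal offsets that `trace filter set` expects. It assumes an untagged Ethernet frame with a 20-byte IPv4 header (bytes 08 00 45), and all function names are hypothetical.

```python
import re

# Rows 0x40-0x70 of "Packet serial 4" as printed above (the IPv4 header sits here).
SAMPLE = """\
40: 00 07 02 ff 00 26 98 29 4c e8 01 25 68 98 cf a6
50: 08 00 45 00 00 2e 00 00 00 00 40 06 64 b5 03 03
60: 03 03 08 08 08 08 01 4d 03 e7 00 00 00 00 00 00
70: 00 00 50 00 00 00 8e 8c 00 00 00 01 02 03 04 05
"""

def parse_dump(text):
    """Return {absolute_offset: byte} from the 'xx: b0 b1 ...' rows of trace print."""
    data = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]+):((?:\s+[0-9a-f]{2})+)\s*$", line, re.I)
        if not m:
            continue  # skips 'Packet serial', 'client/punt:' and blank lines
        base = int(m.group(1), 16)
        for i, b in enumerate(m.group(2).split()):
            data[base + i] = int(b, 16)
    return data

def find_ipv4(data):
    """Offset of the IPv4 header: ethertype 0x0800 followed by version/IHL 0x45."""
    for off in sorted(data):
        if [data.get(off + i) for i in range(3)] == [0x08, 0x00, 0x45]:
            return off + 2
    raise ValueError("no untagged IPv4 header with IHL=5 found in dump")

def ipv4_filter_offsets(text):
    """Map field name -> (decimal offset, bytes currently at that offset)."""
    data = parse_dump(text)
    ip = find_ipv4(data)
    def field(rel, n):
        return ip + rel, bytes(data[ip + rel + i] for i in range(n))
    return {"protocol": field(9, 1), "src": field(12, 4), "dst": field(16, 4)}

def filter_commands(text, width=2):
    """Filter lines matching the first `width` bytes of each field (the post uses 2)."""
    return [f"trace filter set {off} {len(val[:width])} 0x{val[:width].hex()}"
            for off, val in ipv4_filter_offsets(text).values()]

if __name__ == "__main__":
    for name, (off, val) in ipv4_filter_offsets(SAMPLE).items():
        print(f"{name:8s} offset {off} (0x{off:x}) value {val.hex()}")
    print("\n".join(filter_commands(SAMPLE)))
```

Run against a sample from your own line card, since the punt header in front of the Ethernet frame is what moves the offsets between platforms.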

Note: when using the second method, keep the capture to 100 packets or fewer so that normal traffic is not affected.
