Edge抓包
今天在客户端进行故障排除时,我需要在环境中的一个边缘服务网关上执行包捕获。在诊断一系列不同的问题时,执行包捕获通常非常有用。
要启动包捕获,您可以跳到ESG的控制台,或者像我在本例中所做的那样,打开ESG的SSH会话。您需要知道在哪个接口上运行捕获,
因此运行以下命令列出所有接口(为了便于阅读/1,已经从输出中删除了所有显示在/下面的接口)
vShield-edge-3-0> show interface
Interface VDR is up, line protocol is up
index 2 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,NOARP>
HWaddr: 12:ee:19:2e:18:f6
inet6 fe80::10ee:19ff:fe2e:18f6/64
proxy_arp: disabled
Auto-duplex (Full), Auto-speed (2157Mb/s)
input packets 0, bytes 0, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 0, bytes 0, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
Interface br-sub is up, line protocol is up
index 13 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
inet6 fe80::5890:b7ff:fecd:6c9c/64
proxy_arp: disabled
Auto-duplex (Full), Auto-speed (2157Mb/s)
input packets 0, bytes 0, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 319, bytes 27498, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
Interface lo is up, line protocol is up
index 1 metric 1 mtu 16436 <UP,LOOPBACK,RUNNING>
inet 127.0.0.1/8
inet6 ::1/128
proxy_arp: disabled
Auto-duplex (Full), Auto-speed (2157Mb/s)
input packets 10738, bytes 1550427, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 10738, bytes 1550427, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
Interface vNic_0 is up, line protocol is up
index 3 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
HWaddr: 00:50:56:9d:74:93
inet6 fe80::250:56ff:fe9d:7493/64
inet 10.29.254.241/24
proxy_arp: disabled
Auto-duplex (Full), Auto-speed (2157Mb/s)
input packets 22451, bytes 4017743, dropped 1535, multicast packets 4540
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 44431, bytes 7692037, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
Interface vNic_1 is up, line protocol is up
index 6 metric 1 mtu 1500 <UP,BROADCAST,RUNNING,MULTICAST>
HWaddr: 00:50:56:9d:0e:30
inet 10.29.2.241/28
inet6 fe80::250:56ff:fe9d:e30/64
proxy_arp: disabled
Auto-duplex (Full), Auto-speed (2157Mb/s)
input packets 54060, bytes 5087410, dropped 2, multicast packets 26763
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 13694, bytes 1282604, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
在这个例子中,我想看看在vNic o上发生了什么。我建议(VMware也是这么建议的)不要在流量很大的生产环境中运行这个命令,
因为它会向屏幕输出大量数据,并可能在ESG上导致性能问题
debug packet display interface vNic_0
您可以使用以下命令将输出保存在捕获文件中,而不是在屏幕上显示输出。
vShield-edge-3-0> debug packet capture interface vNic_0
/blue_lane/bin/run_tcpdump: line 24: kill: (25763) - No such process
tcpdump: listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
您甚至可以在幕后看到它正在运行的tcpdump,这意味着您还可以编写很酷的表达式或过滤器。
下面的命令将与我的IP地址(10.29.16.70)之间的SSH连接排除在捕获之外。在表达式的单词之间必须使用下划线。
vShield-edge-3-0> debug packet display interface vNic_0 not_port_22_and_not_host_10.29.17.60
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vNic_0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:49:51.551162 IP 10.29.64.240 > 10.29.16.70: ICMP echo reply, id 26207, seq 19278, length 64
05:49:51.980973 IP 10.29.2.254 > 10.29.16.70: ICMP echo reply, id 36695, seq 19879, length 64
在对文件执行捕获之后,可以使用以下命令列出所有捕获文件
vShield-edge-3-0> debug show files
total 1.0K
-rw------- 1 708 Mar 16 05:45 tcpdump_vNic_0.0
这一切都很好,但做一个目录列表并不能真正帮助我读取文件,所以要复制它,您需要使用以下命令之一,基于您想要使用的传输协议类型。选择是SCP或FTP。下面是如何使用SCP从ESG中复制捕获文件的示例。
vShield-edge-3-0> debug copy scp sneaku@10.29.4.1:/Users/sneaku/tcpdump_vNic_0.0 tcpdump_vNic_0.0
The authenticity of host '10.29.4.1 (10.29.4.1)' can't be established.
RSA key fingerprint is c3:63:18:0b:a8:c0:f0:ed:5b:44:db:ae:61:db:9b:b6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.29.4.1' (RSA) to the list of known hosts.
Password:
tcpdump_vNic_0.0 100% 864 0.8KB/s 00:00
如果您喜欢,或者需要使用FTP,只需将命令中的协议选择SCP替换为FTP。
一旦您将文件从ESG中取出并放到您可以访问的位置,您就可以使用Wireshark打开捕获文件。