Remote Packet Capture (rpcap)
How it Works
- Set the mirror on BOLT
- This defines what traffic will be mirrored to the target port.
- Eth2 is the port on the OLT that is used for capture
- Standard port 2002 is used on the OLT for the remote Wireshark connection.
- Enable rpcap. This begins exposing the Wireshark capture interface to the user.
- Start Wireshark on the remote computer.
- Use the Wireshark remote pcap interface to connect to the OLT.
- Connect to eth2, port 2002.
- Perform capture.
- Disable RPCAP on the OLT.
Command Syntax
Mirror Command
- tolt diagnostics flowmirror
- dir – ingress/egress/both; defines the direction to mirror.
- mac-filter – A MAC address to filter on, so the mirror can be constrained to a single source/destination.
- net-interface – Use a NET as the source of the mirror.
- nni-interface – Mirror an individual uplink port.
- pon-interface – Mirror a PON port's traffic.
- target – The target port to send the mirror to. Default is the cpu (eth2). It can also mirror to ports to allow surveillance for applications such as Forescout.
- vlan – A VLAN number 2..4094 or any.
Rpcap Command
- tolt diagnostics rpcap
- enable – Enable the OLT to expose the rpcap interface.
- disable – Disable rpcap and close the rpcap port.
Remote Packet Capture Example
The following example will show how to capture a packet from the BOLT.
- The first step will display the available completions of the flowmirror command.
- From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable, followed by a question mark. Output similar to the following is displayed, showing all the action parameters:
MDS1-ESUA# tolt diagnostics flowmirror enable <enter>
Possible completions:
dir Traffic direction of source interface to mirror from.
mac-filter
net-interface Select a NET interface to mirror packet flows from
nni-interface Select an NNI interface to mirror packet flows from.
pon-interface Select a PON interface to mirror packet flows from
target Select an NNI interface as mirror-to target (CPU is used if target is not selected).
vlan VLAN ID or 'any' for untagged/mixed traffic.
MDS1-ESUA# _
- The next step will enable packets in both directions on net-interface NET1 and display the available completions of the target action.
- From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable dir both net-interface NET1 target ?, and press Enter. Output similar to the following is displayed:
MDS1-ESUA# tolt diagnostics flowmirror enable dir both net-interface NET1 target ? <enter>
Possible completions:
Description: Select an NNI interface as mirror-to target(CPU is used if target is not selected).
QSFPl-2-1 QSFPl-2-2 QSFPl-2-3 QSFPl-2-4 QSFPl-2-5 QSFPl-2-6
SFPl-1-1 SFPl-1-2 SFPl-1-3 SFPl-1-4
MDS1-ESUA# _
Note: Should no target be selected, the system will default the target as the cpu (eth2)
- The next step will enable packets in both directions on net-interface NET1 and capture all the vlans.
The following are the capture options. Only one can be used at a time.
- net-interface – will capture all the VLAN packets.
- nni-interface – will capture packets on a single uplink port.
- pon-interface – will capture the packets going up and down the PON.
- From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable dir both net-interface NET1 vlan any, and press Enter. Output similar to the following is displayed:
MDS1-ESUA# tolt diagnostics flowmirror enable dir both net-interface NET1 vlan any <enter>
Action success true
reason
MDS1-ESUA# _
- Success true validates that the flowmirror is running, with all traffic on the selected uplink going to the cpu.
- Now that the flowmirror is set up, we will enable rpcap.
- From the MDS1-ESUA# command line, input tolt diagnostics rpcap enable, and press Enter. Output similar to the following is displayed:
MDS1-ESUA# tolt diagnostics rpcap enable rpcap <enter>
Action success true
reason
MDS1-ESUA# _
- The next steps will use Wireshark on a remote computer to view the captured packets.
- Click on an interface to display the Capture Options.
- Click on the Manage Interfaces button to access Remote Interfaces.
- Click on the Remote Interfaces button to add an interface.
- Add an interface.
- Add the IP address of the Host. In this case, it will be the IP address of the OLT (i.e. 172.29.122.141).
- The port number will be the default Wireshark port of 2002.
- There will be a short delay while Wireshark connects to the OLT, then all the interfaces are displayed.
- We will want to click on eth2 (cpu), which is our mirror target, then select the OK button.
- The next screen will display the available interfaces. Scroll down to display eth2 and double-click to access live captures of the uplink.
- We are now getting live captures of our uplink.
- We will now validate the connection by pinging the OLT: go to the command screen and ping our gateway.
- Wireshark will display the ping activity in real time.
- When the session is complete, we will disable the rpcap and the flowmirror.
Note: Should the rpcap and flowmirror remain running, it will slow down the cpu and introduce unnecessary heat to the system.
- From the MDS1-ESUA# command line, input tolt diagnostics rpcap disable, and press Enter. Output similar to the following is displayed.
MDS1-ESUA# tolt diagnostics rpcap disable <enter>
action-success true
reason
MDS1-ESUA# _
- From the MDS1-ESUA# command line, input tolt diagnostics flowmirror disable, and press Enter. Output similar to the following is displayed.
MDS1-ESUA# tolt diagnostics flowmirror disable <enter>
action-success true
reason
MDS1-ESUA# _
- Session complete
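A post-session check for the disable steps above, as an added example (not part of the vendor's procedure or tooling): run from the management workstation, it confirms that TCP port 2002 no longer accepts connections on each OLT once rpcap is disabled. The function names and the three state labels are assumptions of this example.

```python
"""Check that the rpcap listener is closed on each OLT after a capture session."""
import socket
import sys

RPCAP_PORT = 2002  # rpcap port given on this page


def rpcap_port_state(host, port=RPCAP_PORT, timeout=3.0):
    """Return 'open', 'closed' or 'unreachable' (labels are this example's own)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # TCP handshake completed: a listener is still on the port
    except ConnectionRefusedError:
        return "closed"            # host refused the connection: nothing listening
    except OSError:
        return "unreachable"       # timeout, no route, or name resolution failure


def still_exposed(hosts, port=RPCAP_PORT, timeout=3.0):
    """Return the hosts whose rpcap port still accepts connections."""
    return [h for h in hosts if rpcap_port_state(h, port, timeout) == "open"]


if __name__ == "__main__":
    # Usage: python3 rpcap_check.py <olt-mgmt-ip> [<olt-mgmt-ip> ...]
    states = {olt: rpcap_port_state(olt) for olt in sys.argv[1:]}
    for olt, state in states.items():
        print(f"{olt}:{RPCAP_PORT} {state}")
    # Non-zero exit lets a scheduled job flag an OLT where rpcap was left enabled.
    sys.exit(1 if "open" in states.values() else 0)
```

An "unreachable" result is inconclusive, since a firewall may be dropping the probe; confirm the state on the OLT command line in that case.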