Remote Packet Capture (rpcap)

How it Works

• Set the mirror on BOLT
  • This defines what traffic will be mirrored to the target port.
  • Eth2 is the port on the OLT that is used for capture
  • Standard Port 2002 is used on OLT for remote wireshark connection
• Enable rpcap - this begins exposing the wireshark interface to the user.
• Start wireshark on the remote computer.
• Use wireshark remote pcap interface to connect to the OLT.
• Connect to eth2, port 2002.
• Perform capture.
• Disable RPCAP on the OLT.

Video

Command Syntax

Mirror Command

• Tolt diagnostics flowmirror
  • Dir – ingress/egress/both, defines the direction to mirror.
  • Mac-filter – A mac to filter on so can constrain to a single source/destination.
  • Net-interface – Use a NET as the source of the mirror.
  • Nni-interface – Mirror an individual uplink port.
  • Pon-interface – Mirror a PON port's traffic
  • Target – The target port to send the mirror to. Default is the cpu (eth2). It can also mirror to ports to allow surveillance for applications such as forescout. 
  • Vlan – A vlan number 2..4094 or any.

Rpcap Command

• Tolt diagnostics rpcap
  • Enable – Enable the OLT to expose rpcap interface
  • Disable – Disable rpcap and close rpcap port

Remote Packet Capture Example 

The following example will show how to capture a packet from the BOLT. 

1. The first step will display the available completions of the flowmirror command.
2. From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable, and question mark Output similar to the following is displayed showing all the action parameters:

MDS1-ESUA# tolt diagnostics flowmirror enable <enter>
Possible completions:
 dir            Traffic direction of source interface to mirror from.
 mac-fiIter
 net-interface  Select a NET interface to mirror packet flows from
 Nmi-interface  Select an NNI interface to mirror packet flows from.
pon-interface   Select a PON interface to mirror packet flows from
target          Select an NNI interface as mirror-to target (CPU is used if target is not selected).
vlan            VLAN ID or 'any' for untagged/mixed traffic.
MDSl-ESUA#_ 

3. The next step will enable packets in both directions on net-interface NET1 and display the available completions of the target action. 
4. From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable dir both net-interface NET1 target?, and press Enter. Output similar to the following is displayed:
    

   MDS1-ESUA# tolt diagnostics flowmirror enable dir both net-interface NET1 target ? <enter> Possible completions: Description: Select an NNI interface as mirror-to target(CPU is used if target is not selected). QSFPl-2-1 QSFPl-2-2 QSFPl-2-3 QSFPl-2-4 QSFPl-2-5 QSFPl-2-6 SFPl-1-1 SFPl-1-2 SFPl-1-3 SFPl-1-4 MDS1-ESUA# _

5. The next step will enable packets in both directions on net-interface NET1 and capture all the vlans.
   The following are the caprure options. Only one can be used at a time.
   1. net-interface – will capture all the vlan packets
   2. nni-interface – will capture packets a single uplink port
   3. pon-interface – will capture what packets are going up and down the pon.
6. From the MDS1-ESUA# command line, input tolt diagnostics flowmirror enable dir both net-interface NET1 vlan any, and press Enter. Output similar to the following is displayed:
    

   MDS1-ESUA# tolt diagnostics flowmirror enable dir both net-interface NET1 vlan any <enter> Action success true reason MDS1-ESUA# _

7. Success true, validates that the flowmirror is running with all traffic on the selected uplink going to the cpu.
8. Now that the flowmirror is set up, we will enable rpcap.
9. From the MDS1-ESUA# command line, input tolt diagnostics rpcap enable, and press Enter. Output similar to the following is displayed:
    

   MDS1-ESUA# tolt diagnostics rpcap enable rpcap <enter> Action success true reason MDS1-ESUA# _

10. The next steps will use Wireshark on a remote computer to view the captured packets.
11. Click on an interface to display the Capture Options.
    
12. Click on the Manage Interfaces button to access Remote Interfaces.
    
13. Click on the Remote Interfaces button to add an interface.
    .
14. Add an interface.
    
15. Add the IP address of the Host. In this case, it will be the IP address of the OLT (i.e. 172.29.122.141). 
16. The port number will be the default Wireshark port of 2002.
    
17. There will be a short delay while Wireshark connects to the OLT, then all the interfaces are displayed.
18. We will want to click on eth2 (cpu), which is our mirror target, then select the OK button.
    
19. The next screen will display the available interfaces. Scroll down to display eth2 and double-click to access live captures of the uplink.
    
20. We are now getting live captures of our uplink. 
    
21. We will now validate the connection by pinging the OLT by going to the command screen and ping our gateway.
    
22. On Wireshark the display screen will display, in real time, the ping activity.
    
23. When the session is complete, we will disable the rpcap and the flowmirror. 

24. From the MDS1-ESUA# command line, input tolt diagnostics rpcap disable, and press Enter. Output similar to the following is displayed.

MDS1-ESUA# tolt diagnostics rpcap disable <enter> 
action-success true
reason
MDS1-ESUA# _ 

25. From the MDS1-ESUA# command line, input tolt diagnostics flowmirror disable, and press Enter. Output similar to the following is displayed.

MDS1-ESUA# tolt diagnostics flowmirrordisable <enter> 
action-success true
reason
MDS1-ESUA# _ 

26. Session complete