Sometimes you end up in a situation where you need to collect live packet captures during the course of your troubleshooting session. Normally, configuring a mirror port is the simplest way to do that. However, it requires physical access to the switch and the switch must have an interface that is compatible with your capture device (a laptop). You may not be able to connect your laptop to a switch with optical interfaces only.
In such situations, you can use the built-in tshark tool on CX switches to collect a packet capture without physical access to the switch. Let me show you how to do that.
mirror session 1
    source interface 1/1/1 both
    destination cpu
    enable
diagnostics                                  -> enable diag tools
diag utilities tshark file                   -> start packet capture on 1/1/1
<press Ctrl-C to stop tshark>
copy tshark-pcap tftp://<TFTP IP>/pcap.pcap  -> upload the pcap file to a TFTP server
diag utilities tshark delete-file            -> delete the pcap file
Please be aware that the mirrored traffic is processed by the control plane CPU for capturing, and the CPU is easily overwhelmed as the bandwidth of the traffic increases. You can apply a filter, as explained below, so that tshark captures only the matching packets. Note also that the maximum size of the pcap file is 32 MBytes.
Applying IP/MAC filter for packet capture
You can apply a classifier policy on an interface to capture only desired packets. Let’s see how to do that.
Here is a configuration example to capture ICMP, LLDP, and ARP packets on port 1/1/1.
class ip cls-icmp
    match icmp any any
class mac cls-arp-lldp
    match any any arp
    match any any lldp
policy pol-pcap
    class ip cls-icmp action mirror 1
    class mac cls-arp-lldp action mirror 1
interface 1/1/1
    apply policy pol-pcap in
    apply policy pol-pcap out
mirror session 1
    destination cpu
    enable
After you configure the above, you can start tshark with diag util tshark file to capture ICMP/LLDP/ARP packets only.
Here is another example. This one captures only IGMP, PIM, and IP multicast (destination 224.0.0.0/4) packets.
class ip cls-mcast
    match igmp any any
    match pim any any
    match ip any 224.0.0.0/4
policy pol-pcap
    class ip cls-mcast action mirror 1
interface 1/1/1
    apply policy pol-pcap in
    apply policy pol-pcap out
mirror session 1
    destination cpu
    enable
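Once the pcap has been uploaded, an offline check can confirm that the classifier policy mirrored only the intended protocols, for either of the two filter examples above. The following Python sketch is an added example, not part of the original post or of AOS-CX; it assumes the uploaded file is in classic libpcap format with Ethernet framing, and the function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0806: "ARP", 0x88CC: "LLDP"}
IP_PROTOS = {1: "ICMP", 2: "IGMP", 103: "PIM"}

def classify(frame):
    """Label one Ethernet frame by the protocols the classes above match."""
    if len(frame) < 14:
        return "truncated"
    off, (etype,) = 12, struct.unpack_from("!H", frame, 12)
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 6:  # skip VLAN tags
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype in ETHERTYPES:
        return ETHERTYPES[etype]
    ip = frame[off + 2:]
    if etype == 0x0800 and len(ip) >= 20:
        if ip[9] in IP_PROTOS:                     # IPv4 protocol field
            return IP_PROTOS[ip[9]]
        return "IP-multicast" if ip[16] >> 4 == 0xE else f"ip-proto-{ip[9]}"
    return f"ethertype-0x{etype:04x}"

def summarize(pcap_bytes):
    """Count frames per label in a classic (non-pcapng) Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if end is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, pos = Counter(), 24
    while pos + 16 <= len(pcap_bytes):             # 16-byte record header
        incl = struct.unpack_from(end + "I", pcap_bytes, pos + 8)[0]
        counts[classify(pcap_bytes[pos + 16:pos + 16 + incl])] += 1
        pos += 16 + incl
    return counts

def unexpected(counts, allowed):
    return {k: v for k, v in counts.items() if k not in allowed}

def sample_pcap():  # constructed capture: ARP, LLDP, TCP, VLAN-tagged ICMP
    ip = lambda proto: bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    eth = lambda etype, body=b"", tag=b"": bytes(12) + tag + struct.pack("!H", etype) + body
    frames = [eth(0x0806), eth(0x88CC), eth(0x0800, ip(6)),
              eth(0x0800, ip(1), struct.pack("!HH", 0x8100, 10))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a real capture, read the uploaded file with `open(path, "rb").read()` and pass `{"ICMP", "ARP", "LLDP"}` or `{"IGMP", "PIM", "IP-multicast"}` as the allowed set; any label that `unexpected` returns is traffic the policy was not meant to mirror.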
That’s it for today. Hope this helps!