Traffic capturing with the help of Cisco Nexus

Traffic sniffing can be performed not only on the Cisco PIX/ASA hardware firewalls and ASR routers we described earlier, but also on switches from the same vendor. In this article we show how to capture traffic on a Cisco Nexus switch. Note from the start that this method captures only data passing through the control plane and management plane, i.e. data that has to be processed by the CPU. Such data includes messages of protocols such as ARP, STP, ICMP, LACP and CDP. Frames and packets switched in the ASIC (not sent to the CPU) can’t be captured with this method; for that a SPAN session has to be set up. Captured data can be analyzed locally (via a telnet session or on the console) or sent to a remote server for further analysis. This functionality is called Ethanalyzer. We had a Nexus 5548UP at our disposal; its main characteristics are presented below.

nexus5548up# sho ver
Cisco Nexus Operating System (NX-OS) Software
TAC support:
Copyright (c) 2002-2013, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
BIOS: version 3.6.0
loader: version N/A
kickstart: version 6.0(2)N1(2)
system: version 6.0(2)N1(2)
Power Sequencer Firmware:
Module 1: version v1.0
Module 3: version v5.0
Microcontroller Firmware: version v1.2.0.1
SFP uC: Module 1: v1.0.0.0
QSFP uC: Module not detected
BIOS compile time: 05/09/2012
kickstart image file is: bootflash:///n5000-uk9-kickstart.6.0.2.N1.2.bin
kickstart compile time: 3/14/2013 1:00:00 [03/14/2013 08:53:55]
system image file is: bootflash:///n5000-uk9.6.0.2.N1.2.bin
system compile time: 3/14/2013 1:00:00 [03/14/2013 11:28:50]
cisco Nexus5548 Chassis ("O2 32X10GE/Modular Universal Platform Supervisor")
Intel(R) Xeon(R) CPU with 8262944 kB of memory.
Processor Board ID FOC16227FRP
Device name: nexus5548up
bootflash: 2007040 kB
Kernel uptime is 0 day(s), 2 hour(s), 53 minute(s), 48 second(s)
Last reset at 957034 usecs after Mon Apr 8 05:32:48 2013
Reason: Disruptive upgrade
System version: 5.2(1)N1(1a)
Core Plugin, Ethernet Plugin

Our platform runs a MontaVista Linux operating system with kernel version 2.6.10, which means that add-ons can be installed on it. One such add-on is TShark, which is part of the Wireshark suite (formerly Ethereal).

nexus5548up# ethanalyzer ?
local Start local capture of frames to Sup
nexus5548up# ethanalyzer local ?
> Redirect it to a file
>> Redirect it to a file in append mode
interface A live capture will start on following interface
read Filename to read the captured packet
| Pipe command output to filter

Just as in Wireshark, filters can be used here. There are two types of filter, a display filter and a capture filter; they work the same way as in Wireshark.

nexus5548up# ethanalyzer local interface mgmt ?
> Redirect it to a file
>> Redirect it to a file in append mode
autostop Capture autostop condition
capture-filter Filter on ethanalyzer capture
capture-ring-buffer Capture ring buffer option
detail Display detailed protocol information
display-filter Display filter on frames captured
limit-captured-frames Maximum number of frames to be captured (default is 10)
limit-frame-size Capture only a subset of a frame
raw Hex/Ascii dump the packet with possibly one line summary
write Filename to save capture to
| Pipe command output to filter

A few words about interfaces. The Nexus 5548UP has three “interfaces”: inbound-hi for high-priority incoming traffic (LACP, CDP, FCoE, DCBX), inbound-low for low-priority traffic (IGMP, ARP), and mgmt for data arriving through the switch’s management interface.

nexus5548up# ethanalyzer local interface ?
inbound-hi Inbound(high priority) interface
inbound-low Inbound(low priority) interface
mgmt Management interface

By default, Ethanalyzer captures ten frames. This number can be changed with the limit-captured-frames parameter.

Now let’s run a sample capture that displays information about transmitted ICMP packets in the command-line interface. The capture can also be saved locally for further analysis with the write option.

nexus5548up# ethanalyzer local interface mgmt capture-filter "icmp" write bootflash:foxtesticmp.cap
Capturing on mgmt0
2013-04-08 09:12:00.073872 -> ICMP Echo (ping) request
2013-04-08 09:12:00.073947 -> ICMP Echo (ping) reply
2013-04-08 09:12:01.075255 -> ICMP Echo (ping) request
2013-04-08 09:12:01.075451 -> ICMP Echo (ping) reply
2013-04-08 09:12:02.075737 -> ICMP Echo (ping) request
2013-04-08 09:12:02.075927 -> ICMP Echo (ping) reply
2013-04-08 09:12:03.079609 -> ICMP Echo (ping) request
2013-04-08 09:12:03.079788 -> ICMP Echo (ping) reply
nexus5548up# 8 packets captured
ag-nexus5548-7# dir bootflash:
319 Aug 24 11:48:26 2012 MDS*****.lic
322 Sep 03 11:45:41 2012 MDS*****.lic
744 Apr 08 09:12:04 2013 foxtesticmp.cap
34672128 Apr 08 05:13:03 2013 n5000-uk9-kickstart.6.0.2.N1.2.bin
238082390 Apr 08 05:05:54 2013 n5000-uk9.6.0.2.N1.2.bin
4096 Jan 01 11:16:26 2009 vdc_2/
4096 Jan 01 11:16:26 2009 vdc_3/
4096 Jan 01 11:16:26 2009 vdc_4/
4096 Apr 08 05:35:30 2013 virt_strg_pool_bf/
676 Dec 06 06:01:02 2012 vlan.dat
Usage for bootflash://sup-local
390414336 bytes used
1258209280 bytes free
1648623616 bytes total

The saved frames can be analyzed locally or remotely. For local analysis, use the read option.

nexus5548up# ethanalyzer local read bootflash:foxtesticmp.cap limit-captured-frames 1 detail
Frame 1 (74 bytes on wire, 74 bytes captured)
Arrival Time: Apr 8, 2013 09:12:00.073872000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 74 bytes
Capture Length: 74 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:icmp:data]
Ethernet II, Src: 00:e0:4d:08:4f:ea (00:e0:4d:08:4f:ea), Dst: 54:7f:ee:a9:0c:81 (54:7f:ee:a9:0c:81)
Destination: 54:7f:ee:a9:0c:81 (54:7f:ee:a9:0c:81)
Address: 54:7f:ee:a9:0c:81 (54:7f:ee:a9:0c:81)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:e0:4d:08:4f:ea (00:e0:4d:08:4f:ea)
Address: 00:e0:4d:08:4f:ea (00:e0:4d:08:4f:ea)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: (, Dst: (
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 60
Identification: 0x5f0b (24331)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: ICMP (0x01)
Header checksum: 0x3cf7 [correct]
[Good: True]
[Bad : False]
Source: (
Destination: (
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0x45fd [correct]
Identifier: 0x0001
Sequence number: 1886 (0x075e)
Data (32 bytes)
0000 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
0010 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 qrstuvwabcdefghi
Data: 6162636465666768696A6B6C6D6E6F707172737475767761...
[Length: 32]

For remote analysis, upload the saved file using any available file transfer protocol, such as TFTP.

nexus5548up# copy bootflash:foxtesticmp.cap tftp:
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the tftp server:
Trying to connect to tftp server......
Connection to Server Established.
TFTP put operation was successful
Copy complete, now saving to disk (please wait)...
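
An added example, not part of the original article: a Python check to run on the receiving server after the copy. TFTP has no authentication or end-to-end integrity check, so the script walks the file record by record and fails on truncation before counting ICMP types. It assumes the capture is in classic libpcap format, which matches the 744-byte size in the dir listing above (24-byte file header plus 8 records of 16 + 74 bytes); parse_pcap and build_sample are hypothetical names and the sample capture is constructed.

```python
import struct

HDR, REC = 24, 16  # classic libpcap: file header, per-frame record header
ICMP_TYPES = {0: "echo-reply", 8: "echo-request"}

def parse_pcap(blob):
    """Walk a classic libpcap file; return (frame_count, icmp_type_counts).
    Raises ValueError on an unknown magic number or a truncated record."""
    if len(blob) < HDR:
        raise ValueError("file shorter than the pcap file header")
    if blob[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif blob[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    offset, frames, counts = HDR, 0, {}
    while offset < len(blob):
        if offset + REC > len(blob):
            raise ValueError("truncated record header at offset %d" % offset)
        incl_len = struct.unpack(endian + "I", blob[offset + 8:offset + 12])[0]
        frame = blob[offset + REC:offset + REC + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated frame %d" % (frames + 1))
        offset += REC + incl_len
        frames += 1
        # Classify only Ethernet II (linktype 1) frames carrying IPv4 + ICMP
        if linktype == 1 and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            ihl = (frame[14] & 0x0F) * 4
            if frame[23] == 1 and len(frame) > 14 + ihl:
                name = ICMP_TYPES.get(frame[14 + ihl], "other")
                counts[name] = counts.get(name, 0) + 1
    return frames, counts

def build_sample():
    """Constructed sample: 8 frames of 74 bytes, alternating request/reply."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(8):
        eth = bytes(12) + b"\x08\x00"  # zeroed MACs, EtherType IPv4
        ip = bytes([0x45, 0]) + struct.pack(">H", 60) + bytes(5) + b"\x01" + bytes(10)
        icmp = bytes([8 if i % 2 == 0 else 0]) + bytes(39)  # type + 39 zero bytes
        frame = eth + ip + icmp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(parse_pcap(build_sample()))
```

On a real transfer, read the received file in binary mode and compare the returned frame count with the "packets captured" figure the switch printed.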

This concludes our review of the Cisco Ethanalyzer feature; we wish you successful troubleshooting of your network problems with its help.
