Customers using the NPM 86x0 would like to run tcpdump on the physical interface using a mirror port. Because of the NPM6 architecture and its use of VLAN stacking, the usual tcpdump filters cannot be used.
The NPM 6 uses VLAN stacking to identify the physical port at the EZChip level; the inner VLAN tag corresponds to the VLAN tag received from the Ethernet wire.
As a result, the tcpdump software provided on the NPM does not let the user set up regular libpcap filters that match on the host or protocol portion.
The solution is:
1) Telnet to the NPM on which you want to monitor ports
2) Set the monitoring parameters
cd /crossbeam/tools
./cbsif smcfg xxx 21 8100
xxx represents the bitmask decimal conversion of the physical port:
Port: 11 10  9  8  7  6  5  4  3  2  1
Bit:   x  x  x  x  x  x  x  x  x  x  x
If the monitoring is set on port 4 the bitmask will then be 008
If the monitoring is set on port 2 and 8 the bitmask will be 082
eth2 from the Octeon perspective
8100 is the TPID to have the additional VLAN header in the TCPDump traces.
3) Change the interface state
ifconfig eth2 up
4) Perform the tcpdump
tcpdump -ni eth2
This packet is untagged at the physical interface level
If you need to add filters to the tcpdump, you need to calculate the offset of the traffic you want to select. Offsets are counted from the beginning of the Ethernet frame, without the preamble. However, the offsets need to take into account the VLAN header coming from the physical interface, and the Crossbeam-specific VLAN header that is added also has to be taken into consideration.
The following offsets are used for calculation:
Ethernet header = 14 bytes
VLAN (Crossbeam physical interface) = 4 bytes
VLAN (real VLAN on the wire) = 4 bytes
As a consequence, host selection needs to be handled bidirectionally and offsets have to be calculated manually.
Assume that the host we want to filter has the following IPv6 address:
2a01:0135:abcd:f280:240:abff:fefe:f119
We have to convert it from the standard notation to its hex value by removing the ':' between the groups and adding the zeros that the notation leaves out.
Please note that the following IPv6 addresses are equivalent from the notation perspective but need to be converted to the full representation of the address for the tcpdump filter:
If you need to match both source and destination, the following TCPdump filter can be used assuming the second host IP address is
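On a VLAN tagged frame on the interface:
tcpdump -ni xxxx '( ether[30:4]=0x2a010135 and ether[34:4]=0xabcdf280 and ether[38:4]=0x0240abff and ether[42:4]=0xfefef119 and ether[46:4]=0x2a010135 and ether[50:4]=0xabcdf280 and ether[54:4]=0x0240abee and ether[58:4]=0xeefef119 ) or ( ether[30:4]=0x2a010135 and ether[34:4]=0xabcdf280 and ether[38:4]=0x0240abee and ether[42:4]=0xeefef119 and ether[46:4]=0x2a010135 and ether[50:4]=0xabcdf280 and ether[54:4]=0x0240abff and ether[58:4]=0xfefef119 )'
On a Non VLAN tagged frame on the interface:
tcpdump -ni xxxx '( ether[26:4]=0x2a010135 and ether[30:4]=0xabcdf280 and ether[34:4]=0x0240abff and ether[38:4]=0xfefef119 and ether[42:4]=0x2a010135 and ether[46:4]=0xabcdf280 and ether[50:4]=0x0240abee and ether[54:4]=0xeefef119 ) or ( ether[26:4]=0x2a010135 and ether[30:4]=0xabcdf280 and ether[34:4]=0x0240abee and ether[38:4]=0xeefef119 and ether[42:4]=0x2a010135 and ether[46:4]=0xabcdf280 and ether[50:4]=0x0240abff and ether[54:4]=0xfefef119 )'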
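Added example (not part of the original article or of the Crossbeam tooling): a Python helper that builds the bidirectional host filter from the header sizes listed above. It expands any IPv6 notation to the full 128-bit value and, because libpcap byte accessors load only 1, 2 or 4 bytes, compares each address as four 32-bit words. The function names are illustrative, and the two addresses are the ones encoded in the filters above.

```python
import ipaddress

ETH_HEADER = 14   # Ethernet header, per the offsets listed above
VLAN_TAG = 4      # one 802.1Q tag (Crossbeam port tag or wire VLAN tag)
IPV6_SRC = 8      # source address offset inside the IPv6 header
IPV6_DST = 24     # destination address offset inside the IPv6 header


def addr_words(addr):
    """Return the address as four 32-bit hex words, whatever notation was given."""
    packed = ipaddress.IPv6Address(addr).packed
    return ["0x" + packed[i:i + 4].hex() for i in range(0, 16, 4)]


def match_addr(offset, addr):
    """Compare the 16 bytes starting at `offset` using four 4-byte loads."""
    return " and ".join(
        f"ether[{offset + 4 * i}:4]={word}"
        for i, word in enumerate(addr_words(addr))
    )


def host_pair_filter(host_a, host_b, wire_vlan_tagged):
    """Bidirectional filter for traffic between two hosts seen on the mirror port."""
    # The Crossbeam tag is always present; the wire VLAN tag only on tagged frames.
    l3 = ETH_HEADER + VLAN_TAG + (VLAN_TAG if wire_vlan_tagged else 0)
    src, dst = l3 + IPV6_SRC, l3 + IPV6_DST
    forward = f"{match_addr(src, host_a)} and {match_addr(dst, host_b)}"
    reverse = f"{match_addr(src, host_b)} and {match_addr(dst, host_a)}"
    return f"( {forward} ) or ( {reverse} )"


if __name__ == "__main__":
    # The first address is deliberately written in shortened notation.
    a = "2a01:135:abcd:f280:240:abff:fefe:f119"
    b = "2a01:0135:abcd:f280:0240:abee:eefe:f119"
    for tagged in (False, True):
        print(f"tcpdump -ni eth2 '{host_pair_filter(a, b, tagged)}'")
```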
IPv6 protocol offsets are variable, and the IPv6 header can be composed of multiple headers. It is therefore very difficult to match a specific offset for L4 or higher protocol elements, and we recommend taking a raw capture of a conversation between hosts or subnets and performing the analysis with a proper trace file analyser such as Wireshark.
However, assuming the traffic is not fragmented and no other IPv6 options are set, you can select a specific protocol such as TCP, UDP or ICMP by matching the IPv6 next-header selector.
To match the TCP protocol on non-fragmented IPv6 traffic and a non-VLAN tagged frame: