Packet Capture – Cisco Nexus

Cisco Nexus switches use a slightly different syntax compared to the ASA series for packet capturing, which is accomplished through a feature known as Ethanalyzer: a command-line build of Wireshark (TShark) that runs on the switch supervisor, so its capture-filter keyword takes the same Berkeley Packet Filter syntax as tcpdump and its display-filter keyword takes Wireshark display-filter syntax. Ethanalyzer only sees traffic that is punted to or originated by the supervisor CPU (control-plane traffic such as routing protocol packets, ARP and management sessions); it does not see traffic switched in hardware between front-panel ports, which needs SPAN or ERSPAN instead. Here are 10 examples of how to use Ethanalyzer:

1. Capturing all packets on an interface, excluding your own SSH session

Nexus# ethanalyzer local interface inband capture-filter "not port 22"

This command will capture all packets on the inband interface except those on port 22. Excluding SSH matters because, when you run Ethanalyzer from an SSH session, the output you are watching is itself sent over that session and would otherwise dominate the capture. The filter string uses the same Berkeley Packet Filter syntax as tcpdump, so the expressions in the remaining examples work unchanged on a Linux host.

2. Capture packets destined to a specific IP address

Nexus# ethanalyzer local interface inband capture-filter "dst host 192.168.1.2"

This command will capture all packets that are destined to the IP address 192.168.1.2.

3. Capture packets originating from a specific IP address

Nexus# ethanalyzer local interface inband capture-filter "src host 192.168.1.1"

This command will capture all packets that originate from the IP address 192.168.1.1.

4. Capture packets of a specific protocol

Nexus# ethanalyzer local interface inband capture-filter "icmp"

This command will capture all ICMP packets on the inband management interface.

5. Limit the number of packets to capture

Nexus# ethanalyzer local interface inband limit-captured-frames 1000

This command will stop the capture after 1000 packets. If you omit the keyword, Ethanalyzer stops after 10 frames by default, which is rarely enough to catch the packet you are looking for, so in practice combine this option with a capture filter that narrows the traffic down first.

6. Capture packets on a specific VLAN

Nexus# ethanalyzer local interface inband capture-filter "vlan 100"

This command will capture all packets that are on VLAN 100.

7. Capture packets based on source port

Nexus# ethanalyzer local interface inband capture-filter "src port 80"

This command will capture all packets that have a source port of 80. Without a protocol qualifier this matches both TCP and UDP; write "tcp src port 80" to restrict it to TCP.

8. Capture packets based on destination port

Nexus# ethanalyzer local interface inband capture-filter "dst port 80"

This command will capture all packets that have a destination port of 80 (again TCP or UDP, unless you prefix the expression with tcp or udp).

9. Capture packets of a specific size

Nexus# ethanalyzer local interface inband capture-filter "len > 100"

This command will capture all packets that are greater than 100 bytes in size.

10. Capture packets based on TCP flags

Nexus# ethanalyzer local interface inband capture-filter "tcp[13] & 2 != 0"

Here’s a breakdown of the command above:

ethanalyzer local interface inband: This starts Ethanalyzer on the local device (the switch itself) on the inband interface. On Nexus, inband is the logical path between the front-panel ports and the supervisor CPU, so this captures control-plane traffic that is punted to or sent by the supervisor (routing protocol hellos, ARP, management sessions arriving over front-panel ports). It does not capture transit traffic that the switch forwards in hardware. Traffic on the out-of-band mgmt0 port is captured with interface mgmt instead.

capture-filter "tcp[13] & 2 != 0": This is a capture filter that Ethanalyzer uses to select which packets to capture and analyze.

Let’s break down the filter:

tcp[13]: This reads the byte at offset 13 from the start of the TCP header (the 14th byte, since BPF offsets are zero-based). This is the flags byte, where each bit represents a different TCP flag: from most to least significant, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN.

& 2: This is a bitwise AND with the number 2 (binary 00000010). Bit 1 of the flags byte is SYN, so the result is 2 when SYN is set and 0 otherwise.

!= 0: This checks that the result of the AND is not zero, which means the SYN flag is set. Note that this matches both the initial SYN and the SYN/ACK reply. To see only new connection attempts, require SYN set and ACK clear: "tcp[13] & 0x3f == 2" (the mask also ignores the ECE and CWR bits), or in named form "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn".

Replace inband with mgmt if you want to capture on the out-of-band mgmt0 port (some platforms offer further interface keywords; use ? after interface to list them), and replace the IP addresses, ports, VLAN, size, and TCP flags with your desired values.

Note that by default Ethanalyzer prints a one-line decode of each packet to the terminal in real time, so you either read it on screen or log the session. It can also save the capture: append write bootflash:capture.pcap to the command to store the frames in pcap format on the switch, replay them later with ethanalyzer local read bootflash:capture.pcap, or copy the file off-box (for example with copy bootflash:capture.pcap scp:) and open it in Wireshark for full analysis. Adding the detail keyword prints the full protocol decode instead of the one-line summary. Unlike the ASA, there is no separate capture buffer to start, stop and view afterwards; the capture runs for as long as the command does.

Terminal Pager 0
The command terminal pager 0 disables the default paging behavior on the Cisco ASA command line. The equivalent on Cisco IOS and on Nexus NX-OS is terminal length 0; terminal pager is not accepted on those platforms.

When using commands that generate a lot of output (like `show tech-support` or `show log`, or in this case, viewing large packet captures), the terminal typically shows a certain number of lines (usually 24) and then pauses, waiting for you to press Enter or Space to see the next set of lines.

If you issue the command `terminal pager 0` (or `terminal length 0` on IOS and Nexus), you disable this behavior, and the terminal will display the full output of a command without pausing.

In the context of packet captures on both ASA and Nexus devices, disabling the pager is useful if you want the entire capture output to scroll without pausing, for example while your terminal client logs the session to a file. However, be aware that this can generate a significant amount of output and might make it harder to see specific packets you’re interested in if the capture is very large.

You can re-enable the default paging behavior with the command `terminal pager <lines>` (`terminal length <lines>` on IOS and Nexus), where `<lines>` is the number of lines to display before pausing. If you just use `terminal pager`, the default is usually set to 24.

Flags
Here are some common flags you might see, with the bit value each occupies in the flags byte that tcp[13] reads:

S = SYN (0x02): The synchronization flag is used when a connection is being established.
F = FIN (0x01): The finish flag is used to gracefully close a TCP connection.
R = RST (0x04): The reset flag is used to forcibly close a TCP connection.
P = PUSH (0x08): The push flag is used to ask the receiving end to pass this data to the application as soon as possible, rather than buffering it.
A = ACK (0x10): The acknowledgment flag is used to acknowledge receipt of packets.
U = URG (0x20): The urgent flag is used when certain data within a packet must be processed immediately.
E = ECE (0x40): The explicit congestion notification echo flag is used to signal network congestion.
C = CWR (0x80): The congestion window reduced flag is used to acknowledge the receipt of an ECE flag.
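The byte arithmetic behind "tcp[13] & 2 != 0" and the one-letter flag names above, as an added worked example. This is illustration code written for this page, not code from the original page or from Cisco's Ethanalyzer: it builds a few constructed Ethernet/IPv4/TCP frames with the Python standard library, extracts the flags byte at TCP offset 13, renders it as flag letters, and evaluates several of the capture filters from the list above against the frames in plain Python. It goes one step beyond the page by also showing the mask that separates an initial SYN from a SYN/ACK. The function names, sample addresses and frame contents are all assumptions made for the example.

```python
"""Decode the TCP flags byte that the capture filter tcp[13] & 2 != 0 tests.

Added illustration, not code from the original page or from Cisco.
Builds constructed Ethernet/IPv4/TCP frames and applies filters to them
with the standard library only, so it runs offline.
"""
import struct
from typing import Any, Callable, Dict, List

Packet = Dict[str, Any]

# Bit value of each flag in the TCP flags byte (offset 13 of the TCP header),
# keyed by the one-letter names used in the Flags section above.
TCP_FLAG_BITS: Dict[str, int] = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "C": 0x80,
}


def flag_letters(flags_byte: int) -> str:
    """Render a flags byte as one letter per set flag, in FSRPAUEC order."""
    return "".join(name for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test frame: Ethernet + IPv4 (no options) + TCP (no options, no data).

    Checksums are left as zero; the parser below never checks them.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40,          # version/IHL, DSCP, total length (20 IP + 20 TCP)
        0, 0, 64, 6, 0,       # id, flags/fragment, TTL, protocol 6 = TCP, checksum
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 0, 0,   # ports, sequence number, acknowledgment number
        5 << 4, flags,        # data offset 5 words; flags byte sits at TCP offset 13
        8192, 0, 0,           # window, checksum, urgent pointer
    )
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Packet:
    """Pull the fields the filters below need out of an Ethernet/IPv4/TCP frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4           # IP header length, so IP options are skipped
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    return {
        "src_ip": ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16]),
        "dst_ip": ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20]),
        "sport": sport,
        "dport": dport,
        "tcp_flags": frame[tcp_off + 13],      # exactly what BPF's tcp[13] reads
        "len": len(frame),
    }


# Python equivalents of capture filters from the page, plus one stricter SYN test.
CAPTURE_FILTERS: Dict[str, Callable[[Packet], bool]] = {
    "not port 22": lambda p: 22 not in (p["sport"], p["dport"]),
    "dst host 192.168.1.2": lambda p: p["dst_ip"] == "192.168.1.2",
    "src host 192.168.1.1": lambda p: p["src_ip"] == "192.168.1.1",
    "dst port 80": lambda p: p["dport"] == 80,
    "len > 100": lambda p: p["len"] > 100,
    # SYN bit set: matches both the initial SYN and the SYN/ACK reply.
    "tcp[13] & 2 != 0": lambda p: (p["tcp_flags"] & 0x02) != 0,
    # SYN set and ACK clear (ECE/CWR masked out): only new connection attempts.
    "tcp[13] & 0x3f == 2": lambda p: (p["tcp_flags"] & 0x3F) == 0x02,
}


def apply_capture_filter(frames: List[bytes], expr: str) -> List[Packet]:
    """Return the parsed packets from frames that the named filter would keep."""
    keep = CAPTURE_FILTERS[expr]
    return [pkt for pkt in map(parse_frame, frames) if keep(pkt)]


# Constructed sample traffic: a TCP handshake plus an unrelated SSH segment.
SAMPLE_FRAMES: List[bytes] = [
    build_frame("192.168.1.1", "192.168.1.2", 40000, 80, 0x02),  # SYN
    build_frame("192.168.1.2", "192.168.1.1", 80, 40000, 0x12),  # SYN/ACK
    build_frame("192.168.1.1", "192.168.1.2", 40000, 80, 0x18),  # PSH/ACK
    build_frame("10.0.0.5", "192.168.1.2", 50000, 22, 0x10),     # ACK on SSH
]

if __name__ == "__main__":
    for expr in CAPTURE_FILTERS:
        kept = apply_capture_filter(SAMPLE_FRAMES, expr)
        summary = ", ".join(
            f"{p['src_ip']}:{p['sport']}>{p['dport']} [{flag_letters(p['tcp_flags'])}]"
            for p in kept
        )
        print(f"{expr:22} -> {len(kept)} packet(s): {summary}")
```

Running the script shows why the page's filter is broader than it looks: "tcp[13] & 2 != 0" keeps both the client's SYN and the server's SYN/ACK, while the masked form keeps only the SYN, which is what you want when hunting for connection attempts towards the switch CPU.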