Sometimes you need to look at what's going back and forth on a specific T0 or T1. There are tools for extracting the packets; they are not as easily available as on a standalone router/firewall, but it can certainly be done.
Be careful with packet captures! This is on an all-CPU router — so isolating the device before capturing packets is a wise choice.
get logical-routers | find <customer>
Find the VRF you want to capture on. The command gives you a list with both SR and DR VRF instances. Service Routers (SR) are for when you are looking at the internal networks. Distributed Routers (DR) are for when you are looking at the public IP side of things.
vrf 20
We will need to go into the VRF and find the interface that we need to packet capture on.
Command example output
edgenode1-01> get logical-router | find jeram
Wed Jun 07 2023 UTC 13:03:40.465
d595f425-6d15-4743-8598-8b354febffbf 20 5155 DR-dc1.employee.edge.jeram.01-5a DISTRIBUTED_ROUTER_TIER1 8 0/50000
8de7cb24-82f9-49d2-8e70-ecaed3ebdc89 43 5156 SR-dc1.employee.edge.jeram.01-5a SERVICE_ROUTER_TIER1 5 2/50000
get interfaces
Gives a list of available interfaces; note down the ID of the interface you would like to capture on. This example is for internet traffic, where we look at the interface of the glue network that NSX uses to connect to T0. Afterward, you need to exit the VRF again with “exit”.
Command example output
get interfaces
Wed Jun 07 2023 UTC 13:08:19.802
Logical Router
UUID VRF LR-ID Name Type
d595f425-6d15-4743-8598-8b354febffbf 20 5155 DR-dc1.employee.edge.jeram.01-5a DISTRIBUTED_ROUTER_TIER1
a406de-a8ad-4cd6-b4fb-eb8ed575c9
4c
Interfaces (IPv6 DAD Status A-DAD_Success, F-DAD_Duplicate, T-DAD_Tentative, U-DAD_Unavailable)
Interface : c16c758c-bb86-5985-a670-1b9c5ab7ec72
Ifuid : 303
Mode : cpu
Port-type : cpu
Enable-mcast : false
Interface : 9d1e983e-7471-545d-93fa-9e3eb8a4e1de
Ifuid : 304
Mode : blackhole
Port-type : blackhole
Interface : 31968aa8-60e6-474e-a3a0-824cec729947
Ifuid : 705
Name : infra-5311e2e8-158c-4595-8645-4d9ff4660045-dlrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : downlink
IP/Mask : 10.66.66.1/24
MAC : 02:50:56:56:44:62
VNI : 70660
Access-VLAN : untagged
LS port : da0dd1d7-59d6-4827-8492-749afd3c7f1e
Urpf-mode : STRICT_MODE
DAD-mode : LOOSE
RA-mode : DISABLED
Admin : up
Op_state : up
Enable-mcast : True
MTU : 1500
arp_proxy :
Interface : 3ee47d65-dc6b-412e-a8f1-27523b62f85c
Ifuid : 753
Name : bp-dr-port
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : backplane
IP/Mask : 169.254.0.1/28;fe80::50:56ff:fe56:4462/64(NA)
MAC : 02:50:56:56:44:62
VNI : 72710
Access-VLAN : untagged
LS port : 602e6a5a-5ddf-4c15-929e-d16ef34b8384
Urpf-mode : PORT_CHECK
DAD-mode : LOOSE
RA-mode : RA_INVALID
Admin : up
Op_state : up
Enable-mcast : True
MTU : 1500
arp_proxy :
Interface : 32efb3d0-cf08-4643-9018-779dee3b9a47
Ifuid : 475
Name : 5aa406de-a8ad-4cd6-b4fb-eb8ed575c94c-dhcp-dlrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : downlink
IP/Mask : 192.168.255.226/30
MAC : 02:50:56:56:44:62
VNI : 73728
Access-VLAN : untagged
LS port : bbb711e3-989d-4ef4-8857-b466ceb29dbf
Urpf-mode : NONE
DAD-mode : LOOSE
RA-mode : DISABLED
Admin : up
Op_state : up
Enable-mcast : False
MTU : 1500
arp_proxy :
Interface : 4bef685a-29db-4768-9bb9-bded9a0b2f08
Ifuid : 778
Name : infra-95f47dc9-f4f1-483f-973b-dd77038a734a-dlrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : downlink
IP/Mask : 192.168.255.1/25
MAC : 02:50:56:56:44:62
VNI : 68612
Access-VLAN : untagged
LS port : 6657223f-3ba9-4dd8-b76a-8fc8d829b5cc
Urpf-mode : STRICT_MODE
DAD-mode : LOOSE
RA-mode : DISABLED
Admin : up
Op_state : up
Enable-mcast : True
MTU : 1500
dhcp relay : 192.168.255.225
arp_proxy :
Interface : 8f12fd3d-80c2-4a2c-802e-d3b584441ef7
Ifuid : 656
Name : infra-8888f040-4434-4cf8-9b5f-3d7fa3bd55b2-dlrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : downlink
IP/Mask : 10.44.44.1/24
MAC : 02:50:56:56:44:62
VNI : 67585
Access-VLAN : untagged
LS port : 1af40252-2b5a-41cb-ba79-ed6d69659c1c
Urpf-mode : STRICT_MODE
DAD-mode : LOOSE
RA-mode : DISABLED
Admin : up
Op_state : up
Enable-mcast : True
MTU : 1500
arp_proxy :
Interface : 3b1145e9-7f59-440a-ad1e-758bf449a313
Ifuid : 610
Name : infra-bffc2250-653b-4155-9be8-201c4b86ae3c-dlrp
Fwd-mode : IPV4_ONLY
Mode : lif
Port-type : downlink
IP/Mask : 10.88.88.1/24
MAC : 02:50:56:56:44:62
VNI : 71698
Access-VLAN : untagged
LS port : cf6c94d5-0a77-4497-b5e2-b5da0d302d73
Urpf-mode : STRICT_MODE
DAD-mode : LOOSE
RA-mode : DISABLED
Admin : up
Op_state : up
Enable-mcast : True
MTU : 1500
arp_proxy :
exit
Exit the VRF to go back to global mode; from here we can start the packet capture.
start capture interface <id> direction dual expression
Expressions can be like the list below. Use “and” to combine multiple expressions.
- src net 172.20.10.0/24
- host 10.66.66.231
- port 22
- port 22 and host 10.66.66.231
Command example output
edgenode1-02> start capture interface 31968aa8-60e6-474e-a3a0-824cec729947 direction dual expression host 10.66.66.231 and port 443
17:36:16.429113 02:50:56:56:44:62 > 00:50:56:01:19:54, ethertype IPv4 (0x0800), length 66: 217.116.214.8.443 > 10.66.66.231.60093: Flags [.], ack 881476981, win 501, options [nop,nop,sack 1 {0:1}], length 0
<base64>AFBWARlUAlBWVkRiCABFAAA0rLtAADgGmWLZdNYICkJC5wG76r1lc88TNIpFdYAQAfXsJAAAAQEFCjSKRXQ0ikV1</base64>
17:36:16.443631 02:50:56:56:44:62 > 00:50:56:01:19:54, ethertype IPv4 (0x0800), length 66: 217.116.214.8.443 > 10.66.66.231.60096: Flags [.], ack 1577142618, win 501, options [nop,nop,sack 1 {0:1}], length 0
<base64>AFBWARlUAlBWVkRiCABFAAA0fztAADgGxuLZdNYICkJC5wG76sDVIvkbXgFJWoAQAfXKVQAAAQEFCl4BSVleAUla</base64>
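The capture prints each frame twice: a tcpdump-style summary line and the raw Ethernet frame as base64 between <base64> tags. The Python below is an added example, not part of the original post or of NSX; it parses pasted console output in the format shown above, decodes the frames, and writes a classic pcap file that Wireshark or tcpdump can open. The function names and the output file name are assumptions, and because the summary line carries only a time of day, the pcap timestamps are seconds since midnight.

```python
import base64
import re
import socket
import struct
# Sample input: the two records from the example output above, copied verbatim.
SAMPLE = """\
17:36:16.429113 02:50:56:56:44:62 > 00:50:56:01:19:54, ethertype IPv4 (0x0800), length 66: 217.116.214.8.443 > 10.66.66.231.60093: Flags [.], ack 881476981, win 501, options [nop,nop,sack 1 {0:1}], length 0
<base64>AFBWARlUAlBWVkRiCABFAAA0rLtAADgGmWLZdNYICkJC5wG76r1lc88TNIpFdYAQAfXsJAAAAQEFCjSKRXQ0ikV1</base64>
17:36:16.443631 02:50:56:56:44:62 > 00:50:56:01:19:54, ethertype IPv4 (0x0800), length 66: 217.116.214.8.443 > 10.66.66.231.60096: Flags [.], ack 1577142618, win 501, options [nop,nop,sack 1 {0:1}], length 0
<base64>AFBWARlUAlBWVkRiCABFAAA0fztAADgGxuLZdNYICkJC5wG76sDVIvkbXgFJWoAQAfXKVQAAAQEFCl4BSVleAUla</base64>
"""
TS = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) ")
B64 = re.compile(r"<base64>([A-Za-z0-9+/=]+)</base64>")

def parse_capture(text):
    """Return [(ts_sec, ts_usec, frame_bytes), ...] from pasted console output."""
    packets, ts = [], (0, 0)
    for line in text.splitlines():
        m = TS.match(line)
        if m:  # summary line: remember its timestamp for the frame that follows
            h, mi, s, us = map(int, m.groups())
            ts = (h * 3600 + mi * 60 + s, us)  # time of day only, no date
        m = B64.search(line)
        if m:
            packets.append((ts[0], ts[1], base64.b64decode(m.group(1), validate=True)))
    return packets

def tcp_summary(frame):
    """Decode Ethernet/IPv4/TCP header fields; return None for any other frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet and IPv4 headers
    if len(tcp) < 20:
        return None
    sport, dport, _seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport, "ack": ack,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport, "flags": tcp[13]}

def write_pcap(packets, path):
    """Write a classic libpcap file with link type 1 (Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for sec, usec, frame in packets:
            f.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return len(packets)

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print([tcp_summary(p[2]) for p in pkts], write_pcap(pkts, "nsx-capture.pcap"))
```

Comparing the decoded fields with the summary line is a quick check that the pasted output was not truncated or re-wrapped by the terminal.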