11-Network Management and Monitoring Command Reference

HomeSupportResource CenterH3C S6850 & S9850 Switch Series Command References-Release 655x-6W10111-Network Management and Monitoring Command Reference
19-Packet capture commands
Title Size Download
19-Packet capture commands 77.38 KB

Packet capture commands

display packet-capture status

Use display packet-capture status to display status information about local or remote packet capture.

Syntax

display packet-capture status

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command does not display information about feature image-based packet capture.

Examples

# Display status information about local or remote packet capture.

<Sysname> display packet-capture status

Status     : Capturing

File Name  : flash:/a.pcap

User Name  : N/A

Password   : N/A

Table 1 Command output

Field

Description

Status

Packet capture status. Only the Capturing status is supported in the current software version.

Username

Username for logging in to the remote FTP server.

Password

Password for logging in to the remote FTP server. Both passwords in encrypted form and in plaintext form are displayed as ******. If no password is required or configured, this filed displays N/A.

packet-capture interface

Use packet-capture interface to capture incoming packets on an interface.

Syntax

Save captured packets to a file:

packet-capture interface interface-type interface-number [ capture-filter capt-expression | limit-captured-frames limit | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds | autostop files numbers | capture-ring-buffer filesize kilobytes | capture-ring-buffer duration seconds | capture-ring-buffer files numbers ] * write filepath [ raw | { brief | verbose } ] *

Filter packet data to display:

packet-capture interface interface-type interface-number [ capture-filter capt-expression | display-filter disp-expression | limit-captured-frames limit | limit-frame-size bytes | autostop duration seconds ] * [ raw | { brief | verbose } ] *

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an Ethernet interface by its type and number.

capture-filter capt-expression: Specifies an expression to match packets to be captured, a case-sensitive string of 1 to 256 characters. If you do not specify a capture filter expression, the device captures all incoming packets on an interface.

display-filter disp-expression: Specifies an expression to match packets to be displayed, a case-sensitive string of 1 to 256 characters. If you do not specify a display filter expression, the device displays all captured packets.

limit-captured-frames limit: Stops capturing packets when the maximum number of captured packets is reached. The limit argument sets the maximum number of packets to capture. The value range is 0 to 2147483647, and the default value is 10. If you set the limit to 0, the maximum number of captured packets is unlimited.

limit-frame-size bytes: Sets the maximum number of bytes to capture for a packet. The value range is 64 to 8000 bytes, and the default value is 8000 bytes.

autostop filesize kilobytes: Stops capturing packets if the maximum packet file size is exceeded when file rotation is disabled. The kilobytes argument sets the maximum packet file size. The value range is 1 to 65536 kilobytes. If you do not set a limit, the packet file size is unlimited.

autostop duration seconds: Stops capturing packets when the capturing duration expires. The seconds argument sets the capturing duration. The value range is 1 to 2147483647 seconds. If you do not set a limit, the capturing duration is unlimited.

autostop files numbers: Stops capturing packets when the maximum number of file rotations is reached. The numbers argument sets the maximum number of file rotations. The value range is 2 to 64. The capture creates a file to store packet data when a rotation is triggered. The first rotation occurs when the capture starts. If you do not set a limit, the number of file rotations is unlimited.

capture-ring-buffer filesize kilobytes: Rotates the packet file when the maximum file size is reached. The kilobytes argument sets the maximum file size. The value range is 1 to 65536 kilobytes.

capture-ring-buffer duration seconds: Rotates the packet file when the rotation interval expires. The seconds argument sets the rotation interval. The value range is 1 to 2147483647 seconds.

capture-ring-buffer files numbers: Sets the maximum number of packet files for file rotation, in the range of 2 to 64. If this limit is reached before the capture stops, newly captured packets will overwrite the packet data in the oldest file.

write filepath: Specifies the full path of the packet file to store captured packet data. The path must be a case-sensitive string of up to 64 characters. The filename extension must be .pcap. For more information about setting a file path, see file system management in Fundamentals Configuration Guide.

raw: Displays packet contents in hexadecimal notation. If you do not specify this keyword, the capture displays packet data in a string format.

verbose: Displays detailed information about captured packets.

brief: Displays brief information about captured packets.

Usage guidelines

To use this command, you must install the packet capture feature image by using the boot-loader, install, or issu command series. For more information about image installation, see software upgrade and ISSU in Fundamentals Configuration Guide.

The device displays captured packet data in real time.

·     If you specify the write filepath option without specifying the raw, brief, or verbose keyword, this command displays the number of captured packets.

·     If you do not specify any one of the raw, brief, verbose, and write filepath parameters, this command displays brief information about captured packets.

After packet capture is enabled, you are not allowed to configure other commands from the CLI. To stop the capture while it is capturing packets, press Ctrl+C.

If file rotation is disabled, the capture creates a packet file with the file name specified by the write filepath option. If file rotation is enabled, the capture automatically creates a packet file for each rotation, and renames the file to include a sequence number and timestamp. The sequence number increases by 1 for each file rotation. For example, set the file name to a.pcap. For the first rotation, the capture will create a packet file named a_00001_20140211034151.pcap. For the second rotation, the capture will create a packet file named a_00002_20140211034207.pcap.

Use Table 2 when you configure the options for stopping the capture or rotating the file.

Table 2 Using the packet filter parameters

Purpose

Options

Remarks

Stop capturing

·     Stop based on the capturing duration:
autostop duration seconds

·     Stop based on the number of captured packets:
limit-captured-frames limit

·     Stop based on the number of file rotations:
autostop files numbers

·     Stop based on the file size if file rotation is disabled:
autostop filesize kilobytes

The packet capture stops if any one of the limits for the stop options is reached. The packet capture also stops if the file system's limit on the number of files has been reached.

The autostop filesize option does not stop the capture if file rotation is enabled by the autostop files, capture-ring-buffer files, or capture-ring-buffer filesize option.

Rotate files

·     Rotate based on the file size:
capture-ring-buffer filesize kilobytes

·     Rotate based on the rotation interval:
capture-ring-buffer duration seconds

·     Rotate based on the file size specified for the autostop filesize kilobytes option:
autostop files numbers
autostop filesize kilobytes
capture-ring-buffer files numbers

The capture rotates the packet file when any one of the limits for the rotation options is reached.

If you specify the autostop filesize option after the capture-ring-buffer filesize option, the capture rotates the file based on the file size specified for the autostop filesize option.

Examples

# Capture incoming packets on Twenty-FiveGigE 1/0/1.

<Sysname> packet-capture interface twenty-fivegige 1/0/1

Related commands

packet-capture read

packet-capture local interface

Use packet-capture local interface to capture incoming packets on an interface and save the captured packets to a local file or to a remote file on an FTP server.

Syntax

packet-capture local interface interface-type interface-number [ capture-filter capt-expression | limit-frame-size bytes | autostop filesize kilobytes | autostop duration seconds ] * write { filepath | url url [ username username [ password { cipher | simple } string ] ] }

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an Ethernet interface by its type and number.

capture-filter capt-expression: Specifies an expression to match packets to be captured, a case-sensitive string of 1 to 256 characters. If you do not specify a capture filter expression, the device captures all incoming packets on an interface.

limit-frame-size bytes: Sets the maximum number of bytes to capture for a packet. The value range is 64 to 8000 bytes, and the default value is 8000 bytes.

autostop filesize kilobytes: Stops capturing packets if the maximum packet file size is exceeded when file rotation is disabled. The kilobytes argument sets the maximum packet file size. The value range is 1 to 65536 kilobytes. If you do not set a limit, the packet file size is unlimited.

autostop duration seconds: Stops capturing packets when the capturing duration expires. The seconds argument sets the capturing duration. The value range is 1 to 2147483647 seconds. If you do not set a limit, the capturing duration is unlimited.

write: Stores the captured packet data.

filepath: Specifies the full path of a local packet file to store captured packet data. The path must be a case-sensitive string of up to 64 characters. The filename extension must be .pcap. For more information about setting a file path, see file system management in Fundamentals Configuration Guide.

url url: Specifies the URL of a remote packet file on an FTP server to store captured packet data. The URL must be a case-sensitive string of 1 to 255 characters. The URL string must not contain at signs (@), and the specified username and password. If you do not specify a URL, the captured packet data is not saved.

username username: Specifies a username for logging in to the FTP server. The username is a case-sensitive string of 1 to 32 characters.

password: Specifies a password for logging in to the FTP server.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Usage guidelines

To stop the capture while it is capturing packets, use the packet-capture stop command.

If you configure both the autostop filesize option and autostop duration option, the packet capture stops when any one of the limits for the stop options is reached.

Follow these restrictions and guidelines to specify the URL, username, and password:

·     The URL format is ftp://FTP server address:port number/file name, where the port number is optional, for example, ftp://192.168.1.1/test.cfg and ftp://192.168.1.1:21/test.cfg. If the server is configured with a port number, you must enter the port number in the URL.

·     If the server address is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[2001::1]/test.cfg and ftp://[2001::1]:21/test.cfg.

·     You can also specify the DNS domain name for the server address field, for example, ftp://sdp:21/test.cfg.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

Do not set a short capturing duration in the autostop duration seconds option. If the duration is too short, the capture might stop when a user has not logged in to the FTP server. The captured packets cannot be saved because a packet file has not been created.

Examples

# Capture incoming packets and store the data in the database.pcap file on the FTP server at 10.1.1.1. The username and password for logging in to the FTP server are 1 and 1, respectively.

<Sysname> packet-capture local interface twenty-fivegige 1/0/1 write url ftp://10.1.1.1/database.pcap username 1 password simple 1

Related commands

display packet-capture status

packet-capture stop

packet-capture read

Use packet-capture read to display the contents in a packet file.

Syntax

packet-capture read filepath [ display-filter disp-expression ] [ raw | { brief | verbose } ] *

Views

User view

Predefined user roles

network-admin

Parameters

filepath: Specifies the full path of the packet file to store captured packet data. The path must be a case-sensitive string of up to 64 characters. The filename extension must be .pcap or .pcapng. For more information about setting a file path, see file system management in Fundamentals Configuration Guide.

display-filter disp-expression: Specifies an expression to match packets to be displayed, a case-sensitive string of 1 to 256 characters. If you do not specify a display filter expression, this command displays all file contents.

raw: Displays file contents in hexadecimal notation. If you do not specify this keyword, the capture displays packet data in a string format.

brief: Displays brief information about captured packets in the file.

verbose: Displays detailed information about captured packets in the file.

Usage guidelines

To use this command, you must install the packet capture feature image by using boot-loader, install, or issu commands. For more information about image installation, see software upgrade and ISSU in Fundamentals Configuration Guide.

To stop displaying the file contents, press Ctrl+C.

The device stores captured packets in .pcap files but can read .pcap and .pcapng files.

If you do not specify the raw, brief, or verbose keyword, this command displays brief information about captured packets in the file.

Examples

# Display the contents in the file flash:/test/aaaa.pcap.

<Sysname> packet-capture read flash:/test/aaaa.pcap

Related commands

packet-capture interface

packet-capture remote interface

Use packet-capture remote interface to capture incoming packets on an interface.

Syntax

packet-capture remote interface interface-type interface-number [ port port ]

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an Ethernet interface by its type and number.

port port: Specifies the RPCAP service port by its number. If you do not specify a RPCAP service port, RPCAP service port 2002 is used.

Usage guidelines

After this command is executed, the client (such as Wireshark) connected to the AP can obtain packets captured on the specified interface.

To stop the capture while it is capturing packets, use the packet-capture stop command.

Examples

# Capture incoming packets on Twenty-FiveGigE 1/0/1 and specify the RPCAP service port number as 2014.

<Sysname> packet-capture remote interface twenty-fivegige 1/0/1 port 2014

Related commands

display packet-capture status

packet-capture stop

packet-capture stop

Use packet-capture stop to stop the local or remote packet capture.

Syntax

packet-capture stop

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command does not stop the feature image-based packet capture. To stop the feature image-based packet capture, press Ctrl+C.

Examples

# Stop the local or remote packet capture.

<Sysname> packet-capture stop

Related commands

packet-capture local interface

packet-capture remote interface