This article explores how to capture network packets on an EDGE router for subsequent analysis in Wireshark, which can be invaluable for diagnosing various network issues. After gaining console access to the virtual router as described in Part 1, we'll proceed with packet capture.
First, let's determine which network interface to monitor using:
In our example we'll monitor traffic on the external interface vNic_0. There are two capture methods available:
- Real-time terminal display
- File capture
To print captured traffic to the console in real time, run:
debug packet display interface vNic_0
Press CTRL+C to stop the capture. If you need a record of this output, enable session logging in your SSH client so the terminal output is written to a file.
To filter traffic for a specific host (e.g., 90.107.69.171):
debug packet display interface vNic_0 90.107.69.171
To filter by host 90.107.69.171 and port 22 we use the following (note that the EDGE CLI takes the filter expression as a single word, so spaces between tcpdump keywords are written as underscores):
debug packet display interface vNic_0 port_22_and_host_90.107.69.171
To keep your own SSH session to the EDGE out of the output, negate the conditions with not. The expression below drops all port-22 traffic and all traffic to or from our host 90.107.69.171:
debug packet display interface vNic_0 not_port_22_and_not_host_90.107.69.171
To capture traffic for remote host 192.168.255.2 on UDP port 500 (ISAKMP) or UDP port 4500 (IPSEC), write:
debug packet display interface vNic_0 host_192.168.255.2_and_udp_port_500_or_udp_port_4500
Keep in mind that tcpdump gives and and or equal precedence and evaluates them left to right, so this expression matches (host 192.168.255.2 and UDP/500) or UDP/4500 from any host. If the host restriction must apply to both ports, group the port conditions in parentheses as you would in tcpdump (whether the CLI's underscore form accepts parentheses is not covered here), or run one capture per port.
Other examples of possible filtering:
debug packet display interface any host_11.22.33.44_and_tcp_port_80
debug packet display interface vNic_0 udp
debug packet display interface vNic_0 icmp
debug packet display interface vNic_0 host_10.10.10.10
debug packet display interface vNic_0 tcp_src_port_53
debug packet display interface any host_10.10.10.10_or_host_11.22.33.44
II. Capturing traffic to a file
To write all captured traffic to a file, run:
debug packet capture interface vNic_0
You can keep working in the console while the capture runs. When you have collected enough traffic, stop it with:
no debug packet capture interface vNic_0
To see the file that was created, run:
debug show files
Once the file is saved, copy it from the EDGE to a remote server where you can analyze it. FTP and SCP are supported. To copy it to the root of the FTP server 192.168.2.2 located in the VDC, run the following and enter the password when prompted:
debug copy ftp FTP_USER_NAME@FTP_SERVER:/ tcpdump_vNic_0.0
SCP works the same way. Once the file is on the FTP server, do not leave it on the EDGE; delete it with:
debug remove tcpdump_vNic_0.0
Wireshark is installed on the server, so open the copied file there as usual.
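Before opening the copied file in Wireshark it is worth checking that it survived the transfer intact and that the filter captured what you expected. The script below is an added example, not part of the original article and not EDGE or NSX code: it parses a classic pcap file (the format tcpdump writes; pcapng is not handled), verifies the magic number and record lengths, records a SHA-256 you can compare against the original on the EDGE, and counts UDP flows so you can spot packets from hosts other than the peer you intended to capture (the and/or precedence issue described for the UDP/500 and UDP/4500 filter above). The sample capture is constructed inline so the script runs offline; the file name tcpdump_vNic_0.0 and the peer address 192.168.255.2 come from the article, everything else (10.0.0.1 as the EDGE address, 203.0.113.9 as an unrelated host) is an assumption for the sample.

```python
import hashlib
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Constructed stand-in for tcpdump_vNic_0.0: three Ethernet/IPv4/UDP frames.
    Not a real EDGE capture; addresses other than 192.168.255.2 are assumptions."""
    def udp_frame(src_ip, dst_ip, sport, dport, payload=b"x"):
        eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
        return eth + ip + udp

    frames = [
        udp_frame("192.168.255.2", "10.0.0.1", 500, 500),    # ISAKMP from the expected peer
        udp_frame("192.168.255.2", "10.0.0.1", 4500, 4500),  # NAT-T from the expected peer
        udp_frame("203.0.113.9", "10.0.0.1", 4500, 4500),    # UDP/4500 from an unrelated host
    ]
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    data = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, incl_len, orig_len
        data += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return data


def parse_pcap(data):
    """Parse a classic pcap; return (link_type, list of frame bytes).
    Raises ValueError on a bad magic or inconsistent record lengths, which is
    what a damaged or incomplete transfer looks like."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("bad pcap magic 0x%08x (corrupted or not a classic pcap)" % magic)
    _, vmaj, vmin, _, _, _snaplen, link_type = struct.unpack(endian + "IHHiIII", data[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (vmaj, vmin))
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        frames.append(data[off:off + incl_len])
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after the last record")
    return link_type, frames


def summarize_udp(frames):
    """Count UDP flows keyed by (src_ip, dst_ip, dst_port) over Ethernet/IPv4 frames."""
    flows = Counter()
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 17:   # not IPv4/UDP
            continue
        ihl = (f[14] & 0x0F) * 4
        src = ".".join(str(b) for b in f[26:30])
        dst = ".".join(str(b) for b in f[30:34])
        _sport, dport = struct.unpack("!HH", f[14 + ihl:14 + ihl + 4])
        flows[(src, dst, dport)] += 1
    return flows


def check_capture(data, expected_host):
    """Integrity and content summary for a capture copied off the EDGE."""
    link_type, frames = parse_pcap(data)
    flows = summarize_udp(frames)
    # Flows that involve neither end with the expected peer reveal an over-broad filter
    unexpected = {k: n for k, n in flows.items() if expected_host not in (k[0], k[1])}
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # compare with the hash taken on the EDGE
        "link_type": link_type,
        "packets": len(frames),
        "flows": flows,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    # To check a real file: check_capture(open("tcpdump_vNic_0.0", "rb").read(), "192.168.255.2")
    report = check_capture(build_sample_pcap(), "192.168.255.2")
    for key, value in report.items():
        print(key, value)
```

On the constructed sample the report lists one unexpected flow, the UDP/4500 packet from 203.0.113.9, which is exactly what the left-to-right evaluation of the host/port filter lets through. Any flow listed under "unexpected" for a real capture means the filter was broader than intended and should be tightened or the capture split per port.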