Introduction
This document describes how to perform a packet capture in a Cisco Telemetry Broker (CTB) Broker node.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic Linux administration
- Basic Cisco Telemetry Broker architecture
- SSH basic knowledge
- Command Line Interface (CLI) access as admin and root is needed to perform the packet capture.
Components Used
The information in this document is based on CTB Broker node running version 2.0.1.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
The CTB Broker Node has a tool called ctb-pcap that is used to perform a network capture from the telemetry interface of the broker node. Note that this tool is not available on the CTB Manager Node.
Before you use the command ctb-pcap, ensure that you first switch to the root user with the command sudo su. This tool is available to the root user only.
To view the available options for this tool, run the command ctb-pcap --help at the CLI of the Broker node. This image displays the full list of the options:
All available options for CTB packet capture tool
As the output indicates, the number of captured packets, the duration in seconds, and the packet capture output file name are required. Moreover, the packet type, either received, sent, or dropped packets, must be stated in the command.
You can use the following syntax as the basis of the packet capture command. It already specifies the number of captured packets, the duration, and the file name of the packet capture, as well as the verbose option and packet type:
ctb-pcap -V -n [number_pkts] -t [duration] -o [filename] [rx/tx/drop]
Verify
As an example, you can do a packet capture of received packets with the verbose option, 100 packets, for thirty seconds, filtered by source 10.10.10.10, and save the output with the name received_packets.pcap.
The command to perform such a packet capture is:
ctb-pcap -V -n 100 -t 120 -s 10.10.10.10 -o received_packets.pcap rx
Enter the command at the CLI of the Broker Node and the packet capture begins. When the packet capture finishes, the file is automatically saved to the /var/lib/titan/pcap/ directory.
Here is an example of the verbose output from the packet capture command:
Verbose output from the example command
Note that of the duration and number of packets options, whichever limit is reached first stops the packet capture. (For example, if a total of 100 packets have been captured even though the thirty seconds of the duration have not been completed, the packet capture is stopped. In this example, the duration of thirty seconds was reached first, so only 66 packets were captured.)
After the packet capture has been generated, use SCP or SFTP to transfer the file to your local machine. If you use SFTP, enter the admin credentials to connect to the appliance.
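Once the file is on your local machine, you can confirm that it transferred intact and see which limit ended the capture. This Python script is an added example, not part of the CTB tooling; it assumes ctb-pcap writes the classic libpcap file format, and the function names and sample data are constructed for illustration.

```python
import struct

# Classic pcap magic bytes -> (struct byte order, timestamp fractions per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def summarize_pcap(data):
    """Return (packet_count, seconds between first and last packet)."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, frac_per_sec = PCAP_MAGICS[data[:4]]
    offset, stamps = 24, []          # records start after the 24-byte global header
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header (incomplete transfer?)")
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data (incomplete transfer?)")
        stamps.append(sec + frac / frac_per_sec)
    span = stamps[-1] - stamps[0] if stamps else 0.0
    return len(stamps), span

def stop_reason(count, requested_packets):
    """Name the ctb-pcap limit that ended the capture: whichever was reached first."""
    return "packet count (-n)" if count >= requested_packets else "duration (-t)"

def build_sample(n_packets, spacing_us):
    """Constructed sample data: little-endian pcap with 4-byte dummy payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n_packets):
        sec, usec = divmod(1_700_000_000_000_000 + i * spacing_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    # Constructed input: 66 packets, 450 ms apart, checked against a -n 100 request.
    count, span = summarize_pcap(build_sample(66, 450_000))
    print(f"{count} packets over {span:.2f} s, stopped by {stop_reason(count, 100)}")
```

To check a real capture, pass the bytes of the transferred file to summarize_pcap instead of the constructed sample.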