Monitoring Devices

Set Up Packet Capture to Monitor Network Traffic

In addition to aggregating data from multiple NAMs, Prime Infrastructure makes it easy to actively manage and troubleshoot network problems using multiple NAMs and ASRs.


Note

This feature is supported for NAMs and ASRs. For more information on minimum Cisco IOS XE version supported on ASRs, see the Cisco ASR 1000 Series Aggregation Services Routers Release Notes.

In the following workflow, a network operator needs to troubleshoot a set of similar authentication violations taking place at multiple branches. Because the operator suspects that the authentication problems are due to a network attack in progress, the operator runs the Packet Capture feature against the NAMs or ASRs for each branch, then runs the Packet Decoder to inspect the suspicious traffic.



Note

The legacy cipher, which the Copy To and Merge functions in the Packet Capture screen use, is enabled by default on the Prime Infrastructure server.

If the Copy To or Merge functions do not work, you must enable the legacy cipher manually by entering the following command in the Prime Infrastructure CLI:

admin# ncs run ssh-server-security-legacy-algorithms enable

You must disable it after performing these actions. Enter the following command to disable it:

admin# ncs run ssh-server-legacy-algorithms disable
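To confirm from an admin workstation that the disable command took effect, the following added example (not Cisco code) parses OpenSSH `ssh -vv` debug output and reports legacy algorithms in the server's proposal only. The set of algorithms treated as legacy is an assumed hardening baseline, `<pi-server>` is a placeholder, and the sample output is constructed.

```python
import re

# Assumption: a common hardening baseline, NOT Cisco's definition of what
# "ncs run ssh-server-legacy-algorithms" toggles.
LEGACY = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"},
    "hostkey": {"ssh-dss", "ssh-rsa"},
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-sha1"},
}
FIELDS = {"KEX algorithms": "kex", "host key algorithms": "hostkey",
          "ciphers ctos": "cipher", "ciphers stoc": "cipher",
          "MACs ctos": "mac", "MACs stoc": "mac"}

def legacy_offered(ssh_debug: str) -> dict:
    """Map category -> sorted legacy algorithms in the *server's* proposal."""
    found, in_server = {}, False
    for line in ssh_debug.splitlines():
        m = re.match(r"debug2: (.+)$", line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.endswith("KEXINIT proposal"):
            # ssh -vv prints the client's own proposal first; skip that one.
            in_server = body.startswith("peer server")
            continue
        name, sep, algos = body.partition(": ")
        cat = FIELDS.get(name) if (in_server and sep) else None
        hits = LEGACY[cat] & set(algos.split(",")) if cat else set()
        if hits:
            found.setdefault(cat, set()).update(hits)
    return {cat: sorted(v) for cat, v in found.items()}

# Constructed sample of `ssh -vv -o BatchMode=yes admin@<pi-server> exit 2>&1`
CLIENT = ("debug2: local client KEXINIT proposal\n"
          "debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group14-sha1\n"
          "debug2: ciphers ctos: aes256-ctr,aes128-cbc\n")
SAMPLE_ENABLED = CLIENT + (
    "debug2: peer server KEXINIT proposal\n"
    "debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group1-sha1\n"
    "debug2: host key algorithms: rsa-sha2-256\n"
    "debug2: ciphers stoc: aes256-ctr,aes128-cbc\n"
    "debug2: MACs stoc: hmac-sha2-256,hmac-sha1\n")
SAMPLE_DISABLED = CLIENT + (
    "debug2: peer server KEXINIT proposal\n"
    "debug2: KEX algorithms: ecdh-sha2-nistp256\n"
    "debug2: ciphers stoc: aes256-ctr\n"
    "debug2: MACs stoc: hmac-sha2-256\n")
print(legacy_offered(SAMPLE_ENABLED), legacy_offered(SAMPLE_DISABLED))
```

An empty result after the disable command means none of the baseline's legacy algorithms are still offered; a non-empty one lists what remains, by category.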

Procedure


Step 1

Create a capture session definition:

  1. Choose Monitor > Tools > Packet Capture to create a new capture session definition.

  2. Complete the General section as needed. Give the session definition a unique name and specify how you want to file the captured data. To capture the full packet, enter 0 in the Packet Slice Size.

  3. If you want to restrict the captured traffic to particular source or destination IPs, VLANs, applications, or ports, click Add in the Software Filters section and create filters as needed. If you do not create a software filter, the session captures everything.

  4. In the Devices area, you can select:
       - A NAM and its data ports. You can create one capture session per NAM only, whether the capture session is running or not.
       - An ASR and its interfaces.

  5. Click Create and Start All Sessions. Prime Infrastructure saves the new session definition, then runs separate capture sessions on each of the devices you specified. It stores the sessions as files on the device and displays the list of packet capture files in the Capture Files area.

Step 2

To decode a packet capture file:

  1. Choose Monitor > Tools > Packet Capture.

  2. Select a PCAP file in a NAM or ASR device.

  3. Select Copy To to copy the PCAP file to the PI server (the decode operation only runs on files in the PI server).

  4. Click View Jobs to confirm that the copy job completed successfully.

  5. Open the localhost folder, select the check box for the new capture file, then click Decode. The decoded data appears in the bottom pane.

  6. A TCP Stream displays the data as the application layer sees it. To view the TCP Stream for a decoded file, select a TCP packet from the Packet List, then click TCP Stream. You can view the data as ASCII text or in a HEX dump.

Step 3

To run a packet capture session again, select the session definition in the Capture Sessions area and click Start.


Manage Jobs Using the Jobs Dashboard

If you have the appropriate user account privileges, you can manage Prime Infrastructure jobs using the Jobs dashboard. To view the Jobs dashboard, choose Administration > Dashboards > Job Dashboard. From here, you can quickly see if a job was successful, partially successful, or failed.

If too many jobs are already running, Prime Infrastructure will hold other jobs in the queue until resources are available. If this delays a scheduled job past its normal starting time, the job will not run. You will have to run it manually.

Some jobs may require approval. If this is the case, Prime Infrastructure sends an email to users with Administrator privileges notifying them that a job was scheduled and needs approval. The job will only run after it is approved.

The following table describes the buttons displayed in the Jobs dashboard.

Table 1. Jobs Dashboard Buttons

| Button | Description |
|---|---|
| Delete Job | Removes a job from the Jobs dashboard. |
| Edit Job | Edit the settings configured for the selected job. |
| Edit Schedule | Displays the series schedule and lets you edit it (start time, interval, and end time). Note: Editing the schedule of an already-scheduled job will change the status of that job to Pending for Approval since each edit requires an approval from the user who created the job. |
| Run | Runs a new instance of the selected job. Use this to rerun partially successful or failed jobs; the job will only run for the failed or partially successful components. |
| Abort | Stops a currently-running job, but allows you to rerun it later. Not all jobs can be aborted; Prime Infrastructure will indicate when this is the case. |
| Cancel Series | Stops a currently-running job and does not allow anyone to rerun it. If the job is part of a series, future runs are not affected. |
| Pause Series | Pauses a scheduled job series. When a series is paused, you cannot run any instances of that series (using Run). |
| Resume Series | Resumes a scheduled job series that has been paused. |


Note

The Delete Job, Abort, and Cancel Series buttons are not available for system and poller jobs.


To view the details of a job, follow these steps:

Procedure


Step 1

Choose Administration > Dashboards > Job Dashboard.

Step 2

From the Jobs pane, choose a job series to get basic information (such as job type, status, job duration, and next start time).

Step 3

To view the job interval, click a job instance hyperlink.

At the top of the job page, the Recurrence field indicates how often the job recurs. Job interval details will be added for every job that is triggered.

Step 4

To get details about a failed or partially successful job, click the job instance hyperlink and expand the entries provided on the resulting page.

This is especially helpful for inventory-related jobs. For example, if a user imported devices using a CSV file (a bulk import), the job will be listed in the Jobs sidebar menu under User Jobs > Device Bulk Import. The job details will list the devices that were successfully added and the devices that were not.


Example

To troubleshoot a failed software image import job:

  1. Choose User Jobs > Software Image Import from the Jobs sidebar menu.

  2. Locate the failed job in the table and then click its hyperlink.

  3. Expand the job's details (if not already expanded) to view the list of devices associated with the job and the status of the image import for each device.

  4. To view the import details for a specific device, click that device's i (information) icon in the Status column. This opens an Image Management Job Results pop-up window.

  5. Examine each step and its status. For example, the Collecting image with Protocol: SFTP column might report that SFTP is not supported on the device.