
Brocade ADX - Packet Capture

The Brocade ADX provides the ability to capture network traffic, which can then be viewed later for further analysis. This is achieved via the debug filter.
Within this article we will provide the necessary steps required to configure, run, save and then export a debug filter.

Debug Filter Mode

First of all we enter the debug filter prompt.

SSH@adx#debug filter
SSH@adx(debug-filter-all-BP)#

Buffer Attributes

Next we set the packet and buffer size, along with clearing the buffer.

SSH@adx(debug-filter-all-BP)#packet-size whole
SSH@adx(debug-filter-all-BP)#no buffer-size 10000
SSH@adx(debug-filter-all-BP)#buffer-size 10000

Configure Filters

Next we define our filters. This specifies which traffic will be captured.

SSH@adx(debug-filter-all-BP)#specify 1
SSH@adx(debug-filter-spec-1)#reset
SSH@adx(debug-filter-spec-1)#ip src 88.88.88.88
SSH@adx(debug-filter-spec-1)#exit
SSH@adx(debug-filter-all-BP)#specify 2
SSH@adx(debug-filter-spec-2)#reset
SSH@adx(debug-filter-spec-2)#ip dest 88.88.88.88
SSH@adx(debug-filter-spec-2)#exit

Apply / Show Filters

Once the filters are defined, they are applied.

SSH@adx(debug-filter-all-BP)#apply 1or2
SSH@adx(debug-filter-all-BP)#show apply

 Global Apply Expression: 1 or 2

It is also good practice to confirm the actual filter details, to ensure that there are no errors in what has been defined.

SSH@adx(debug-filter-all-BP)#show 1

Filter-ID: 1

        MAC filters:
                Src  MAC : ANY
                Dest MAC : ANY
                MAC Type : ANY
        IP filters:
                Src  IP  : 88.88.88.88
                Dest IP  : ANY
                Protocol : ANY
                Fragment : ANY
        ICMP filters:
                Type  : ANY
                Code  : ANY
        IP6 filters:
                Src  IP  : ANY
                Dest IP  : ANY
                Next-header : 0xff (255)
        ICMP6 filters:
                Type  : ANY
                Code  : ANY
        TCP filters:
                Src  port: ANY
                Dest port: ANY
                Flags    : None
        UDP filters:
                Src  port: ANY
                Dest port: ANY
        HTTP filters:
                Url      : ANY
                Cookie   : ANY
        Pattern filters:
                Pattern  : ANY
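
When the CLI session is logged, the check described above can be scripted. The following Python is an added example, not part of the original article: it parses "show <id>" output in the format printed above and reports any field that differs from what was intended. The function names and the treatment of 0xff (255) as an unset Next-header value are assumptions.

```python
import re

# The Filter-ID, IP and IP6 parts of the "show 1" output printed on this page.
SHOW_1 = """\
Filter-ID: 1

        IP filters:
                Src  IP  : 88.88.88.88
                Dest IP  : ANY
                Protocol : ANY
                Fragment : ANY
        IP6 filters:
                Src  IP  : ANY
                Dest IP  : ANY
                Next-header : 0xff (255)
"""

# Values treated as "not set". Assumption: 0xff (255) is the unset
# Next-header value, since the page shows it on a freshly reset filter.
UNSET = {"ANY", "None", "0xff (255)"}


def parse_show(text):
    """Parse 'show <id>' output into (filter_id, {section: {field: value}})."""
    filter_id, sections, current = None, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Filter-ID:\s*(\d+)$", line)
        if m:
            filter_id = int(m.group(1))
        elif line.endswith(" filters:"):
            current = sections.setdefault(line[: -len(" filters:")], {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)  # first colon only, IPv6 values stay whole
            current[" ".join(field.split())] = value.strip()
    return filter_id, sections


def audit(text, expected):
    """Check expected {(section, field): value}; every other field must be unset."""
    _, sections = parse_show(text)
    actual = {(s, f): v for s, fs in sections.items() for f, v in fs.items()}
    problems = [f"{s}/{f}: missing from output" for s, f in expected.keys() - actual.keys()]
    for (s, f), value in actual.items():
        want = expected.get((s, f))
        if want is None and value not in UNSET:
            problems.append(f"{s}/{f}: unexpectedly set to {value}")
        elif want is not None and value != want:
            problems.append(f"{s}/{f}: is {value}, expected {want}")
    return problems
```

For filter 1 on this page, audit(SHOW_1, {("IP", "Src IP"): "88.88.88.88"}) returns an empty list. Keying on the section name keeps the IPv4 and IPv6 "Src IP" / "Dest IP" fields apart.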

Start / Stop Capture

Next we set the debug filter to view (capture traffic on) all Barrel Processors. If you need to capture traffic which is destined for or leaving the ADX itself (such as management or healthchecks) then you will need to view the management processor via the command "view mp".
Following this, the capture is started, left running for the duration that is required, and then stopped.

SSH@adx(debug-filter-all-BP)#view bp all
SSH@adx(debug-filter-all-BP)#start
SSH@adx(debug-filter-all-BP)#stop

Show Capture

To see a summary of the packets captured we issue the 'summary' command.

SSH@adx(debug-filter-all-BP)#summary

Save Capture

We next save the capture.

SSH@adx(debug-filter-all-BP)# pcap save /usb0/capture

Transfer Capture

Finally we export the capture to a TFTP server for further analysis (e.g. in Wireshark).

SSH@adx(debug-filter-all-BP)# exit
SSH@adx#copy usb0  tftp <TFTP IP> capture.cap CAPTURE.CAP

Template

Below is a copy and paste template that can be used. Obviously the source and destination will need to be amended based on your networks.

debug filter

 packet-size whole
 no buffer-size 10000
 buffer-size 10000

 specify 1
 reset
 ip src 88.88.88.88
 exit
 specify 2
 reset
 ip dest 88.88.88.88
 exit
 
 apply 1or2

 view bp all
 start
 stop
 
 summary
 pcap save /usb0/capture
 exit
 
copy usb0  tftp <TFTP IP> capture.cap CAPTURE.CAP

 

About the Author

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001