Today I will show how to perform a packet capture from the NSX Manager. With this approach we do not have to log in to the ESXi host; the whole operation is done from one place. All we need is SSH access to the NSX Manager and the password for enable mode.
The topology we will be working on:
For this example we will capture traffic from the Win7-02 machine.
First we log in to the Manager over SSH, where we will obtain the Vnic Id.
Using username "admin".
admin@10.254.1.70's password:
mnsx01>
We list the clusters visible from NSX, then the hosts that belong to the cluster of interest.
mnsx01> show cluster all
No.  Cluster Name  Cluster Id  Datacenter Name  Firewall Status
1    NSX-T         domain-c53  DC2              Not Ready
2    NSX-v         domain-c12  Datacenter       Enabled

mnsx01> show cluster domain-c12
Datacenter: Datacenter
Cluster: NSX-v
No.  Host Name        Host Id  Installation Status
1    esx02.lab.local  host-18  Enabled
2    esx01.lab.local  host-15  Enabled
We list the virtual machines running on the chosen host and look up the VM Id.
mnsx01> show host host-18
Datacenter: Datacenter
Cluster: NSX-v
Host: esx02.lab.local
No.  VM Name                                              VM Id   Power Status
1    Photon-vm02                                          vm-131  on
2    Web02                                                vm-83   on
3    DLR01-0                                              vm-139  on
4    NSX_Controller_ebdc92f7-c94b-42dc-b495-1ee303f4b5e6  vm-42   on
5    App02                                                vm-86   on
6    DB01                                                 vm-85   on
7    PaloAlto-NSX (2)                                     vm-155  on
8    NSX_Controller_af054d08-f99b-4d8f-99b0-f0e15be4ec74  vm-137  on
9    win7-02                                              vm-135  on
mnsx01>
We display the details of the virtual machine; the value we need is the Vnic Id.
mnsx01> show vm vm-135
Datacenter: Datacenter
Cluster: NSX-v
Host: esx02.lab.local
Host-ID: host-18
VM: win7-02
Virtual Nics List:
1.
Vnic Name win7-02 - Network adapter 1
Vnic Id 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Filters nic-70266-eth0-serviceinstance-5.6
mnsx01>
We enter enable mode, providing the password defined during the NSX Manager installation.
mnsx01> enable
Password:
mnsx01#
Next we run the command that starts capturing traffic in a given direction; here we will capture traffic leaving the machine.
As shown below, the command takes the host on which the virtual machine is running, the Vnic ID and the traffic direction, which in our case is input (outbound traffic: from the vnic capture point's perspective, input is what the VM sends into the virtual switch).
mnsx01# debug packet capture host host-18 vnic 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000 dir input parameters
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
Capture host: host-18
Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Capture point: vnic
Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: started
mnsx01#
The captured packets can only be displayed once the session has been stopped. To stop it we need the Session ID, since several sessions may be running at the same time.
mnsx01# no debug packet capture session 44ecfd9e-8a42-4a14-8726-97b9aade645d
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
Capture host: host-18
Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Capture point: vnic
Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: stopped
mnsx01#
Then we can display the capture:
mnsx01# debug packet capture display session 44ecfd9e-8a42-4a14-8726-97b9aade645d parameters
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
Capture host: host-18
Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Capture point: vnic
Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Capture packets:
reading from file /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap, link-type EN10MB (Ethernet)
13:34:32.117000 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:32.137849 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [.], ack 20, win 256, length 0
13:34:32.138140 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1:20, ack 20, win 256, length 19
13:34:35.677470 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 20:1201, ack 205, win 255, length 1181
13:34:35.702206 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1201:1260, ack 339, win 255, length 59
13:34:35.738780 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1260:1505, ack 424, win 255, length 245
13:34:35.751607 IP 10.255.20.11.50619 > win-qjeqohhftn8.lab.local.ldap: UDP, length 203
13:34:35.869408 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.873812 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 1040719129, win 256, length 0
13:34:35.874280 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 0:160, ack 1, win 256, length 160
13:34:35.879204 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 160:328, ack 109, win 256, length 168
13:34:35.884605 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [S], seq 489965506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.889702 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 2187242584, win 256, length 0
13:34:35.890175 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 0:208, ack 1, win 256, length 208
13:34:35.893872 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 208:1160, ack 129, win 256, length 952
13:34:35.931206 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1505:1846, ack 1245, win 251, length 341
Adding the -e parameter at the end of the command gives more information: the Ethernet header of each frame (source and destination MAC addresses, ethertype and frame length) is printed in front of the IP summary.
mnsx01# debug packet capture display session 44ecfd9e-8a42-4a14-8726-97b9aade645d parameters -e
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
Capture host: host-18
Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Capture point: vnic
Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Capture packets:
reading from file /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap, link-type EN10MB (Ethernet)
13:34:32.117000 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:32.137849 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [.], ack 20, win 256, length 0
13:34:32.138140 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 73: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1:20, ack 20, win 256, length 19
13:34:35.677470 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1235: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 20:1201, ack 205, win 255, length 1181
13:34:35.702206 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 113: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1201:1260, ack 339, win 255, length 59
13:34:35.738780 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 299: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1260:1505, ack 424, win 255, length 245
13:34:35.751607 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 245: 10.255.20.11.50619 > win-qjeqohhftn8.lab.local.ldap: UDP, length 203
13:34:35.869408 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.873812 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 1040719129, win 256, length 0
13:34:35.874280 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 214: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 0:160, ack 1, win 256, length 160
13:34:35.879204 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 222: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 160:328, ack 109, win 256, length 168
13:34:35.884605 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [S], seq 489965506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.889702 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 2187242584, win 256, length 0
13:34:35.890175 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 262: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 0:208, ack 1, win 256, length 208
13:34:35.893872 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1006: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 208:1160, ack 129, win 256, length 952
13:34:35.931206 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 395: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1505:1846, ack 1245, win 251, length 341
13:34:36.103342 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 377, win 255, length 0
13:34:36.134503 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 1113, win 252, length 0
13:34:36.592433 00:50:56:ab:cd:3e (oui Unknown) > 01:00:5e:7f:ff:fa (oui Unknown), ethertype IPv4 (0x0800), length 215: 10.255.20.11.50620 > 239.255.255.250.ssdp: UDP, length 173
13:34:37.262015 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [S.], seq 865552083, ack 718686842, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:37.267775 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [.], ack 45, win 256, length 0
13:34:37.267916 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 73: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [P.], seq 1:20, ack 45, win 256, length 19
13:34:37.275929 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1235: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [P.], seq 20:1201, ack 230, win 255, length 1181
Finally, we can copy the file somewhere else and open it, for example, in Wireshark:
mnsx01# debug packet capture scp session 44ecfd9e-8a42-4a14-8726-97b9aade645d url root@10.255.2.10:44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
Capture host: host-18
Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Capture point: vnic
Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Begin SCP:
Password:
mnsx01#
and open the file copied from our NSX Manager.
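The text printed by `debug packet capture display` (with or without `-e`) is tcpdump-style output, so a capture can be triaged straight from the SSH session before the pcap is copied off the Manager. The script below is an added example, not part of the original post or of NSX: it parses such lines into flows and lists the sessions the captured VM itself opened; the sample lines are copied from the capture shown above.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the capture shown in the post,
# in both the plain form and the form produced with the -e parameter.
SAMPLE = """\
13:34:32.117000 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:32.137849 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [.], ack 20, win 256, length 0
13:34:35.751607 IP 10.255.20.11.50619 > win-qjeqohhftn8.lab.local.ldap: UDP, length 203
13:34:35.869408 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:36.592433 00:50:56:ab:cd:3e (oui Unknown) > 01:00:5e:7f:ff:fa (oui Unknown), ethertype IPv4 (0x0800), length 215: 10.255.20.11.50620 > 239.255.255.250.ssdp: UDP, length 173
"""

# Matches "src.port > dst.port: Flags [..]" or "src.port > dst.port: UDP".
# The MAC pair printed by -e ("aa:bb > cc:dd (oui") never matches, because
# the destination MAC is followed by a space rather than a colon.
_L4 = re.compile(r"(\S+) > (\S+): (?:Flags \[([^\]]*)\]|(UDP))")
_LEN = re.compile(r"length (\d+)$")  # trailing L4 payload length

def parse_line(line):
    """Return one packet as a dict, or None for non-packet lines."""
    m = _L4.search(line)
    if not m:
        return None
    src, sport = m.group(1).rsplit(".", 1)   # port is the last dotted field
    dst, dport = m.group(2).rsplit(".", 1)
    plen = _LEN.search(line)
    return {"ts": line.split()[0], "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "proto": "UDP" if m.group(4) else "TCP", "flags": m.group(3) or "",
            "payload": int(plen.group(1)) if plen else 0}

def summarize(text):
    """Group packets into flows: (src, sport, dst, dport, proto) -> stats."""
    flows = defaultdict(lambda: {"packets": 0, "payload": 0, "syn": False})
    for line in text.splitlines():
        p = parse_line(line)
        if p is None:
            continue  # session header lines, prompt, "reading from file ..."
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        flows[key]["packets"] += 1
        flows[key]["payload"] += p["payload"]
        flows[key]["syn"] |= p["flags"] == "S"  # bare SYN, not the SYN-ACK
    return dict(flows)

def initiated_connections(text):
    """Flows in which the captured VM sent the SYN, i.e. sessions it opened."""
    return sorted(k for k, v in summarize(text).items() if v["syn"])
```

Paste the display output into a file and call `summarize()` on its contents; with `dir input` every flow's source is the captured VM, so `initiated_connections()` shows which remote services it contacted during the capture window.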
To close, I invite you to watch the recording of the webinar in which I show the tools available for efficient troubleshooting on the NSX platform. You will find the link to the recording on this page.