NSX Manager packet capture

Today I will show how to run a packet capture from NSX Manager. With this approach we do not have to log in to the ESXi host; the whole operation is done from one place. All we need is SSH access to NSX Manager and the password for enable mode.

The topology we will be working on:

As an example, we will capture traffic from the Win7-02 virtual machine.

We log in to NSX Manager over SSH, where we will obtain the Vnic Id of the VM.

Using username "admin".
admin@10.254.1.70's password:
mnsx01>

We list the clusters visible from NSX, and then the hosts that belong to the cluster of interest.

mnsx01> show cluster all
No.  Cluster Name   Cluster Id               Datacenter Name   Firewall Status
1    NSX-T          domain-c53               DC2               Not Ready
2    NSX-v          domain-c12               Datacenter        Enabled
mnsx01> show cluster domain-c12
Datacenter: Datacenter
Cluster: NSX-v
No.  Host Name         Host Id                  Installation Status
1    esx02.lab.local   host-18                  Enabled
2    esx01.lab.local   host-15                  Enabled

We list the virtual machines running on the selected host and look up the ID of our VM.

mnsx01> show host host-18
Datacenter: Datacenter
Cluster: NSX-v
Host: esx02.lab.local
No.  VM Name                                               VM Id     Power Status
1    Photon-vm02                                           vm-131    on
2    Web02                                                 vm-83     on
3    DLR01-0                                               vm-139    on
4    NSX_Controller_ebdc92f7-c94b-42dc-b495-1ee303f4b5e6   vm-42     on
5    App02                                                 vm-86     on
6    DB01                                                  vm-85     on
7    PaloAlto-NSX (2)                                      vm-155    on
8    NSX_Controller_af054d08-f99b-4d8f-99b0-f0e15be4ec74   vm-137    on
9    win7-02                                               vm-135    on
mnsx01>

We display the details of the virtual machine; what we need here is the Vnic Id.

mnsx01> show vm vm-135
Datacenter: Datacenter
Cluster: NSX-v
Host: esx02.lab.local
Host-ID: host-18
VM: win7-02
Virtual Nics List:
1.
Vnic Name      win7-02 - Network adapter 1
Vnic Id        502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
Filters        nic-70266-eth0-serviceinstance-5.6
mnsx01>

We enter enable mode, using the password defined during the NSX Manager installation.

mnsx01> enable
Password:
mnsx01#

Next we run the command that captures traffic in a given direction; in this case we will capture traffic leaving the VM.

As shown below, the command takes the host on which the virtual machine is running, the Vnic Id and the traffic direction; in our case the direction is input (traffic leaving the VM).

mnsx01# debug packet capture host host-18 vnic 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000 dir input parameters
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
        Capture host: host-18
        Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
        Capture point: vnic
        Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: started
mnsx01#

We can only display what was captured after the session has been stopped. To stop it we need the Session ID, because several sessions may be running at the same time.

mnsx01# no debug packet capture session 44ecfd9e-8a42-4a14-8726-97b9aade645d
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
        Capture host: host-18
        Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
        Capture point: vnic
        Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: stopped
mnsx01#

Now we can display the captured packets:

mnsx01# debug packet capture display session 44ecfd9e-8a42-4a14-8726-97b9aade645d parameters
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
        Capture host: host-18
        Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
        Capture point: vnic
        Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Capture packets:
reading from file /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap, link-type EN10MB (Ethernet)
13:34:32.117000 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:32.137849 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [.], ack 20, win 256, length 0
13:34:32.138140 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1:20, ack 20, win 256, length 19
13:34:35.677470 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 20:1201, ack 205, win 255, length 1181
13:34:35.702206 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1201:1260, ack 339, win 255, length 59
13:34:35.738780 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1260:1505, ack 424, win 255, length 245
13:34:35.751607 IP 10.255.20.11.50619 > win-qjeqohhftn8.lab.local.ldap: UDP, length 203
13:34:35.869408 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.873812 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 1040719129, win 256, length 0
13:34:35.874280 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 0:160, ack 1, win 256, length 160
13:34:35.879204 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 160:328, ack 109, win 256, length 168
13:34:35.884605 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [S], seq 489965506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.889702 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 2187242584, win 256, length 0
13:34:35.890175 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 0:208, ack 1, win 256, length 208
13:34:35.893872 IP 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 208:1160, ack 129, win 256, length 952
13:34:35.931206 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1505:1846, ack 1245, win 251, length 341

Adding the -e parameter at the end of the command gives more detail (the Ethernet header of each frame):

mnsx01# debug packet capture display session 44ecfd9e-8a42-4a14-8726-97b9aade645d parameters -e
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
        Capture host: host-18
        Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
        Capture point: vnic
        Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Capture packets:
reading from file /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap, link-type EN10MB (Ethernet)
13:34:32.117000 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:32.137849 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [.], ack 20, win 256, length 0
13:34:32.138140 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 73: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1:20, ack 20, win 256, length 19
13:34:35.677470 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1235: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 20:1201, ack 205, win 255, length 1181
13:34:35.702206 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 113: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1201:1260, ack 339, win 255, length 59
13:34:35.738780 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 299: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1260:1505, ack 424, win 255, length 245
13:34:35.751607 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 245: 10.255.20.11.50619 > win-qjeqohhftn8.lab.local.ldap: UDP, length 203
13:34:35.869408 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.873812 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 1040719129, win 256, length 0
13:34:35.874280 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 214: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 0:160, ack 1, win 256, length 160
13:34:35.879204 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 222: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [P.], seq 160:328, ack 109, win 256, length 168
13:34:35.884605 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [S], seq 489965506, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.889702 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 2187242584, win 256, length 0
13:34:35.890175 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 262: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 0:208, ack 1, win 256, length 208
13:34:35.893872 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1006: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [P.], seq 208:1160, ack 129, win 256, length 952
13:34:35.931206 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 395: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 1505:1846, ack 1245, win 251, length 341
13:34:36.103342 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [.], ack 377, win 255, length 0
13:34:36.134503 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.60944 > win-qjeqohhftn8.lab.local.49158: Flags [.], ack 1113, win 252, length 0
13:34:36.592433 00:50:56:ab:cd:3e (oui Unknown) > 01:00:5e:7f:ff:fa (oui Unknown), ethertype IPv4 (0x0800), length 215: 10.255.20.11.50620 > 239.255.255.250.ssdp: UDP, length 173
13:34:37.262015 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 66: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [S.], seq 865552083, ack 718686842, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:37.267775 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 60: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [.], ack 45, win 256, length 0
13:34:37.267916 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 73: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [P.], seq 1:20, ack 45, win 256, length 19
13:34:37.275929 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1235: 10.255.20.11.ms-wbt-server > 172.20.240.82.64692: Flags [P.], seq 20:1201, ack 230, win 255, length 1181
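As an added example (not part of the original post), a small Python parser for the tcpdump-style lines that debug packet capture display prints, in both the plain form and the -e form, which aggregates packets and payload bytes per 5-tuple so that a long capture can be reviewed quickly before it is copied off the Manager. The sample lines are constructed after the output above.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the tcpdump format that "debug packet capture display"
# prints: a session header, two plain lines (SYN-ACK and SYN) and two "-e" lines.
SAMPLE = """\
Session status: finished
13:34:32.117000 IP 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [S.], seq 2298644425, ack 1934144390, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.869408 IP 10.255.20.11.60943 > win-qjeqohhftn8.lab.local.epmap: Flags [S], seq 3371067279, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
13:34:35.677470 00:50:56:ab:cd:3e (oui Unknown) > 02:50:56:56:44:52 (oui Unknown), ethertype IPv4 (0x0800), length 1235: 10.255.20.11.ms-wbt-server > 172.20.240.82.64691: Flags [P.], seq 20:1201, ack 205, win 255, length 1181
13:34:36.592433 00:50:56:ab:cd:3e (oui Unknown) > 01:00:5e:7f:ff:fa (oui Unknown), ethertype IPv4 (0x0800), length 215: 10.255.20.11.50620 > 239.255.255.250.ssdp: UDP, length 173
"""

# One capture line; the second alternative absorbs the Ethernet header printed with "-e".
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?:IP |[0-9a-f:]{17} \(oui [^)]*\) > (?P<dmac>[0-9a-f:]{17}) "
    r"\(oui [^)]*\), ethertype IPv4 \(0x0800\), length \d+: )(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict describing one packet, or None for non-packet lines (session headers etc.)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags ["):
        proto, flags = "TCP", re.search(r"Flags \[([^\]]*)\]", rest).group(1)
    elif rest.startswith("UDP"):
        proto, flags = "UDP", ""
    else:
        return None
    # The port or service name is the last dot-separated token of each endpoint.
    src, sport = m.group("src").rsplit(".", 1)
    dst, dport = m.group("dst").rsplit(".", 1)
    return {"proto": proto, "flags": flags, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": int(re.search(r"length (\d+)$", rest).group(1)),
            "multicast": (m.group("dmac") or "").startswith("01:00:5e")}

def summarize(text):
    """Aggregate packets and payload bytes per 5-tuple; pure SYNs count as new outbound connections."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})
    for pkt in filter(None, map(parse_line, text.splitlines())):
        f = flows[(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
        f["packets"] += 1
        f["bytes"] += pkt["payload"]
        f["syn"] += int(pkt["flags"] == "S")
    return dict(flows)
```

Paste the full output of the display command into summarize() to get one row per conversation; the "syn" counter shows which flows the VM initiated during the capture window.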

Finally, we can copy the file elsewhere over SCP and open it, for example, in Wireshark:

mnsx01# debug packet capture scp session 44ecfd9e-8a42-4a14-8726-97b9aade645d url root@10.255.2.10:44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session: 44ecfd9e-8a42-4a14-8726-97b9aade645d
Request:
        Capture host: host-18
        Vnic: 502bd15f-9d57-ddb1-0e5e-fb95b5c18337.000
        Capture point: vnic
        Capture direction: input
Session file: /tmp/pktcap/44ecfd9e-8a42-4a14-8726-97b9aade645d.pcap
Session status: finished
Begin SCP:
Password:
mnsx01#

We then open the file copied from our NSX Manager.

To finish, I invite you to watch the webinar recording in which I show the tools we have for efficient troubleshooting on the NSX platform. The link to the recording can be found on this page.
