
Wednesday, October 17, 2018

HPE Comware packet capture


How to activate and use built-in packet capture on HPE Comware switches

In every firmware upgrade file you have probably noticed a feature image package:


After upgrading to the required image version, log in to the switch and run the following command:

install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1

You should see the following output:

<HPE-5130-EI>install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1
Verifying the file flash:/5130ei-cmw710-packet-capture-r3208p10.bin on slot 1.....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:

flash:/5130ei-cmw710-packet-capture-r3208p10.bin
  Running Version             New Version        
  None                        Release 3208P10   

  Slot                        Upgrade Way       
  1                           Service Upgrade   
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait..................Done.

Then commit the installation:

<HPE-5130-EI>install commit
This operation will take several minutes, please wait........................Done.

Check that the feature package is activated:

<HPE-5130-EI>show install active
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin

Then reboot the switch:

<HPE-5130-EI>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y

After the switch reloads, you can start using the built-in packet capture:

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52 ?
  autostop               Specify the autostop criteria for packet capture
  brief                  Brief information
  capture-filter         Specify a filter rule for packet capture
  capture-ring-buffer    Specify the criteria for saving captured frames to a
                         new capture file
  display-filter         Specify a filter rule for displaying captured frames
  limit-captured-frames  Specify the maximum number of captured frames
  limit-frame-size       Specify the maximum size of a frame to be captured
  raw                    Display the packet data in hexadecimal format
  verbose                Detailed information
  write                  Specify the directory for saving captured frames
  <cr>                  

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52



Monday, November 24, 2014

Packet capture byte level filter



In this post I will explain how to filter a capture at the byte level, using EIGRP packets as the example.

To filter the capture for EIGRP packets using a Wireshark expression filter:

eigrp.opcode == 1

This will display only EIGRP updates; you can change the value to 2 (Request), 3 (Query), 4 (Reply) or 5 (Hello).

Filter the capture based on byte offset:

Choose an EIGRP update packet and select the opcode field (1):


When you select the field in the packet details pane, the corresponding byte is highlighted in the packet bytes pane (2). Note that the byte 01 sits in the grey area that represents the EIGRP payload and is the second byte of that payload (offset 1, counting from 0), so to capture all EIGRP packets whose second payload byte has the value 01 we use the following string:

eigrp[01:1]==01

Syntax: <PROTOCOL>[<START_FIELD>:<NUMBER_OF_BYTES_TO_COUNT>]<OPERATOR><VALUE>

PROTOCOL - the protocol we are filtering; it can be IP, EIGRP, OSPF, GRE, whatever
START_FIELD - the byte offset, counting from 0, at which to start within the given protocol
NUMBER_OF_BYTES - the number of bytes to compare; in my example I used 1, so only the single byte at that offset
OPERATOR - any comparison operator: equal, not equal, greater than, less than, contains, etc.

Here is another example, which filters EIGRP packets with the value 002f in the 11th and 12th bytes:

eigrp[10:2]==002f

This method works with both tcpdump and Wireshark, in display and capture filters, and can be used to capture any given packet with a specific byte value.

Thursday, February 14, 2013

How to do packet capture in Radware AppDirector


Here is a simple example of how to do a packet capture on a Radware AppDirector appliance in order to diagnose and troubleshoot where needed.

1. Go to Classes->Modify and choose one of the parameters you would like to use as a filter; in my example I will use Networks.

Click Create to configure a new network.

2. Configure a new network/host for use as a filter:

3. Go to Classes->Update Policies and click Set to apply the changes you have just made.

4. Go to Services->Diagnostic->Policies.

5. Click Create to configure a new diagnostic policy:

While configuring the diagnostic policy we can use any parameter to filter or limit the packet capture (SRC, DST, TOS, INTF, VLAN, etc.). Note that in the following policy I have defined the destination host (which we configured in step 2) and limited the number of captured packets to 150.

6. Go to Services->Diagnostic->Capture->Parameters.

7. Choose Enabled in the Status drop-down box and click Set to start the capture.

Warning - diagnostic tools may cause severe performance degradation.

Always use them with caution and limit the capture using filters.

8. Click Files or go to Services->Diagnostics->Files to access the captured files.

Click Download to save the files to your local PC and use Wireshark to view their contents.

Wednesday, November 28, 2012

Check Point FW monitor examples


Command syntax

Command line options
fw monitor [-u|s] [-i] [-d] [-D] <{-e expr}+|-f <filter-file|->> [-l len] [-m mask] [-x offset[,len]] [-o <file>] <[-pi pos] [-pI pos] [-po pos] [-pO pos] | -p all > [-a] [-ci count] [-co count] [-vs vsid or vsname]

 

Option                 Description
-e                     Filter packets by expression
-l [LENGTH]            Limit the captured packet length
-m [MASK]              Capture mask for the four inspection points (i, I, o, O)
-x [OFFSET],[LENGTH]   Print packet/payload data
-o [FILE]              Write the output to a file
-ci / -co              Limit the number of inbound / outbound packets captured
-u                     Display the connection UUID
fw ctl chain           Display the firewall kernel chain (module positions)

Filter ICMP only

Match the byte at offset 9 of the IP header (the protocol field) and accept only protocol 1, which is ICMP
fw monitor -e 'accept [9:1]=1;'

 

Filter ICMP only

 
echo "accept [9:1]=1;" >myfilter.pf
fw monitor -f myfilter.pf

 

Capture ICMP only

Capture all ICMP from host 192.168.10.2
fw monitor -e 'accept icmp and host(192.168.10.2);'

 

Using position filter

Use a position filter on the inbound chain with a fw ctl chain alias and write the output to dump.cap
fw monitor -pi -secxl_sync -o dump.cap

 

HTTP source port

Capture all traffic with source port 80
fw monitor -e 'accept [20:2,b]=80;'

 

HTTP destination port

Capture all traffic with destination port 80
fw monitor -e 'accept [22:2,b]=80;'

 

Capture all HTTP

Capture all HTTP traffic
fw monitor -e 'accept tcpport(80);'

 

FTP source port

Capture all traffic with the FTP source port (control channel)
fw monitor -e 'accept [20:2,b]=21;'

 

FTP destination port

Capture all traffic with the FTP destination port (control channel)
fw monitor -e 'accept [22:2,b]=21;'

 

Capture network range

Capture all traffic for network 192.168.10.0/24
fw monitor -e 'internal={<192.168.10.0, 192.168.10.254>}; accept (src in internal);'

 

Capture specific network range

Capture all traffic from IP address 192.168.10.100 up to 192.168.10.254
fw monitor -e 'lan={<192.168.10.100, 192.168.10.254>}; accept (src in lan);'

 

Do not capture HTTP traffic

Capture all traffic except HTTP
fw monitor -e 'accept not ([20:2,b]=80 or [22:2,b]=80);'

 

Do not capture SSH or RDP traffic

Capture all traffic except SSH and remote desktop, at all positions, and write it to dump.cap
fw monitor -e 'accept not ([20:2,b]=22 or [22:2,b]=22 or [20:2,b]=3389 or [22:2,b]=3389);' -p all -o dump.cap

 

Do not capture SSH or RDP traffic

Capture all traffic from host 192.168.10.2 except SSH and remote desktop
fw monitor -e 'accept (host(192.168.10.2) and not (tcpport(3389) or tcpport(22))) ;'

 

Capture DNS queries

Capture all DNS queries from host 192.168.10.2
fw monitor -e 'accept (host(192.168.10.2) and (udpport(53))) ;'
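As an added example that is not the blog's own code, and that serves both the byte-level filter post and the fw monitor examples above: a small Python evaluator for PROTOCOL[START:LENGTH] OP VALUE expressions over raw IPv4 packets it constructs itself, which shows why fw monitor's `[20:2,b]=80` and `[22:2,b]=80` assume a 20-byte IP header (IP options shift the ports) while a slice relative to `tcp` does not. The parse_value hex/decimal heuristic, the protocol-name list and the sample packets are assumptions of this example, not part of any tool's syntax.

```python
import re
import struct

# Sample packets are constructed by these helpers; nothing here is a real capture.
def ipv4_packet(proto, src, dst, payload, options=b""):
    """Minimal IPv4 packet; options lengthen the header beyond 20 bytes."""
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options + payload

def tcp_segment(sport, dport):
    """20-byte TCP header with no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)

def eigrp_header(opcode, sequence=0x2F):
    """EIGRP header: version 2, opcode, checksum, flags, sequence, ack, AS number."""
    return struct.pack("!BBHIIII", 2, opcode, 0, 0, sequence, 0, 100)

FILTER = re.compile(r"^(\w*)\[(\d+):(\d+)(?:,b)?\](==|=|!=)(\w+)$")
PROTO_NUM = {"tcp": 6, "udp": 17, "eigrp": 88}   # IP protocol numbers

def parse_value(val):
    """Heuristic: 0x prefix or any a-f digit means hex (Wireshark byte style), else decimal."""
    v = val.lower()
    if v.startswith("0x") or any(c in "abcdef" for c in v):
        return int(v[2:] if v.startswith("0x") else v, 16)
    return int(v)

def matches(pkt, expr):
    """Evaluate PROTOCOL[START:LENGTH] OP VALUE against a raw IPv4 packet.
    Offsets count from 0 at the named protocol's first byte; an empty protocol
    (fw monitor style) means the IP header, and ',b' is accepted as its flag."""
    m = FILTER.match(expr.replace(" ", ""))
    if not m:
        raise ValueError("unsupported filter: " + expr)
    proto, start, length, op, val = m.groups()
    if proto not in ("", "ip") and proto not in PROTO_NUM:
        raise ValueError("unknown protocol: " + proto)
    if proto in PROTO_NUM and pkt[9] != PROTO_NUM[proto]:
        return False                              # this packet has no such field
    base = 0 if proto in ("", "ip") else (pkt[0] & 0x0F) * 4   # skip the real IP header (IHL)
    start, length = int(start), int(length)
    field = pkt[base + start: base + start + length]
    if len(field) < length:
        return False                              # packet too short for this slice
    got = int.from_bytes(field, "big")
    return got != parse_value(val) if op == "!=" else got == parse_value(val)
```

Note that pcap capture filters (tcpdump and Wireshark's capture filter) index slices from `ip`, `tcp`, `udp` and similar headers rather than from dissected names like `eigrp`, so on the capture side the same opcode test is written as an offset relative to `ip` past its header.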