yondong
Cisco Employee
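This post was last edited by yondong on 2018-5-31 21:19
Note: This method only applies to ingress-interface analysis of packets that reach the CPU; it cannot analyze transit traffic.
An example of the procedure and analysis follows:
1. Deploy ethanalyzer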
N9K# ethanalyzer local interface inband decode-internal limit-captured-frames 0 detail
2. Capture example
CPU-inbound Broadcom RCPU (88650)
Signature: 0x5555
Operation: TOCPU Packet (0x10)
Flags: 0x04, modhdr
.... ...0 = reply: False
.... ..0. = minipkt: False
.... .1.. = modhdr: True
.... 0... = fail: False
...0 .... = parity_err: False
..0. .... = busy: False
.0.. .... = truncated: False
0... .... = jumbo: False
Transaction
TransID: 0x0000
Datalen: 70
Replen: 0
Reserved: 0x00000000
Reason High: 0x00000000
Reason: 0x00080000
.... .... = cpu opcode type: 0
.... 0001 0010 1100 = outer_vid: 300
.... 0111 1110 0010 = queue_num: 2018
10.. .... = Hgi intf Indicator: 2
..00 0000 00.. .... = Match Rule: 0
..00 0000 0100 1010 = Packet Length: 74
.001 1010 = Source Port: 26
START: 0xfb
0000 .... = Traffic Class: 0x00
.... 0... = Multicast: 0x00
.... .000 = Reserved 1: 0x00
DST MODID/MGID_MSB: 28
DST PORT/MGID_LSB: 17
SRC MODID: 28
SRC PORT: 17
Load Balancing ID: 0
000. .... = PPD Type: 0x00
...0 0... = Reserved 2: 0x00
.... .0.. = EHV: 0x00
.... ..00 = DP: 0x00
0... .... = Mirror: 0x00
.0.. .... = Mirror done: 0x00
..1. .... = Mirror only: 0x01
...0 .... = Ingress tagged: 0x00
.... 000. = Dst tgid: 0x00
.... ...0 = Dst t: 0x00
0010 .... = vc_label_19_16: 0x02
.... 0... = label_present: 0x00
.... .0.. = l3: 0x00
.... ..00 = rsvd3: 0x00
vc_label_15_8: 0x00
vc_label_0_7: 0x00
.... 0001 = VLAN ID Hi: 0x01
...0 .... = VLAN CFI: 0x00
000. .... = VLAN Priority: 0x00
0010 1100 = VLAN ID Li: 0x2c
00.. .... = OPCODE: 0x00
...0 0... = Reserved 5: 0x00
.... .0.. = SRC_T: 0x00
.... ..01 = Port Filtering Mode: 0x01
0000 0... = Reserved 6: 0x00
.... .000 = HDR Extension Len: 0
PAD1: 1880752384
PAD2: 67108992
PAD3: 0
PAD4: 2215247872
Ethernet II, Src: 00:24:ac:0e:f8:00 (00:24:ac:0e:f8:00), Dst: 00:00:0c:07:ac:fe (00:00:0c:07:ac:fe)
Destination: 00:00:0c:07:ac:fe (00:00:0c:07:ac:fe)
Address: 00:00:0c:07:ac:fe (00:00:0c:07:ac:fe)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:24:ac:0e:f8:00 (00:24:ac:0e:f8:00)
Address: 00:24:ac:0e:f8:00 (00:24:ac:0e:f8:00)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 300
000. .... .... .... = Priority: 0
...0 .... .... .... = CFI: 0
.... 0001 0010 1100 = ID: 300
Type: IP (0x0800)
Internet Protocol, Src: 134.32.114.9 (134.32.114.9), Dst: 134.32.114.253 (134.32.114.253)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 62
Protocol: TCP (0x06)
Header checksum: 0x4b6d [correct]
[Good: True]
[Bad : False]
Source: 134.32.114.9 (134.32.114.9)
Destination: 134.32.114.253 (134.32.114.253)

3. Check the port mapping table
N9K# show interface hardware-mappings
Legends:
SMod - Source Mod. 0 is N/A
Unit - Unit on which port resides. N/A for port channels
HPort - Hardware Port Number or Hardware Trunk Id:
FPort - Fabric facing port number. 255 means N/A
NPort - Front panel port number
VPort - Virtual Port Number. -1 means N/A
--------------------------------------------------------------------
Name Ifindex Smod Unit HPort FPort NPort VPort
--------------------------------------------------------------------
Eth10/1 1a480000 28 0 17 255 0 -1
Eth10/2 1a480200 28 0 18 255 1 -1
Eth10/3 1a480400 28 0 19 255 2 -1
Eth10/4 1a480600 28 0 20 255 3 -1
Eth10/5 1a480800 28 0 21 255 4 -1

4. Conclusion
The packets punted to the CPU with source 134.32.114.9 and destination 134.32.114.253 entered on port Eth10/1.
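
The correlation the post performs by eye in steps 2 and 3, as an added example that is not part of the original post. It assumes the ingress interface is the hardware-mappings row whose Smod and HPort equal the RCPU header's SRC MODID and SRC PORT (as in the post's example, 28/17 and Eth10/1); the sample text is constructed by abridging the post's output, and the function names are hypothetical.

```python
import re

# Constructed sample input, abridged from the two outputs shown in the post.
CAPTURE = """\
CPU-inbound Broadcom RCPU (88650)
DST MODID/MGID_MSB: 28
DST PORT/MGID_LSB: 17
SRC MODID: 28
SRC PORT: 17
Internet Protocol, Src: 134.32.114.9 (134.32.114.9), Dst: 134.32.114.253 (134.32.114.253)
"""
MAPPINGS = """\
Name Ifindex Smod Unit HPort FPort NPort VPort
--------------------------------------------------------------------
Eth10/1 1a480000 28 0 17 255 0 -1
Eth10/2 1a480200 28 0 18 255 1 -1
Eth10/3 1a480400 28 0 19 255 2 -1
"""

def parse_mappings(text):
    """Return {(smod, hport): interface_name} from the hardware-mappings table."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 columns and an 8-digit hexadecimal Ifindex in column 2.
        if len(f) == 8 and re.fullmatch(r"[0-9a-f]{8}", f[1]):
            table[(int(f[2]), int(f[4]))] = f[0]
    return table

def parse_frames(text):
    """Yield (src_modid, src_port, src_ip, dst_ip) for each decoded frame."""
    # Each decoded frame starts with the RCPU header line.
    for frame in re.split(r"(?m)^(?=CPU-inbound )", text):
        mod = re.search(r"^\s*SRC MODID: (\d+)", frame, re.M)
        port = re.search(r"^\s*SRC PORT: (\d+)", frame, re.M)
        ip = re.search(r"Internet Protocol, Src: (\S+) .*Dst: (\S+)", frame)
        if mod and port:
            yield (int(mod.group(1)), int(port.group(1)),
                   ip.group(1) if ip else None, ip.group(2) if ip else None)

def ingress_interfaces(capture, mappings):
    """Return [(src_ip, dst_ip, interface)]; unmapped pairs are reported, not dropped."""
    table = parse_mappings(mappings)
    return [(src, dst, table.get((m, p), "unknown (SMod %d, HPort %d)" % (m, p)))
            for m, p, src, dst in parse_frames(capture)]

if __name__ == "__main__":
    for src, dst, ifname in ingress_interfaces(CAPTURE, MAPPINGS):
        print(src, "->", dst, "ingress", ifname)
```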


Comments
yangkai_716
Spotlight
Learned something new, thanks to the original poster for sharing.