Aruba OS-CX Packet Capture

It's always useful to be able to inspect traffic remotely, and the Aruba OS-CX software platform switches provide this functionality.

This guide will demonstrate how to monitor ICMP traffic received or transmitted by a single host connected to one of the switch ports.

First we need to configure a Mirror Session. The Aruba supports up to 4 of these; to check which are already configured:

Aruba# show mirror

ID  Admin Status  Operation Status                                    
--- ------------- ----------------------------------------------------
1   enable        enabled                                             
Aruba#

Here we already have one configured, so we need to use a session number from 2 to 4. We configure the new mirror session accordingly; in this case we will be using port 1/1/17, which has a Raspberry Pi attached.

Aruba# configure 
Aruba(config)# mirror session 2
Aruba(config-mirror-2)# source interface 1/1/17 ?
  both  A source of transmit & receive traffic 
  rx    A source of receive-only traffic 
  tx    A source of transmit-only traffic 
Aruba(config-mirror-2)# source interface 1/1/17 both 
Aruba(config-mirror-2)# destination cpu
Aruba(config-mirror-2)# enable
Aruba(config-mirror-2)# end
Aruba# 

We can check the configuration using the show mirror 2 command. This also provides some counters showing the volume of traffic being mirrored.

Aruba# sh mirror 2
 Mirror Session: 2
 Admin Status: enable
 Operation Status: enabled
 Source: vlan rx none
 Source: vlan tx none
 Source: interface 1/1/17 both
 Destination: cpu
 Output Packets: 372
 Output Bytes: 192478
Aruba# 

Next we need to enable diagnostics to provide us with the ability to inspect the traffic.

Aruba# 
Aruba# diagnostics 
Aruba# 

Now that diagnostics is enabled, we can run tcpdump; the following command is an example.

Aruba# diag utilities tcpdump command -qnt -c 8 icmp
Inspecting traffic mirrored to the CPU via tcpdump until Ctrl-C is entered.
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on MirrorRxNet, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 101, length 64
IP 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 101, length 64
IP 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 102, length 64
IP 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 102, length 64
IP 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 103, length 64
IP 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 103, length 64
IP 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 104, length 64
IP 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 104, length 64
8 packets captured
8 packets received by filter
0 packets dropped by kernel
Ending traffic capture.
Aruba# 

Everything following the "command" operand above is passed to tcpdump as its command line options and capture filter. There are some restrictions: for example, filters that would use "&" need to use the boolean keywords "and", "or" and "not" instead to function correctly.

The tcpdump -c option can be used to limit the number of packets captured to a given value. Whilst it is possible to save pcap files to be interrogated later offline, in Wireshark for example, I don't tend to use this facility.

Another example of tcpdump, where the -e flag is added to show the layer 2 MAC addresses:

Aruba# diag utilities tcpdump command -qntec 2 icmp
Inspecting traffic mirrored to the CPU via tcpdump until Ctrl-C is entered.
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on MirrorRxNet, link-type EN10MB (Ethernet), snapshot length 262144 bytes
a0:78:17:ea:a0:ba > b8:27:eb:7c:39:3e, IPv4, length 98: 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 718, length 64
b8:27:eb:7c:39:3e > a0:78:17:ea:a0:ba, IPv4, length 98: 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 718, length 64
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Ending traffic capture.
Aruba# 
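To work with the captured lines off-box, here is an added Python example (not from the original post) that parses both tcpdump output formats shown above (with and without -e) and pairs each ICMP echo request with its reply by id and sequence number, reporting any request that never got a reply. The sample capture lines are constructed for the example.

```python
import re

# Constructed sample (not from the original capture): lines in both the -qnt and
# -qnte formats shown above, plus one echo request that never gets a reply.
SAMPLE_CAPTURE = """\
listening on MirrorRxNet, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 101, length 64
IP 192.168.99.7 > 192.168.99.89: ICMP echo reply, id 34100, seq 101, length 64
a0:78:17:ea:a0:ba > b8:27:eb:7c:39:3e, IPv4, length 98: 192.168.99.89 > 192.168.99.7: ICMP echo request, id 34100, seq 102, length 64
3 packets captured
"""

# One pattern handles both styles: an optional "mac > mac, IPv4, length N: " prefix
# (from -e) or the plain "IP " prefix, then the common ICMP echo fields.
ICMP_ECHO_RE = re.compile(
    r"^(?:(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), IPv4, length \d+: |IP )"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)


def parse_icmp_echo(text):
    """Return a list of dicts, one per ICMP echo line; banner and counter lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ICMP_ECHO_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"], rec["len"] = int(rec["id"]), int(rec["seq"]), int(rec["len"])
            records.append(rec)
    return records


def pair_echoes(records):
    """Match each echo request to its reply by (id, seq).

    Returns (answered, unanswered): answered is a list of (request, reply) tuples,
    unanswered is the list of requests with no reply seen in the capture.
    """
    pending = {}   # (id, seq) -> request record, awaiting a reply
    answered = []
    for rec in records:
        key = (rec["id"], rec["seq"])
        if rec["kind"] == "request":
            pending[key] = rec
        elif key in pending:
            req = pending.pop(key)
            # A genuine reply comes back from the request's destination to its source.
            if req["src"] == rec["dst"] and req["dst"] == rec["src"]:
                answered.append((req, rec))
            else:
                pending[key] = req   # not a matching reply; keep waiting
    return answered, list(pending.values())


if __name__ == "__main__":
    answered, unanswered = pair_echoes(parse_icmp_echo(SAMPLE_CAPTURE))
    print(f"{len(answered)} answered, {len(unanswered)} unanswered")
    for req in unanswered:
        print(f"no reply for {req['src']} > {req['dst']} id {req['id']} seq {req['seq']}")
```

Feed it the text you copied from the switch session (or a saved capture) instead of SAMPLE_CAPTURE to spot the sequence numbers that went unanswered.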

Once the analysis is complete, remember to disable and remove the mirror session.

Aruba# sh mirror 

ID  Admin Status  Operation Status                                    
--- ------------- ----------------------------------------------------
1   enable        enabled                                             
2   enable        enabled                                             
Aruba# config
Aruba(config)# no mirror session 2
Aruba(config)# end
Aruba#
Aruba# sh mirror 

ID  Admin Status  Operation Status                                    
--- ------------- ----------------------------------------------------
1   enable        enabled                                             
Aruba#
Aruba# 

That's all folks; as with all my posts, only perform these activities where you have permission to do so.