Remote Packet Capture over SSH on Arista EOS

Posted by Kevin Giusti on March 7, 2023

Packet captures, or PCAPs, are often necessary for network engineers to get to the root cause of issues in a network. As an esteemed friend and talented network engineer likes to say, “PCAP or it didn’t happen.” That said, getting a packet capture can be fraught with issues. How do you get mirrored packets to a laptop or other computer onsite that can capture and review them? Can you easily get a remote desktop session going to it? What if that host goes to sleep or goes offline for some reason? Is there a user at the location in question with the technical capability to set up a capture?

With all of these challenges, wouldn’t it be cool if there was a way to pipe the data from a port mirror right into your local machine to review it? If you’re working with an Arista switch and the hardware supports it, you may be able to do just that via SSH!

I have an Arista switch! But does it support this?

First things first, see if your switch supports it: go to the Supported Features page on Arista’s site, filter by the platform you’re using, then under “Product Features” check “Management Features” and hit “Search”. If the feature “Mirror to EOS” has a green check mark next to it, you should be good to go.

Wireshark/Tshark

Next, you’ll need to make sure the desktop/laptop machine you’ll be using has Wireshark (GUI on MacOS, Windows & Linux) or TShark (no GUI/headless on MacOS, Windows & Linux) installed. This will be the software that collects the PCAP for review. Wireshark & TShark are very powerful tools with many filtering and analysis capabilities, which are outside the scope of this article, but there are some great how-tos out there available by Googling around.

Arista EOS Config

Once you have Wireshark or TShark installed, we’ll need to start mirroring the packets on the switch in such a way that we can transport the capture to your machine over SSH. The global commands in EOS to set up the mirror would be (variables in brackets):

monitor session [name] source [Interface]
monitor session [name] destination Cpu

Not all Arista switches are created equal. There are different chips within the various product lines. When trying this on a 720XP PoE switch, unfortunately I did not see any traffic using the normal procedure of setting my monitor source interface and setting the destination to the CPU. This may be true of other platforms like the 750s as well. The good news is there is a way to make this work: take a spare Ethernet interface that is not in use, recirculate the traffic through it, and then run the capture. Here’s the Arista EOS config:

interface Recirc-Channel1
   no switchport
   switchport recirculation features cpu-mirror

interface EthernetXX
   description *** Currently not in use ***
   traffic-loopback source system device mac
   channel-group recirculation 1

monitor session my_session source EthernetXX
monitor session my_session destination Cpu

SSH Transport FTW!

Now let’s get that mirror streamed into your local copy of Wireshark or TShark. If you’re on a MacOS or Linux host, the following string of commands run from your local terminal will take that mirrored traffic and transport it directly into your local copy of Wireshark (variables in brackets):

ssh [user]@[switch hostname or IP address] "bash sudo tcpdump -s 0 -Un -w - -i mirror0" | wireshark -k -i -

If you don’t have access to the GUI (very common with a Linux host), you can use:

ssh [user]@[host] "bash sudo tcpdump -s 0 -Un -w - -i mirror0" | tshark -i -

On Windows for our purposes, you can use PuTTY to transport this data and the commands would be:

plink -l [user] -pw [password] -batch [host] "tcpdump -s 0 -Un -w - -i mirror0" | wireshark -k -i -

There may be software other than PuTTY or the OpenSSH built into Linux & MacOS that can provide the transport, but that too is outside the scope of this doc. If you have different terminal software that you work with, it may be possible to do something similar with it.
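As an added example (not from the original post), here is the same SSH pipe wrapped in a small POSIX shell script that bounds the capture and checks that what arrives over SSH is actually pcap data: if the remote command does not run under the EOS bash shell, or tcpdump fails to start, the stream carries an error message instead, and Wireshark only reports an unreadable file. It assumes SSH key-based authentication to the switch, the mirror session from above so that mirror0 exists, and tshark installed locally; remote_capture, remote_capture_cmd and check_pcap_stream are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes SSH key auth to the
# switch, an EOS mirror session with destination Cpu (so mirror0 exists),
# and tshark on the local machine.

# Build the remote command string the post uses ("bash sudo tcpdump ..."),
# optionally bounded by a packet count and a BPF filter so a busy mirror
# port cannot flood the management link indefinitely.
remote_capture_cmd() {   # remote_capture_cmd [count] [bpf]
    count="${1:-0}"; bpf="${2:-}"
    case "$count" in
        *[!0-9]*) echo "packet count must be a non-negative integer" >&2; return 1 ;;
    esac
    cmd="bash sudo tcpdump -s 0 -Un -w - -i mirror0"
    [ "$count" -gt 0 ] && cmd="$cmd -c $count"
    [ -n "$bpf" ] && cmd="$cmd $bpf"
    printf '%s' "$cmd"
}

# Accept the pcap (both byte orders, nanosecond variants) and pcapng magics.
pcap_magic_ok() {   # pcap_magic_ok <first 4 bytes as lowercase hex>
    case "$1" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Pass the stream through untouched if it starts with a capture magic number;
# otherwise report the first bytes (typically an EOS CLI error) and fail.
check_pcap_stream() {
    tmp=$(mktemp) || return 1
    head -c 4 > "$tmp"
    magic=$(od -A n -t x1 "$tmp" | tr -d ' \n')
    if pcap_magic_ok "$magic"; then
        cat "$tmp" -          # re-emit the 4 bytes, then the rest of stdin
        rm -f "$tmp"
    else
        printf 'not a capture stream (first bytes: %s)\n' "$magic" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Stream from the switch, keep a local copy, and decode live in tshark.
remote_capture() {   # remote_capture user@switch [count] [bpf]
    target="$1"; shift
    ssh -o BatchMode=yes "$target" "$(remote_capture_cmd "$@")" \
        | check_pcap_stream \
        | tee "capture-$(date +%Y%m%d-%H%M%S).pcap" \
        | tshark -i -
}
```

Run it as `remote_capture admin@switch1 500 'port 53'` to stop after 500 DNS packets while a timestamped .pcap copy is kept locally for later review in Wireshark.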

Wrapping Up

Arista makes a pretty solid platform in EOS that has many great features for operators. This is just one of the many that makes network engineers’ lives easier. If you’re curious to learn more about Arista solutions or need help with your existing Arista environment, be sure to reach out to us here.

For more Arista related content, see some of our other blog posts here:

SCP on Arista Switches

Arista Tips & Tricks: Connecting to Arista switches via SSH Key Based Authentication

Three Features in Arista EOS That You Need to Know About

WAN Dynamics is One of Five Arista Certified Services Partners in the World