Capturing Packets on Dataplane Interfaces

Dataplane interfaces do not pass traffic in a way that traditional utilities such as tcpdump can handle. There are ways to trace and capture packets in the dataplane itself using vppctl but these do not offer the familiarity and flexibility of tcpdump. However, there is a way to tap into these interfaces so that packets can be captured using tcpdump using tap and span interfaces.

Warning

Do not leave this in place longer than necessary, as it will likely degrade overall performance.

First, setup a tap interface. The name can be anything that isn’t already in use as an interface name in the shell (not in TNSR). For convenience, this example calls it capture with an instance ID of 30:

tnsr(config)# interface tap capture
tnsr(config-tap)# instance 30
tnsr(config-tap)# exit
tnsr(config)# interface tap30
tnsr(config-interface)# enable
tnsr(config-interface)# exit

The tap interface creates a link between the dataplane and the host OS, but it still needs to be fed packets to be captured. For that, configure a span between the TNSR interface (WAN, in this example) and the tap interface created above:

tnsr(config)# span WAN
tnsr(config-span)# onto tap30 hw both
tnsr(config-span)# exit

Now start a shell prompt and run tcpdump on the interface named capture. This can be done from the shell command in TNSR or at a shell prompt. In either case, the command must be run in the dataplane namespace using dp-exec:

tnsr# shell sudo dp-exec tcpdump -ni capture
$ sudo dp-exec tcpdump -ni capture

The usual tcpdump options, syntax, and filtering are possible from there.

When finished, remove the span and tap interface configuration:

tnsr(config)# no span WAN
tnsr(config)# no interface tap30
tnsr(config)# no interface tap capture