Capturing Packets on Dataplane Interfaces

Dataplane interfaces do not pass traffic in a way that traditional utilities such as tcpdump can handle. Packets can be traced and captured in the dataplane itself using vppctl, but that does not offer the familiarity and flexibility of tcpdump. However, tap and span interfaces make it possible to tap into these interfaces so that packets can be captured with tcpdump.

Warning

Do not leave this in place longer than necessary, as it will likely degrade overall performance.

Note

This method does not work for loopback interfaces. Capture on the ingress and egress interface(s) instead.

First, set up a tap interface. The name can be anything that isn’t already in use as an interface name in the shell (not in TNSR). For convenience, this example calls it capture with an instance ID of 30:

tnsr(config)# interface tap capture
tnsr(config-tap)# instance 30
tnsr(config-tap)# exit
tnsr(config)# interface tap30
tnsr(config-interface)# enable
tnsr(config-interface)# exit

The tap interface creates a link between the dataplane and the host OS, but it still needs to be fed packets to be captured. For that, configure a span between the TNSR interface (WAN, in this example) and the tap interface created above:

tnsr(config)# span WAN
tnsr(config-span)# onto tap30 hw both
tnsr(config-span)# exit

Warning

This technique does not work on VLAN subinterfaces. To capture on a subinterface, create a span to the parent interface and filter by VLAN ID in tcpdump.

Now start a shell prompt in the dataplane namespace and run tcpdump on the interface named capture. This can be done from the dataplane shell command in TNSR or at a shell prompt using dp-exec:

tnsr# dataplane shell sudo tcpdump -ni capture
$ sudo dp-exec tcpdump -ni capture

The usual tcpdump options, syntax, and filtering are possible from there.

When finished, remove the span and tap interface configuration:

tnsr(config)# no span WAN
tnsr(config)# no interface tap30
tnsr(config)# no interface tap capture
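
A bounded capture for the VLAN subinterface case described above, as an added example that is not part of the original documentation: the shell function prints a tcpdump command that stops after a fixed packet count and, when a VLAN ID is given, places the vlan primitive first in the filter. The function name capture_cmd, the TAP_IF variable, and the sample paths and address used with it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print a bounded tcpdump command for the tap interface above.
# Assumes the host-side tap name "capture" and dp-exec, both from this page.
TAP_IF="${TAP_IF:-capture}"

# usage: capture_cmd COUNT OUTFILE [VLAN_ID [EXTRA_FILTER...]]
# VLAN_ID "" or omitted means no VLAN filter.
capture_cmd() {
    if [ "$#" -lt 2 ]; then
        echo "usage: capture_cmd COUNT OUTFILE [VLAN_ID [EXTRA_FILTER...]]" >&2
        return 2
    fi
    count=$1 outfile=$2 vlan=${3:-}
    shift 2
    if [ "$#" -gt 0 ]; then shift; fi
    extra=$*

    # -c must be a positive integer so the capture always stops by itself.
    case $count in
        ''|*[!0-9]*|0*) echo "COUNT must be a positive integer" >&2; return 2 ;;
    esac

    filter=$extra
    if [ -n "$vlan" ]; then
        # 802.1Q VLAN IDs 1-4094 are usable; 0 and 4095 are reserved.
        case $vlan in
            *[!0-9]*|0*) echo "VLAN_ID must be 1-4094" >&2; return 2 ;;
        esac
        if [ "$vlan" -gt 4094 ]; then
            echo "VLAN_ID must be 1-4094" >&2; return 2
        fi
        # "vlan N" goes first: it shifts the decoding offsets used by every
        # primitive after it; a primitive placed before it is evaluated at
        # untagged offsets and misses tagged frames.
        filter="vlan $vlan"
        if [ -n "$extra" ]; then filter="$filter and ( $extra )"; fi
    fi

    cmd="sudo dp-exec tcpdump -ni $TAP_IF -c $count -w $outfile"
    if [ -n "$filter" ]; then cmd="$cmd '$filter'"; fi
    printf '%s\n' "$cmd"
}
```

For example, capture_cmd 500 /tmp/v100.pcap 100 host 198.51.100.7 prints a command that writes at most 500 packets from VLAN 100 to the file; review the printed command, then run it at a shell prompt.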