How to capture packet traces (PKTT)

It is important to specify -d /etc/crash in the pktt commands so that the traces are saved to disk and in a location that is easy to access.  If you do not specify the -d option, the traces will only be written to disk if you use the pktt dump command.

The pktt start all command starts capturing packets on all physical and VLAN ports that are online.

Examples:

::> node run -node <node_name> pktt start all -i <ip_addr> -i <ip_addr> -i <ip_addr> -d /etc/crash
This will start a packet trace on all interfaces on the node specified, and will capture any packet that has a source or destination of one of the IPs specified with the -i flag.
Filtering by IP address excludes any non-IP traffic (for example, ARP); if that traffic is needed, trace the entire interface instead.
This can be useful for example with NFS traces when you want to trace the client along with any calls to external name servers.  Each potential name server (DNS, LDAP, NIS) can be specified with an additional -i flag.
You may specify up to 16 addresses with the -i option.  Each additional address requires a new -i flag.
This tends to be the most useful kind of capture as it lends itself to making sure the appropriate data is collected while not creating overly large trace files.

::> node run -node <node_name> pktt start e3a -d /etc/crash
This will start a packet trace for all traffic over the e3a interface on the node specified.
If you require a trace on a VLAN-tagged interface, that VLAN interface must be named explicitly.  Starting a trace on e3a will not capture all of the related interfaces.
This type of trace should be used with caution as the trace file can grow very large quickly on a production system.

*** NATIVE ROLLING PKTT CAPTURES FOR 8.3.2+ ***
::> set advanced

::*> node run -node <node_name> pktt start e3a -d /etc/crash -r <number_of_traces_to_keep>
This will start a packet trace for all traffic over the e3a interface on the node specified, and as each port's trace reaches the maximum file size [default = 1G], the trace starts over collecting a new trace, leaving the last one untouched. Once the number of traces per port reaches the value given with -r, the oldest trace will be deleted.
If you require a trace on a VLAN-tagged interface, that VLAN interface must be named explicitly.  Starting a trace on e3a will not capture all of the related interfaces.
This type of trace should be used with caution as the trace file can grow very large quickly on a production system.
*The allowed values for rolling traces are 1-64; if the value specified is larger than 64, it will be treated as 1.
*Once the maximum rolling value is reached, the first file will be overwritten and rolling continues until the capture is stopped (pktt stop <interface>).

Note:
If the trace is being run on a busy system without a filter, it may be a good idea to increase the buffer and file size so that packets will not be dropped from the trace.
This can be done by adding the -b and -s flags.
Setting the buffer to 2M is sufficient for most cases.
The size flag will set the maximum size of the trace file.  The default is 1G.
Example: ::> node run -node <node_name> pktt start e3a -b 2M -s 10g -d /etc/crash

::> node run -node <node_name> pktt stop all
This will stop all packet traces on the specified node and save the trc files to the specified directory.

Collecting the trace files:

After the packet traces are created, collect them from the /etc/crash directory using the HTTPS interface.

https://cluster-mgmt-ip/spi/node-name/etc/crash/

A file downloaded this way can occasionally be corrupted. In that case, copy the file with Secure Copy (SCP) instead, as a workaround.

Once downloaded, they can be uploaded to NetApp using https://upload.netapp.com
For instructions on enabling remote read-only HTTPS access, see 1013814: How to enable remote access to a node's root volume in a cluster.

Note: Once the trace files are successfully retrieved, they should be removed from the node root volume. Run the following command for each trace file that was created to delete it:
::> node run -node <node> pktt delete /etc/crash/<filename>
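The capture, collect and clean-up steps above, as an added POSIX shell helper that is not part of the original page or of NetApp's own tooling. It builds the pktt command lines with the limits stated on this page enforced (at most 16 -i addresses, -r between 1 and 64), derives the SPI collection URL, and sanity-checks a downloaded .trc file. Two things are assumptions rather than page facts: that the commands are sent over SSH to the cluster management LIF, and that a pktt .trc file starts with the libpcap magic bytes (the check flags a truncated or corrupted download of the kind the page warns about).

```shell
#!/bin/sh
# Added helper (not NetApp's tooling): builds the pktt command lines from this
# page, enforces the page's limits, and checks a collected trace file.
# Assumptions: commands are run over SSH to the cluster management LIF, and a
# .trc file begins with the libpcap magic bytes.

# "pktt start all" filtered to the given IPs; the page allows at most 16 -i flags.
pktt_filtered_start() {
    node=$1; shift
    if [ "$#" -gt 16 ]; then
        echo "pktt_filtered_start: at most 16 -i addresses allowed" >&2; return 1
    fi
    cmd="node run -node $node pktt start all"
    for ip in "$@"; do cmd="$cmd -i $ip"; done
    echo "$cmd -d /etc/crash"
}

# Rolling capture on one interface (8.3.2+, advanced mode). The page says -r
# must be 1-64 and that a value above 64 is silently treated as 1, so reject it.
pktt_rolling_start() {
    node=$1; iface=$2; keep=$3
    case $keep in ''|*[!0-9]*) echo "pktt_rolling_start: -r must be numeric" >&2; return 1;; esac
    if [ "$keep" -lt 1 ] || [ "$keep" -gt 64 ]; then
        echo "pktt_rolling_start: -r must be 1-64 (ONTAP treats >64 as 1)" >&2; return 1
    fi
    echo "node run -node $node pktt start $iface -d /etc/crash -r $keep"
}

# Unfiltered capture on a busy system: larger buffer (-b) and file size (-s),
# defaulting to the 2M / 10g values used in the page's example.
pktt_sized_start() {
    node=$1; iface=$2; buf=${3:-2M}; size=${4:-10g}
    echo "node run -node $node pktt start $iface -b $buf -s $size -d /etc/crash"
}

pktt_stop_all() { echo "node run -node $1 pktt stop all"; }
pktt_delete()   { echo "node run -node $1 pktt delete /etc/crash/$2"; }

# HTTPS (SPI) directory listing for a node's /etc/crash, as given on the page.
spi_crash_url() { echo "https://$1/spi/$2/etc/crash/"; }

# Assumed transport: run a nodeshell command over SSH to the cluster mgmt LIF.
run_on_cluster() { ssh "admin@$1" "$2"; }

# Integrity check of a downloaded trace: the first four bytes should be a
# libpcap magic value (assumption). Prints "ok" or "corrupt"; returns 0 or 1.
check_trc() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo ok; return 0;;
        *) echo corrupt; return 1;;
    esac
}

# Demo with constructed values; prints the command lines a practitioner would run.
pktt_filtered_start node1 192.0.2.50 192.0.2.53
pktt_rolling_start node1 e3a 8
pktt_sized_start node1 e3a
pktt_stop_all node1
spi_crash_url 192.0.2.10 node1
pktt_delete node1 e3a_20240101_120000.trc
```

Pipe a generated line into run_on_cluster (or paste it at the ::> prompt) to execute it; check_trc is meant to run on the workstation after the HTTPS download, before deciding whether the SCP workaround is needed.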

Arco