The Aruba CX switches support mirroring to replicate traffic transmitted and/or received on selected interfaces, which can be used for analysis. Traffic can be mirrored to separate interface or mirrored locally to the switch cpu, where the built-in tshark diagnostics utility can be used to capture the packets and view on the switch CLI or written to a pcap file for viewing in wireshark.
In this post we will capture packets locally on a Aruba CX 6300 switch running firmware version 10.10.1030.
Create a mirror session with a unique ID, define the source interface and rx (receive), tx (transmit) or both and specify the destination as cpu to capture locally on the switch, finally the session must be explictly enabled.
mirror session 1 source interface 1/1/46 both destination cpu enable
The command show mirror will confirm the mirror sessions.
For detailed configuration information on the mirror, run the command show mirror <ID>
Enable diagnostics using the command diagnostics
6300# diagnostics
To view the packet capture on the switch itself run the command diag utilities tshark. To stop the output press CTRL+C
6300# diag utilities tshark Inspecting traffic mirrored to the CPU until Ctrl-C is entered. Frame 1: 119 bytes on wire (952 bits), 119 bytes captured (952 bits) on interface MirrorRxNet, id 0 Interface id: 0 (MirrorRxNet) Interface name: MirrorRxNet Encapsulation type: Ethernet (1) Arrival Time: Aug 13, 2023 08:50:31.408454600 UTC [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1691916631.408454600 seconds [Time delta from previous captured frame: 0.000000000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 0.000000000 seconds] Frame Number: 1 Frame Length: 119 bytes (952 bits) Capture Length: 119 bytes (952 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:llc:stp] IEEE 802.3 Ethernet Destination: 01:80:c2:00:00:00 Address: 01:80:c2:00:00:00 .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast) Source: 94:60:d5:ad:82:11 Address: 94:60:d5:ad:82:11 .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Length: 105 Logical-Link Control DSAP: Spanning Tree BPDU (0x42) 0100 001. = SAP: Spanning Tree BPDU .... ...0 = IG Bit: Individual SSAP: Spanning Tree BPDU (0x42) 0100 001. = SAP: Spanning Tree BPDU .... ...0 = CR Bit: Command Control field: U, func=UI (0x03) 000. 00.. = Command: Unnumbered Information (0x00) .... ..11 = Frame type: Unnumbered frame (0x3) Spanning Tree Protocol Protocol Identifier: Spanning Tree Protocol (0x0000) Protocol Version Identifier: Multiple Spanning Tree (3) BPDU Type: Rapid/Multiple Spanning Tree (0x02) BPDU flags: 0x3c, Forwarding, Learning, Port Role: Designated
To send the packet capture output to a file run the command diag utilities tshark file. There will be no further output displayed, wait a period until enough packets have been captured press CTRL+C to stop.
The pcap file can be copied off the switch via SCP, SFTP or TFTP.
The packet capture can be viewed in either tcpdump, tshark or wireshark.
After troubleshooting has been completed, the shark packet capture file can be deleted using the diag utilities tshark delete-file command.
6300# diag utilities tshark delete-file
Capture file has been deleted.
And finally stop the mirror session using no mirror session 1