This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EXOS Packet Capture

EXOS Packet Capture

Go to solution
Stefan_K_
Valued Contributor

‎05-18-2021 01:00 PM

Hello,

today I played around with the built-in packet capture of EXOS ( How To: How to perform a local packet capture on an EXOS switch | Extreme Portal (force.com) )

I’m able to capture packets and open the pcap file with wireshark, but I only see the following packets:

999ffec7689143d294de259a963f2492_0cfb738b-55a4-498b-9533-89f57cd81ed1.png

Wondering if I’m doing something wrong or if the feature is something else than I’m thinking. Any hints?

Best regards
Stefan

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
CThompsonEXOS
Extreme Employee

‎05-18-2021 03:54 PM

Hi,

You can use the editcap tool to remove the first 52 bytes.  Mine looked something like below from Powershell:

PS C:\Program Files\Wireshark> .\editcap.exe -C 52 editcap.pcap newpcap.pcap

syntax below:
PS C:\Program Files\Wireshark> .\editcap.exe -C 52 <original pcap filename> <new pcap filename>

Below is more on editcap:

https://www.wireshark.org/docs/man-pages/editcap.html

Before:

83850ff01e9c44fd92c42a4a8fa2122d_701970b3-7509-4c5a-9bf0-a8dab60f51b4.png

 

After:

83850ff01e9c44fd92c42a4a8fa2122d_65f32e5a-5e2a-4a35-96da-75256f170e72.png

 

Thanks,

Chris Thompson

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
CThompsonEXOS
Extreme Employee

‎05-18-2021 05:51 PM

Hi Stefan,

You bring upa good point(Stefan 1, Chris 0) so that article has been updated:

 

How To: How to perform a local packet capture on an EXOS switch | Extreme Portal (force.com)

 

Thanks again,

Chris Thompson

0 Kudos

Go to solution
Stefan_K_
Valued Contributor

‎05-18-2021 05:13 PM

Hi Chris,

this worked like a charm, thank you very much! How much “trouble” some 52 bytes can cause… 🙂

Maybe this little information can be added to the GTAC articles?

 

Best regards
Stefan

0 Kudos

Go to solution
CThompsonEXOS
Extreme Employee

‎05-18-2021 03:54 PM

Hi,

You can use the editcap tool to remove the first 52 bytes.  Mine looked something like below from Powershell:

PS C:\Program Files\Wireshark> .\editcap.exe -C 52 editcap.pcap newpcap.pcap

syntax below:
PS C:\Program Files\Wireshark> .\editcap.exe -C 52 <original pcap filename> <new pcap filename>

Below is more on editcap:

https://www.wireshark.org/docs/man-pages/editcap.html

Before:

83850ff01e9c44fd92c42a4a8fa2122d_701970b3-7509-4c5a-9bf0-a8dab60f51b4.png

 

After:

83850ff01e9c44fd92c42a4a8fa2122d_65f32e5a-5e2a-4a35-96da-75256f170e72.png

 

Thanks,

Chris Thompson

0 Kudos

Go to solution
Stefan_K_
Valued Contributor

‎05-18-2021 01:17 PM

Hi Chris,

thanks for your quick reply! I’m on 30.7.1.1-patch1-86. Switch is an X460-G2. I’m just doing some testing of this feature and don’t want to capture any specific traffic for now. But we might need this feature in the near future. (Troubleshooting at a customers site)

Best regards
Stefan

0 Kudos
GTM-P2G8KFN