Data Center RUM Documentation



The nfdump command is one of the methods of capturing and filtering specific traffic on a particular AMD. For more information on capturing methods, see Selecting a traffic capture method.

Capturing and filtering traffic on a specific AMD has the following characteristics:

  • It lets you capture traffic regardless of the AMD sampling mode, whereas the other capture methods do not allow capturing while sampling is in effect. For more information on sampling, see AMD sampling.

  • It lessens the performance impact of the capture by confining the load to the AMD on which the command was run.

nfdump is an rcon command that is executed from the rcon console or the system command prompt. For more information on executing rcon commands, see RCON commands.

Running nfdump

With nfdump, you can start a number of simultaneous captures. Each capture is assigned a unique filter ID, so that you can indicate which capture to stop or remove.

You can quickly view the nfdump man page with nfdump help.

The basic nfdump syntax is: 

The nfdump action can be:

nfdump start

nfdump start + [parameters]

Begins capturing traffic based on additional parameters provided in the command line. The parameters are:

  • (optionally) Force capturing to begin even if the AMD sampling is in effect.

  • A filter pattern in pcap format expressed as a quoted string (refer to the tcpdump manpages for examples).

  • A capture file size limit expressed in bytes, kilobytes (k), megabytes (M) and gigabytes (G).

  • A capture duration expressed in seconds.

The following example captures and filters the traffic from the host at 10.1.1.1, limits the capture file to 10k, keeps the capture active for 200 seconds, and runs regardless of the AMD sampling mode.

You can also specify a port in your traffic filter. For example, to filter traffic on port 137, use this filter pattern:

Use operators to combine and group your filters:

  • Negation (not)
    For example, capture and filter the traffic between the host at 10.1.1.1 and any host except 10.4.4.4.

  • Concatenation (and)
    For example, capture and filter the traffic observed on port 137 between the host at 10.3.3.3 and any other host.

  • Alternation (or)
    For example, capture and filter the traffic observed on the host at either 10.1.1.1 or 10.4.4.4.

You can also combine the operators to create more complex filters, for example:

  • Select traffic between 10.1.1.1 and either 10.2.2.2 or 10.4.4.4.

  • Select traffic for the host 10.1.1.1 on port 20 or 21.

  • Select traffic for the host 10.1.1.1 on port 20 or 21, and traffic for the host 10.2.2.2 on port 80.

For more information on filter patterns, see the official pcap documentation (http://www.tcpdump.org/manpages/pcap-filter.7.html).
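The filter patterns described above, as an added example that is not part of this page or of DC RUM: a small Python evaluator for the pcap-filter subset used here (host, port, and/or/not, parentheses, and pcap's "most recent keyword is assumed" shorthand such as port 20 or 21). It is not libpcap's BPF compiler; the Flow records, addresses and ports are constructed to match the examples in the text, so a pattern can be sanity-checked against known flows before a capture is started.

```python
"""Evaluate pcap-filter patterns against flows: an added illustration, not
libpcap's BPF compiler and not DC RUM's nfdump. Covers only the subset this
page uses (host, port, and/or/not, parentheses, and pcap's "most recent
keyword is assumed" shorthand such as "port 20 or 21")."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_VALUE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|\d+")  # dotted IPv4 or port number

def _primitive(kind, value):
    """Predicate for 'host X' / 'port N'; unqualified, so either endpoint matches."""
    if kind == "port":
        port = int(value)
        return lambda f: port in (f.src_port, f.dst_port)
    return lambda f: value in (f.src_ip, f.dst_ip)

class _Parser:
    """Recursive descent with pcap precedence: not binds tightest, then and, then or."""

    def __init__(self, pattern):
        self.tokens = _TOKEN.findall(pattern)
        self.pos = 0
        self.last_kind = None  # keyword carried over to bare values ("port 20 or 21")

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):  # expr := term ('or' term)*
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = (lambda l, r: lambda f: l(f) or r(f))(node, self.term())
        return node

    def term(self):  # term := factor ('and' factor)*
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = (lambda l, r: lambda f: l(f) and r(f))(node, self.factor())
        return node

    def factor(self):  # factor := 'not' factor | '(' expr ')' | primitive
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda f: not inner(f)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive()

    def primitive(self):  # primitive := ('host' | 'port') VALUE | VALUE (carry-over)
        tok = self.take()
        if tok in ("host", "port"):
            kind, value = tok, self.take()
        elif tok is not None and _VALUE.fullmatch(tok) and self.last_kind:
            kind, value = self.last_kind, tok  # e.g. the "21" in "port 20 or 21"
        else:
            raise ValueError(f"unexpected token {tok!r}")
        if value is None or not _VALUE.fullmatch(value):
            raise ValueError(f"bad value {value!r} for {kind}")
        self.last_kind = kind
        return _primitive(kind, value)

def compile_filter(pattern):
    """Turn a pattern into a predicate Flow -> bool; raises ValueError on bad syntax."""
    parser = _Parser(pattern)
    predicate = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return predicate

def select(pattern, flows):
    """Return the flows a capture started with this filter pattern would keep."""
    predicate = compile_filter(pattern)
    return [f for f in flows if predicate(f)]

# Constructed sample flows (not real traffic); addresses follow the text's examples.
SAMPLE_FLOWS = [
    Flow("10.1.1.1", "10.2.2.2", 40001, 80),
    Flow("10.1.1.1", "10.4.4.4", 40002, 21),
    Flow("10.1.1.1", "10.5.5.5", 40003, 20),
    Flow("10.3.3.3", "10.9.9.9", 40004, 137),
    Flow("10.2.2.2", "10.7.7.7", 40005, 80),
]
```

Calling, for instance, select("host 10.1.1.1 and (port 20 or 21)", SAMPLE_FLOWS) returns the two flows to 10.4.4.4:21 and 10.5.5.5:20, and select("(host 10.1.1.1 and (port 20 or 21)) or (host 10.2.2.2 and port 80)", SAMPLE_FLOWS) adds the two port-80 flows that involve 10.2.2.2; a pattern with a dangling operator such as "host 10.1.1.1 and" raises ValueError rather than silently matching nothing.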

When you indicate a host in the filter pattern, nfdump, unlike the tcpdump system utility, captures and filters based on the innermost IP header, so VLAN-tagged traffic is included in the match.
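To illustrate that note, here is an added Python example (not DC RUM or nfdump code) that builds constructed Ethernet frames carrying the same IPv4 conversation untagged, with one 802.1Q tag, and with two tags (Q-in-Q), then decodes them two ways: a fixed-offset decode that assumes an untagged frame, which is what a tcpdump host expression assumes unless the expression contains the vlan keyword, and a tag-aware decode that walks to the innermost IP header, which is the behaviour the note describes for nfdump. The MAC addresses are constructed from the RFC 7042 documentation range and the frames carry no payload.

```python
"""Find the innermost IPv4 header in an Ethernet frame, skipping VLAN tags.

Added illustration, not DC RUM or nfdump code. Compares a fixed-offset decode
(what a tcpdump 'host' expression assumes unless it contains the 'vlan'
keyword) with a tag-aware decode that matches the behaviour described above."""
import ipaddress
import struct

ETH_P_IP = 0x0800
VLAN_TPIDS = (0x8100, 0x88A8, 0x9100)  # 802.1Q, 802.1ad outer tag, legacy Q-in-Q
# Constructed MACs from the RFC 7042 documentation range; not real devices.
DST_MAC = bytes.fromhex("00005e005301")
SRC_MAC = bytes.fromhex("00005e005302")

def build_frame(src_ip, dst_ip, vlan_ids=()):
    """Constructed Ethernet + IPv4 frame with zero or more VLAN tags (no payload,
    zero checksum); tags are given outermost-first, as they appear on the wire."""
    frame = bytearray(DST_MAC + SRC_MAC)
    for i, vid in enumerate(vlan_ids):
        tpid = 0x88A8 if (i == 0 and len(vlan_ids) > 1) else 0x8100
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # TPID, then TCI (PCP/DEI = 0)
    frame += struct.pack("!H", ETH_P_IP)
    frame += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return bytes(frame)

def _ipv4_endpoints(frame, off):
    """(src, dst) from the IPv4 header starting at byte offset off, or None."""
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    return (str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
            str(ipaddress.IPv4Address(frame[off + 16:off + 20])))

def fixed_offset_endpoints(frame):
    """Untagged-frame assumption: EtherType at byte 12, IP header at byte 14.
    Returns None for any VLAN-tagged frame, which is why such a filter misses it."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    return _ipv4_endpoints(frame, 14) if ethertype == ETH_P_IP else None

def innermost_endpoints(frame):
    """Walk past every VLAN tag; returns (src, dst, vlan_ids) or None."""
    off, vlan_ids = 12, []
    ethertype, = struct.unpack_from("!H", frame, off)
    while ethertype in VLAN_TPIDS:
        tci, ethertype = struct.unpack_from("!HH", frame, off + 2)
        vlan_ids.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETH_P_IP:
        return None
    endpoints = _ipv4_endpoints(frame, off + 2)
    return None if endpoints is None else endpoints + (tuple(vlan_ids),)

def host_matches(frame, host):
    """'host X' as the note describes it for nfdump: either endpoint of the
    innermost IP header, regardless of how many VLAN tags precede it."""
    decoded = innermost_endpoints(frame)
    return decoded is not None and host in decoded[:2]

# Constructed frames: the same conversation untagged, single-tagged and Q-in-Q.
UNTAGGED = build_frame("10.1.1.1", "10.2.2.2")
TAGGED = build_frame("10.1.1.1", "10.2.2.2", vlan_ids=(100,))
QINQ = build_frame("10.1.1.1", "10.2.2.2", vlan_ids=(200, 100))
```

The fixed-offset decoder returns the endpoints only for UNTAGGED and None for TAGGED and QINQ, while the tag-aware decoder returns 10.1.1.1 and 10.2.2.2 for all three (together with the VLAN IDs it skipped), which is the difference the note describes between a plain tcpdump host expression and nfdump on a trunk link.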

Because every capture is assigned its own unique filter ID, you can start multiple captures at the same time. Check the nfdump status command for currently active captures.

The default location for the capture files is /var/spool/adlex/spc/. Note that each capture results in a number of pcap files, one per CPU worker thread. To learn more, see Merging capture files.

nfdump status

nfdump status

Displays the status of all nfdump captures/filters.
For example,

For each filter, the status lists the parameters used for capturing and whether the filter is active or finished. Only active filters can be stopped, and only finished filters can be removed.

Check nfdump stop and nfdump remove to find out how to stop and remove filters.

nfdump stop

nfdump stop + [parameters]

Stops capturing traffic. The parameter indicates either a specific filter to stop (<filter number>) or all active filters (all).

Use nfdump status to find out which filters are active.

For example,

Capturing with filter ID number 33 has been stopped.

All four active filters have been stopped.

nfdump remove

nfdump remove + [parameters]

Removes finished captures. The parameter indicates either a specific filter to remove (<filter number>) or all finished filters (all).

Only filters that have status finished can be removed. Use nfdump status to find out which filters have finished capturing.

For example,

Capturing with filter ID number 33 has been removed.

All four finished filters have been removed.

Merging capture files

The result of an nfdump traffic capture is a number of pcap files, one per CPU worker thread involved in the capture. Each pcap filename contains the unique filter ID assigned to the capture. To start your diagnostics, merge the capture files into one convenient file. While various third-party tools can perform the merge, we recommend mergecap. The mergecap application is part of the open source Wireshark software installed with your AMD. To merge multiple pcap files into one, run mergecap with the input files and the output file as parameters from the directory containing the saved pcap files (/var/spool/adlex/spc/).

Here, -v requests verbose status output on the screen, the input file specification uses a wildcard to include all captures with filter ID 43, and -w specifies the merged output filename. For more information on mergecap parameters, see the official mergecap documentation (https://www.wireshark.org/docs/man-pages/mergecap.html).
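As an added example of what the merge does (not mergecap and not DC RUM code), the following Python merges several per-thread pcap files chronologically, which is mergecap's default mode (mergecap -a concatenates instead). The per-thread files, their names and their timestamps are constructed in memory; the real file naming scheme is not documented on this page, and on an AMD you would read the files from /var/spool/adlex/spc/ instead. The reader accepts both pcap byte orders and rejects pcapng or nanosecond-pcap magic, and the merge refuses inputs whose link types differ.

```python
"""Merge per-thread pcap files chronologically, as mergecap does by default.

Added illustration, not mergecap and not DC RUM code. The per-thread files are
constructed in memory; on an AMD the inputs would be read from
/var/spool/adlex/spc/ instead."""
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, native byte order
GLOBAL_HDR = "IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(records, linktype=1, snaplen=65535):
    """Serialise (ts_sec, ts_usec, packet_bytes) records as a little-endian pcap."""
    out = bytearray(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return bytes(out)

def read_pcap(data):
    """Parse a pcap blob in either byte order; returns (linktype, records)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:  # the same magic seen through the other byte order
        order = ">"
    else:
        raise ValueError(f"unsupported magic {magic:#x} (pcapng or nanosecond pcap?)")
    *_, linktype = struct.unpack_from(order + GLOBAL_HDR, data, 0)
    off = struct.calcsize(order + GLOBAL_HDR)
    rec_size = struct.calcsize(order + RECORD_HDR)
    records = []
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(order + RECORD_HDR, data, off)
        off += rec_size
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def merge_pcaps(blobs):
    """Chronological merge (mergecap's default; mergecap -a would concatenate).
    Each input is assumed already time-ordered, as a single capture file is,
    so a k-way merge by (ts_sec, ts_usec) suffices."""
    linktype, streams = None, []
    for blob in blobs:
        lt, records = read_pcap(blob)
        if linktype is not None and lt != linktype:
            raise ValueError(f"link type mismatch: {lt} vs {linktype}")
        linktype = lt
        streams.append(records)
    merged = heapq.merge(*streams, key=lambda r: (r[0], r[1]))
    return write_pcap(merged, linktype=linktype if linktype is not None else 1)

def constructed_worker_files():
    """Three constructed per-thread captures for one filter ID (43, as in the
    example above). Filenames are hypothetical; the page does not document the
    naming scheme. Timestamps interleave across threads, so a plain
    concatenation would put packets out of order."""
    return {
        "filter43_worker0.pcap": write_pcap([(1000, 100, b"w0-a"), (1000, 400, b"w0-b"), (1001, 50, b"w0-c")]),
        "filter43_worker1.pcap": write_pcap([(1000, 200, b"w1-a"), (1000, 900, b"w1-b")]),
        "filter43_worker2.pcap": write_pcap([(999, 999999, b"w2-a"), (1000, 300, b"w2-b")]),
    }

def merged_packet_order(files):
    """Merge the given {name: blob} captures and return packet payloads in time order."""
    _, records = read_pcap(merge_pcaps(list(files.values())))
    return [pkt.decode() for _, _, pkt in records]

if __name__ == "__main__":
    files = constructed_worker_files()
    merged = merge_pcaps(list(files.values()))
    print(f"merged {len(files)} files into {len(merged)} bytes:", merged_packet_order(files))
```

With the constructed inputs the merged file carries the packets as w2-a, w0-a, w1-a, w2-b, w0-b, w1-b, w0-c, i.e. in timestamp order across all worker threads, which is what mergecap -v -w <merged file> <per-thread files> produces from the real capture directory.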

 

 

Comment from Anonymous:

    Does nfdump capture traffic only on the sniffing interfaces, or does it capture traffic on any interface (sniffing and communications)?