The first time I saw a network trace, I was totally captivated. I was a young network systems programmer working on an IBM mainframe. The network operator had a Spectron Datascope that he could patch into any of the 9.6kbps links connecting the front end processor with the remote offices. My fascination remained, and I progressed from that datascope to using GTF traces and eventually wrote my own multi-tasking real-time trace analysis package in IBM System/370 assembler.
While this was a labor of love stemming from my complete fascination with the subject, I found trace analysis was the most useful tool in my network troubleshooting bag of tricks. Traces did not lie—they showed exactly what was or wasn’t going on. Additionally, they gave me a more thorough understanding of network protocols.
Fast forward to today. We have more network tools, but networks have become a lot more complex and dispersed. Cisco and others have had port mirroring in many of their switches for a long time. SPAN, or Switch Port Analyzer (as Cisco called the feature), enabled the network admin to selectively and non-disruptively replicate traffic from switch ports to another switch port connected to a protocol analyzer or a PC running Wireshark or similar. The SPAN capability eventually evolved to Remote SPAN (RSPAN) and Encapsulated RSPAN (ERSPAN). The latter enables routing of GRE-encapsulated SPAN traffic to any point in the network (given sufficient bandwidth, of course!).
Tracing on a Virtual Switch
So what about virtual networks and virtual switches? How do you probe vswitch traffic? Fortunately, there is a simple and well-proven method for capturing traffic traversing a vswitch. The method involves setting up a guest VM (e.g. Windows, Linux) with Wireshark or other third-party trace “sniffing” software. Simply:
- Create a new port group with Promiscuous Mode=Accept in the Port Security options.
- Set the VLAN to the VLAN ID you wish to trace, or set VLAN=4095 to trace traffic for all VLANs on that vswitch (assuming VST mode).
And there you have it. Start Wireshark in the VM and monitor through the Console.
Forthcoming Options …
With the Cisco Nexus 1000V in our forthcoming release, you will have another alternative. The Nexus 1000V supports SPAN and ERSPAN (see complete feature comparison here), so the network folks can use the same methods and techniques whether the network is virtual or physical. The ERSPAN capability means you can redirect the trace traffic to any point without setting up a specialized sniffing VM on the host and vswitch in question.
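What the "GRE-encapsulated SPAN traffic" looks like to the analyzer that receives it, as an added example (not code from the original post or from Cisco): a small decoder for an ERSPAN Type II payload, meaning the bytes that follow the outer IP header. The function names and the sample packet are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type for ERSPAN Type I/II
TPID_8021Q = 0x8100         # EtherType of an 802.1Q VLAN tag

def parse_erspan2(payload: bytes) -> dict:
    """Decode GRE + ERSPAN Type II headers (bytes after the outer IP header)."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", payload, 0)
    if proto != GRE_PROTO_ERSPAN or flags & 0x0007:
        raise ValueError("not GRE version 0 carrying ERSPAN")
    if not flags & 0x1000:
        # Without the GRE sequence bit there is no ERSPAN header (Type I).
        raise ValueError("ERSPAN Type I is not handled here")
    # Optional GRE fields precede the sequence number: checksum (C), key (K).
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)
    if len(payload) < off + 12 + 14:
        raise ValueError("truncated ERSPAN header or mirrored frame")
    seq, w1, w2 = struct.unpack_from("!III", payload, off)
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version field is not 1 (Type II)")
    frame = payload[off + 12:]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    inner_vlan = None
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        inner_vlan = tci & 0x0FFF
    return {
        "gre_seq": seq,                      # gaps indicate dropped mirror packets
        "span_vlan": (w1 >> 16) & 0x0FFF,    # VLAN recorded by the mirroring switch
        "truncated": bool(w1 & 0x0400),      # T bit: mirrored frame was cut short
        "session_id": w1 & 0x03FF,           # which ERSPAN session produced it
        "port_index": w2 & 0xFFFFF,
        "inner_vlan": inner_vlan,
        "ethertype": ethertype,
        "frame": frame,                      # the original mirrored Ethernet frame
    }

def build_sample() -> bytes:
    """Constructed test packet: session 7, VLAN 100, inner ARP frame."""
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 42)
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 3)
    frame = bytes.fromhex("ffffffffffff" "005056000001" "8100" "0064" "0806") + bytes(28)
    return gre + erspan + frame

if __name__ == "__main__":
    info = parse_erspan2(build_sample())
    print({k: v for k, v in info.items() if k != "frame"})
```

The session ID and sequence number are what let a collector tell mirror sessions apart and notice when the "sufficient bandwidth" condition is not being met.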