NetApp built-in packet capture
Posted: June 24, 2013
I first had to do this at the direction of NetApp tech support. Ever since, I found myself searching my email for it so I could use it again and again. I finally took the hint and decided to post it here for my reference – but maybe you could use it as well. Oh, and copy it to Evernote, too.
The way I use this, as you might expect, is to start the capture, perform the operation that’s failing, and then stop the capture. So as not to capture too much traffic and therefore have to wade through all of it, I try to perform those steps rather quickly. But then again, if you know a few useful features of Wireshark, you can get around in the capture file pretty easily. So here you are.
filer> pktt start all -d /etc/crash
<perform the operation that fails here>
filer> pktt dump all
filer> pktt stop all
You could also force a new Autosupport message for NetApp tech support with
options autosupport.doit USEFUL_TITLE
Then you can access your traces via CIFS, if you have it set up at the time, or HTTP. NetApp captures packets per interface, interface group, or VLAN, so it’s rather easy to pick out the trace you want. I find this a bit easier than modifying the pktt command to only capture certain interfaces.
From here, simply download the trace you want and open with your favorite packet analyzer, such as Wireshark. Of course, you’ll probably want to have a good idea of which interface to look at. In my most recent case, I was troubleshooting a login issue via System Manager, so I looked at the e0M trace. Be sure to use the most recent trace, too. For instance, I’d already run a trace on this particular box twice before and when I viewed what I thought was the right trace, I didn’t find anything I was looking for. I was also looking at a trace that was months old. I think you may have to manually clear out or archive these traces, so keep that in mind. Most are fairly small, measured in KB, but some can be larger, especially depending on how long you leave the trace.
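To avoid opening a stale trace, as described above, you can check that a downloaded trace's packet timestamps bracket the time of the failed operation before loading it into an analyzer. The following is an added example, not part of the original post or any NetApp tooling; it assumes the trace is a classic tcpdump/pcap file, and the function names and sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: the downloaded trace is a classic tcpdump/pcap file.
PCAP_MAGICS = {  # magic bytes as stored -> (struct byte order, sub-second divisor)
    b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9),
}

def capture_window(data):
    """Return (first, last, packet_count) for a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    order, frac = PCAP_MAGICS[data[:4]]
    pos, stamps = 24, []  # records start after the 24-byte global header
    while pos + 16 <= len(data):
        sec, sub, incl_len, _orig = struct.unpack_from(order + "IIII", data, pos)
        if pos + 16 + incl_len > len(data):
            break  # truncated final record, e.g. file copied mid-capture
        stamps.append(sec + sub / frac)
        pos += 16 + incl_len
    if not stamps:
        raise ValueError("capture contains no complete packets")
    to_dt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
    return to_dt(min(stamps)), to_dt(max(stamps)), len(stamps)

def covers(data, event_time, slack_seconds=5):
    """True if event_time falls inside the capture window (plus slack)."""
    first, last, _ = capture_window(data)
    return (first.timestamp() - slack_seconds
            <= event_time.timestamp()
            <= last.timestamp() + slack_seconds)

def build_sample(timestamps):
    """Constructed sample: little-endian pcap, one 4-byte dummy frame per timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<IIII", ts, 0, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    # Constructed data: a 30-second capture starting 2013-06-24 10:15:00 UTC
    start = int(datetime(2013, 6, 24, 10, 15, tzinfo=timezone.utc).timestamp())
    sample = build_sample([start, start + 12, start + 30])
    print(capture_window(sample))
    failed_login = datetime(2013, 6, 24, 10, 15, 20, tzinfo=timezone.utc)
    print("covers failure:", covers(sample, failed_login))
```

For a real file, pass `open(path, "rb").read()` as `data` and the time you reproduced the failure, in UTC, as `event_time`.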