NetApp built-in packet capture


3people_netapp_blocks_hiresI first had to do this at the direction of NetApp tech support.  Ever since, I found myself searching my email for it so I could use it again and again.  I finally took the hint and decided to post it here for my reference – but maybe you could use it as well. Oh, and copy it to Evernote, too.

They way I use this, as you might expect, is to start the capture, perform the operation that’s failing, and then stop the capture.  So as not to capture too much traffic and therefore have to wade through all of it, I try to perform those steps rather quickly.  But then again, if you know a few useful features of Wireshark, you can get around in the capture file pretty easily.  So here you are.

filer> pktt start all -d /etc/crash

<perform the operation that fails here>

filer> pktt dump all
filer> pktt stop all

You could also force a new Autosupport message for NetApp tech support with

options autosupport.doit USEFUL_TITLE

Then you can access your traces via CIFS, if you have it set up at the time, or HTTP.  NetApp captures packets per interface, interface group, or VLAN, so it’s rather easy to pick out the trace you want.  I find this a bit easier than modifying the pktt command to only capture certain interfaces.

HTTP

http://<storage-ip-address>/na_admin/cores

na_admin-cores

CIFS

\\<storage-ip-address>\c$\etc\crash

etc-crash

From here, simply download the trace you want and open with your favorite packet analyzer, such as Wireshark.  Of course, you’ll probably want to have a good idea of which interface to look at.  In my most recent case, I was troubleshooting a login issue via System Manager, so I looked at the e0M trace.  Be sure to use the most recent trace, too.  For instance, I’d already run a trace on this particular box twice before and when I viewed what I thought was the right trace, I didn’t find anything I was looking for.  I was also looking at a trace that was months old.  I think you may have to manually clear out or archive these traces, so keep that in mind.  Most are fairly small, measured in KB, but some can be larger, especially depending on how long you leave the trace.

Google

Advertisements

2 Comments on “NetApp built-in packet capture”

  1. […] NetApp built-in packet capture | VirtuallyMikeBrown – They way I use this, as you might expect, is to start the capture, perform the operation that’s failing, and then stop the capture.  So as not to capture too much traffic and therefore have to wade through all of it, I try to perform those steps rather quickly.  But then again, if you know a few useful features of Wireshark, you can get around in the capture file pretty easily.  […]

  2. […] used NetApp’s built in packet capture to look at the frames hitting the interface on each controller.  I’m glad I did and I’m […]


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s