Published on August 31, 2011
Troubleshooting Ethernet Services with Packet-Capture and Decode Capabilities (Part 2)
Part 1 of this article examined the main configuration issues with packet-forwarding devices: fragmentation of the traffic, VLAN tunneling and header fields.
EXFO’s Packet-Capture and Decode Capabilities
To enhance troubleshooting tools for technicians and network engineers, EXFO has introduced packet-capture and decode capabilities to its extensive datacom portfolio—as a software upgrade to its existing FTB and RTU Ethernet test modules. This new feature, associated with the frame-analyzer test tool, introduces Ethernet capture capabilities at a line-rate speed from 10 Mbit/s to 10 Gbit/s. The combination of these two tools allows network operators and technicians to quickly and efficiently troubleshoot network events:
- Packet capture on a test tool: By enabling packet capture on the test platform, two of the technician’s pains are solved. First, technicians only need to carry one piece of equipment instead of two or more, which provides powerful packet-capture, decode and test capabilities all from one single piece of equipment in the field—therefore reducing equipment costs.
- Industry-standard capture files: Captured traffic is saved in PCAP files, the industry standard in capture data files. Decoding is performed via Wireshark, an industry leader and the de facto standard in packet analysis and decoding. This open-source tool is freely available on the Internet and provides the most complete packet decoding capabilities and powerful post-processing analysis capabilities. Wireshark’s strong and committed community of developers ensures that the tool is constantly updated.
- Availability on a wide series of modules: Packet capture is available on almost the entire EXFO datacom portfolio, from the dedicated Ethernet module FTB series to the multiservice PowerBlazer series to the centralized rack-mounted RTU series. The wide availability of form factors and capabilities ensures that solutions can be applied for any network configuration.
- Packet capture for all Ethernet rates: Since packet capture is performed directly from the test ports of the modules, capture can be performed on all Ethernet rates from 10 Mbit/s to 10GigE for LAN and metro networks, and 100GigE for high-speed with full line-rate capabilities. This flexibility removes the need for external accessories and reduces the number of failure points in the test architecture.
Packet-Capture Usability Features
EXFO’s implementation of the packet-capture tool goes beyond the simple capture capabilities. Extra features and functionalities have been implemented in order to increase the efficiency of the test cycle and provide more value to the customer. Capturing capabilities are often reduced by the limited amount of memory available to store the captured traffic. In the case of the EXFO suite, available memory is dependent on the module used. In order to mitigate the effect of these limitations, EXFO’s packet-capture tool provides comprehensive filter and triggering methods to target specific traffic and efficiently use the memory available.
Filtering Captured Traffic
In some cases, only a particular traffic flow is of interest and other traffic can consume memory without providing any useful information. The EXFO packet capture tool provides the capability to filter the captured traffic in order to capture only traffic that fits a specific profile, therefore efficiently using the available memory.
The filter engine is based on the basic frame-analyzer and advanced traffic-filter system. In the basic mode, the user can filter traffic based on a single trigger value, while an advanced mode provides the capability to restrict traffic even more by using up to four trigger fields and operators (AND, OR, NOT). In both cases, a complete set of triggers is available, such as MAC, IP and TCP/UDP fields, and VLAN, MPLS and PBB-TE fields.
In most captures, the payload information is typically proprietary information that cannot be understood and decoded by the analysis engine. The technical staff usually focuses on header information as these are decoded and are used for more in-depth troubleshooting, such as conversation and top-talker analysis. Therefore, capturing the payload of packets is, in most cases, not efficient as it consumes memory without providing extra information.
EXFO’s packet-capture tool provides an innovative packet truncation feature, which limits the capture to a specific number of bytes, starting from the first bit of the packet. Users can therefore limit capture to the first few bytes of the header (layer 2 to layer 4) or add more bytes to include higher layer information. By only capturing this information and avoiding the payload, users efficiently use the available memory. In order to assist the truncation process, a simple calculator is provided. This efficient tool automatically calculates the number of bytes to truncate according to the common header profile of the incoming frames.
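The truncation arithmetic described above, as an added Python example that is not EXFO's calculator: `snap_length` sums the standard base header sizes for a given header profile, and `write_truncated_pcap` stores each frame cut to that length in a classic PCAP file. The function names and the sample frames are constructed for illustration; IP options, IPv6 extension headers and TCP options are not counted unless passed in `extra`.

```python
import io
import struct

# Base header sizes in bytes for the layers a truncated capture must keep.
ETH, VLAN_TAG, MPLS_LABEL = 14, 4, 4
L3 = {"ipv4": 20, "ipv6": 40}  # no IP options / extension headers
L4 = {"tcp": 20, "udp": 8}     # no TCP options

def snap_length(vlan_tags=0, mpls_labels=0, l3="ipv4", l4="tcp", extra=0):
    """Bytes to keep per frame so that layers 2 to 4 survive truncation."""
    return (ETH + VLAN_TAG * vlan_tags + MPLS_LABEL * mpls_labels
            + L3[l3] + L4[l4] + extra)

def write_truncated_pcap(frames, snaplen):
    """Return classic little-endian PCAP bytes, each frame cut to snaplen."""
    out = io.BytesIO()
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, ts_usec, frame in frames:
        kept = frame[:snaplen]
        # incl_len = bytes stored in the file, orig_len = size on the wire
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(kept), len(frame)))
        out.write(kept)
    return out.getvalue()

def read_record_lengths(pcap):
    """Return (incl_len, orig_len) for every record in a classic PCAP blob."""
    lengths, off = [], 24  # skip the 24-byte global header
    while off < len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        lengths.append((incl, orig))
        off += 16 + incl
    return lengths

# Constructed sample: one full-size and one minimum-size frame (filler bytes).
SAMPLE = [(0, 0, bytes(1518)), (0, 500, bytes(64))]

if __name__ == "__main__":
    n = snap_length(vlan_tags=1)  # Ethernet + one VLAN tag + IPv4 + TCP
    blob = write_truncated_pcap(SAMPLE, n)
    print(n, len(blob), read_record_lengths(blob))
```

Because each record keeps the original wire length, byte-count and top-talker statistics remain accurate on the truncated file; payload inspection is no longer possible.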
A very common issue with typical capture tools is that the capture starts as soon as the tool is enabled. However, the event of interest may occur later and the captured traffic fills the memory buffer but does not provide any useful information. In some cases, the testing opportunity can be completely missed because of the high amount of captured data and the short event window.
EXFO’s packet-capture tools solve this issue by including a set of triggering capabilities, allowing the customer to fine-tune and specify when the capture process should start. This powerful capability simplifies the troubleshooting process by filling the memory only when the event of interest is detected. The memory and troubleshooting time are therefore efficiently used, resulting in meaningful capture data, which yields more important information.
Users can capture traffic based on three types of triggers:
1. Manual trigger is the simplest form of trigger and basically starts the capture as soon as it is enabled. This is the default mode of operation and mimics traditional capture tools.
2. On-error trigger is a trigger which starts the capture operation when a specific event is detected. These events are typically Ethernet errors such as frame-check sequence (FCS) errors. This mode enables on-event capture, a scenario where a capture device can remain armed, monitoring the circuit, until the specific event is detected and the capture is triggered.
3. Field-match trigger launches the capture when a frame with a specific filtered condition is detected. This condition uses a system similar to the traffic-filter system and enables the user to monitor the circuit and start the capture as soon as a specific frame condition is detected.
The triggering position is used to determine the position of the triggered frame within the captured data, solving one of the common problems with traditional capture tools where the event of interest is often located within the capture data.
A typical use for the triggering position is performing pre- and post-analysis. In network troubleshooting, it is very important to understand the events that lead to the failure and to view the events that followed the failure. These two critical phases provide a wealth of information on the failure, as well as on its causes and how the network reacted to it. For example, troubleshooting a TCP retransmission issue could start by looking at the pre-trigger phase to identify the cause of the retransmission by focusing on the TCP sequence itself, looking at the bandwidth usage or determining if there was any congestion by searching for Ethernet pause frames. The post-trigger analysis can focus on the retransmission process and determine if the cause of congestion has been relieved.
The triggering position capability allows the user to specify where the trigger event will be located in the capture, therefore allowing the selection of the frames that will be captured, depending on their position relative to the trigger event. Traditional capture tools do not provide the capability to perform mid-trigger or pre-trigger as they only provide post-trigger capabilities. Instead, users are left to manually search in the captured sequence to identify the event and perform the analysis. Combined with the lack of a trigger mechanism, it is quite possible when using traditional capture tools that the event of interest is completely missed, resulting in an inefficient capture process.
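How an armed capture with a trigger position can work, as an added Python sketch that is not EXFO's implementation: while waiting for the trigger, the newest frames are kept in a ring buffer, and the chosen position decides how much of that history is retained once the trigger fires. The exact placement of the trigger frame for each position, the frame dictionaries and all function names are assumptions made for this example.

```python
from collections import deque

def capture(frames, capacity, trigger, position="mid"):
    """Capture up to `capacity` frames around the first frame matching `trigger`.

    Assumed placement: "post" puts the trigger frame first, "mid" in the
    middle and "pre" last, so "pre" keeps the most history before the event.
    """
    pre_slots = {"post": 0, "mid": capacity // 2, "pre": capacity - 1}[position]
    history = deque(maxlen=pre_slots)  # armed: only the newest frames survive
    captured = None
    for frame in frames:
        if captured is None:
            if trigger(frame):
                captured = list(history) + [frame]  # freeze pre-trigger frames
            else:
                history.append(frame)
        elif len(captured) < capacity:
            captured.append(frame)  # post-trigger frames fill what is left
        else:
            break
    return captured or []  # empty when the trigger never fired

def fcs_error(frame):
    """On-error trigger: the frame was received with a bad FCS."""
    return not frame["fcs_ok"]

def vlan_match(vlan_id):
    """Field-match trigger on the VLAN ID."""
    return lambda frame: frame.get("vlan") == vlan_id

# Constructed sample: 20 frames, frame 7 on VLAN 100, frame 12 with a bad FCS.
FRAMES = [{"seq": i, "vlan": 100 if i == 7 else 10, "fcs_ok": i != 12}
          for i in range(20)]

def seqs(position, trigger=fcs_error, capacity=5):
    """Sequence numbers retained for a given trigger and position."""
    return [f["seq"] for f in capture(FRAMES, capacity, trigger, position)]

if __name__ == "__main__":
    for pos in ("post", "mid", "pre"):
        print(pos, seqs(pos))
```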
EXFO’s packet-capture feature provides three triggering positions:
Exporting Capture and Analysis
Once a capture has been completed, the captured data can be exported either to the platform’s internal memory or to an external USB-based memory for decoding. The exporting process generates an industry-standard PCAP file that can be used by a variety of open-source decoding tools.
Decoding and post-analysis are performed using the Wireshark application (the industry standard in protocol analysis and decode). This free application enables extensive protocol decoding as well as complex analysis to provide a solid post-processing analysis. Since Wireshark is an open-source application maintained by a strong and dedicated community of developers and contributors, the application is always up-to-date with the latest protocols. What’s more, Wireshark is also supported by various extensions that enable analysis tools or specialized processes which can be used to complement the standard Wireshark offering.
EXFO’s test solution can be used in a variety of locations, from central field and customer locations to labs and exchange offices.
Today’s multiservice networks are growing increasingly complex, driving the need for technicians to have a more granular view of data traffic across all layers of the network. By adding packet-capture and decode capabilities to its test modules, EXFO brings to market a comprehensive, simplified and fully integrated solution for end-to-end carrier Ethernet network assessment. This enables field technicians to quickly pinpoint, analyze and report quality of service issues using a single test unit. With packet-capture and decode functionalities, EXFO is revolutionizing the way network operators validate, turn up, monitor and troubleshoot carrier Ethernet services.