Wireshark Your VMs on the Cisco Nexus 1000V

Recently, I ran some tests to verify Multicast, QoS, and Security settings that I implemented on the Nexus 1000V.  I wasn’t seeing the results that I expected.  So, I setup Wireshark on a VM to examine the packets…

The Nexus 1000V allows you to use either SPAN or ERSPAN to forward packet data.  ERSPAN requires an additional VMkernel in vSphere and creating a special Nexus 1000V Port Profile with L3Control enabled.  Since my workload was relatively small, I decided to go with SPAN since the only requirement is to have the data collector and source VMs on the same ESXi host.

Before we can collect the data, we need to know which Vethernet port belongs to the Wireshark VM:

1. Get the DV Port value for the Wireshark VM NIC from the VM Properties:

Helps us find the right Vethernet port on the 1000V
The VM DV Port Number

2. On the Cisco Nexus 1000V VSM, use the DV Port Number to get the Vethernet Port information on the Nexus 1000V

VSMvCloud# show interface | include "DVS port 418" prev 5
 Vethernet19 is up
 Port description is qos-Analytics, Network Adapter 1
 Hardware: Virtual, address: 0050.56ab.68c8 (bia 0050.56ab.68c8)
 Owner is VM "qos-Analytics", adapter is Network Adapter 1
 Active on module 4
 VMware DVS port 418

You can verify that you have the right VM by looking at the Port description and Owner is VM values.

We then create a monitoring session on the Cisco Nexus 1000V to forward information about the VLANs, Vethernet ports, or Ethernet ports that we are interested in (VLAN 180 in my case):

VSMvCloud# configure terminal
VSMvCloud(config)# monitor session 2
VSMvCloud(config-monitor)# description QoS Debug
VSMvCloud(config-monitor)# source vlan 180 both
VSMvCloud(config-monitor)# destination interface Vethernet19
VSMvCloud(config-monitor)# no shutdown

The monitoring session number doesn’t really matter.  Just be careful that you don’t overwrite an existing session (run show monitor to see a list of existing session numbers).  The last command, no shutdown, begins the flow of traffic to the Wireshark VM’s NIC.  If your VM has only one NIC, you will lose connectivity if you’re accessing it via VNC\Remote Desktop.  You will either need to use the vSphere Client console or add a second NIC to access the VM while monitor session is running.

Now, you can open up WireShark, apply the necessary filters, and examine the information being sent over.  In the screenshot below, I wanted to verify that the correct DSCP value (af11) was being applied to my network traffic.

Verifying my QoS Data
Wireshark Output showing DSCP value AF11

When you are done with your testing, be sure to shutdown the monitoring session:

VSMvCloud# configure terminal
VSMvCloud(config)# monitor session 2
VSMvCloud(config-monitor)# shutdown
VSMvCloud(config-monitor)# end
VSMvCloud# copy running-config startup-config

…And don’t forget to save your work!

Leave a Reply

Your email address will not be published. Required fields are marked *