Packet capture fails on RA5300 device
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter " scr 4.8.10.236 and dst 18.16.136.1" limit-captured-frames 10
write flash:/wz3.pcap
Capturing on 'Ten-GigabitEthernet3/0/0'
tshark: Invalid capture filter " scr 4.8.10.236 and dst 18.16.136.1" for interface 'Ten-GigabitEthernet3/0/0'.
That string isn't a valid capture filter (syntax error).
See the User's Guide for a description of the capture filter syntax.
dis version
H3C Comware Software, Version 7.1.075, Release 7607P529
Copyright (c) 2004-2024 New H3C Technologies Co., Ltd. All rights reserved.
H3C RA5300 uptime is 65 weeks, 6 days, 17 hours, 50 minutes
Last reboot reason : Power on
Boot image: flash:/ra5300rsu4xx-cmw710-boot-r7607p529.bin
Boot image version: 7.1.075, Release 7607P529
Compiled Apr 18 2024 16:00:00
System image: flash:/ra5300rsu4xx-cmw710-system-r7607p529.bin
System image version: 7.1.075, Release 7607P529
Compiled Apr 18 2024 16:00:00
Feature image(s) list:
flash:/ra5300rsu4xx-cmw710-devkit-r7607p529.bin, version: 7.1.075
Compiled Apr 18 2024 16:00:00
flash:/ra5300rsu4xx-cmw710-packet-capture-r7607p529.bin, version: 7.1.075
Compiled Apr 18 2024 16:00:00
Slot 0: RSU-400 uptime is 65 weeks, 6 days, 17 hours, 50 minutes
Last reboot reason : Power on
CPU ID: 0x1b
8G bytes DDR4 SDRAM Memory
3776M bytes Flash Memory
PCB Version: 3.0
CPLD Version: 3.0
Basic BootWare Version: 3.02
Extended BootWare Version: 3.02
[SUBSLOT 0]CON (Hardware)3.0, (Driver)1.0, (CPLD)3.0
[SUBSLOT 0]METH0 (Hardware)3.0, (Driver)1.0, (CPLD)3.0
Slot 1: RSU-400 uptime is 65 weeks, 6 days, 17 hours, 50 minutes
Last reboot reason : Power on
CPU ID: 0x1b
8G bytes DDR4 SDRAM Memory
3776M bytes Flash Memory
PCB Version: 3.0
CPLD Version: 3.0
Basic BootWare Version: 3.02
Extended BootWare Version: 3.02
[SUBSLOT 0]CON (Hardware)3.0, (Driver)1.0, (CPLD)3.0
[SUBSLOT 0]METH0 (Hardware)3.0, (Driver)1.0, (CPLD)3.0
Slot 2: HRIC-XP8-H
PCB Version: 2.0
CPLD Version: 1.0
[SUBSLOT 0]XP8-H (Hardware)2.0, (Driver)1.0, (CPLD)1.0
Slot 3: HRIC-XP8-H
PCB Version: 2.0
CPLD Version: 1.0
[SUBSLOT 0]XP8-H (Hardware)2.0, (Driver)1.0, (CPLD)1.0
I. Problem diagnosis and solution
1. Where the problem is
In your command, scr in " scr 4.8.10.236 and dst 18.16.136.1" is misspelled; it should be src.
Incorrect command:
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter " scr 4.8.10.236 and dst 18.16.136.1" limit-captured-frames 10 write flash:/wz3.pcap
Correct command:
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src 4.8.10.236 and dst 18.16.136.1" limit-captured-frames 10 write flash:/wz3.pcap
II. Correct H3C capture filter syntax
1. Basic syntax rules
# Basic format
packet-capture interface <interface> capture-filter "<filter-expression>" [options] write <filename>
# Common operators
# and, or, not, &&, ||, ! (support varies by version)
2. Examples of correct filter expressions
IP address filtering
# Single IP
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236" write flash:/test1.pcap
# Source IP
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src host 4.8.10.236" write flash:/test2.pcap
# Destination IP
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "dst host 18.16.136.1" write flash:/test3.pcap
# Bidirectional traffic between two IPs
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236 and host 18.16.136.1" write flash:/test4.pcap
# Source to destination
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src host 4.8.10.236 and dst host 18.16.136.1" write flash:/test5.pcap
Port filtering
# TCP port
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "tcp port 80" write flash:/http.pcap
# Source port
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src port 1234" write flash:/srcport.pcap
# Destination port
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "dst port 443" write flash:/https.pcap
# IP + port combination
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236 and tcp port 80" write flash:/combo.pcap
Protocol filtering
# TCP protocol
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "tcp" write flash:/tcp.pcap
# UDP protocol
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "udp" write flash:/udp.pcap
# ICMP protocol
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "icmp" write flash:/icmp.pcap
III. Examples of complex filter conditions
1. Combining multiple conditions
# AND condition
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src host 4.8.10.236 and dst host 18.16.136.1 and tcp port 80" write flash:/multi1.pcap
# OR condition
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236 or host 18.16.136.1" write flash:/multi2.pcap
# Complex combination
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "(src host 4.8.10.236 and tcp port 80) or (dst host 18.16.136.1 and udp port 53)" write flash:/complex.pcap
2. Subnet filtering
# Source subnet
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src net 4.8.10.0/24" write flash:/subnet1.pcap
# Destination subnet
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "dst net 18.16.136.0/24" write flash:/subnet2.pcap
IV. Capture parameters in detail
1. Full command syntax
# Full format
packet-capture interface <interface>
[ capture-filter "<filter-condition>" ]
[ limit-captured-frames <count> ]
[ limit-frame-size <bytes> ]
[ buffer-size <KB> ]
[ timeout <seconds> ]
write <filename>
2. Common parameters
Parameter | Description | Example
limit-captured-frames | Limit on the number of captured packets | limit-captured-frames 100
limit-frame-size | Maximum bytes captured per packet | limit-frame-size 128
buffer-size | Buffer size (KB) | buffer-size 1024
timeout | Timeout (seconds) | timeout 30
direction | Direction (in/out/both) | direction in
3. Practical examples
# Capture 100 packets, at most 128 bytes per packet
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236" limit-captured-frames 100 limit-frame-size 128 write flash:/sample1.pcap
# Set a 1 MB buffer and capture for 30 seconds
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "tcp port 443" buffer-size 1024 timeout 30 write flash:/sample2.pcap
# Capture inbound traffic only
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "icmp" direction in write flash:/icmp_in.pcap
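V. Verifying and downloading the capture file
1. Check capture status
# View the capture process
display packet-capture status
# Check storage space
dir flash:
2. Download the capture file
# Download via TFTP
tftp 192.168.1.100 put flash:/wz3.pcap
# Download via FTP
ftp 192.168.1.100
# After entering the username and password
get wz3.pcap
quit
# Download via HTTP (the HTTP service must be enabled)
# Browse to https://<device-IP>/wz3.pcap
3. Enable the HTTP service (if needed)
# Enable the HTTP service
ip http enable
ip https enable
# Create a local user
local-user admin
password simple admin123
service-type http https
authorization-attribute user-role network-admin
quit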
VI. Debugging and troubleshooting tips
1. Step-by-step testing
If the filter condition is complex, test it step by step:
# Step 1: no filter, test basic functionality
packet-capture interface Ten-GigabitEthernet 3/0/0 limit-captured-frames 5 write flash:/test1.pcap
# Step 2: simple filter
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "icmp" limit-captured-frames 5 write flash:/test2.pcap
# Step 3: complex filter
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src 4.8.10.236" limit-captured-frames 5 write flash:/test3.pcap
2. View the supported filter syntax
# View help
packet-capture ?
# Or
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter ?
3. Common errors and fixes
Error message | Cause | Fix
Invalid capture filter | Syntax error | Check keyword spelling, e.g. src, not scr
Unknown protocol | Wrong protocol name | Use a correct protocol name: tcp, udp, icmp
Syntax error | Malformed syntax | Check that parentheses and quotes are matched
Interface not found | Interface does not exist | Use display interface brief to check the interface name
VII. Batch capture scripts
1. Capture on multiple interfaces at once
# Create a script file
system-view
tclsh
#
# Define the capture function
proc capture_interface {interface filter file} {
exec "packet-capture interface $interface capture-filter \"$filter\" limit-captured-frames 100 write flash:/$file"
}
# Capture in parallel
# (the interface name contains a space, so it is quoted as a single argument)
capture_interface "Ten-GigabitEthernet 3/0/0" "host 4.8.10.236" capture1.pcap
after 1000
capture_interface "Ten-GigabitEthernet 3/0/1" "host 18.16.136.1" capture2.pcap
#
tclquit
2. Scheduled capture
# Create a scheduled job for the capture
scheduler job capture-job
command 1 packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src 4.8.10.236" limit-captured-frames 1000 write flash:/scheduled.pcap
scheduler schedule CAPTURE
job capture-job
time repeating at 14:00
quit
VIII. Advanced capture techniques
1. VLAN filtering
# Capture traffic for a specific VLAN
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "vlan 10" write flash:/vlan10.pcap
# VLAN + IP combination
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "vlan 10 and host 4.8.10.236" write flash:/vlan_ip.pcap
2. MAC address filtering
# Source MAC
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "ether src 00:11:22:33:44:55" write flash:/mac_src.pcap
# Destination MAC
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "ether dst 00:11:22:33:44:55" write flash:/mac_dst.pcap
3. TCP flag filtering
# SYN packets
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "tcp[tcpflags] & tcp-syn != 0" write flash:/tcp_syn.pcap
# RST packets
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "tcp[tcpflags] & tcp-rst != 0" write flash:/tcp_rst.pcap
IX. Solution for your specific problem
1. Corrected command
# Fix the syntax error
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src 4.8.10.236 and dst 18.16.136.1" limit-captured-frames 10 write flash:/wz3.pcap
# Or use the more explicit syntax
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src host 4.8.10.236 and dst host 18.16.136.1" limit-captured-frames 10 write flash:/wz3.pcap
2. If the problem persists, test with simplified versions
# Test 1: no filter
packet-capture interface Ten-GigabitEthernet 3/0/0 limit-captured-frames 5 write flash:/test_nofilter.pcap
# Test 2: simple IP filter
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236" limit-captured-frames 5 write flash:/test_host.pcap
# Test 3: bidirectional traffic
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "host 4.8.10.236 and host 18.16.136.1" limit-captured-frames 5 write flash:/test_both.pcap
3. Verify the capture result
# List the capture files
dir flash:*.pcap
# Check the file size
dir flash:/wz3.pcap
# If the file is very small (possibly 0 KB), no traffic matched
# Try loosening the filter
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "net 4.8.10.0/24" limit-captured-frames 100 write flash:/wz3_all.pcap
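X. Summary
Core problem: scr is a misspelling; it should be src
Correct command:
packet-capture interface Ten-GigabitEthernet 3/0/0 capture-filter "src 4.8.10.236 and dst 18.16.136.1" limit-captured-frames 10 write flash:/wz3.pcap
Recommendation: if the problem persists, first test basic functionality without a filter, then add filter conditions step by step
Notes:
Make sure the interface name is correct
Make sure matching traffic actually passes through
Check that there is enough storage space
Mind the performance impact on the device and limit the number of captured packets appropriately
If the problem persists after the corrections above, please provide the specific error message and I can help diagnose further.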
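An added example, not part of the original answer and not H3C tooling: a small Python pre-check to run on a workstation before pasting a capture filter into the device CLI, which flags unknown words such as scr and suggests the nearest keyword. The KEYWORDS set is an assumed subset of pcap-filter syntax covering the host/net/port filters on this page; byte-offset expressions such as tcp[tcpflags] are out of scope.

```python
import difflib
import ipaddress
import re

# Assumed subset of pcap-filter keywords: enough for the filters on this page.
KEYWORDS = {"src", "dst", "host", "net", "port", "portrange", "ether",
            "ip", "ip6", "arp", "tcp", "udp", "icmp", "vlan",
            "and", "or", "not"}
OPERATORS = {"&&", "||", "!", "(", ")"}
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def is_value(tok):
    """True for an operand: number, IPv4/IPv6 address, CIDR net or MAC."""
    if tok.isdigit() or MAC_RE.match(tok):
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def lint_filter(expr):
    """Return a list of problems found in a capture-filter expression."""
    problems = []
    if expr.count("(") != expr.count(")"):
        problems.append("unbalanced parentheses")
    # Split parentheses off so "(src" becomes "(" and "src".
    tokens = re.sub(r"([()])", r" \1 ", expr).split()
    for tok in tokens:
        if tok in KEYWORDS or tok in OPERATORS or is_value(tok):
            continue
        hint = difflib.get_close_matches(tok.lower(), sorted(KEYWORDS),
                                         n=1, cutoff=0.6)
        msg = f"unknown token '{tok}'"
        if hint:
            msg += f", did you mean '{hint[0]}'?"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    # The failing filter from the question, then the corrected one.
    for f in (" scr 4.8.10.236 and dst 18.16.136.1",
              "src host 4.8.10.236 and dst host 18.16.136.1"):
        print(repr(f), "->", lint_filter(f) or "ok")
```

An empty result only means every word was recognised; the device's own parser remains the final check, since keyword support can vary by software version.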