xref: /dpdk/doc/guides/howto/packet_capture_framework.rst (revision cbb44143be74e7dd19853f4f360b51104e02380f)
1..  SPDX-License-Identifier: BSD-3-Clause
2    Copyright(c) 2017-2021 Intel Corporation.
3
4DPDK packet capture libraries and tools
5=======================================
6
7This document describes how the Data Plane Development Kit (DPDK) Packet
8Capture Framework is used for capturing packets on DPDK ports. It is intended
9for users of DPDK who want to know more about the Packet Capture feature and
10for those who want to monitor traffic on DPDK-controlled devices.
11
12The DPDK packet capture framework was introduced in DPDK v16.07
13and enhanced in 21.11.
14The DPDK packet capture framework consists of the libraries
15for collecting packets ``librte_pdump``
16and writing packets to a file ``librte_pcapng``.
17There are two sample applications: ``dpdk-dumpcap`` and older ``dpdk-pdump``.
18
19Introduction
20------------
21
22The :doc:`librte_pdump <../prog_guide/pdump_lib>` library provides the API
23required to allow users to initialize the packet capture framework
24and to enable or disable packet capture.
25The library works on a multi-process communication model
26and its usage is recommended for debugging purposes.
27
28The :doc:`librte_pcapng <../prog_guide/pcapng_lib>` library provides the API
29to format packets and write them to a file in Pcapng format.
30
31The :doc:`dpdk-dumpcap <../tools/dumpcap>` is a tool that captures packets in
32like Wireshark dumpcap does for Linux.
33It runs as a DPDK secondary process and captures packets
34from one or more interfaces and writes them to a file in Pcapng format.
35The ``dpdk-dumpcap`` tool is designed to take
36most of the same options as the Wireshark ``dumpcap`` command.
37
38Without any options it will use the packet capture framework
39to capture traffic from the first available DPDK port.
40
41The ``dpdk-testpmd`` application can be used to initialize
42the packet capture framework and acts as a server,
43and the ``dpdk-dumpcap`` tool acts as a client.
44To view Rx or Tx packets of ``dpdk-testpmd``,
45the application should be launched first,
46and then the ``dpdk-dumpcap`` tool.
47Packets from ``dpdk-testpmd`` will be sent to the tool,
48and then to the Pcapng file.
49
50Some things to note:
51
52* All tools using ``librte_pdump`` can only be used in conjunction with a primary
53  application which has the packet capture framework initialized already. In
54  dpdk, only ``testpmd`` is modified to initialize packet capture framework,
55  other applications remain untouched. So, if the ``dpdk-dumpcap`` tool has to
56  be used with any application other than the testpmd, the user needs to
57  explicitly modify that application to call the packet capture framework
58  initialization code. Refer to the ``app/test-pmd/testpmd.c`` code and look
59  for ``pdump`` keyword to see how this is done.
60
61* The ``dpdk-pdump`` tool is an older tool
62  created as demonstration of ``librte_pdump`` library.
63  The ``dpdk-pdump`` tool provides more limited functionality
64  and depends on the Pcap PMD.
65  It is retained only for compatibility reasons;
66  users should use ``dpdk-dumpcap`` instead.
67
68
69Test Environment
70----------------
71
72The overview of using the Packet Capture Framework and the ``dpdk-dumpcap`` utility
73for packet capturing on the DPDK port in
74:numref:`figure_packet_capture_framework`.
75
76.. _figure_packet_capture_framework:
77
78.. figure:: img/packet_capture_framework.*
79
80   Packet capturing on a DPDK port using the dpdk-dumpcap utility.
81
82
83Running the Application
84-----------------------
85
86The following steps demonstrate how to run the ``dpdk-dumpcap`` tool to capture
87Rx side packets on dpdk_port0 in :numref:`figure_packet_capture_framework` and
88inspect them using ``tcpdump``.
89
90#. Launch testpmd as the primary application::
91
92     sudo <build_dir>/app/dpdk-testpmd -c 0xf0 -n 4 -- -i --port-topology=chained
93
94#. Launch the dpdk-dumpcap as follows::
95
96     sudo <build_dir>/app/dpdk-dumpcap -w /tmp/capture.pcapng
97
98#. Send traffic to dpdk_port0 from traffic generator.
99   Inspect packets captured in the file capture.pcapng using a tool
100   such as tcpdump or tshark that can interpret Pcapng files::
101
102     $ tcpdump -nr /tmp/capture.pcapng
103     reading from file /tmp/capture.pcap, link-type EN10MB (Ethernet)
104     11:11:36.891404 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18
105     11:11:36.891442 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18
106     11:11:36.891445 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18
107