1.. SPDX-License-Identifier: BSD-3-Clause 2 Copyright(c) 2017-2021 Intel Corporation. 3 4DPDK packet capture libraries and tools 5======================================= 6 7This document describes how the Data Plane Development Kit (DPDK) Packet 8Capture Framework is used for capturing packets on DPDK ports. It is intended 9for users of DPDK who want to know more about the Packet Capture feature and 10for those who want to monitor traffic on DPDK-controlled devices. 11 12The DPDK packet capture framework was introduced in DPDK v16.07 13and enhanced in 21.11. 14The DPDK packet capture framework consists of the libraries 15for collecting packets ``librte_pdump`` 16and writing packets to a file ``librte_pcapng``. 17There are two sample applications: ``dpdk-dumpcap`` and older ``dpdk-pdump``. 18 19Introduction 20------------ 21 22The :doc:`librte_pdump <../prog_guide/pdump_lib>` library provides the API 23required to allow users to initialize the packet capture framework 24and to enable or disable packet capture. 25The library works on a multi-process communication model 26and its usage is recommended for debugging purposes. 27 28The :doc:`librte_pcapng <../prog_guide/pcapng_lib>` library provides the API 29to format packets and write them to a file in Pcapng format. 30 31The :doc:`dpdk-dumpcap <../tools/dumpcap>` is a tool that captures packets in 32like Wireshark dumpcap does for Linux. 33It runs as a DPDK secondary process and captures packets 34from one or more interfaces and writes them to a file in Pcapng format. 35The ``dpdk-dumpcap`` tool is designed to take 36most of the same options as the Wireshark ``dumpcap`` command. 37 38Without any options it will use the packet capture framework 39to capture traffic from the first available DPDK port. 40 41The ``dpdk-testpmd`` application can be used to initialize 42the packet capture framework and acts as a server, 43and the ``dpdk-dumpcap`` tool acts as a client. 44To view Rx or Tx packets of ``dpdk-testpmd``, 45the application should be launched first, 46and then the ``dpdk-dumpcap`` tool. 47Packets from ``dpdk-testpmd`` will be sent to the tool, 48and then to the Pcapng file. 49 50Some things to note: 51 52* All tools using ``librte_pdump`` can only be used in conjunction with a primary 53 application which has the packet capture framework initialized already. In 54 dpdk, only ``testpmd`` is modified to initialize packet capture framework, 55 other applications remain untouched. So, if the ``dpdk-dumpcap`` tool has to 56 be used with any application other than the testpmd, the user needs to 57 explicitly modify that application to call the packet capture framework 58 initialization code. Refer to the ``app/test-pmd/testpmd.c`` code and look 59 for ``pdump`` keyword to see how this is done. 60 61* The ``dpdk-pdump`` tool is an older tool 62 created as demonstration of ``librte_pdump`` library. 63 The ``dpdk-pdump`` tool provides more limited functionality 64 and depends on the Pcap PMD. 65 It is retained only for compatibility reasons; 66 users should use ``dpdk-dumpcap`` instead. 67 68 69Test Environment 70---------------- 71 72The overview of using the Packet Capture Framework and the ``dpdk-dumpcap`` utility 73for packet capturing on the DPDK port in 74:numref:`figure_packet_capture_framework`. 75 76.. _figure_packet_capture_framework: 77 78.. figure:: img/packet_capture_framework.* 79 80 Packet capturing on a DPDK port using the dpdk-dumpcap utility. 81 82 83Running the Application 84----------------------- 85 86The following steps demonstrate how to run the ``dpdk-dumpcap`` tool to capture 87Rx side packets on dpdk_port0 in :numref:`figure_packet_capture_framework` and 88inspect them using ``tcpdump``. 89 90#. Launch testpmd as the primary application:: 91 92 sudo <build_dir>/app/dpdk-testpmd -c 0xf0 -n 4 -- -i --port-topology=chained 93 94#. Launch the dpdk-dumpcap as follows:: 95 96 sudo <build_dir>/app/dpdk-dumpcap -w /tmp/capture.pcapng 97 98#. Send traffic to dpdk_port0 from traffic generator. 99 Inspect packets captured in the file capture.pcapng using a tool 100 such as tcpdump or tshark that can interpret Pcapng files:: 101 102 $ tcpdump -nr /tmp/capture.pcapng 103 reading from file /tmp/capture.pcap, link-type EN10MB (Ethernet) 104 11:11:36.891404 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18 105 11:11:36.891442 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18 106 11:11:36.891445 IP 4.4.4.4.whois++ > 3.3.3.3.whois++: UDP, length 18 107