Packet Tracing

Versa FlexVNF supports packet tracing for debugging Life of a Packet or a Session. Since enabling debug-level logs on production system for prolonged peris not recommended, a few logs might help identify the root cause via packet tracing, whose logs are stored in /var/log/versa/versa-pkttrace.log

Packet Filter Options

admin@gotham-cli> request debug session filter-create ?
Description: Enable packet/flow logging
Possible completions:
  description        - Session filter description
  destination-port   - Destination port or port range (e.g. 5000-6000, 5000)
  destination-prefix - Destination IP prefix
  filter-name        - Session filter name
  ip-version         - IP version/family (default IPv4)
  modules            - Module specific logging
  protocol           - Protocol value
  routing-instance   - Routing instance name
  source-port        - Source port or port range (e.g. 5000-6000, 6000)
  source-prefix      - Source IP prefix
  timeout            - Duration after which this filter is automatically removed (in minutes)

Create Packet Trace Filter

To illustrate, let's assume you want to trace DNS packets originating from host 192.168.130.10/32. A packet trace filter can be created using the following request command. The timeout field is mandatory and specifies the duration (in minutes) after which the filter is automatically removed: 

admin@gotham-cli> request debug session filter-create filter-name DNS source-prefix 192.168.130.10/32 destination-prefix 8.8.8.8/32 protocol 17 timeout 10

View Packet Trace Filter

To view an existing packet trace filter, use the following CLI:

admin@gotham-cli> request debug session filter-display DNS 
result Success
filter-name DNS
ip-version ipv4
source-prefix 192.168.130.10/32
destination-prefix 8.8.8.8/32
protocol 17
routing-instance riCustomer1
timeout 10

Delete Packet Trace Filter

A packet filter can be deleted using its name. For instance, the DNS packet trace filter created above can be deleted using the following CLI:

admin@gotham-cli> request debug session filter-delete DNS 

View Packet Trace Table (Datapath)

To ensure that the packet trace filter is installed correctly in the datapath, use the following CLI: 

admin@gotham-cli> show debug filter trace table 
 
Legends
  C/Catg - Category
  L/Prio - Level/priority
  P/Prot - Protocol

 +------------+---+-----+-----+-----------+--------------------+--------------------+-------------+-------------+
 |   Rule Hdl | C |  L  |  P  |    VRF    |     SOURCE-IP      |       DEST-IP      |    SPORT    |    DPORT    |
 +------------+---+-----+-----+-----------+--------------------+--------------------+-------------+-------------+
 | 0x00010000 | A |  22 |  17 |    8-8    |   192.168.130.10/32 |         8.8.8.8/32 |     0-65535 |     0-65535 |
 +------------+---+-----+-----+-----------+--------------------+--------------------+-------------+-------------+
 | Total IPv4 Filters: 1                                                                                        |
 +--------------------------------------------------------------------------------------------------------------+


admin@gotham-cli> show debug filter trace stats 

 Rule Handle 0x00010000 :     1

Note:

• Packet Tracing filters should be as constrained as possible. Avoid using a large subnet (e.g. /24) as the source or destination prefix — matching a wide range of traffic generates excessive logging and can put significant load on the system. Prefer specific host prefixes (/32).
• Do not run packet tracing for a prolonged period. Always set a short timeout and delete the packet tracing filter after collecting the logs.