CML packet capture — start, stop, download pcaps from CML lab links, integrate with Packet Buddy for analysis. Use when capturing packets in a CML lab, troubleshooting BGP or OSPF with packet analysis, or downloading pcap files for Wireshark review.
- cml-mcp (pip-installed, stdio transport)
- CML_URL, CML_USERNAME, CML_PASSWORD environment variables

| Tool | Parameters | What It Does |
|---|---|---|
| start_capture | lab_id/lab_title, link_id, max_packets?, pcap_filter? | Start capturing packets on a link |
| stop_capture | lab_id/lab_title, link_id | Stop an active capture |
| get_capture_status | lab_id/lab_title, link_id | Check capture status (running, packet count) |
| download_capture | lab_id/lab_title, link_id, file_path? | Download the captured pcap file |
| list_captures | lab_id/lab_title | List all active and completed captures in a lab |

When a user says "capture traffic between R1 and R2 and analyze it":

1. get_links (from cml-topology-builder) to find the link ID between R1 and R2
2. start_capture with optional filter (e.g., "icmp", "tcp port 179")
3. execute_command to ping
4. stop_capture after sufficient traffic is collected
5. download_capture to save the pcap file locally

- pcap_summary — overview
- pcap_protocol_hierarchy — protocol breakdown
- pcap_conversations — who talked to whom
- pcap_expert_info — errors, retransmissions
- pcap_filter — drill into specific traffic

When troubleshooting a specific protocol:

BGP:

1. start_capture with pcap_filter="tcp port 179"
2. Wait for BGP events (or trigger with clear ip bgp)
3. stop_capture
4. download_capture
5. Analyze: Look for OPEN, KEEPALIVE, UPDATE, NOTIFICATION messages
6. Check for: hold timer expiry, capability mismatch, prefix limit exceeded

OSPF:

1. start_capture with pcap_filter="ospf"
2. Wait for OSPF events (or trigger with clear ip ospf process)
3. stop_capture
4. download_capture
5. Analyze: Look for Hello, DBD, LSR, LSU, LSAck packets
6. Check for: area mismatch, auth failure, MTU mismatch, dead timer expiry

ICMP (ping):

1. start_capture (no filter, or pcap_filter="icmp")
2. execute_command on source node: "ping {destination}"
3. stop_capture
4. download_capture
5. Analyze: Look for echo request/reply, unreachable, TTL exceeded
6. Check for: asymmetric routing, ACL drops, MTU issues

STP:

1. start_capture with pcap_filter="stp"
2. Wait for STP convergence or trigger topology change
3. stop_capture
4. download_capture
5. Analyze: BPDUs, topology change notifications, root bridge elections

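
Steps 5 and 6 of the BGP procedure can also be checked offline against the downloaded file. The sketch below is an added example, not part of cml-mcp or Packet Buddy: the names `bgp_messages` and `sample_pcap` are hypothetical, and it assumes the download is a classic little- or big-endian pcap (not pcapng) with an Ethernet link type. The capture it parses is constructed inline.

```python
import struct

BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
NOTIFY = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
          4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}  # RFC 4271

def bgp_messages(pcap):
    """List (type, notification_error) per BGP message in a classic pcap.
    Assumes untagged Ethernet/IPv4; no TCP reassembly (split messages are skipped)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    found, off = [], 24                          # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # keep IPv4 + TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20 or 179 not in struct.unpack("!HH", tcp[:4]):
            continue                             # same match as "tcp port 179"
        data = tcp[(tcp[12] >> 4) * 4:]
        while len(data) >= 19 and data[:16] == b"\xff" * 16:   # 16-byte BGP marker
            length, mtype = struct.unpack("!HB", data[16:19])
            if length < 19 or length > len(data):
                break                            # malformed or continues in next segment
            err = None
            if mtype == 3 and length >= 21:      # NOTIFICATION carries an error code
                err = NOTIFY.get(data[19], f"code {data[19]}")
            found.append((BGP_TYPES.get(mtype, f"type {mtype}"), err))
            data = data[length:]
    return found

def sample_pcap():
    """Constructed capture: OPEN + KEEPALIVE in one segment, then a NOTIFICATION."""
    def bgp(mtype, body=b""):
        return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), mtype) + body
    def frame(payload):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 255, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        tcp = struct.pack("!HHIIBBHHH", 49152, 179, 0, 0, 0x50, 0x18, 4096, 0, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    open_body = struct.pack("!BHH4sB", 4, 65001, 180, b"\x0a\x00\x00\x01", 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(bgp(1, open_body) + bgp(4)), frame(bgp(3, b"\x04\x00"))):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A NOTIFICATION reported as "Hold Timer Expired" corresponds to the hold timer expiry check in step 6; capability and prefix-limit problems appear under other error codes and subcodes that this sketch reports by code name only.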
CML uses BPF (Berkeley Packet Filter) syntax for capture filters:

| Filter | Captures |
|---|---|
| icmp | ICMP (ping) traffic |
| tcp port 179 | BGP traffic |
| ospf | OSPF traffic |
| tcp port 22 | SSH traffic |
| udp port 53 | DNS traffic |
| arp | ARP requests/replies |
| stp | Spanning Tree BPDUs |
| tcp port 80 or tcp port 443 | HTTP/HTTPS traffic |
| host 10.0.0.1 | Traffic to/from specific host |
| net 10.0.0.0/24 | Traffic to/from specific subnet |
| vlan 100 | Traffic on VLAN 100 |

When verifying a configuration change:

- before.pcap
- after.pcap

After downloading a pcap from CML, use these Packet Buddy tools for analysis:

| Step | Packet Buddy Tool | Purpose |
|---|---|---|
| 1 | pcap_summary | Big picture: packet count, duration, size |
| 2 | pcap_protocol_hierarchy | What protocols are present |
| 3 | pcap_conversations | Who is talking to whom |
| 4 | pcap_expert_info | Errors, warnings, retransmissions |
| 5 | pcap_filter | Focus on specific traffic |
| 6 | pcap_packet_detail | Deep dive into a single packet |
| 7 | pcap_dns_queries | DNS resolution analysis |
| 8 | pcap_http_requests | HTTP traffic analysis |
r1-r2-bgp-capture.pcap