4500 Wireshark quick setup guide

Document

Wed, 12/31/2014 - 02:37

Dennis McLaughlin 4 years ago

Table of Contents [hide]

o Introduction

o Wireshark feature conditions

o Verify and Capture

o Extra settings

o Limitations

o Reference

Introduction
The 4500 series catalyst switches with the Supervisor 7 has a new built in functionality with
IOS-XE version 3.3(0) / 151.1 or higher. This built in wireshark has the ability to capture packets
in the way we would traditionally use SPAN with an attached PC for capturing packets in a
troubleshooting scenario.

Wireshark feature conditions

To utilize the Wireshark feature you must meet the following conditions.

4500 series Catalyst switch

Supervisor 7 (supervisor 6 is unsupported at this time)

 Feature set IP Base and Enterprise Services (LAN Base is unsupported)

Switch CPU is not in a high utilization condition as the Wireshark feature is CPU
intensive and will software switch certain packets during capture.

The following is a quick start guide to get a capture started. This is very general and you will
need implement filters and buffer setting as needed to limit the excessive capture of packets if
troubleshooting in a production network.

Verify and Capture

1) Verify you meet the conditions to support the capture.

4500TEST#show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
(cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)
<output omitted>

License Information for 'WS-X45-SUP7-E'

License Level: entservices Type: Permanent
Next reboot license Level: entservices

cisco WS-C4507R+E (MPC8572) processor (revision 8) with 2097152K/20480K

bytes of memory.

Processor board ID FOX1512GWG1

MPC8572 CPU at 1.5GHz, Supervisor 7
<output omitted>
4500TEST#show proc cpu history
History information for system:
888844444222222222222222333334444422222222222222255555222222
100
90
80
70
60
50
40
30
20
10 **** *****

0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)

2) In this example I am capturing traffic in a TX/RX direction from port gig2/26. We will store
the capture file on bootflash in a pcap file format for review from a local PC if necessary. The
config is done from User EXEC mode, not global config mode.
4500TEST#monitor capture MYCAP interface g2/26 both
4500TEST#monitor capture file bootflash:MYCAP.pcap
4500TEST#monitor capture MYCAP match any start
*Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.

3) This will capture all traffic ingress and egress on port g2/26. This will surely fill the file very
quickly with useless traffic in a production situation unless you specify the direction you are
looking for and apply capture filters to narrow down the scope of interesting traffic to be
captured.

4500TEST#monitor capture MYCAP start capture-filter "icmp"

This will only capture ICMP traffic in your capture file.

4) Once the capture file either times out or fills the size quota you will see the following
message.

*Sep 13 15:25:07.933: %BUFCAP-6-DISABLE_ASYNC: Capture Point MYCAP

disabled. Reason : Wireshark session ended

Or you can manually stop the capture with the following command

4500TEST#monitor capture MYCAP stop

5) Another added feature is you can view the capture from the CLI. You can view the packets
with the following command. The detail option is available at the end to view the actual packet if
it is required to see inside the packets in a wireshark format. Also the dump option is available to
see the hex value of the packet as well.

4500TEST#show monitor capture file bootflash:MYCAP.pcap

1 0.000000 44:d3:ca:25:9c:c9 -> 01:00:0c:cc:cc:cc CDP Device ID:

4500TEST Port ID: GigabitEthernet2/26
2 0.166983 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root =
32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018
3 0.166983 00:19:e7:c1:6a:18 -> 01:00:0c:cc:cc:cd STP Conf. Root =
32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018
4 1.067989 14.1.98.2 -> 224.0.0.2 HSRP Hello (state Standby)
5 2.173987 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP Conf. Root =
32768/1/00:19:e7:c1:6a:00 Cost = 0 Port = 0x8018

6) This can get cluttered and confusing if you didn't use a capture-filter when starting the
capture. In this case we can utilize the display-filter option to only give us specific traffic in our
display. We only want to see ICMP traffic, and not the HSRP, STP, and CDP traffic seen above.
As the display filter is the same format as wireshark you can find the filters online.

http://wiki.wireshark.org/DisplayFilters
4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter
"icmp"
17 4.936999 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=0/0, ttl=255)
18 4.936999 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=0/0, ttl=251)
19 4.938007 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=1/256, ttl=255)
20 4.938007 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=1/256, ttl=251)
21 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=2/512, ttl=255)
22 4.938998 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=2/512, ttl=251)
23 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=3/768, ttl=255)
24 4.940005 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=3/768, ttl=251)
25 4.942996 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=4/1024, ttl=255)
26 4.942996 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=4/1024, ttl=251)

7) Last you can transfer the file to a local machine and look at the pcap file as you would any
other standard capture file.

4500TEST#copy bootflash: ftp://Username:Password@<ftp server address>

8) To clean up the capture, just remove the config with the following command.

4500TEST#no monitor capture MYCAP

4500TEST#show monitor capture MYCAP
<no output>
4500TEST#

Extra settings
By default the limit on the capture file size is 100 packets or 60 seconds in a linear file. Using the
limit option on the monitor capture syntax can change this.

4500TEST#monitor cap MYCAP limit ?

duration Limit total duration of capture in seconds
packet-length Limit the packet length to capture
packets Limit number of packets to capture

The buffer size max is 100 MB. This can be adjusted as well as the circular/linear buffer setting
as shown.

4500TEST#monitor cap MYCAP buffer ?

circular circular buffer
size Size of buffer
The built in wireshark feature on the Sup7 IOS-XE 3.3(0) is a very powerful tool and if used
correctly can save time and resources when troubleshooting in customers network. Caution must
be used when utilizing the feature as it does have to potential to increase CPU utilization in high
traffic situations. And should never be configured and left unattended. If used properly it is an
invaluable tool to troubleshooting on the 4500 platform.

Limitations
Due to hardware limitations it is possible to have out of order packets appear in your capture file.
This is due to the separate buffers used for ingress and egress packet capturing. If you have out
of order packets appear in your capture, set your buffer to both ingress. This will prevent the
packets in egress getting processed before the ingress packets when the buffer is processed.

In the above example if you see out of order packets, it is recommended to change your
configuration from "both" to "in" on both interfaces.

4500TEST#monitor capture MYCAP interface g2/26 both

Change the command to

4500TEST#no monitor capture MYCAP interface g2/26 both

4500TEST#monitor capture MYCAP interface g2/26 in
4500TEST#monitor capture MYCAP interface g2/27 in

+------------+

| |

| 4500 |

+------+ | | +------+

| +---------->in out+---------> |

| host | |g2/26 g2/27| | host |

| <----------+out in<---------+ |

+------+ | | +------+

| |

+------------+

Reference
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configurati
on/guide/wireshrk.html
 http://wiki.wireshark.org/DisplayFilters