o Introduction
o Extra settings
o Limitations
o Reference
Introduction
The 4500 series Catalyst switches with the Supervisor 7 have a new built-in functionality with
IOS-XE version 3.3(0) / 151.1 or higher. This built-in Wireshark can capture packets the way we
would traditionally use SPAN with an attached PC for capturing packets in a troubleshooting
scenario.
Make sure the switch CPU is not in a high utilization condition, as the Wireshark feature is CPU
intensive and will software switch certain packets during capture.
The following is a quick start guide to get a capture started. It is very general, and you will
need to implement filters and buffer settings as needed to limit the excessive capture of packets
if troubleshooting in a production network.
4500TEST#show version
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
(cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)
<output omitted>
<CPU utilization history output omitted: CPU% per second (last 60 seconds)>
2) In this example I am capturing traffic in the TX/RX direction on port gig2/26. We will store
the capture file on bootflash in pcap format so it can be reviewed from a local PC if necessary.
The config is done from User EXEC mode, not global config mode.
4500TEST#monitor capture MYCAP interface g2/26 both
4500TEST#monitor capture file bootflash:MYCAP.pcap
4500TEST#monitor capture MYCAP match any start
*Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.
3) This will capture all traffic ingress and egress on port g2/26. In a production situation this
will fill the file very quickly with useless traffic unless you specify the direction you are
looking for and apply capture filters to narrow the scope to the interesting traffic.
4) Once the capture file either times out or fills the size quota you will see the following
message.
Or you can manually stop the capture with the following command
5) Another added feature is that you can view the capture from the CLI with the following
command. The detail option is available at the end to view the actual packet in a Wireshark-style
decode if you need to see inside the packets, and the dump option shows the hex value of the
packet as well.
6) This can get cluttered and confusing if you didn't use a capture filter when starting the
capture. In this case we can use the display-filter option to show only specific traffic. Here we
only want to see ICMP traffic, not the HSRP, STP, and CDP traffic seen above. As the display
filter uses the same syntax as Wireshark, you can find the filters online:
http://wiki.wireshark.org/DisplayFilters
4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"
17 4.936999 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=0/0, ttl=255)
18 4.936999 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=0/0, ttl=251)
19 4.938007 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=1/256, ttl=255)
20 4.938007 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=1/256, ttl=251)
21 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=2/512, ttl=255)
22 4.938998 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=2/512, ttl=251)
23 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=3/768, ttl=255)
24 4.940005 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=3/768, ttl=251)
25 4.942996 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=4/1024, ttl=255)
26 4.942996 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=4/1024, ttl=251)
7) Lastly, you can transfer the file to a local machine and look at the pcap file as you would
any other standard capture file.
8) To clean up the capture, just remove the config with the following command.
Extra settings
By default the capture is limited to 100 packets or 60 seconds in a linear file. The limit option
of the monitor capture syntax changes this.
The maximum buffer size is 100 MB. This can be adjusted, as can the circular/linear buffer
setting, as shown.
Limitations
Due to hardware limitations it is possible for out-of-order packets to appear in your capture
file. This is caused by the separate buffers used for ingress and egress packet capturing. If
out-of-order packets appear in your capture, capture in the ingress direction only. This prevents
egress packets from being processed before the ingress packets when the buffer is processed.
In the above example, if you see out-of-order packets, it is recommended to change your
configuration from "both" to "in" on both interfaces.
+------+          +------------+           +------+
|      |          |    4500    |           |      |
|      +---------->in      out+---------->|      |
|      |<---------+out      in<----------+|      |
+------+          +------------+           +------+
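Once a capture like the one in step 6 has been taken, the two things a troubleshooter checks first are whether every echo request got a reply and whether the timestamps run forward monotonically (the out-of-order symptom described in this section). The following Python script is an added example, not part of the original document or of Cisco's software. It parses the summary-line format printed by the display-filter command in step 6 (including lines the terminal wrapped after "request"/"reply"), pairs requests and replies by ICMP id and sequence number, and reports frames whose timestamp goes backwards. The sample input is constructed: frames 17-26 are the ones shown above, and frames 27-29 are made up to exercise the reply-before-request and unanswered-request cases. The regular expression assumes the exact line format shown on this page.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Constructed sample input: the ICMP summary lines shown on this page for frames 17-26
# (the first two written the way a terminal wraps them), plus three constructed frames.
# Frames 27/28 deliberately record the reply ahead of its request, as the Limitations
# section describes, and frame 29 is a request that never gets a reply.
SAMPLE_OUTPUT = """\
4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"
17 4.936999 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request
(id=0x0001, seq(be/le)=0/0, ttl=255)
18 4.936999 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply
(id=0x0001, seq(be/le)=0/0, ttl=251)
19 4.938007 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=1/256, ttl=255)
20 4.938007 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=1/256, ttl=251)
21 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=2/512, ttl=255)
22 4.938998 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=2/512, ttl=251)
23 4.938998 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=3/768, ttl=255)
24 4.940005 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=3/768, ttl=251)
25 4.942996 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=4/1024, ttl=255)
26 4.942996 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=4/1024, ttl=251)
27 4.946001 172.18.108.26 -> 14.1.98.144 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=5/1280, ttl=251)
28 4.945000 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=5/1280, ttl=255)
29 4.950000 14.1.98.144 -> 172.18.108.26 ICMP Echo (ping) request (id=0x0001, seq(be/le)=6/1536, ttl=255)
"""

# One summary record per packet, in the format the display-filter output above uses.
LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"ICMP Echo \(ping\) (?P<kind>request|reply)\s+"
    r"\(id=0x(?P<id>[0-9a-fA-F]+), seq\(be/le\)=(?P<seq>\d+)/\d+, ttl=(?P<ttl>\d+)\)$"
)


@dataclass
class Frame:
    number: int
    time_us: int      # capture timestamp in microseconds (exact, no float rounding)
    src: str
    dst: str
    kind: str         # "request" or "reply"
    ident: int
    seq: int
    ttl: int


def join_wrapped(text: str) -> list[str]:
    """Re-join records the terminal wrapped onto a second line; the wrapped tail
    always starts with the '(' of the id/seq/ttl detail."""
    records: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("(") and records:
            records[-1] = records[-1] + " " + line
        else:
            records.append(line)
    return records


def parse_icmp_summary(text: str) -> list[Frame]:
    """Parse every ICMP echo summary line; the command echo and other text are skipped."""
    frames: list[Frame] = []
    for rec in join_wrapped(text):
        m = LINE_RE.match(rec)
        if not m:
            continue
        frames.append(Frame(
            number=int(m["frame"]),
            time_us=int(Decimal(m["time"]) * 1_000_000),
            src=m["src"], dst=m["dst"], kind=m["kind"],
            ident=int(m["id"], 16), seq=int(m["seq"]), ttl=int(m["ttl"]),
        ))
    return frames


def out_of_order(frames: list[Frame]) -> list[tuple[int, int]]:
    """Frame-number pairs (previous, current) where the timestamp went backwards.
    On the 4500 this is the symptom of the separate ingress/egress capture buffers."""
    return [(prev.number, cur.number)
            for prev, cur in zip(frames, frames[1:]) if cur.time_us < prev.time_us]


def by_timestamp(frames: list[Frame]) -> list[Frame]:
    """Stable re-sort on the capture timestamp; frame number breaks ties."""
    return sorted(frames, key=lambda f: (f.time_us, f.number))


def pair_echoes(frames: list[Frame]) -> dict[tuple[int, int], Optional[int]]:
    """Map (id, seq) of each echo request to its RTT in microseconds, or None when
    no reply with that id/seq appears anywhere in the capture (order-independent)."""
    replies = {(f.ident, f.seq): f for f in frames if f.kind == "reply"}
    result: dict[tuple[int, int], Optional[int]] = {}
    for req in frames:
        if req.kind != "request":
            continue
        rep = replies.get((req.ident, req.seq))
        result[(req.ident, req.seq)] = None if rep is None else rep.time_us - req.time_us
    return result


if __name__ == "__main__":
    frames = parse_icmp_summary(SAMPLE_OUTPUT)
    for (ident, seq), rtt in pair_echoes(frames).items():
        print(f"id=0x{ident:04x} seq={seq}: " + ("no reply" if rtt is None else f"rtt={rtt} us"))
    print("timestamp went backwards at frames:", out_of_order(frames))
    print("frames in timestamp order:", [f.number for f in by_timestamp(frames)])
```

On the sample input the script reports the reply for sequence 5 arriving with an earlier frame number than its request, which is exactly the case where the section above recommends capturing with "in" on both interfaces rather than "both"; re-sorting on the timestamp is only a cosmetic fix for a capture already taken.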
Reference
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/15.1/XE_330SG/configuration/guide/wireshrk.html
http://wiki.wireshark.org/DisplayFilters