https://community.cisco.com/t5/software-defined-access-sd-access/onboard-packet-capture-sda/m-p/4606801#M1847 <P>Hi</P><P>&nbsp;The behavior you are seing seems to be expected. As you are using "Embedded Packet Capture", Cisco informs that:</P><P>"EPC captures multicast packets only on ingress and does not capture the replicated packets on egress."</P><P>&nbsp;</P><P>What you can try is to use "Wireshark" mode on the switch. Ultimately, you can try to run&nbsp;Wireshark on the endpoint, if possible.</P><P>&nbsp;</P><P>You can refer to this guide for more information:</P><P>&nbsp;</P><P><A title="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html" href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html" target="_self">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html</A>&nbsp;</P> Mon, 09 May 2022 10:49:42 GMT Flavio Miranda 2022-05-09T10:49:42Z https://community.cisco.com/t5/software-defined-access-sd-access/onboard-packet-capture-sda/m-p/4606587#M1846 <P>Hi SDA-Experts,&nbsp;</P><P>&nbsp;</P><P>shortly to the environement:&nbsp;</P><P>&nbsp;</P><P>we have an SDA Fabric in our Location.&nbsp;</P><P>&nbsp;</P><P>We use the Catalyst C9300-48P as Access Switch.&nbsp;</P><P>Our actual version is the 17.3.4 (which was the recommended at this time)&nbsp;</P><P>&nbsp;</P><P>Now we recently had a case on our end where we wanted to capture multicast traffic for one of the attached devices.&nbsp;</P><P>Since it is a quite remote location we wanted to use the onboard capture of the C9300.&nbsp;</P><P><BR />So we added the Trace like this:&nbsp;</P><PRE>monitor capture [CapName] file ring 3 size 100 location flash:[CAPNAME].pcap interface [,...] both match any</PRE><P>&nbsp;</P><P>But from the capture itself I only see incoming traffic. So from the device to the switch.&nbsp; Everything which is&nbsp;</P><P>VXLAN encapsulated to the device is not visible here. We did a workaround to capture the Uplink and decoded VXLAN in the capture. But for switches with high traffic beside the one we want to capture this is not feasible since we get a big load of data that we don't need...&nbsp;</P><P>&nbsp;</P><P>Anybody has some tip how to get all the traffic? Or is the only way to do a span session?&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 May 2022 06:30:46 GMT https://community.cisco.com/t5/software-defined-access-sd-access/onboard-packet-capture-sda/m-p/4606587#M1846 Dominik_ 2022-05-09T06:30:46Z https://community.cisco.com/t5/software-defined-access-sd-access/onboard-packet-capture-sda/m-p/4606801#M1847 <P>Hi</P><P>&nbsp;The behavior you are seing seems to be expected. As you are using "Embedded Packet Capture", Cisco informs that:</P><P>"EPC captures multicast packets only on ingress and does not capture the replicated packets on egress."</P><P>&nbsp;</P><P>What you can try is to use "Wireshark" mode on the switch. Ultimately, you can try to run&nbsp;Wireshark on the endpoint, if possible.</P><P>&nbsp;</P><P>You can refer to this guide for more information:</P><P>&nbsp;</P><P><A title="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html" href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html" target="_self">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html</A>&nbsp;</P> Mon, 09 May 2022 10:49:42 GMT https://community.cisco.com/t5/software-defined-access-sd-access/onboard-packet-capture-sda/m-p/4606801#M1847 Flavio Miranda 2022-05-09T10:49:42Z