Capture not showing TCP port numbers on IOS XE

Hawk
Level 1

I know I'm doing something wrong but have followed the documentation to the T. I can see pretty much everything except the source/destination TCP port numbers. Even when using the "detailed" syntax it still does not appear. Here's my config & examples below. What am I doing wrong?

 

CONFIG

monitor capture CAP interface GigabitEthernet0/0/0.15 both

monitor capture CAP match ipv4 any host 192.168.1.11

monitor capture CAP start

monitor capture CAP stop

 

OUTPUT I GET BACK

R1#show monitor capture CAP buffer brief
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 290 0.000000 10.222.224.78 -> 192.168.1.11 0 BE TCP
1 289 0.033994 10.222.224.78 -> 192.168.1.11 0 BE TCP
2 289 0.930011 10.222.224.78 -> 192.168.1.11 0 BE TCP
3 295 0.957002 10.222.224.78 -> 192.168.1.11 0 BE TCP

 

 

R1#show monitor capture CAP buffer detailed
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 290 0.000000 10.222.224.78 -> 192.168.1.11 0 BE TCP
0000: A8B45643 EB9034E6 D7415EAB 8100000F ..VC..4..A^.....
0010: 08004500 01106A1E 40008006 E2E90ADE ..E...j.@.......
0020: E04EC0A8 010BF081 0185C19D E6578846 .N...........W.F
0030: 69715018 FFFF6566 00000000 00E40100 iqP...ef........

1 289 0.033994 10.222.224.78 -> 192.168.1.11 0 BE TCP
0000: A8B45643 EB9034E6 D7415EAB 8100000F ..VC..4..A^.....
0010: 08004500 010F6A20 40008006 E2E80ADE ..E...j @.......
0020: E04EC0A8 010BF081 0185C19D E73F8846 .N...........?.F
0030: 6ECA5018 FAA66D9F 00000000 00E30100 n.P...m.........

2 289 0.930011 10.222.224.78 -> 192.168.1.11 0 BE TCP
0000: A8B45643 EB9034E6 D7415EAB 8100000F ..VC..4..A^.....
0010: 08004500 010F6A41 40008006 E2C70ADE ..E...jA@.......
0020: E04EC0A8 010BF081 0185C19D E73F8846 .N...........?.F
0030: 6ECA5018 FAA66D9F 00000000 00E30100 n.P...m.........

3 295 0.957002 10.222.224.78 -> 192.168.1.11 0 BE TCP
0000: A8B45643 EB9034E6 D7415EAB 8100000F ..VC..4..A^.....
0010: 08004500 01156A42 40008006 E2C00ADE ..E...jB@.......
0020: E04EC0A8 010BF081 0185C19D E8268846 .N...........&.F

 

 

2 Accepted Solutions


luis_cordova
VIP Alumni

Hi, @Hawk,

 

Check this link, where you specify the command and the IOS version that supports it:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book/epc-cr-m1.html

 

Regards


Try show monitor capture dump command. You can use brief keyword.

You can export the capture and open it using wireshark


3 Replies


Denise "Fish" Fishburne
Cisco Employee

Hello Hawk. 

 

Let's start with the assumption that you aren't doing anything incorrect. 

1) Router is an IOS XE style - which box?

2) What code version are you running?

3) What URL are you following that shows you will also be getting a column for the port numbers?

 

Let's focus on the above first. 

 

Next step is you actually can find the port numbers in there. It just takes some getting used to and looking. After the destination IP address in this one for example. "3C02" is the source port and "0017" is the dest port (in hex). Changing 17 to decimal gives you telnet (23) which is what I did in the lab to get this sample capture.

1 54 0.001007 10.1.7.1 -> 10.100.100.2 48 CS6 TCP
0000: 2CD02DA9 84072CD0 2DA97207 080045C0 ,.-...,.-.r...E.
0010: 0028BF1C 4000FF06 3C8B0A01 07010A64 .(..@...<......d
0020: 64023C02 00177F5E F8F34101 8F025010 d.<....^..A...P.
0030: 10209BDD 0000
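
Added example, not part of the original thread: a Python sketch that rebuilds the frame bytes from `buffer detailed` hex lines and reads the TCP ports at the position the reply above points to by eye. It goes one step further than the reply by skipping 802.1Q tags, which the capture in the question carries (the `8100000F` word); the function names are made up for this example.

```python
import re
import struct

# Hex lines copied from the two "buffer detailed" outputs quoted in this thread.
TAGGED = """\
0000: A8B45643 EB9034E6 D7415EAB 8100000F ..VC..4..A^.....
0010: 08004500 01106A1E 40008006 E2E90ADE ..E...j.@.......
0020: E04EC0A8 010BF081 0185C19D E6578846 .N...........W.F
"""
UNTAGGED = """\
0000: 2CD02DA9 84072CD0 2DA97207 080045C0 ,.-...,.-.r...E.
0010: 0028BF1C 4000FF06 3C8B0A01 07010A64 .(..@...<......d
0020: 64023C02 00177F5E F8F34101 8F025010 d.<....^..A...P.
0030: 10209BDD 0000
"""
# Offset, then up to four hex words; the trailing ASCII column is ignored.
LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:((?: (?:[0-9A-Fa-f]{2}){1,4}(?= |$)){1,4})")

def dump_to_bytes(text):
    """Rebuild the frame bytes from 'OFFS: XXXXXXXX ...' dump lines."""
    words = (m.group(1) for m in map(LINE.match, text.splitlines()) if m)
    return bytes.fromhex("".join(words))

def tcp_ports(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    try:
        off = 12                                    # EtherType follows the two MACs
        (ethertype,) = struct.unpack_from("!H", frame, off)
        while ethertype in (0x8100, 0x88A8):        # 802.1Q / QinQ tag: 4 extra bytes
            off += 4
            (ethertype,) = struct.unpack_from("!H", frame, off)
        ip = off + 2
        ver_ihl, proto = frame[ip], frame[ip + 9]
        (frag,) = struct.unpack_from("!H", frame, ip + 6)
        if ethertype != 0x0800 or ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5 or proto != 6:
            return None
        if frag & 0x1FFF:                           # later fragment: no TCP header here
            return None
        src, dst = (".".join(map(str, frame[ip + o:ip + o + 4])) for o in (12, 16))
        sport, dport = struct.unpack_from("!HH", frame, ip + (ver_ihl & 0x0F) * 4)
        return src, dst, sport, dport
    except (struct.error, IndexError):              # truncated capture
        return None

if __name__ == "__main__":
    for name, dump in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        print(name, tcp_ports(dump_to_bytes(dump)))
```

The VLAN tag shifts every later field by four bytes, so the ports in the question's dump sit one hex word later than in the untagged lab sample.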

 
