Hi folks,
I am trying to set up a dynamic packet capture with EEM and then, after the capture has collected some predetermined amount of data, automatically off-load that .pcap file to my server. I have figured out how to dynamically trigger the EEM script but am stuck with off-loading the file to my TFTP server.
PROBLEM: The dynamic capture starts once G3 goes down (which is what I want) but then immediately copies an "empty" file to my TFTP server (which is what I do not want). I have tried using a delay option, but since I don't know when I will get the specified number of packets, it may fail prematurely. I am looking to copy the file only after some trigger has been reached, e.g. when monitor capture has captured 20 packets, a syslog message "Packet Count Reached" is sent.
EEM applet
track 1000 ip route 192.168.1.1/32 reachability
event manager applet EEM-PCAP
event track 1000 state any
action 1.1 track read
action 1.3 info type routername
action 1.5 comment Run sniffer when G3 goes down
action 2.1 if $_track_state eq "down"
action 2.3 cli command "enable"
action 2.5 cli command "mon cap INT_STATE limit packets 20 int g4 both match ipv4 any any start"
action 2.7 syslog msg "Now sniffing packets on GigabitEthernet 4"
action 2.9 end
action 3.1 if $_track_state eq "up"
action 3.3 cli command "enable"
action 3.5 puts "(R) $_info_routername is now up"
action 3.7 end
event syslog pattern "Packet Count Reached"
action 4.1 cli command "enable"
action 4.3 cli command "monitor capture INT_STATE export tftp://192.168.1.55/INT_STATE.pcap"
Thank you
Frank
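
One way to arrange what the post describes, as an added example that is not part of the original post: the export moves into a second applet, hypothetically named EEM-PCAP-EXPORT, whose only event is the syslog pattern, because an applet runs its actions in order for the single event that triggered it. The pattern "Packet Count Reached" is taken from the post and is assumed to match the message the device actually logs when the 20-packet limit is hit; the final syslog action is an added convenience.

```cisco
track 1000 ip route 192.168.1.1/32 reachability
!
! Applet 1: react to the tracked route only. It starts the capture and
! returns; it does not export anything.
event manager applet EEM-PCAP
 event track 1000 state any
 action 1.1 track read
 action 1.3 info type routername
 action 1.5 comment Run sniffer when G3 goes down
 action 2.1 if $_track_state eq "down"
 action 2.3  cli command "enable"
 action 2.5  cli command "mon cap INT_STATE limit packets 20 int g4 both match ipv4 any any start"
 action 2.7  syslog msg "Now sniffing packets on GigabitEthernet 4"
 action 2.9 end
 action 3.1 if $_track_state eq "up"
 action 3.3  cli command "enable"
 action 3.5  puts "(R) $_info_routername is now up"
 action 3.7 end
!
! Applet 2 (hypothetical name): fires only when a syslog line matching the
! pattern appears, so the export runs after the capture has filled.
! ASSUMPTION: the pattern string is the one quoted in the post; adjust it to
! the exact text shown in "show logging" on the device.
event manager applet EEM-PCAP-EXPORT
 event syslog pattern "Packet Count Reached"
 action 1.1 cli command "enable"
 action 1.3 cli command "monitor capture INT_STATE export tftp://192.168.1.55/INT_STATE.pcap"
 action 1.5 syslog msg "INT_STATE capture exported to TFTP server"
```

The message logged by action 1.5 does not contain the trigger pattern, so the export applet does not re-trigger itself.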