cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Using 3850 Embedded Wireshark (Wired)

64318
Views
10
Helpful
9
Comments

 

Introduction

The 3850 now has a wireshark feature, so it is possible to do packet captures. This decreases the requirement for SPAN captures when troubleshooting.

 Reference CCO: http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg_chapter_01000.html

Requires and Restrictions

  • 3.3.0 IOS-EX or higher required
  • Limiting circular file storage by file size is not supported
  • During Wireshark packet capture, hardware forwarding happens concurrently
  • Capture filters are not supported.
  • Matching on ACL is supported
  • CPU-injected packets are considered control plane packets. Therefore, these types of packets will not be captured on an interface egress capture
  • Layer 2 and Layer 3 EtherChannels are not supported
  • MAC ACL is only used for non-IP packets such as ARP. It will not be supported on a Layer 3 port or SVI.
  • More listed on CCO

Few extra notes  

  • When WireShark is used on switches in a stack, packet captures can be stored only on flash or USB flash devices connected to the active switch. For example, if flash1 is connected to the active switch, and flash2 is connected to the secondary switch, only flash1 can be used to store packet captures.Attempts to store packet captures on devices other than flash or USB flash devices connected to the active switch will probably result in errors.
  • Decoding and displaying packets may be CPU intensive
  • Because packet forwarding typically occurs in hardware, packets are not copied to the CPU for software processing. For Wireshark packet capture, packets are copied and delivered to the CPU, which causes an increase in CPU usage. To avoid high CPU usage, do the following:
    •  Attach only relevant ports.
    •  Use a class map, and secondarily, an access list to express match conditions. If neither is viable, use an explicit, in-line filter.
    •  Adhere closely to the filter rules. Restrict the traffic type (such as, IPv4 only) with a restrictive, rather than relaxed CL, which elicits unwanted traffic
  • The capture buffer can be in linear or circular mode. In linear mode, new packets are discarded when the buffer is full. In circular mode, if the buffer is full, the oldest packets are discarded to accommodate the new packets. Although the buffer can also be cleared when needed, this mode is mainly used for debugging network traffic.
  • When a Wireshark capture point is activated, a fixed rate policer is applied automatically in the hardware so that the CPU is not flooded with Wireshark-directed packets. The disadvantage of the rate policer is that you cannot capture contiguous packets beyond the established rate even if more resources are available.
  • VLANs—When a VLAN is used as a Wireshark attachment point, packets are captured in the input direction only

How to Capture 

  1. Define your source
    • monitor capture mycap interface GigabitEthernet1/0/1 both
  2. Set your match statement
    • monitor capture mycap access-list myacl <--- match on acl
    • monitor capture mycap match ipv4 any any <--- match any is only supported currently
  3. Set your destination
    • monitor capture mycap file location flash:mycap.pcap buffer-size 10 <--- 10mb buffer
    • monitor capture mycap file location usbflash0:<file_name>  buffer-size 10 <--- save to usb
  4. (Optional): set packet limit and/or duration
    • monitor capture mycap limit packets 100 duration <number_of_seconds>

Demo

  • IXIA connected to Gi1/0/1 - 10.10.10.10
  • Int vlan 10  - 10.10.10.1
F340.09.11-3800-1#sh mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Gi1/0/1 <--- HOST   1    d0c7.8971.6b02    DYNAMIC     Gi1/0/2 <--- Neighbor 3850

 Verification

340.09.11-3800-1#show monitor capture mycap parameter   monitor capture mycap interface GigabitEthernet1/0/1 both
   monitor capture mycap match ipv4  any any
   monitor capture mycap file location flash:mycap.pcap buffer-size 10
   monitor capture mycap limit packets 100

Start the Capture

F340.09.11-3800-1#monitor capture mycap startA file by the same capture file name already exists, overwrite?[confirm] <-- if file already exist it can overwrite

Capture Running

F340.09.11-3800-1#show monitor capture mycap

Status Information for Capture mycap
  Target Type:
   Interface: GigabitEthernet1/0/1, Direction: both
   Status : Active  Filter Details:
   IPv4
    Source IP:  any
    Destination IP:  any
   Protocol: any
  Buffer Details:
   Buffer Type: LINEAR (default)
  File Details:
   Associated file name: flash:mycap.pcap
   Size of buffer(in MB): 10
  Limit Details:
   Number of Packets to capture: 100
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Packets per second: 0 (no limit)
   Packet sampling rate: 0 (no sampling)

Stop Capture

F340.09.11-3800-1#monitor capture mycap stop 

View Capture

F340.09.11-3800-1#show monitor capture file flash:mycap.pcap  1   0.000000  10.10.10.10 -> 10.10.10.1   IP Unknown (0xff)
  2   0.000992  10.10.10.10 -> 10.10.10.1   IP Unknown (0xff)
  3   0.000992  10.10.10.10 -> 10.10.10.1   IP Unknown (0xff)
  4   0.000992  10.10.10.10 -> 10.10.10.1   IP Unknown (0xff)
  5   0.000992  10.10.10.10 -> 10.10.10.1   IP Unknown (0xff)

View Capture (display filter)

F340.09.11-3800-1#show monitor capture file flash:mycap.pcap dis "eth.addr==0c:68:03:45:e5:47"1   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  2   0.001999 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  3   0.009003 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10

View Capture (detailed)

 

F340.09.11-3800-1#show monitor capture file flash:mycap.pcap detailedFrame 1: 1396 bytes on wire (11168 bits), 1396 bytes captured (11168 bits)
    Arrival Time: Oct  9, 2013 12:15:29.371974000 UTC
    Epoch Time: 1381320929.371974000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 1396 bytes (11168 bits)
    Capture Length: 1396 bytes (11168 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:data]
Ethernet II, Src: aa:aa:aa:aa:aa:aa (aa:aa:aa:aa:aa:aa), Dst: 0c:68:03:45:e5:47 (0c:68:03:45:e5:47)    Destination: 0c:68:03:45:e5:47 (0c:68:03:45:e5:47)
        Address: 0c:68:03:45:e5:47 (0c:68:03:45:e5:47)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: aa:aa:aa:aa:aa:aa (aa:aa:aa:aa:aa:aa)        Address: aa:aa:aa:aa:aa:aa (aa:aa:aa:aa:aa:aa)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 10.10.10.1 (10.10.10.1)    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1382
    Identification: 0x0000 (0)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64    Protocol: Unknown (255)    Header checksum: 0x4c7b [correct]
        [Good: True]
        [Bad: False]
    Source: 10.10.10.10 (10.10.10.10)
    Destination: 10.10.10.1 (10.10.10.1)
Data (1362 bytes)

0000  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0010  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0020  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0030  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0040  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0050  50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f   PQRSTUVWXYZ[\]^_
0060  60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f   `abcdefghijklmno
0070  70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f   pqrstuvwxyz{|}~.
0080  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f   ................
0090  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f   ................
00a0  a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af   ................
00b0  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf   ................
00c0  c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf   ................
00d0  d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df   ................
00e0  e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef   ................
00f0  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff   ................
0100  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0110  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0120  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0130  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0140  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0150  50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f   PQRSTUVWXYZ[\]^_
0160  60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f   `abcdefghijklmno
0170  70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f   pqrstuvwxyz{|}~.
0180  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f   ................
0190  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f   ................
01a0  a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af   ................
01b0  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf   ................
01c0  c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf   ................
01d0  d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df   ................
01e0  e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef   ................
01f0  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff   ................
0200  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0210  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0220  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0230  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0240  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0250  50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f   PQRSTUVWXYZ[\]^_
0260  60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f   `abcdefghijklmno
0270  70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f   pqrstuvwxyz{|}~.
0280  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f   ................
0290  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f   ................
02a0  a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af   ................
02b0  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf   ................
02c0  c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf   ................
02d0  d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df   ................
02e0  e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef   ................
02f0  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff   ................
0300  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0310  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0320  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0330  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0340  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0350  50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f   PQRSTUVWXYZ[\]^_
0360  60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f   `abcdefghijklmno
0370  70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f   pqrstuvwxyz{|}~.
0380  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f   ................
0390  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f   ................
03a0  a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af   ................
03b0  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf   ................
03c0  c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf   ................
03d0  d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df   ................
03e0  e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef   ................
03f0  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff   ................
0400  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0410  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0420  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0430  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0440  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0450  50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f   PQRSTUVWXYZ[\]^_
0460  60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f   `abcdefghijklmno
0470  70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f   pqrstuvwxyz{|}~.
0480  80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f   ................
0490  90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f   ................
04a0  a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af   ................
04b0  b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf   ................
04c0  c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 ca cb cc cd ce cf   ................
04d0  d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 da db dc dd de df   ................
04e0  e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef   ................
04f0  f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff   ................
0500  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................
0510  10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f   ................
0520  20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f    !"#$%&'()*+,-./
0530  30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f   0123456789:;<=>?
0540  40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f   @ABCDEFGHIJKLMNO
0550  50 51                                             PQ
    Data&colon; 000102030405060708090a0b0c0d0e0f1011121314151617...
    [Length: 1362]

 

Sample ARP Capture

*note: CPU-injected packets are considered control plane packets. Therefore, these types of packets will not be captured on an interface egress capture

F340.09.11-3800-1#sh mon cap mycap par   monitor capture mycap interface GigabitEthernet1/0/1 both
   monitor capture mycap match any <-- must do any here   monitor capture mycap file location flash:mycap.pcap buffer-size 10
   monitor capture mycap limit packets 100 


F340.09.11-3800-1#show monitor capture file flash:mycap.pcap
  1   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  2   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  3   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  4   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  5   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  6   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10

F340.09.11-3800-1#show monitor capture file flash:mycap.pcap
  1   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  2   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  3   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  4   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  5   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
  6   0.000000 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10


F340.09.11-3800-1#sh int vlan 1Vlan1 is up, line protocol is up
  Hardware is Ethernet SVI, address is 0c68.0345.e547 (bia 0c68.0345.e547) <-----------

 

Control Plane Capture (packets ingress or egress to CPU)

Flooding the 3850 with a arp request from 10.10.10.10

 

Set your capture to be control-plane

F340.09.11-3800-1#monitor capture mycap control-plane ?
  both  Inbound and outbound packets
  in    Inbound packets
  out   Outbound packets

 

F340.09.11-3800-1#sh mon cap mycap par   monitor capture mycap control-plane both
   monitor capture mycap match any
   monitor capture mycap file location flash:mycap.pcap buffer-size 10
   monitor capture mycap limit packets 100 <--- will become inactive after 100 packets

 

F340.09.11-3800-1#sh mon cap mycapStatus Information for Capture mycap
  Target Type:
   Interface: Control Plane, Direction : both
   Status : Inactive  Filter Details:
    Capture all packets
  Buffer Details:
   Buffer Type: LINEAR (default)
  File Details:
   Associated file name: flash:mycap.pcap
   Size of buffer(in MB): 10
  Limit Details:
   Number of Packets to capture: 100
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Packets per second: 0 (no limit)
   Packet sampling rate: 0 (no sampling)

 

F340.09.11-3800-1#show mon capture file flash:mycap.pcap1   0.143990 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
2   0.148003 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
3   0.153999 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
4   0.159004 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
5   0.163993 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
6   0.168998 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
7   0.174003 aa:aa:aa:aa:aa:aa -> 0c:68:03:45:e5:47 ARP Who has 10.10.10.1?  Tell 10.10.10.10
8   0.178992 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
9   0.184988 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
10   0.189993 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
11   0.194998 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
12   0.200994 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
13   0.205999 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
14   0.210988 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
15   0.215993 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47
16   0.221989 0c:68:03:45:e5:47 -> aa:aa:aa:aa:aa:aa ARP 10.10.10.1 is at 0c:68:03:45:e5:47

 The pcap can be uploaded off flash, and decoded in Wireshark as well 

wireshark-cap.JPG

Comments
Beginner

 

This documentaion should be updated, stating that this feature is not supported in LAN base images.

Tried this on 03.03.05SE and 03.06.00E and it did not work.

Then found the following which stated LAN base images not supported.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg/b_nm_3se_3850_cg_chapter_01000.html#reference_47668D4BDCC84C01B409861313C8244E

 

 

Beginner

 

This documentaion should be updated, stating that this feature is not supported in LAN base images.

Tried this on 03.03.05SE and 03.06.00E and it did not work.

Then found the following which stated LAN base images not supported.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg/b_nm_3se_3850_cg_chapter_01000.html#reference_47668D4BDCC84C01B409861313C8244E

 

 

Beginner

Also doesn't work with WS-C3850-48P IPservices 03.06.03E .  Takes all the commands but doesn't write to flash:

Won't even create the output file.

SWITCH#show monitor capture mycap

Status Information for Capture mycap
  Target Type:
   Interface: GigabitEthernet1/0/3, Direction: both
   Status : Inactive
  Filter Details:
   IPv4
    Source IP:  any
    Destination IP:  any
   Protocol: any
  Buffer Details:
   Buffer Type: LINEAR (default)
  File Details:
   Associated file name: flash:mycap.pcap
   Total size of files(in MB): 5
   Number of files in ring: 2
   Size of buffer(in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet Capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Packets per second: 0 (no limit)
   Packet sampling rate: 0 (no sampling)

Beginner

I am on the same version and hardware. I did confirm that it is IPbase and I am experiencing the same issue. Any one else having this issue? 

Beginner

I can confirm I am having this issue on a Cisco 3850 switch stack.

I have just upgraded to 03.06.04.E - universalk9 image the packet capture feature has stopped. As above it takes all the commands but then just doesn't write the file to flash and is listed as INACTIVE.

The feature was working as of yesterday on the old code of 03.03.05SE.

The answer to get mine working was adding the "monitor capture cap1 buffer circular size 10" line to the monitor. This wasn't required in the earlier version of code.

Beginner

I banged my head on this for a while.  To add to what everyone is saying, pointing it at the default flash:/ did not work.  My final solution was to point it to slot 2's flash.  As soon as I did that the capture worked properly.  Flash-1: was not even option.

monitor capture gi1023 interface GigabitEthernet1/0/23 both
monitor capture gi1023 match any
monitor capture gi1023 file location flash-2:gi1023.pcap buffer-size 10
monitor capture gi1023 limit packets 1000
monitor capture gi1023 start 

Cisco Employee

Well I think the issue you are having is that maybe no are pointing to the correct flash: remmember that the captures just can be saved on the flash of the active swtich.

Community Member

This worked for me, but also make sure the .pcap file is all lower case. File with all capitals did not want to appear on flash for us.

Hi there

i have interesting case to grab the packets destined for the local delivery (as the switch is L3 termination point for the target VLAN). I'd like to grab packets which trigger ARP-incomplete entries on the switch. That's where i'm curious if this kind of packets must be sniffed on th egress interfaces or on the control-plain as to be delivered they must punt CPU for the ARP resolution to happen?

 

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards