Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3904
Views
10
Helpful
6
Replies

3850 embedded packet capture export not working

Go to solution
suelange
Level 1
Level 1

‎02-07-2018 11:26 AM - edited ‎03-08-2019 01:45 PM

according to this document: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book/epc-cr-m1.html#wp3379948068

 

I should be able to issue this command:

monitor capture CAP export tftp://10.4.72.12/CAP.pcap

and my capture buffer should get placed on a server where I can examine it with wire shark.  Except that my 3850 tells me it is an invalid input at the point where "tftp" begins.   running cat3k_caa-universalk9.16.03.05b.SPA.   this should work I would think...  I saw a similar post for someone with 3850 who can't ftp or tftp...did not see a solution for them.   

 

I have packets in the capture, I can show them both brief and detailed.

 

Is there a way to get the capture off the 3850 and into wireshark?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to suelange

‎02-07-2018 05:13 PM

Ok, so FTP and TFTP are not options.

The options are:

crashinfo: Location of the file
flash: Location of the file
usbflash0: Location of the file

HTH

View solution in original post

6 Replies 6

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎02-07-2018 12:23 PM - edited ‎02-07-2018 12:23 PM

Is ftp an option at the end of the command? I don't see it in earlier versions of IOS-XE

Can you try: 

monitor capture test export ?

and post the output?

HTH

0 Helpful

Go to solution
suelange
Level 1
Level 1
In response to Reza Sharifi

‎02-07-2018 12:25 PM

when I used the question mark to prompt for options, it told me I should supply it with file|location.  It does not say FTP or TFTP key words either one.

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to suelange

‎02-07-2018 05:13 PM

Ok, so FTP and TFTP are not options.

The options are:

crashinfo: Location of the file
flash: Location of the file
usbflash0: Location of the file

HTH

Go to solution
suelange
Level 1
Level 1
In response to Reza Sharifi

‎02-08-2018 05:46 AM

Thank you Reza.  So anyone out there from Cisco willing to explain why this is?   Why do some systems have the convenience of being able to download these files so they can be worked with a real packet sniffing tool and why some systems you have to jump through a dozen hoops...assuming even that will get you where you want to be?   Crazy.  AND, the document I sited at the start of this post was *supposedly* related to 3850 command structure, and it clearly states ftp and tftp can be used.  But clearly they cannot.  

 

Reza again my thanks to you.  Cisco...boo hiss!

0 Helpful

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame
In response to suelange

‎02-08-2018 06:45 AM

Working with Cisco equipment and software for years, I can tell you that there are a lot of inconsistencies between documentation and what the OS is actually capable of doing. Also, Cisco has never been good at providing this type of features in their platforms and OSs. 

HTH  

Go to solution
fsebera
Level 4
Level 4

‎01-23-2020 05:21 AM

Hi Suelange,

 

I was looking to perform the same action BUT saving to flash, then copy to TFTP server, then deleting the pcap file from flash is a lot of extra work. 1 cli statement is much more efficient.

 

Happy to say using:

IOS-XE

Gibraltar 16.12.02

mon cap xx export tftp://192.168.1.55/ce-g2_20-ICMP-AF12-1201-1220.pcap

 

Send directly to TFTP server, load into Wireshark and all is good!!

Thanks

Frank

0 Helpful
Top