Hi everyone.
I am doing an Embedded Packet Capture on a 9300 switch and I have attached a packet filter on the capture:
#show monitor capture ul
Status Information for Capture ul
Target Type:
Interface: GigabitEthernet1/1/1, Direction: BOTH
Interface: GigabitEthernet1/1/4, Direction: BOTH
Status : Inactive
Filter Details:
Access-list: CAP
Buffer Details:
Buffer Type: LINEAR (default)
File Details:
Associated file name: flash:ul.pcap
Size of buffer(in MB): 10
Limit Details:
Number of Packets to capture: 0 (no limit)
Packet Capture duration: 0 (no limit)
Packet Size to capture: 0 (no limit)
Maximum number of packets to capture per second: 1000
Packet sampling rate: 0 (no sampling)
This should capture traffic on both uplink ports on the switch, but I do not want to fill the pcap with BFD packets, so I have made a capture filter called CAP with a deny on UDP port 3785.
#show ip access-lists CAP
Extended IP access list CAP
10 deny udp any any eq 3785
20 deny udp any eq 3785 any
30 permit ip any any
But when I look at the pcap file all I see is the BFD packets:
#show monitor capture file flash:ul.pcap brie
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
1 0.000000 10.32.0.131 -> 10.32.0.131 UDP 60 49152 b^F^R 3785 Len=12
3 0.021109 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
4 0.021151 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
5 0.026738 10.32.0.138 -> 10.32.0.138 UDP 60 49152 b^F^R 3785 Len=12
6 0.052082 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
7 0.052128 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
8 0.094771 10.32.0.131 -> 10.32.0.131 UDP 60 49152 b^F^R 3785 Len=12
9 0.102492 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
10 0.102516 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
11 0.115457 10.32.0.138 -> 10.32.0.138 UDP 60 49152 b^F^R 3785 Len=12
12 0.143905 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
13 0.143930 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
14 0.176532 10.32.0.131 -> 10.32.0.131 UDP 60 49152 b^F^R 3785 Len=12
15 0.190369 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
16 0.190398 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
17 0.216057 10.32.0.138 -> 10.32.0.138 UDP 60 49152 b^F^R 3785 Len=12
18 0.236635 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
19 0.236687 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
20 0.259196 10.32.0.131 -> 10.32.0.131 UDP 60 49152 b^F^R 3785 Len=12
21 0.281625 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
22 0.281676 10.32.0.139 -> 10.32.0.139 UDP 60 49152 b^F^R 3785 Len=12
23 0.297295 10.32.0.138 -> 10.32.0.138 UDP 60 49152 b^F^R 3785 Len=12
24 0.322124 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
25 0.322165 10.32.0.130 -> 10.32.0.130 UDP 60 49152 b^F^R 3785 Len=12
26 0.359806 10.32.0.131 -> 10.32.0.131 UDP 60 49152 b^F^R 3785 Len=12
What am I doing wrong?
The other thing I have noticed is that I only see some of the traffic. For example, I only see DHCP packets from the server to the client and not the ones from the client to the server.
#show monitor capture file flash:ul.pcap display-filter bootp brief
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
3872 46.906393 10.x.x.39 -> 10.32.4.1 DHCP 436 DHCP Offer - Transaction ID 0x204c
3875 46.919175 10.x.x.39 -> 10.32.4.1 DHCP 436 DHCP ACK - Transaction ID 0x204c