Embedded Packet Capture for a Cisco 4500X switch

rakuten02 · ‎07-25-2024

It seems that capturing on physical interfaces configured as L2 does not capture any IP traffic packets. It only captures STP and VRRP traffic etc.

However, if I capture based on the vlans instead, I can see IP data traffic being captured, but capturing based on vlans will result in vlan traffic of the entire switch being captured and not a specific interface.

How do I determine the source interface from vlan based embedded packet capture?

monitor capture capx interface TenGigabitEthernet1/1/1 both
monitor capture capx vlan 100,403-304 both
monitor capture capx access-list ACL1
monitor capture capx file location bootflash:capx.pcap

Note that I can in fact use any physical interface for the first line and it will still work.. so it does not prove that the captured traffic comes from that interface.

Flavio Miranda · ‎07-25-2024

Hello @rakuten02

Take a look on this guide:

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

You may need to mark your traffic of interest

ip access-list extended BUF-FILTER
    permit ip host 192.168.1.1 host 172.16.1.1
    permit ip host 172.16.1.1 host 192.168.1.1

monitor capture buffer BUF filter access-list BUF-FILTER

rakuten02 · ‎07-25-2024

Hi Flavio, I have already used an ACL to filter the logs.

The command you listed appears to be for IOS instead of IOS-XE.

MHM Cisco World · ‎07-25-2024

what you need to capture here ?

MHM

rakuten02 · ‎07-25-2024

I am trying to capture TCP traffic between 2 IP addresses. I have used an ACL to filter the logs to only those 2 IPs.

MHM Cisco World · ‎07-25-2024

Use this

Monitor capture point MHM interface x/x filter ip protocol tcp src <><> dest-port 80 associate file bootflash:MHM.pcap

Monitor capture point MHM start

Monitor capture point MHM stop

Show monitor capture file bootflash:MHM.pcap

MHM