Embedded packet capture on 2960x stack

spfister336 (Level 2)

We've just installed 2960X stacks running IOS 15.2 at several sites. I'm interested in being able to do embedded packet captures, but I'm having some trouble getting this feature working. The syntax on the 2960X seems to be a little different from what I've seen searching online. I can get it running and can get captures that I can pull onto my workstation and view in Wireshark, but they all seem to be showing packets in one direction only. I'm not sure what I'm doing wrong. Can anyone help me?

17 Replies

Francesco Molino (VIP Alumni)

Hi

How did you configure your capture? Are you using an ACL? If yes, does your ACL refer to the two-way traffic?

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

spfister336 (Level 2)

I'm not sure what's going on with this post. I received a reply, but I don't seem to see it here.

EDIT: After submitting this reply, I now am able to see the reply from Francesco Molino. I think this forum may be having issues.

I went back and looked at how I set up the packet capture. It's on a 4500X VSS pair running IOS-XE that I seem to be having problems, not the 2960x as I thought. Under IOS-XE, the capture is set up as:

monitor capture mycap int te1/1/1 both
monitor capture mycap match ipv4 host xx.xx.xx.xx any
monitor capture mycap start

For the match statement, I can only enter one. If I try to add another entry with "match ipv4 any host xx.xx.xx.xx" it tries to replace the first one. Do I need two match statements? If I can only have one, what is the purpose of the "both" keyword in the first command?

On the 2960x stack running IOS, I am able to specify an extended access-list to use with the capture with no problem.

Hello!

Can you prove with an ACL?

Device> enable
Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit any
Device(config-std-nacl)# exit
Device(config)# exit
Device# monitor capture mycap access-list acl1
Device# end

I've tried it with an acl. I can specify multiple lines now, but it still seems to only show inbound traffic, but there are one or two outbound packets too. I see a lot of ACKs coming in, but don't see what they were ACKing. It's almost like there's some sort of size limit and packets over the size limit don't get placed in the buffer. Could that be the case?
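One way to check a capture pulled off the switch for the two symptoms raised in this thread (only one direction present, and ACKs with no matching data, which would point to a packet-length limit) is to read the pcap's per-packet captured length against its on-wire length and count packets per direction. This is an added example, not code from the thread or from Cisco; it uses a small stand-alone parser for the classic pcap format and constructed sample data, with HOST standing in for the thread's xx.xx.xx.xx.

```python
import struct
# Constructed sample (not from the thread): two packets between HOST (standing in
# for xx.xx.xx.xx) and PEER, written with a 68-byte snaplen so the larger one is cut.
HOST, PEER = "10.0.0.1", "10.0.0.2"

def _ipv4_frame(src, dst, payload_len):
    """Minimal Ethernet + IPv4 frame with a zero-filled payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + b"\x00" * payload_len

def _pcap(frames, snaplen):
    """Wrap frames in a classic little-endian pcap file, applying snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out

SAMPLE_PCAP = _pcap([_ipv4_frame(PEER, HOST, 0), _ipv4_frame(HOST, PEER, 1400)], 68)

def audit_capture(data, host):
    """Count IPv4 packets per direction relative to host, and packets cut short."""
    end = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    stats = {"to_host": 0, "from_host": 0, "truncated": 0}
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if incl_len < orig_len:
            stats["truncated"] += 1      # caplen < wirelen: a packet-len limit was applied
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                     # not IPv4, or too short to read the addresses
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        if dst == host:
            stats["to_host"] += 1
        elif src == host:
            stats["from_host"] += 1
    return stats

def capture_findings(stats):
    """Map the counts onto the two failure modes discussed in the thread."""
    out = []
    if not (stats["to_host"] and stats["from_host"]):
        out.append("one-way capture: the filter/ACL covers only one direction")
    if stats["truncated"]:
        out.append("%d packet(s) cut short: a packet-len limit is in effect" % stats["truncated"])
    return out
```

Point audit_capture at the bytes of a real file transferred from the switch; a non-zero truncated count with the ACKs-but-no-data symptom is the signature of a packet-len limit rather than a one-way filter.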

Hi

Could you paste your config? There could be a packet size limit if you configured the buffer.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


The config was something like:

(config mode)

ip access-list extended mycapf
    permit ip host xx.xx.xx.xx any
    permit ip any host xx.xx.xx.xx

(enable mode)

monitor capture mycap buffer size 2 circular
monitor capture mycap access-list mycapf
monitor capture mycap interface Te1/1/1
monitor capture mycap start

Hi

Here you'll find out how to configure the buffer and increase the size packet:

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Run your capture again and let us know.

Thanks


Actually, the link shows nothing at all for buffer size or maximum packet size under the IOS-XE section. It's also kind of strange that Cisco states that the IOS-XE configuration is different than the IOS configuration because it "adds more features". It looks to me like IOS-XE has fewer options like no max-size parameter and it can't write directly to tftp.

Packet length can be modified within the buffer configuration:

monitor capture test buffer size 100 limit ?
duration Limit total duration of capture in seconds
every Limit capture to one in every nth packet
packet-len Limit the packet length to capture
packets Limit number of packets to capture
pps Limit number of packets per second to capture

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


It's strange... even when I explicitly set the packet-length, I'm still not seeing all the packets. I think there must be some sort of bug.

I'm sorry I don't have any 2960x to do some tests. However, I did it on 3850 and it works.

Could you set up a basic monitor without filtering and check if you see all packets?

Thanks


Take a look here, try increasing your buffer size to check that Wireshark is not dropping packets:

https://www.wireshark.org/docs/wsug_html_chunked/ChCapEditInterfaceSettingsSection.html

Buffer size: n megabyte(s). Enter the buffer size to be used while capturing. This is the size of the kernel buffer which will keep the captured packets, until they are written to disk. If you encounter packet drops, try increasing this value.

Regards,

Wireshark is not doing the capturing. It's only reading the resulting capture after transfer from the switch. The buffer used during testing was 2 MB and the capture was much less than that.

Hi

The both keyword is to capture packets in and out on the specified interface. However, if you set a filter with a match ipv4, it will match only this statement at the end.

To do both ways, you should use acl as I specified on my previous answer and it will be much easier to filter really what you want to track.

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question
