01-27-2017 08:29 AM - edited 03-08-2019 09:05 AM
We've just installed 2960X stacks running IOS 15.2 at several sites. I'm interested in being able to do embedded packet captures, but I'm having some trouble getting this feature working. The syntax on the 2960X seems to be a little different from what I've seen searching online. I can get it running and can get captures that I can pull onto my workstation and view in Wireshark, but they all seem to be showing packets in one direction only. I'm not sure what I'm doing wrong. Can anyone help me?
01-27-2017 06:58 PM
Hi
How did you configure your capture? Are you using an ACL? If yes, does your ACL refer to the two-way traffic?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
01-30-2017 06:52 AM
I'm not sure what's going on with this post. I received a reply, but I don't seem to see it here.
EDIT: After submitting this reply, I am now able to see the reply from Francesco Molino. I think this forum may be having issues.
I went back and looked at how I set up the packet capture. It's on a 4500X VSS pair running IOS-XE that I seem to be having problems with, not the 2960X as I thought. Under IOS-XE, the capture is set up as:
monitor capture mycap int te1/1/1 both
monitor capture mycap match ipv4 host xx.xx.xx.xx any
monitor capture mycap start
For the match statement, I can only enter one. If I try to add another entry with "match ipv4 any host xx.xx.xx.xx" it tries to replace the first one. Do I need two match statements? If I can only have one, what is the purpose of the "both" keyword in the first command?
On the 2960X stack running IOS, I am able to specify an extended access-list to use with the capture with no problem.
01-30-2017 09:03 AM
Hello!
Can you try with an ACL?
Device> enable
Device# configure terminal
Device(config)# ip access-list standard acl1
Device(config-std-nacl)# permit any
Device(config-std-nacl)# exit
Device(config)# exit
Device# monitor capture mycap access-list acl1
Device# end
02-01-2017 11:02 AM
I've tried it with an ACL. I can specify multiple lines now, but it still seems to only show inbound traffic, though there are one or two outbound packets too. I see a lot of ACKs coming in, but don't see what they were ACKing. It's almost like there's some sort of size limit and packets over the size limit don't get placed in the buffer. Could that be the case?
02-01-2017 07:02 PM
Hi
Could you paste your config? There could be a packet size limit if you configured the buffer.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-02-2017 05:39 AM
The config was something like:
(config mode)
ip access-list extended mycapf
permit ip host xx.xx.xx.xx any
permit ip any host xx.xx.xx.xx
(enable mode)
monitor capture mycap buffer size 2 circular
monitor capture mycap access-list mycapf
monitor capture mycap interface Te1/1/1
monitor capture mycap start
02-02-2017 06:07 PM
Hi
Here you'll find out how to configure the buffer and increase the packet size:
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
Run your capture again and let us know.
Thanks
02-03-2017 05:45 AM
Actually, the link shows nothing at all for buffer size or maximum packet size under the IOS-XE section. It's also kind of strange that Cisco states that the IOS-XE configuration is different from the IOS configuration because it "adds more features". It looks to me like IOS-XE has fewer options, like no max-size parameter, and it can't write directly to TFTP.
02-03-2017 02:48 PM
Packet length can be modified within the buffer configuration:
monitor capture test buffer size 100 limit ?
duration Limit total duration of capture in seconds
every Limit capture to one in every nth packet
packet-len Limit the packet length to capture
packets Limit number of packets to capture
pps Limit number of packets per second to capture
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-06-2017 06:29 AM
It's strange... even when I explicitly set the packet-length, I'm still not seeing all the packets. I think there must be some sort of bug
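A quick way to tell the two hypotheses in this thread apart (a filter that only matches one direction, versus packets being cut short by a packet-len limit) is to inspect the exported pcap itself rather than eyeballing it in Wireshark. The script below is an added example and not code from this thread or from Cisco: it parses a classic pcap with only the Python standard library, tallies packets per direction relative to a host you name, counts how many of those carry TCP payload, and counts records whose stored length is shorter than their on-the-wire length (which is exactly what a packet-len limit produces). The host address 10.0.0.5, the peer 192.0.2.10 and the six-packet capture it analyses are constructed sample input so the script runs offline; point analyze_capture() at the file you pulled off the switch for real use.

```python
"""Sanity-check an exported EPC capture: are both directions present, and
were packets truncated by a packet-len limit?  Standard library only."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4        # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_ACK = 0x10
TCP_PSH = 0x08


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Ethernet/IPv4/TCP frame for test input. Checksums are left zero on
    purpose; this is never sent on a wire, only written into a pcap."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def write_pcap(frames, snaplen=65535):
    """Serialise frames as a classic pcap. A frame longer than snaplen is
    stored truncated with orig_len > incl_len, mimicking a packet-len limit."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def analyze_capture(pcap_bytes, host_ip):
    """Return per-direction packet counts (relative to host_ip), how many of
    them carry TCP payload, and how many records were truncated."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    stats = Counter()
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if incl_len < orig_len:
            stats["truncated"] += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            stats["non_ipv4"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        direction = "from_host" if src == host_ip else "to_host" if dst == host_ip else "other"
        stats[direction] += 1
        # Payload length comes from the IP total length, so it is right even
        # when the record itself was cut short by a packet-len limit.
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp_off = 14 + ihl
        if frame[23] == 6 and len(frame) >= tcp_off + 13:
            data_off = (frame[tcp_off + 12] >> 4) * 4
            if ip_total - ihl - data_off > 0:
                stats[direction + "_with_payload"] += 1
    return dict(stats)


def capture_problems(stats):
    """Human-readable findings derived from analyze_capture() output."""
    findings = []
    if stats.get("to_host", 0) == 0 or stats.get("from_host", 0) == 0:
        findings.append("only one direction present: check the ACL / match filter")
    if stats.get("truncated", 0):
        findings.append("%d packets truncated: a packet-len limit is in effect" % stats["truncated"])
    return findings


def sample_capture(snaplen=68):
    """Constructed capture: three 1400-byte data segments from the peer to the
    host and three bare ACKs back, stored with a 68-byte packet-len limit."""
    host, peer = "10.0.0.5", "192.0.2.10"
    frames = []
    for _ in range(3):
        frames.append(build_tcp_frame(peer, host, 443, 50000, TCP_PSH | TCP_ACK, b"x" * 1400))
        frames.append(build_tcp_frame(host, peer, 50000, 443, TCP_ACK, b""))
    return write_pcap(frames, snaplen)


if __name__ == "__main__":
    stats = analyze_capture(sample_capture(), "10.0.0.5")
    print(stats)
    for line in capture_problems(stats):
        print("-", line)
```

With the constructed input both directions are present, so the thread's symptom of "ACKs with nothing they ACK" would show up here as to_host_with_payload being zero; the truncated counter separately confirms whether a packet-len limit, not the filter, is what made the data segments look incomplete in Wireshark.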
02-06-2017 03:28 PM
I'm sorry, I don't have any 2960X to run tests on. However, I did it on a 3850 and it works.
Could you set up a basic monitor without filtering and check if you see all packets?
Thanks
02-02-2017 04:45 AM
Take a look here, try increasing your buffer size to check that Wireshark is not dropping packets:
https://www.wireshark.org/docs/wsug_html_chunked/ChCapEditInterfaceSettingsSection.html
"Buffer size: n megabyte(s): Enter the buffer size to be used while capturing. This is the size of the kernel buffer which will keep the captured packets, until they are written to disk. If you encounter packet drops, try increasing this value."
Regards,
02-02-2017 05:37 AM
Wireshark is not doing the capturing. It's only reading the resulting capture after transfer from the switch. The buffer used during testing was 2 MB and the capture was much less than that.
01-30-2017 02:50 PM
Hi
The both keyword captures packets in and out on the specified interface. However, if you set a filter with match ipv4, it will match only that one statement in the end.
To get both directions, you should use an ACL as I specified in my previous answer, and it will be much easier to filter exactly what you want to track.
thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question