cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
261
Views
5
Helpful
4
Replies
hemmerling
Beginner

I can't seem to get our 6807 to capture interface traffic.

configuration terminal
ip access-list extended BUFFER-FILTER
    permit ip any any
    exit
exit

monitor capture buffer BUFFER size 20000 circular
monitor capture buffer BUFFER filter access-list BUFFER-FILTER
monitor capture point ip process-switched TRAFFIC in
monitor capture point associate TRAFFIC BUFFER
monitor capture point start TRAFFIC

So when I use the above method and then:

monitor capture point stop TRAFFIC
monitor capture buffer BUFFER export scp://192.168.1.200/6807-cap.pcap

no monitor capture point ip process-switched TRAFFIC in
no monitor capture buffer BUFFER

I can see all the traffic to the internally configured gateways. 

But I can't seem to get ANY traffic captured from physical interfaces.

The following doesn't work to capture a single packet:

monitor capture buffer BUFFER size 20000 circular
monitor capture point ip cef TRAFFIC Ten 2/5/11 both
monitor capture point associate TRAFFIC BUFFER
monitor capture point start TRAFFIC

Here is what the output always is, nothing.

6800-Switch#show monitor capture point all
6800-Switch#monitor capture buffer BUFFER size 20000 circular
6800-Switch#monitor capture point ip cef TRAFFIC Ten 2/5/11 both
6800-Switch#monitor capture point associate TRAFFIC BUFFER
6800-Switch#monitor capture point start TRAFFIC
6800-Switch#show monitor capture point all Status Information for Capture Point TRAFFIC IPv4 CEF Switch Path: IPv4 CEF , Capture Buffer: BUFFER Status : Active Configuration: monitor capture point ip cef TRAFFIC TenGigabitEthernet2/5/11 both 6800-Switch#show monitor capture buffer BUFFER para Capture buffer BUFFER (circular buffer) Buffer Size : 20480000 bytes, Max Element Size : 68 bytes, Packets : 0 Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0 Associated Capture Points: Name : TRAFFIC, Status : Active Configuration: monitor capture buffer BUFFER size 20000 circular monitor capture point associate TRAFFIC BUFFER
6800-Switch#show monitor capture buffer BUFFER dump 6800-Switch#monitor capture point stop TRAFFIC 6800-Switch#show monitor capture buffer BUFFER dump 6800-Switch#

As you can see there is plenty of traffic on the interface.

TenGigabitEthernet2/5/11 is up, line protocol is up (connected)
  Hardware is C6k 10000Mb 802.3, address is 00b3.fe63.7a5f (bia 00b3.fe63.7a5f)
  Description: Trunk-to-Some-other-thing
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Gb/s, media type is 10Gbase-LR
  input flow-control is on, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 6d21h
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 45835000 bits/sec, 4201 packets/sec
  5 minute output rate 1366000 bits/sec, 911 packets/sec
     2758150694 packets input, 3461469950234 bytes, 0 no buffer
     Received 658682 broadcasts (473299 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1505517475 packets output, 1538870485067 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

This was taken from the example on https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html and I just can't seem to make it work.
I have also tried using the commands for the interfaces with the "monitor capture buffer BUFFER filter access-list BUFFER-FILTER" set as well, still nothing.
SPANing traffic to a separate server is possible, but it seems like the feature should work on the 15.5 IOS as advertised. It works fine under IOS-XE on switches and routers, but we've never been able to get the 6807 to do it.


Any ideas?

 

1 ACCEPTED SOLUTION

Accepted Solutions

@hemmerling ,

If it is low volume as seems to be the case, then you can use the Mini Protocol Analyzer : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-5SY/config_guide/sup6T/15_5_sy_swcg_6T/mini_protocol_analyzer.html . Files can be saved locally as pcap format and then exported for analysis.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

View solution in original post

4 REPLIES 4
Scott Hodgdon
Cisco Employee

@hemmerling ,

You should be using the SPAN / RSPAN / ERSPAN functions to capture packets from interfaces with Cat 6K family. The IOS versions referenced in that doc do not pertain to the Cat 6K. Which version of Cat 6k IOS are you running ?

This is also a good reference as it shows command-by-command the IOS and platform support:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book.pdf

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Cisco IOS Software, s6t64 Software (s6t64-ADVENTERPRISEK9-M), Version 15.5(1)SY5

 

I'm only really trying to verify some QOS tags on some traffic coming from a switch connected to this 6800.

 

 

@hemmerling ,

If it is low volume as seems to be the case, then you can use the Mini Protocol Analyzer : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-5SY/config_guide/sup6T/15_5_sy_swcg_6T/mini_protocol_analyzer.html . Files can be saved locally as pcap format and then exported for analysis.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

View solution in original post

Worked like a treat, thank you.
Here are the Cliff notes.

configure terminal
no monitor session 1 type capture
monitor session 1 type capture
 buffer-size 4096
 rate-limit 20000
 source interface port-channel 66
end
!
show monitor capture
monitor capture start
!
monitor capture stop
monitor capture export buffer scp://192.168.1.123/6807-po66.pcap