03-22-2021 10:01 AM
configuration terminal ip access-list extended BUFFER-FILTER permit ip any any exit exit monitor capture buffer BUFFER size 20000 circular monitor capture buffer BUFFER filter access-list BUFFER-FILTER monitor capture point ip process-switched TRAFFIC in monitor capture point associate TRAFFIC BUFFER monitor capture point start TRAFFIC
So when I use the above method and then:
monitor capture point stop TRAFFIC monitor capture buffer BUFFER export scp://192.168.1.200/6807-cap.pcap no monitor capture point ip process-switched TRAFFIC in no monitor capture buffer BUFFER
I can see all the traffic to the internally configured gateways.
But I can't seem to get ANY traffic captured from physical interfaces.
The following doesn't work to capture a single packet:
monitor capture buffer BUFFER size 20000 circular monitor capture point ip cef TRAFFIC Ten 2/5/11 both monitor capture point associate TRAFFIC BUFFER monitor capture point start TRAFFIC
Here is what the output always is, nothing.
6800-Switch#show monitor capture point all 6800-Switch#monitor capture buffer BUFFER size 20000 circular 6800-Switch#monitor capture point ip cef TRAFFIC Ten 2/5/11 both 6800-Switch#monitor capture point associate TRAFFIC BUFFER 6800-Switch#monitor capture point start TRAFFIC
6800-Switch#show monitor capture point all Status Information for Capture Point TRAFFIC IPv4 CEF Switch Path: IPv4 CEF , Capture Buffer: BUFFER Status : Active Configuration: monitor capture point ip cef TRAFFIC TenGigabitEthernet2/5/11 both 6800-Switch#show monitor capture buffer BUFFER para Capture buffer BUFFER (circular buffer) Buffer Size : 20480000 bytes, Max Element Size : 68 bytes, Packets : 0 Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0 Associated Capture Points: Name : TRAFFIC, Status : Active Configuration: monitor capture buffer BUFFER size 20000 circular monitor capture point associate TRAFFIC BUFFER
6800-Switch#show monitor capture buffer BUFFER dump 6800-Switch#monitor capture point stop TRAFFIC 6800-Switch#show monitor capture buffer BUFFER dump 6800-Switch#
As you can see there is plenty of traffic on the interface.
TenGigabitEthernet2/5/11 is up, line protocol is up (connected) Hardware is C6k 10000Mb 802.3, address is 00b3.fe63.7a5f (bia 00b3.fe63.7a5f) Description: Trunk-to-Some-other-thing MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 10Gb/s, media type is 10Gbase-LR input flow-control is on, output flow-control is off Clock mode is auto ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output never, output hang never Last clearing of "show interface" counters 6d21h Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 45835000 bits/sec, 4201 packets/sec 5 minute output rate 1366000 bits/sec, 911 packets/sec 2758150694 packets input, 3461469950234 bytes, 0 no buffer Received 658682 broadcasts (473299 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 1505517475 packets output, 1538870485067 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 unknown protocol drops 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer failures, 0 output buffers swapped out
This was taken from the example on https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html and I just can't seem to make it work.
I have also tried using the commands for the interfaces with the "monitor capture buffer BUFFER filter access-list BUFFER-FILTER" set as well, still nothing.
SPANing traffic to a separate server is possible, but it seems like the feature should work on the 15.5 IOS as advertised. It works fine under IOS-XE on switches and routers, but we've never been able to get the 6807 to do it.
Any ideas?
Solved! Go to Solution.
03-22-2021 12:26 PM
If it is low volume as seems to be the case, then you can use the Mini Protocol Analyzer : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-5SY/config_guide/sup6T/15_5_sy_swcg_6T/mini_protocol_analyzer.html . Files can be saved locally as pcap format and then exported for analysis.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
03-22-2021 10:44 AM - edited 03-22-2021 10:48 AM
You should be using the SPAN / RSPAN / ERSPAN functions to capture packets from interfaces with Cat 6K family. The IOS versions referenced in that doc do not pertain to the Cat 6K. Which version of Cat 6k IOS are you running ?
This is also a good reference as it shows command-by-command the IOS and platform support:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book.pdf
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
03-22-2021 12:02 PM
Cisco IOS Software, s6t64 Software (s6t64-ADVENTERPRISEK9-M), Version 15.5(1)SY5
I'm only really trying to verify some QOS tags on some traffic coming from a switch connected to this 6800.
03-22-2021 12:26 PM
If it is low volume as seems to be the case, then you can use the Mini Protocol Analyzer : https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-5SY/config_guide/sup6T/15_5_sy_swcg_6T/mini_protocol_analyzer.html . Files can be saved locally as pcap format and then exported for analysis.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
03-22-2021 02:35 PM
Worked like a treat, thank you.
Here are the Cliff notes.
configure terminal no monitor session 1 type capture monitor session 1 type capture buffer-size 4096 rate-limit 20000 source interface port-channel 66 end ! show monitor capture monitor capture start ! monitor capture stop monitor capture export buffer scp://192.168.1.123/6807-po66.pcap
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: