IOS XE monitor capture issue

Mary · ‎03-31-2016

we are using IOS-XE 03.06.04E on switch 3850. I issue below commands:

monitor capture buffer interface G1/0/22 both
monitor capture PCAP match ipv4 protocol tcp any any
monitor capture PCAP start
Please associate capture file/buffer
Unable to activate Capture.

I want to capture G1/0/22 then export to pcap, how to do? thanks

Mark Malone · ‎03-31-2016

Heres the ios-xe guide for it with examples

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/configuration/xe-3s/asr1000/epc-xe-3s-asr1000-book/nm-packet-capture-xe.html#GUID-7E23C5F6-7BDF-4D18-A208-34FD726D6789

Example: Managing Packet Data Capture

The following example shows how to manage packet data capture:

Device> enable
Device# monitor capture mycap start
Device# monitor capture mycap access-list v4acl 	 
Device# monitor capture mycap limit duration 1000
Device# monitor capture mycap interface GigabitEthernet 0/0/1 both
Device# monitor capture mycap buffer circular size 10
Device# monitor capture mycap start
Device# monitor capture mycap export tftp://10.1.88.9/mycap.pcap
Device# monitor capture mycap stop
Device# end

Basic EPC Configuration

Define the location where the capture will occur:

monitor capture CAP interface GigabitEthernet0/0/1 both

Associate a filter. The filter may be specified inline, or an ACL or class-map may be referenced:
```
monitor capture CAP match ipv4 protocol tcp any any
```
Start the capture:
```
monitor capture CAP start
```
The capture is now active. Allow it to collect the necessary data.
Stop the capture:
```
monitor capture CAP stop
```
Examine the capture in a summary view:
```
show monitor capture CAP buffer brief
```

Examine the capture in a detailed view:

show monitor capture CAP buffer detailed

In addition, export the capture in PCAP format for further analysis:
```
monitor capture CAP export ftp://10.0.0.1/CAP.pcap
```
Once the necessary data has been collected, remove the capture:
```
no monitor capture CAP
```

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

Mary · ‎03-31-2016

not working in 3850, I don't use any access list, see attached

Mark Malone · ‎03-31-2016

Did you associate the capture ? can you post some outputs from show commands ?

what license are you on lanbase does not support epc , could be a bug also seems to be a lot of issues with epc on 38s as per doc below not working on multiple versions ios-xe

checked your release open caveats nothing specific for epc bugs though

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.html

https://supportforums.cisco.com/document/12013221/using-3850-embedded-wireshark-wired

Mary · ‎03-31-2016

can you look at my error_pcap.png in above thread, how to assoiciate? both buffer and capture are named PCAP

Mark Malone · ‎03-31-2016

This is the associate command

monitor capture point associate PCAP PCAP

Mary · ‎03-31-2016

Dear expert,

monitor capture point associate not workable, see attached

Mark Malone · ‎04-01-2016

Looking at your config against the 3850 doc theres nothing wrong but your software will just not activate epc, so id say your most likely hitting some bug or its not actually supported on that version of ios-xe

Its asking you to associate the buffer for it to start the epc but the syntax is not even there to do that and in the 3850 doc that's not even a required step to get it working either

This is all that's required as per doc if its not working with that you have a software or platform support issue

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/configuration_guide/b_161_consolidated_3850_cg/b_161_consolidated_3650_cg_chapter_0110000.pdf

Step 1: Define a capture point to match on the relevant traffic by entering:

Switch# monitor capture mycap interface GigabitEthernet1/0/3 in

Switch# monitor capture mycap match ipv4 any any

Switch# monitor capture mycap limit duration 60 packets 50

Switch# monitor capture mycap buffer size 100

To avoid high CPU utilization, a low packet count and duration as limits has been set.

Step 2: Confirm that the capture point has been correctly defined by entering:

Switch# show monitor capture mycap parameter

monitor capture mycap interface GigabitEthernet1/0/3 in

monitor capture mycap match ipv4 any any

monitor capture mycap buffer size 100

monitor capture mycap limit packets 50 duration 60

Switch# show monitor capture mycap

Status Information for Capture mycap

Target Type:

Interface: GigabitEthernet1/0/3, Direction: in

Status : Inactive

Filter Details:

IPv4

Source IP: any

Destination IP: any

Protocol: any

Buffer Details:

Mary · ‎04-07-2016

Dear Experts,

My 3850 is on version: IOS XE 03.06.04.E

below command is use:

monitor capture 1 match any

monitor cap 1int G1/0/32 both

once I enter monitor capture start, it says:

please associate capture file/buffer, unable to activiate capture

on another 3850, IOS XE 03.03.04E also same error

pls help

KAPMAHOK1986 · ‎04-15-2016

3650 Version 03.07.02E

same error

how you solved this problem?

llewesc11 · ‎04-27-2018

Little late to the game on this one, but I just came across the same issue and made it work using the following:

monitor capture buffer interface G1/0/22 both

monitor capture PCAP match ipv4 protocol tcp any any

monitor capture PCAP file location flash:/mycap.pcap

monitor capture PCAP start