cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
630
Views
4
Helpful
10
Replies

Monitor capture on cisco 6800 and 2960 not showing outputs

Simone C
Level 1
Level 1

Hello all,

 

i'm facing a weird behaviour with a monitor capture session I made on my switches. I followed the guide provided by Cisco from this page:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

And configured it as follows:

2960XSWITCH#sho monitor capture buffer MONITOR1 parameters
Capture buffer MONITOR1 (linear buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1518 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MONITOR, Status : Active
Configuration:
monitor capture buffer MONITOR1 size 2048 max-size 1518 linear
monitor capture point associate MONITOR MONITOR1
monitor capture buffer MONITOR1 filter access-list Monitor


But as you can see, the packets keeps remaining to 0. The interface is UP and working since the one I'm monitoring is part of an uplink (I've also tried to set the port-channel as interface source, in both directions).

Any suggestions?

Thanks

1 Accepted Solution

Accepted Solutions

I would try to create a new ACL and mark only the traffic you want.

View solution in original post

10 Replies 10

@Simone C 

 What about the ACL Monitor ? It is properly configured? This is one of the reason I can think of. If the traffic is not maked correctly, they will be no capture

Hello Flavio,

Yes the ACL is set to permit everything, it is configured as follow:

 

Extended IP access list Monitor
10 permit ip any any

I would try to create a new ACL and mark only the traffic you want.

Hello Flavio,

I can try to capture some ICMP packets and see if it works like that, I will let you know.

It seems like the capture session on your Cisco switch is set up correctly, but you're not seeing any packets in the buffer, which can happen for a few reasons. Here are several troubleshooting steps you can follow to identify the issue:

1. Verify the Capture Point Association
Ensure that the capture point is correctly associated with the buffer and applied to the correct interface. Double-check that the interface you're trying to monitor is correctly associated with the capture point:

show monitor capture point all


Look for the MONITOR capture point and ensure it's associated with the correct interface and direction (ingress or egress). If you're using a port channel, make sure the association is correct there as well.

If you're capturing on a physical interface or a port-channel, use a command similar to this:


monitor capture point ip cef MONITOR gigabitEthernet 1/0/1 both
If you're monitoring only in one direction (ingress or egress), verify that it matches your traffic flow.

2. Check the ACL Configuration
Although your ACL is set to allow all traffic, it's worth verifying that it's correctly applied to the capture buffer. The ACL should be linked properly to the buffer:

show access-lists Monitor
Ensure that the ACL is properly configured and there are no implicit denies (though unlikely, since you allow all traffic). If necessary, you can try temporarily removing the filter to see if the capture works without the ACL:

monitor capture buffer MONITOR1 no filter


3. Ensure Traffic Is Passing Through the Monitored Interface
Make sure that traffic is indeed flowing through the interface where you're capturing. You can check this using the following command:


show interfaces gigabitEthernet 1/0/1


Look for the input and output packet counters. If these counters remain at zero, no traffic is flowing through the interface, or you might be capturing traffic on the wrong interface.

4. Check the Capture Point Status
Ensure that the capture point is active and working as expected:

show monitor capture point status all
The status should be Active and it should show the correct interface and direction.

5. Use Wireshark or Similar Tools
If the switch supports exporting the captured buffer to a file (like a PCAP), you could try exporting the buffer for more detailed inspection with tools like Wireshark:


monitor capture buffer MONITOR1 export flash:monitor1.pcap
Then, transfer this PCAP file to your PC and analyze it with Wireshark. This can help identify whether any traffic is being captured at all.

6. Check for Hardware Limitations or Restrictions
On some switches like the 2960X, Embedded Packet Capture (EPC) can have limitations, such as not being able to capture certain types of traffic (for example, control plane traffic). Ensure that the traffic you're trying to capture is supported on the interface type and capture point.

7. Reset the Capture Session
Sometimes, clearing and resetting the capture session can help. Try stopping the capture, resetting it, and then restarting:

monitor capture point stop MONITOR
monitor capture point remove MONITOR
monitor capture buffer MONITOR1 clear
monitor capture point ip cef MONITOR gigabitEthernet 1/0/1 both
monitor capture point associate MONITOR MONITOR1
monitor capture point start MONITOR
8. Ensure the Switch Has Enough Resources
Packet capture can be resource-intensive, and on some lower-end switches, there may be issues if the switch is under high load. Check the CPU and memory utilization of the switch:

show processes cpu
show processes memory

Hello Maher and thank you for the post and tips. I've checked all the configuration of the monitor capture I set up and it looks ok, according also to the cisco page: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

I also tried to delete it and create it back from 0, so negating both buffer, point and ACL, and yet it does not work, I will try to set up an ACL to just permit the ICMP packets like Flavio suggested and I will update this post.

Hello Simon,

If you've already reviewed the configuration and re-created the setup but are still facing the issue, here are a few additional advanced troubleshooting steps that could help you identify why the monitor capture session isn't capturing any packets.

1. Ensure Embedded Packet Capture (EPC) is Supported on Your Switch Model and IOS Version

The Cisco 2960X switch does have limitations on certain features like EPC. Please ensure that EPC is fully supported on both the hardware platform and the exact version of the IOS you're running. The 2960X is a Layer 2 switch, so certain features of EPC that are IP-based might have restrictions.

Then, compare the output to the Cisco feature navigator to confirm whether EPC is supported on your device and IOS version.

2. Test EPC on Another Interface

Try applying EPC to a different interface to see if it captures traffic. This could help isolate the issue to either the specific interface or the configuration itself.

monitor capture point ip cef MONITOR gigabitEthernet 1/0/2 both

This will help verify if the problem is specific to the interface you're monitoring or a broader configuration issue.

3. Increase Buffer Size Temporarily

It's possible that a smaller buffer size could be affecting packet capture (especially if you're dealing with a high traffic volume). Try increasing the buffer size to see if it captures more data:

monitor capture buffer MONITOR1 size 4096 max-size 1518 linear

Then reapply the capture point and start monitoring again.

4. Disable and Re-enable the Interface

Although your interface appears up and running, sometimes resetting it could help. Disable and re-enable the interface you're monitoring, then recheck the packet capture:

interface gigabitEthernet 1/0/1
shutdown
no shutdown

This will reset the interface and can sometimes clear any unseen problems that might be blocking the capture process.

5. Check for Bugs in the IOS Version

Sometimes, specific IOS versions have bugs that can prevent features from working as expected. Search for any reported bugs in the specific IOS version you're running, especially related to EPC. You can also check Cisco's bug search tool for any known issues:

If there is a bug, upgrading to a newer stable IOS version might resolve the issue.

6. Test with Simple Traffic (Ping)

To verify that the capture session is working, try generating simple traffic that should pass through the interface (e.g., ICMP traffic). Initiate a ping from a device connected through the monitored interface and check whether EPC captures the ping packets.

You can generate ICMP traffic using:

ping <destination IP> repeat 100

Then, inspect the buffer for captured packets:

show monitor capture buffer MONITOR1 dump

7. Use a Different Capture Mechanism (SPAN/RSPAN)

If EPC is still not capturing any packets, consider using another monitoring feature like SPAN (Switch Port Analyzer) or RSPAN (Remote SPAN) to see if that captures traffic:

monitor session 1 source interface gigabitEthernet 1/0/1
monitor session 1 destination interface gigabitEthernet 1/0/2

This can help determine if the issue is specific to EPC or if the problem lies elsewhere, such as with the interface itself.

8. Check for Overloaded Interface (Buffer Drops)

In cases of heavy traffic or congestion, packet captures might fail if the buffers are overloaded. Check the interface counters for dropped packets:

show interfaces gigabitEthernet 1/0/1 | include drops

 

chrihussey
VIP Alumni
VIP Alumni

Hello, 

Have you associated the capture with an interface or VLAN?

Hello,

 

I've associated an interface to my capture.

Simone C
Level 1
Level 1

Hello all,  I wanted to update you about the capture. I managed to try it by making an ACL to permit only ICMP packets and looks it worked like that. So perhaps it is always needed to specify which kind of traffic you want to capture. Thank you all for the support and tips! you helped me so much!

Review Cisco Networking for a $25 gift card