09-30-2024 07:03 AM
Hello all,
I'm facing weird behaviour with a monitor capture session I made on my switches. I followed the guide provided by Cisco on this page:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
And configured it as follows:
2960XSWITCH#sho monitor capture buffer MONITOR1 parameters
Capture buffer MONITOR1 (linear buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1518 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MONITOR, Status : Active
Configuration:
monitor capture buffer MONITOR1 size 2048 max-size 1518 linear
monitor capture point associate MONITOR MONITOR1
monitor capture buffer MONITOR1 filter access-list Monitor
But as you can see, the packet count stays at 0. The interface is UP and working, since the one I'm monitoring is part of an uplink (I've also tried to set the port-channel as the source interface, in both directions).
Any suggestions?
Thanks
09-30-2024 08:29 AM
I would try to create a new ACL and mark only the traffic you want.
09-30-2024 07:28 AM
What about the ACL Monitor? Is it properly configured? This is one of the reasons I can think of. If the traffic is not marked correctly, there will be no capture.
09-30-2024 07:32 AM
Hello Flavio,
Yes, the ACL is set to permit everything; it is configured as follows:
Extended IP access list Monitor
10 permit ip any any
09-30-2024 11:50 PM
Hello Flavio,
I can try to capture some ICMP packets and see if it works like that, I will let you know.
09-30-2024 08:56 AM
It seems like the capture session on your Cisco switch is set up correctly, but you're not seeing any packets in the buffer, which can happen for a few reasons. Here are several troubleshooting steps you can follow to identify the issue:
1. Verify the Capture Point Association
Ensure that the capture point is correctly associated with the buffer and applied to the correct interface. Double-check that the interface you're trying to monitor is correctly associated with the capture point:
show monitor capture point all
Look for the MONITOR capture point and ensure it's associated with the correct interface and direction (ingress or egress). If you're using a port channel, make sure the association is correct there as well.
If you're capturing on a physical interface or a port-channel, use a command similar to this:
monitor capture point ip cef MONITOR gigabitEthernet 1/0/1 both
If you're monitoring only in one direction (ingress or egress), verify that it matches your traffic flow.
2. Check the ACL Configuration
Although your ACL is set to allow all traffic, it's worth verifying that it's correctly applied to the capture buffer. The ACL should be linked properly to the buffer:
show access-lists Monitor
Ensure that the ACL is properly configured and there are no implicit denies (though unlikely, since you allow all traffic). If necessary, you can try temporarily removing the filter to see if the capture works without the ACL:
monitor capture buffer MONITOR1 no filter
3. Ensure Traffic Is Passing Through the Monitored Interface
Make sure that traffic is indeed flowing through the interface where you're capturing. You can check this using the following command:
show interfaces gigabitEthernet 1/0/1
Look for the input and output packet counters. If these counters remain at zero, no traffic is flowing through the interface, or you might be capturing traffic on the wrong interface.
4. Check the Capture Point Status
Ensure that the capture point is active and working as expected:
show monitor capture point status all
The status should be Active and it should show the correct interface and direction.
5. Use Wireshark or Similar Tools
If the switch supports exporting the captured buffer to a file (like a PCAP), you could try exporting the buffer for more detailed inspection with tools like Wireshark:
monitor capture buffer MONITOR1 export flash:monitor1.pcap
Then, transfer this PCAP file to your PC and analyze it with Wireshark. This can help identify whether any traffic is being captured at all.
6. Check for Hardware Limitations or Restrictions
On some switches like the 2960X, Embedded Packet Capture (EPC) can have limitations, such as not being able to capture certain types of traffic (for example, control plane traffic). Ensure that the traffic you're trying to capture is supported on the interface type and capture point.
7. Reset the Capture Session
Sometimes, clearing and resetting the capture session can help. Try stopping the capture, resetting it, and then restarting:
monitor capture point stop MONITOR
monitor capture point remove MONITOR
monitor capture buffer MONITOR1 clear
monitor capture point ip cef MONITOR gigabitEthernet 1/0/1 both
monitor capture point associate MONITOR MONITOR1
monitor capture point start MONITOR
8. Ensure the Switch Has Enough Resources
Packet capture can be resource-intensive, and on some lower-end switches, there may be issues if the switch is under high load. Check the CPU and memory utilization of the switch:
show processes cpu
show processes memory
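As an added illustration (not code from the thread or from Cisco), here is a small Python parser for the `show monitor capture buffer ... parameters` output quoted at the top of the thread. It pulls out the buffer name, mode, size, packet count, associated capture points and filter ACL, and then runs the same sanity checks the steps above describe: a point that is Active while the buffer still holds 0 packets, and a filter ACL that is worth removing temporarily with `monitor capture buffer MONITOR1 no filter`. The sample outputs are constructed from the thread's own paste; the function names and the "healthy" second sample are my assumptions.

```python
import re

# Constructed sample 1: the output pasted by the original poster
# (capture point Active, filter ACL applied, Packets still 0).
SAMPLE_STUCK = """\
Capture buffer MONITOR1 (linear buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1518 bytes, Packets : 0
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MONITOR, Status : Active
Configuration:
monitor capture buffer MONITOR1 size 2048 max-size 1518 linear
monitor capture point associate MONITOR MONITOR1
monitor capture buffer MONITOR1 filter access-list Monitor
"""

# Constructed sample 2 (assumed, not from the thread): same layout, but the
# buffer has actually received packets and no filter ACL is applied.
SAMPLE_HEALTHY = """\
Capture buffer MONITOR1 (linear buffer)
Buffer Size : 2097152 bytes, Max Element Size : 1518 bytes, Packets : 42
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : MONITOR, Status : Active
Configuration:
monitor capture buffer MONITOR1 size 2048 max-size 1518 linear
monitor capture point associate MONITOR MONITOR1
"""


def parse_capture_buffer(text):
    """Turn the 'parameters' block into a dict of the fields we care about."""
    info = {"capture_points": [], "filter_acl": None, "config": []}

    m = re.search(r"Capture buffer (\S+) \((\w+) buffer\)", text)
    if m:
        info["name"], info["mode"] = m.group(1), m.group(2)

    m = re.search(
        r"Buffer Size : (\d+) bytes, Max Element Size : (\d+) bytes, Packets : (\d+)",
        text,
    )
    if m:
        info["buffer_bytes"] = int(m.group(1))
        info["max_element"] = int(m.group(2))
        info["packets"] = int(m.group(3))

    # One line per associated capture point: "Name : X, Status : Y"
    for m in re.finditer(r"Name : (\S+), Status : (\w+)", text):
        info["capture_points"].append({"name": m.group(1), "status": m.group(2)})

    # Everything after "Configuration:" is the running config of the buffer.
    in_config = False
    for line in text.splitlines():
        if line.strip() == "Configuration:":
            in_config = True
            continue
        if in_config and line.startswith("monitor "):
            info["config"].append(line.strip())
            m = re.match(r"monitor capture buffer \S+ filter access-list (\S+)", line)
            if m:
                info["filter_acl"] = m.group(1)
    return info


def diagnose(info):
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    points = info["capture_points"]
    active = [p["name"] for p in points if p["status"] == "Active"]

    if not points:
        findings.append("no capture point associated with the buffer")
    elif not active:
        names = ", ".join(f"{p['name']}={p['status']}" for p in points)
        findings.append(f"capture point(s) associated but none Active: {names}")

    if active and info.get("packets", 0) == 0:
        findings.append(
            "point Active but 0 packets in buffer: verify interface, direction "
            "and that traffic actually crosses the monitored port"
        )
        if info["filter_acl"]:
            findings.append(
                f"filter ACL '{info['filter_acl']}' is applied; test once with "
                f"'monitor capture buffer {info.get('name', '?')} no filter' "
                "to rule the ACL out"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("stuck", SAMPLE_STUCK), ("healthy", SAMPLE_HEALTHY)):
        for finding in diagnose(parse_capture_buffer(sample)) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Paste the real `show` output into `SAMPLE_STUCK` in place of the constructed text; the checks only look at the four fields the thread actually discusses (point status, packet count, filter ACL, configuration lines) and do not try to interpret the other counters.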
09-30-2024 11:52 PM
Hello Maher, and thank you for the post and tips. I've checked all the configuration of the monitor capture I set up and it looks OK, also according to the Cisco page: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html
I also tried to delete it and create it back from 0, negating the buffer, the point and the ACL, and yet it does not work. I will try to set up an ACL to just permit the ICMP packets, like Flavio suggested, and I will update this post.
10-01-2024 01:10 AM - edited 10-01-2024 01:16 AM
Hello Simon,
If you've already reviewed the configuration and re-created the setup but are still facing the issue, here are a few additional advanced troubleshooting steps that could help you identify why the monitor capture session isn't capturing any packets.
The Cisco 2960X switch does have limitations on certain features like EPC. Please ensure that EPC is fully supported on both the hardware platform and the exact version of the IOS you're running. The 2960X is a Layer 2 switch, so certain features of EPC that are IP-based might have restrictions.
Then, compare the output to the Cisco feature navigator to confirm whether EPC is supported on your device and IOS version.
Try applying EPC to a different interface to see if it captures traffic. This could help isolate the issue to either the specific interface or the configuration itself.
monitor capture point ip cef MONITOR gigabitEthernet 1/0/2 both
This will help verify if the problem is specific to the interface you're monitoring or a broader configuration issue.
It's possible that a smaller buffer size could be affecting packet capture (especially if you're dealing with a high traffic volume). Try increasing the buffer size to see if it captures more data:
monitor capture buffer MONITOR1 size 4096 max-size 1518 linear
Then reapply the capture point and start monitoring again.
Although your interface appears up and running, sometimes resetting it could help. Disable and re-enable the interface you're monitoring, then recheck the packet capture:
interface gigabitEthernet 1/0/1
shutdown
no shutdown
This will reset the interface and can sometimes clear any unseen problems that might be blocking the capture process.
Sometimes, specific IOS versions have bugs that can prevent features from working as expected. Search for any reported bugs in the specific IOS version you're running, especially related to EPC. You can also check Cisco's bug search tool for any known issues:
If there is a bug, upgrading to a newer stable IOS version might resolve the issue.
To verify that the capture session is working, try generating simple traffic that should pass through the interface (e.g., ICMP traffic). Initiate a ping from a device connected through the monitored interface and check whether EPC captures the ping packets.
You can generate ICMP traffic using:
ping <destination IP> repeat 100
Then, inspect the buffer for captured packets:
show monitor capture buffer MONITOR1 dump
If EPC is still not capturing any packets, consider using another monitoring feature like SPAN (Switch Port Analyzer) or RSPAN (Remote SPAN) to see if that captures traffic:
monitor session 1 source interface gigabitEthernet 1/0/1
monitor session 1 destination interface gigabitEthernet 1/0/2
This can help determine if the issue is specific to EPC or if the problem lies elsewhere, such as with the interface itself.
In cases of heavy traffic or congestion, packet captures might fail if the buffers are overloaded. Check the interface counters for dropped packets:
show interfaces gigabitEthernet 1/0/1 | include drops
09-30-2024 09:02 AM
Hello,
Have you associated the capture with an interface or VLAN?
09-30-2024 11:53 PM
Hello,
I've associated an interface to my capture.
10-01-2024 08:22 AM
Hello all, I wanted to update you about the capture. I managed to try it by making an ACL to permit only ICMP packets, and it looks like it worked like that. So perhaps it is always needed to specify which kind of traffic you want to capture. Thank you all for the support and tips! You helped me so much!