Re: Monitor Capture on Cisoc IOS-XE

Netmart · ‎11-12-2019

Hello,

I applied the monitor capture as listed below - c4500. However, I am only able to see one-way communication, meaning only traffic leaving the source IP defined in ACL, but no incoming traffic is seen on the capture.

ip access-list extended MonCapTest
permit ip host 1.1.1.1 host 2.2.2.2

Instead of using the Vlan111 interface, I applied monitor capture on the interface hosting device with IP 1.1.1.1 resulting in the same output.

Status Information for Capture test
Target Type:
Interface: Vlan111, Direction: both
Status : Active
Filter Details:
Access-list: MonCapTest
File Details:
File not associated
Buffer Details:
Buffer Type: CIRCULAR
Buffer Size (in MB): 10
Limit Details:
limit not set

Extract of capture - 2.2.2.2 is pinging 1.1.1.1, which is member of VLAN 111:

==>ping requests are missing on packet capture; I was expecting that RX and TX are captured.

1025.835000 1.1.1.1 -> 2.2.2.2 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=56729/39389, ttl=128)
1026.836007 1.1.1.1 -> 2.2.2.2 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=56730/39645, ttl=128)
1027.838006 1.1.1.1 -> 2.2.2.2 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=56731/39901, ttl=128)
1028.841012 1.1.1.1 -> 2.2.2.2 ICMP Echo (ping) reply (id=0x0001, seq(be/le)=56732/40157, ttl=128)

Any information is much appreciated.

Thanks,

Netmart

Oleksandr Y. · ‎02-25-2021

Hi, I was looking for another issue and stumbled upon this one ... probably already resolved but I have a feeling the Access List is the bottle neck ... you have chosen specific SRC and DST IP Addresses which means that only packets with SRC 1.1.1.1 and DST 2.2.2.2 will be recorded ... but not SRC 2.2.2.2 / DST 1.1.1.1 on the way back. The Monitor Capture for BOTH ways is fine, just edit the Access List to also capture the SRC & DST of the Packet on it's way back