Packet capture on 3850 and 2960 or Netflow possible?

ajwhite0
Level 1

Hello,

We notice on a few 2960s and 3850s that, at 12:30am on the same LAN, all patched ports get a burst of bandwidth utilisation for about 30 minutes. I've asked around if anyone knows of any scheduled tasks that kick in at that time, but can these switches do packet captures and also Netflow?

Netflow would be nice, but it would require firewall ports to be opened by a 3rd party, so that will take days.

Thanks


M02@rt37
VIP

Hello @ajwhite0 

Cisco Catalyst 2960 and 3850 switches can help investigate the bandwidth burst, but their capabilities differ.

The 2960 does not support on-device packet captures or NetFlow, but you can set up a SPAN session to mirror traffic to a device running Wireshark for analysis. On the other hand, the 3850 supports both SPAN and on-device packet captures using the monitor capture feature, allowing you to capture and export traffic directly from the switch. It also supports NetFlow Lite, which can export flow data to a collector, though this requires configuring the firewall to allow the traffic to the collector.

As an immediate step, set up SPAN on either switch or use packet captures on the 3850 to analyze the traffic during the 12:30 AM burst. Additionally, check switch logs and CPU utilization to identify any unusual events. Once firewall restrictions are addressed, NetFlow can provide detailed insights into traffic patterns, aiding in long-term monitoring...

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swspan.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I will send you a PM today

MHM

On the 3850, what would be the acceptable command to run a packet capture? I don't know the source, destination or port info, but I know the ports that see this activity. Could I run the capture for 1-2 mins to a file in flash, or live?

@ajwhite0 

On your 3850, you can use the monitor capture feature to perform a packet capture even if you don’t know the specific source, destination, or port information. Since you know the interfaces experiencing the activity, you can set up a broad capture on those interfaces...

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/117639-configure-wireshark-00.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Thanks for the link, so am I safe to paste this into the 3850 to monitor int gig 1/0/10?

! capture both directions on the port, any IPv4 traffic, into a 10 MB buffer in flash
monitor capture mycap interface GigabitEthernet1/0/10 both
monitor capture mycap match ipv4 any any
monitor capture mycap file location flash:mycap.pcap buffer-size 10
monitor capture mycap limit packets 100
! the capture only runs once started; stop it when enough has been sampled
monitor capture mycap start
monitor capture mycap stop

I only really need to run it for 2-3 mins I think, at 12:30am; it's a shame I can't schedule it. I just don't want to cause the switch to have issues with space and CPU if I run the above.

Thanks 

If the traffic is between hosts on the same VLAN, it may be challenging to get Netflow information. You might look into something a little more basic to get an idea regarding the source of the traffic. I don't know if MRTG is still around, but something like that would give you traffic rates (TX and RX) so you could try and determine what ports are involved. Then you could look at the applicable scheduler on the offending hosts. If it is something like a Windows SQL server, there could be a scheduler in the DB engine in addition to the OS task scheduler.

Thanks, I'll take a look. To get the TX/RX I'm using SNMP Exporter into Grafana/Prometheus, which is just great for this, but it's the port/IP details I really need within some sort of capture.

Understood. My point was that if you can narrow down the capture to a particular source port then you would have less data to sift through. You might even be able to identify the reason for the traffic without a port capture by examining scheduled tasks on the source host.

Joseph W. Doherty
Hall of Fame

All ports on the same VLAN, and for 30 minutes?

That's rather unusual, but if it is legitimate traffic, I'm wondering if it's some scheduled host-to-host transfer being unicast flooded.

True, I think while we see it happening, if I run the "any any" capture on the port for 60 seconds I'll know what it is. I think I have enough to go on now, thanks.