cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16645
Views
0
Helpful
8
Replies

packet capture on cisco switches and routers for troubleshooting

SJ K
Contributor
Contributor

Hi all,

 

I have been working on packet tracer and gns3 which have incorporated packet capturing and tracing as part of their function.

This allow me to see and understand how the network traffic flows and troubleshoot if necessary.

 

However, in actual life scenario, what would be the "recommended" or straightforward or most efficient way of capturing packets on interfaces and exporting them out on wireshark for troubleshooting ?

 

Can i just plug a server into a switch port and have have another interface traffic mirrored over and send to the server ?

 

Regards,
Noob

 

 

2 Accepted Solutions

Accepted Solutions

Maybe Joseph had already answered well, I'd have been very interested in his post :)

You could look at "spanning" a port to a sniffer which in essence replicates the traffic to a "monitor" port, some routers/switch's have a mechanism (embedded packet capture) to do captures already which outputs to a file in a location (you usually set it to xxxxx.pcap) and then pull the file off via tftp or something, on top of that, if EPC is not supported, a poor man's sniffer would be an ACL on an interface logging away the hits.

Examples:

SPAN http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

EPC https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe

Hope this helps.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Hmm, I see Aglaia hasn't restored our posts.  That would seem both a disservice to those of us who freely provide our time to provide them, and to the rest of the community that loses out on their content.  If someone is scoring their own posts, instead of removing other users' innocent posts, that they also scored, couldn't you just remove their scores from our posts?

Regardless, I think my original post mentioned the later EPC feature, which Bilal also has since noted, but I recall I also mentioned a variation of SPAN, ESPAN, which I found, allows you to direct its output, via L3, right to a host running something like Wireshark.  Very handy!  You do, though, need to be aware of the bandwidth it might consume, especially if you ESPAN a LAN port but your monitoring host is somewhere else across a lower bandwidth WAN.

View solution in original post

8 Replies 8

Posts in this discussion have been removed due to possible misconduct. Please refer to the CSC terms of use for more details. https://supportforums.cisco.com/document/29951/cisco-support-community-acceptable-use-agreement
 
The Cisco Support Community

Could you clarify why my post was removed?

Post was deleted because a user was identified to be gaming the system by self-rating their own posts using secondary accounts. Unfortunately, several posts had to be removed.

We are currently reviewing other posts and will not hesitate to remove or block users who engage in misconduct on the Cisco Support Community.

So you're saying, someone was self rating their own posts and other innocent "bystander" posts had to be removed too?

Agreed with Joseph. I have no idea why was the thread deleted (there are no misconduct here).

 

Regards,
Noob

Maybe Joseph had already answered well, I'd have been very interested in his post :)

You could look at "spanning" a port to a sniffer which in essence replicates the traffic to a "monitor" port, some routers/switch's have a mechanism (embedded packet capture) to do captures already which outputs to a file in a location (you usually set it to xxxxx.pcap) and then pull the file off via tftp or something, on top of that, if EPC is not supported, a poor man's sniffer would be an ACL on an interface logging away the hits.

Examples:

SPAN http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

EPC https://supportforums.cisco.com/document/139686/configuration-example-embedded-packet-capture-cisco-ios-and-ios-xe

Hope this helps.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Hmm, I see Aglaia hasn't restored our posts.  That would seem both a disservice to those of us who freely provide our time to provide them, and to the rest of the community that loses out on their content.  If someone is scoring their own posts, instead of removing other users' innocent posts, that they also scored, couldn't you just remove their scores from our posts?

Regardless, I think my original post mentioned the later EPC feature, which Bilal also has since noted, but I recall I also mentioned a variation of SPAN, ESPAN, which I found, allows you to direct its output, via L3, right to a host running something like Wireshark.  Very handy!  You do, though, need to be aware of the bandwidth it might consume, especially if you ESPAN a LAN port but your monitoring host is somewhere else across a lower bandwidth WAN.

Thanks all,

 

No worries, I saved the answers in  my notes already ;)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers