Onboard Packet Capture SDA

Dominik_ · ‎05-08-2022

Hi SDA-Experts,

shortly to the environement:

we have an SDA Fabric in our Location.

We use the Catalyst C9300-48P as Access Switch.

Our actual version is the 17.3.4 (which was the recommended at this time)

Now we recently had a case on our end where we wanted to capture multicast traffic for one of the attached devices.

Since it is a quite remote location we wanted to use the onboard capture of the C9300.

So we added the Trace like this:

monitor capture [CapName] file ring 3 size 100 location flash:[CAPNAME].pcap interface [,...] both match any

But from the capture itself I only see incoming traffic. So from the device to the switch. Everything which is

VXLAN encapsulated to the device is not visible here. We did a workaround to capture the Uplink and decoded VXLAN in the capture. But for switches with high traffic beside the one we want to capture this is not feasible since we get a big load of data that we don't need...

Anybody has some tip how to get all the traffic? Or is the only way to do a span session?

Flavio Miranda · ‎05-09-2022

Hi

The behavior you are seing seems to be expected. As you are using "Embedded Packet Capture", Cisco informs that:

"EPC captures multicast packets only on ingress and does not capture the replicated packets on egress."

What you can try is to use "Wireshark" mode on the switch. Ultimately, you can try to run Wireshark on the endpoint, if possible.

You can refer to this guide for more information:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_packet_capture.html