Cisco Switch Wireshark Packet Capture

One of the most fundamental troubleshooting concepts in all of IT is to capture packets and review the data as it flows over the wire.  Historically the easiest way to do this was to configure some type of SPAN port on a switch to copy the traffic to your packet capture device.  I’ve written about this in the past here.  With today’s less expensive and more powerful hardware it should come as no surprise that this functionality is now available on the network hardware itself.

In the case of Cisco 3650 and 3850 switches the management and control planes are essentially a Linux operating system with a terminal that functions like the IOS of the past.  With this comes some additional flexibility, in this case, Wireshark.

Let’s look firsthand at how to configure and use the capture features of the switch.

First, take note that this configuration takes place in enabled mode, not configuration mode.

Second, you want to come up with some way of filtering traffic.  Ideally, you may want to leverage an extended access list.  Build an access list to account for traffic flowing in both directions if you do in fact want to see both sides of the flow.  To monitor traffic to a specific site we might do something like this:

ip access-list extended CAPTURE_ACL
 permit ip host any
 permit ip any host

This ACL will get specific traffic for the remote destination of

Next, let’s start configuring the capture.  Define an interface and the direction of the flow you would like to capture.  If you are using an ACL like the one in my example above, you can attach it here as well.

#monitor capture CAPTURE interface vlan 201 both access-list CAPTURE_ACL

If not, you can define the match criteria inline instead, though with less granularity than the ACL gives you.  You can see the contextual help output below.

#monitor capture CAPTURE match ipv4 ?
  A.B.C.D/nn  IPv4 source Prefix /, e.g.,
  any         Any source prefix
  host        A single source host
  protocol    Protocols

Next, define a file to have the capture dumped to.

#monitor capture CAPTURE file location flash:capture.pcap

Finally, start the capture.

#monitor capture CAPTURE start

You can check the status of the capture at any time with the “show monitor capture” command.

#show monitor capture
Status Information for Capture CAPTURE
  Target Type:
 Interface: Vlan201, Direction: BOTH
   Status : Inactive
  Filter Details:
   Access-list: CAPTURE_ACL
  Buffer Details:
   Buffer Type: LINEAR (default)
  File Details:
   Associated file name: flash:CAPTURE
   Size of buffer(in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)
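
As an added example (not part of the original post, and not Cisco code), the Python below parses the “show monitor capture” output shown above and checks that the capture point is bound to the interface, ACL and file you intended, and that a packet or duration limit is set. The function names are hypothetical, and the output layout is assumed to match what is printed on this page.

```python
SAMPLE = """
Status Information for Capture CAPTURE
  Target Type:
 Interface: Vlan201, Direction: BOTH
   Status : Inactive
  Filter Details:
   Access-list: CAPTURE_ACL
  Buffer Details:
   Buffer Type: LINEAR (default)
  File Details:
   Associated file name: flash:CAPTURE
   Size of buffer(in MB): 10
  Limit Details:
   Number of Packets to capture: 0 (no limit)
   Packet capture duration: 0 (no limit)
   Packet Size to capture: 0 (no limit)
   Maximum number of packets to capture per second: 1000
   Packet sampling rate: 0 (no sampling)
"""  # constructed input: the status output as printed on this page

def parse_capture_status(text):
    """Parse one capture point's status into {section: {key: value}}."""
    status, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Status Information for Capture"):
            status["name"] = line.split()[-1]
        elif line.endswith(":"):          # section header, e.g. "Limit Details:"
            section = status.setdefault(line[:-1], {})
        elif line and section is not None:
            for pair in line.split(", "):  # "Interface: Vlan201, Direction: BOTH"
                key, _, value = pair.partition(":")  # first colon only, so
                section[key.strip()] = value.strip()  # "flash:CAPTURE" survives
    return status

def review(status, interface, acl, filename):
    """Return findings to resolve before starting the capture."""
    want = [("Target Type", "Interface", interface),
            ("Filter Details", "Access-list", acl),
            ("File Details", "Associated file name", filename)]
    findings = []
    for sec, key, expected in want:
        found = status.get(sec, {}).get(key)
        if found != expected:
            findings.append(f"{key}: expected {expected}, found {found}")
    limits = status.get("Limit Details", {})
    for key in ("Number of Packets to capture", "Packet capture duration"):
        if limits.get(key, "0").split()[:1] == ["0"]:   # "0 (no limit)"
            findings.append(f"{key}: no limit set")
    return findings
```

Call `review(parse_capture_status(output), "Vlan201", "CAPTURE_ACL", "flash:CAPTURE")` on output collected from the switch; an empty list means the bindings match and both limits are set.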

Finally, once concluded you can stop the capture.

#monitor capture CAPTURE stop
Stopped capture point : CAPTURE

To view captures after the fact you can use the “show monitor capture file” command.  In this example you can see an ICMP ping go out and back.

#show monitor capture file flash:CAPTURE
  1 0.000000000 -> ICMP 102 Echo (ping) request  id=0x77f3, seq=0/0, ttl=64
  2 0.093479000 -> ICMP 102 Echo (ping) reply    id=0x77f3, seq=0/0, ttl=45

Finally, this file can be exported to another system for analysis with standard copy commands.

I hope you found this useful!


