One of the most fundamental troubleshooting concepts in all of IT is to capture packets and review the data as it flows over the wire. Historically the easiest way to do this was to configure some type of SPAN port on a switch to copy the traffic to your pack capture device. I’ve written about this in the past here. With today’s less expensive and more powerful hardware it should come as no surprise that this functionality is now available on network hardware it’s self.
In the case of Cisco 3650 and 3850 switches the management and control planes are essentially a Linux operating system with a terminal to function like IOS of the past. With this comes some additional flexibility, in this case, Wireshark.
Let’s look firsthand at how to configure and use the capture features of the switch.
First, take note that this configuration takes place in enabled mode, not configuration mode.
Second, you want to come up with some way of filtering traffic. Ideally, you may want to leverage an extended access list. Build an access list to account for traffic flowing in both directions if you do in fact want to see both sides of the flow. To monitor traffic to a specific site we might do something like this:
ip access-list extended CAPTURE_ACL permit ip host 18.104.22.168 any permit ip any host 22.214.171.124
This ACL will get specific traffic for the remote destination of 126.96.36.199.
Next, lets start configuring the capture. Define an interface and the direction of the flow you would like to capture. If you are leveraging an ACL similarly to my example above you can link to this here as well.
#monitor capture CAPTURE interface vlan 201 both access-list CAPTURE_ACL
If not, you can define this separately but with less granularity as would be the case with the ACL. You can see the contextual help output below.
#monitor capture CAPTURE match ipv4 ? A.B.C.D/nn IPv4 source Prefix /, e.g., 192.168.0.0/16 any Any source prefix host A single source host protocol Protocols
Next, define a file to have the capture dumped to.
#monitor capture CAPTURE file location flash:capture.pcap
Finally, start the capture.
#monitor capture start
You can check the status of the capture at any time with the “show monitor capture” command.
#show monitor capture Status Information for Capture CAPTURE Target Type: Interface: Vlan201, Direction: BOTH Status : Inactive Filter Details: Access-list: CAPTURE_ACL Buffer Details: Buffer Type: LINEAR (default) File Details: Associated file name: flash:CAPTURE Size of buffer(in MB): 10 Limit Details: Number of Packets to capture: 0 (no limit) Packet capture duration: 0 (no limit) Packet Size to capture: 0 (no limit) Maximum number of packets to capture per second: 1000 Packet sampling rate: 0 (no sampling)
Finally, once concluded you can stop the capture.
#monitor capture stop Stopped capture point : CAPTURE
To view captures after the fact you can leverage the “show monitor capture” command. In this example you can see ICMP ping go out and back.
#show monitor capture file flash:CAPTURE 1 0.000000000 192.168.1.35 -> 188.8.131.52 ICMP 102 Echo (ping) request id=0x77f3, seq=0/0, ttl=64 2 0.093479000 184.108.40.206 -> 192.168.1.35 ICMP 102 Echo (ping) reply id=0x77f3, seq=0/0, ttl=45
Finally, this file can be exported to another system for analysis with standard copy commands.
I hope you found this useful!