Cisco Catalyst 4500 Series Switches

Catalyst 4500 Series Switches Wireshark Feature Configuration Example

Document ID: 116470

Updated: Sep 12, 2013

Contributed by Shashank Singh and Dennis McLaughlin, Cisco TAC Engineers.



This document describes how to configure the Wireshark feature for Cisco Catalyst 4500 Series switches.



In order to utilize the Wireshark feature, you must meet these conditions:

  • The system must utilize a Cisco Catalyst 4500 Series switch.
  • The switch must run Supervisor Engine 7-E (Supervisor Engine 6 is unsupported at this time).
  • The feature must have a set IP Base and Enterprise Services (LAN Base is unsupported at this time).
  • The switch CPU cannot have a high utilization condition, as the Wireshark feature is CPU-intensive and software-switches certain packets in the capture process.

Components Used

The information in this document is based on Cisco Catalyst 4500 Series switches that run Supervisor Engine 7-E.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The Cisco Catalyst 4500 Series switches that run Supervisor Engine 7-E have a new built-in functionality with Cisco IOS?-XE Versions 3.3(0) / 151.1 or later. This built-in Wireshark feature has the ability to capture packets in a way that replaces the traditional use of Switch Port Analyzer (SPAN) with an attached PC in order to capture packets in a troubleshooting scenario.


This section serves as a quick-start guide in order to begin a capture. The information provided is very general, and you must implement filters and buffer settings as needed in order to limit the excessive capture of packets if you operate in a production network.

Complete these steps in order to configure the Wireshark feature:

  1. Verify that you meet the conditions in order to support the capture. (Reference the Requirements section for more details.) Enter these commands and verify the output:
    4500TEST#show version

    Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software
     (cat4500e-UNIVERSAL-M), Version 03.03.00.SG RELEASE SOFTWARE (fc3)

    <output omitted>

    License Information for 'WS-X45-SUP7-E'
     License Level: entservices   Type: Permanent
     Next reboot license Level: entservices

    cisco WS-C4507R+E (MPC8572) processor (revision 8)
     with 2097152K/20480K bytes of memory.

    Processor board ID FOX1512GWG1

    MPC8572 CPU at 1.5GHz, Supervisor 7

    <output omitted>

    4500TEST#show proc cpu history

    History information for system:

    10 ****                                                       ****
                0     5     0     5     0     5     0     5     0    5   

                        CPU% per second (last 60 seconds)
  2. Traffic is captured in a TX/RX direction from port gig2/26 in this example. Store the capture file on bootflash in a pcap file format for review from a local PC, if necessary:

    Note: Ensure that you perform the configuration from User EXEC mode, not Global Configuration mode.

    4500TEST#monitor capture MYCAP interface g2/26 both
    4500TEST#monitor capture file bootflash:MYCAP.pcap
    4500TEST#monitor capture MYCAP match any start

    *Sep 13 15:24:32.012: %BUFCAP-6-ENABLE: Capture Point MYCAP enabled.
  3. This captures all traffic ingress and egress on port g2/26. It also fills the file very quickly with useless traffic in a production situation, unless you specify the direction and apply capture filters in order to narrow the scope of the traffic that is captured. Enter this command in order to apply a filter:
    4500TEST#monitor capture MYCAP start capture-filter "icmp"

    Note: This ensures that you only capture Internet Control Message Protocol (ICMP) traffic in your capture file.

  4. Once the capture file times-out, or fills the size quota, you receive this message:
    *Sep 13 15:25:07.933: %BUFCAP-6-DISABLE_ASYNC:
     Capture Point MYCAP disabled. Reason : Wireshark session ended
    Enter this command in order to manually stop the capture:
    4500TEST#monitor capture MYCAP stop
  5. You can view the capture from the CLI. Enter this command in order to view the packets:
    4500TEST#show monitor capture file bootflash:MYCAP.pcap

      1   0.000000 44:d3:ca:25:9c:c9 -> 01:00:0c:cc:cc:cc CDP
          Device ID: 4500TEST  Port ID: GigabitEthernet2/26 
      2   0.166983 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP
          Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018
      3   0.166983 00:19:e7:c1:6a:18 -> 01:00:0c:cc:cc:cd STP
          Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018
      4   1.067989 ->    HSRP Hello (state Standby)
      5   2.173987 00:19:e7:c1:6a:18 -> 01:80:c2:00:00:00 STP
          Conf. Root = 32768/1/00:19:e7:c1:6a:00  Cost = 0  Port = 0x8018

    Note: The detail option is available at the end in order to view the packet in a Wireshark format. Also, the dump option is available in order to see the Hex value of the packet.

  6. The capture file becomes cluttered if you do not use a capture-filter when you begin the capture. In this case, utilize the display-filter option in order to show specific traffic in the display. You only want to view ICMP traffic, not the Hot Standby Router Protocol (HSRP), Spanning Tree Protocol (STP), and Cisco Discovery Protocol (CDP) traffic shown in the previous output. The display-filter uses the same format as Wireshark, so you can find the filtersonline.

    4500TEST#show monitor capture file bootflash:MYCAP.pcap display-filter "icmp"

     17   4.936999 -> ICMP Echo
          (ping) request  (id=0x0001, seq(be/le)=0/0, ttl=255)
     18   4.936999 ->  ICMP Echo
          (ping) reply    (id=0x0001, seq(be/le)=0/0, ttl=251)
     19   4.938007 -> ICMP Echo
          (ping) request  (id=0x0001, seq(be/le)=1/256, ttl=255)
     20   4.938007 ->  ICMP Echo
          (ping) reply    (id=0x0001, seq(be/le)=1/256, ttl=251)
     21   4.938998 -> ICMP Echo
          (ping) request  (id=0x0001, seq(be/le)=2/512, ttl=255)
     22   4.938998 ->  ICMP Echo
          (ping) reply    (id=0x0001, seq(be/le)=2/512, ttl=251)
     23   4.938998 -> ICMP Echo
          (ping) request  (id=0x0001, seq(be/le)=3/768, ttl=255)
     24   4.940005 ->  ICMP Echo
          (ping) reply    (id=0x0001, seq(be/le)=3/768, ttl=251)
     25   4.942996 -> ICMP Echo
          (ping) request  (id=0x0001, seq(be/le)=4/1024, ttl=255)
     26   4.942996 ->  ICMP Echo
          (ping) reply    (id=0x0001, seq(be/le)=4/1024, ttl=251)
  7. Transfer the file to a local machine, and look at the pcap file as you would any other standard capture file. Enter one of these commands in order to complete the transfer:
    4500TEST#copy bootflash: ftp://Username:Password@<ftp server address>
    4500TEST#copy bootflash: tftp:
  8. In order to clean up the capture, remove the configuration with these commands:
    4500TEST#no monitor capture MYCAP
    4500TEST#show monitor capture MYCAP

    <no output>


Additional Settings

By default, the size limit of the capture file is 100 packets, or 60 seconds in a linear file. In order to change the size limit, use the limit option in the monitor capture syntax:

4500TEST#monitor cap MYCAP limit ?

duration       Limit total duration of capture in seconds
packet-length  Limit the packet length to capture
packets        Limit number of packets to capture

The buffer maximum size is 100 MB. This is adjusted, as well as the circular/linear buffer setting, with this command:

4500TEST#monitor cap MYCAP buffer ?

circular  circular buffer
size      Size of buffer

The built-in Wireshark feature is a very powerful tool if used correctly. It saves time and resources when you troubleshoot a network. However, exercise caution when you utilize the feature, because it might increase CPU utilization in high-traffic situations. Never configure the tool and leave it unattended.


There is currently no verification procedure available for this configuration.


Due to hardware limitations, you might receive out-of-order packets in the capture file. This is due to the separate buffers used for the ingress and egress packet captures. If you have out-of-order packets in your capture, set both of your buffers to ingress. This prevents the packets in egress from processing before the ingress packets when the buffer is processed.

If you see out-of-order packets, it is recommended that you change your configuration from both to in on both interfaces.

Here is the previous command:

4500TEST#monitor capture MYCAP interface g2/26 both

Change the command to these:

4500TEST#monitor capture MYCAP interface g2/26 in

4500TEST#monitor capture MYCAP interface g2/27 in
                  |            |
                  |    4500    |
+------+          |            |         +------+
|      +---------->in       out+--------->      |
| host |          |g2/26  g2/27|         | host |
|      <----------+out       in<---------+      |
+------+          |            |         +------+
                  |            |


Related Information

Updated: Sep 12, 2013
Document ID: 116470